Posted to issues@mesos.apache.org by "Cody Maloney (JIRA)" <ji...@apache.org> on 2015/02/27 03:55:05 UTC
[jira] [Updated] (MESOS-2417) Memory use after free with process::finalize()
[ https://issues.apache.org/jira/browse/MESOS-2417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Cody Maloney updated MESOS-2417:
--------------------------------
Attachment: 0001-Stop-the-clock-so-we-don-t-use-process_manager-after.patch
One possible patch that would fix the issue. Not planning to submit / bring through review ATM.
> Memory use after free with process::finalize()
> ----------------------------------------------
>
> Key: MESOS-2417
> URL: https://issues.apache.org/jira/browse/MESOS-2417
> Project: Mesos
> Issue Type: Bug
> Components: libprocess
> Environment: ArchLinux building Mesos with AddressSanitizer (http://clang.llvm.org/docs/AddressSanitizer.html)
> CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O2" CC=clang CXX=clang++ ../configure --disable-python --enable-silent-rules --disable-java
> Reporter: Cody Maloney
> Priority: Minor
> Attachments: 0001-Stop-the-clock-so-we-don-t-use-process_manager-after.patch
>
>
> Below are the three relevant stacks (a dump from AddressSanitizer). The first stack is the clock being triggered, referencing process_manager after it has been deleted by the second stack in the printing. The final stack printed is the initial allocation.
> ==30852==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000009b7c at pc 0x000000e5a2c8 bp 0x7f8a247f7640 sp 0x7f8a247f7638
> READ of size 1 at 0x611000009b7c thread T9
> #0 0xe5a2c7 in Synchronizable::acquire() /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:36:9
> #1 0xe5a2c7 in Synchronized::Synchronized(Synchronizable*) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:77
> #2 0xe5a2c7 in process::ProcessManager::use(process::UPID const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:1940
> #3 0xe80515 in process::ProcessManager::deliver(process::UPID const&, process::Event*, process::ProcessBase*) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:2114:35
> #4 0xe8d5fc in process::internal::dispatch(process::UPID const&, std::shared_ptr<std::function<void (process::ProcessBase*)> > const&, Option<std::type_info const*> const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:3034:3
> #5 0xf2ec76 in void process::dispatch<process::ReaperProcess>(process::PID<process::ReaperProcess> const&, void (process::ReaperProcess::*)()) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/include/process/c++11/dispatch.hpp:81:3
> #6 0xe59dd8 in std::function<void ()>::operator()() const /usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
> #7 0xe59dd8 in process::Timer::operator()() const /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/include/process/timer.hpp:30
> #8 0xe59dd8 in process::timedout(std::list<process::Timer, std::allocator<process::Timer> > const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:676
> #9 0xd72a88 in std::function<void (std::list<process::Timer, std::allocator<process::Timer> > const&)>::operator()(std::list<process::Timer, std::allocator<process::Timer> > const&) const /usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
> #10 0xd72a88 in process::clock::tick(process::Time const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/clock.cpp:171
> #11 0xf5b81c in std::function<void ()>::operator()() const /usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
> #12 0xf5b81c in process::internal::handle_delay(ev_loop*, ev_timer*, int) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/libev.cpp:65
> #13 0xfe6e34 in ev_invoke_pending /home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.c:2994:11
> #14 0xfe79b2 in ev_run /home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.c:3394:7
> #15 0xf5c625 in ev_loop(ev_loop*, int) /home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.h:826:50
> #16 0xf5c625 in process::EventLoop::run(void*) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/libev.cpp:121
> #17 0x7f8a31be7373 in start_thread (/usr/lib/libpthread.so.0+0x7373)
> #18 0x7f8a3019f27c in __clone (/usr/lib/libc.so.6+0xe827c)
> 0x611000009b7c is located 60 bytes inside of 224-byte region [0x611000009b40,0x611000009c20)
> freed by thread T0 here:
> #0 0x55a78b in operator delete(void*) (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a78b)
> #1 0x76ef1e in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:40:3
> #2 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
> previously allocated by thread T0 here:
> #0 0x55a24b in operator new(unsigned long) (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a24b)
> #1 0xe5b911 in process::initialize(std::string const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:781:3
> #2 0x76ed33 in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:21:3
> #3 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
> Thread T9 created by T0 here:
> #0 0x5a971f in pthread_create (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x5a971f)
> #1 0xe5ba89 in process::initialize(std::string const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:823:7
> #2 0x76ed33 in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:21:3
> #3 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
> SUMMARY: AddressSanitizer: heap-use-after-free /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:36 Synchronizable::acquire()
> Shadow bytes around the buggy address:
> 0x0c227fff9310: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c227fff9320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c227fff9330: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c227fff9340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c227fff9350: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
> =>0x0c227fff9360: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
> 0x0c227fff9370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c227fff9380: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c227fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c227fff93a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c227fff93b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> ASan internal: fe
> ==30852==ABORTING
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
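The ASan report above shows a shutdown-ordering bug: main() deletes process_manager in process::finalize(), but the clock thread is still ticking and a self-rearming reaper timer dispatches into the freed object. The following is an added example written for this page, not code from Mesos or libprocess: Manager, Clock, arm() and the two finalize functions are hypothetical stand-ins for ProcessManager, the libprocess clock and finalize(). The weak_ptr in the timer is instrumentation so the wrong ordering can be observed without dereferencing freed memory (in libprocess the access goes through a raw global pointer and is what ASan reports as heap-use-after-free). The fix mirrors the attached patch's title: stop the clock, which joins its thread, before deleting the manager.

```cpp
#include <atomic>
#include <chrono>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Stand-in for libprocess's ProcessManager (hypothetical name).
struct Manager {
  std::atomic<int> delivered{0};
  void deliver() { ++delivered; }
};

// Stand-in for the libprocess clock: one thread fires due timers every tick.
class Clock {
 public:
  using Timer = std::function<void()>;
  void start() {
    running_ = true;
    thread_ = std::thread([this] { run(); });
  }
  void schedule(Timer t) {
    std::lock_guard<std::mutex> lock(mutex_);
    timers_.push_back(std::move(t));
  }
  // Joining the timer thread guarantees no timer fires after stop() returns;
  // this is the ordering the attached patch title describes.
  void stop() {
    running_ = false;
    if (thread_.joinable()) thread_.join();
  }
  ~Clock() { stop(); }

 private:
  void run() {
    while (running_) {
      std::vector<Timer> due;
      {
        std::lock_guard<std::mutex> lock(mutex_);
        due.swap(timers_);
      }
      for (auto& t : due) t();  // timers may re-arm via schedule()
      std::this_thread::sleep_for(std::chrono::milliseconds(1));
    }
  }
  std::atomic<bool> running_{false};
  std::thread thread_;
  std::mutex mutex_;
  std::vector<Timer> timers_;
};

// A self-rearming timer that dispatches to the manager, like the reaper's
// periodic dispatch in the ASan stack. The weak_ptr is instrumentation only:
// it lets a firing after finalize be counted instead of touching freed memory.
static void arm(Clock& clock, std::weak_ptr<Manager> mgr,
                std::atomic<int>& fired_after_free) {
  clock.schedule([&clock, mgr, &fired_after_free] {
    if (std::shared_ptr<Manager> m = mgr.lock()) {
      m->deliver();
    } else {
      ++fired_after_free;  // timer ran after finalize released the manager
    }
    arm(clock, mgr, fired_after_free);
  });
}

// Buggy order from the report: release the manager while the clock still
// runs. Returns how many timer firings found the manager already gone.
int finalize_before_stopping_clock() {
  std::atomic<int> fired_after_free{0};
  Clock clock;
  std::shared_ptr<Manager> manager = std::make_shared<Manager>();
  arm(clock, manager, fired_after_free);
  clock.start();
  manager.reset();  // analogue of `delete process_manager` in finalize()
  // Bounded wait for the still-ticking clock to fire against the dead manager.
  for (int i = 0; i < 2000 && fired_after_free == 0; ++i) {
    std::this_thread::sleep_for(std::chrono::milliseconds(1));
  }
  clock.stop();
  return fired_after_free;
}

// Fixed order: stop the clock (join its thread) before releasing the manager.
int stop_clock_before_finalize() {
  std::atomic<int> fired_after_free{0};
  Clock clock;
  std::shared_ptr<Manager> manager = std::make_shared<Manager>();
  arm(clock, manager, fired_after_free);
  clock.start();
  std::this_thread::sleep_for(std::chrono::milliseconds(20));
  clock.stop();     // nothing can fire once this returns
  manager.reset();  // now safe: no timer will dispatch to it
  return fired_after_free;
}
```

finalize_before_stopping_clock() returns a positive count, the observable signature of the race in the report; stop_clock_before_finalize() returns 0 deterministically, because join() establishes that every timer firing happens before the manager is released. The same rule generalizes to any global torn down in finalize(): every thread that can reach it must be stopped and joined first, and a sanitizer build (the CXXFLAGS in the Environment field) is the cheapest way to catch the cases where it is not.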