Posted to issues@mesos.apache.org by "Cody Maloney (JIRA)" <ji...@apache.org> on 2015/02/27 03:52:05 UTC

[jira] [Created] (MESOS-2417) Memory use after free with process::finalize()

Cody Maloney created MESOS-2417:
-----------------------------------

             Summary: Memory use after free with process::finalize()
                 Key: MESOS-2417
                 URL: https://issues.apache.org/jira/browse/MESOS-2417
             Project: Mesos
          Issue Type: Bug
          Components: libprocess
         Environment: ArchLinux building Mesos with AddressSanitizer (http://clang.llvm.org/docs/AddressSanitizer.html)

CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O2" CC=clang CXX=clang++ ../configure --disable-python --enable-silent-rules --disable-java
            Reporter: Cody Maloney
            Priority: Minor


Below are the three relevant stacks (a dump from AddressSanitizer). The first stack is the clock being triggered, referencing process_manager after
it has been deleted by the second stack in the printing. The final stack printed is the initial allocation.

==30852==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000009b7c at pc 0x000000e5a2c8 bp 0x7f8a247f7640 sp 0x7f8a247f7638
READ of size 1 at 0x611000009b7c thread T9
    #0 0xe5a2c7 in Synchronizable::acquire() /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:36:9
    #1 0xe5a2c7 in Synchronized::Synchronized(Synchronizable*) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:77
    #2 0xe5a2c7 in process::ProcessManager::use(process::UPID const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:1940
    #3 0xe80515 in process::ProcessManager::deliver(process::UPID const&, process::Event*, process::ProcessBase*) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:2114:35
    #4 0xe8d5fc in process::internal::dispatch(process::UPID const&, std::shared_ptr<std::function<void (process::ProcessBase*)> > const&, Option<std::type_info const*> const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:3034:3
    #5 0xf2ec76 in void process::dispatch<process::ReaperProcess>(process::PID<process::ReaperProcess> const&, void (process::ReaperProcess::*)()) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/include/process/c++11/dispatch.hpp:81:3
    #6 0xe59dd8 in std::function<void ()>::operator()() const /usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
    #7 0xe59dd8 in process::Timer::operator()() const /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/include/process/timer.hpp:30
    #8 0xe59dd8 in process::timedout(std::list<process::Timer, std::allocator<process::Timer> > const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:676
    #9 0xd72a88 in std::function<void (std::list<process::Timer, std::allocator<process::Timer> > const&)>::operator()(std::list<process::Timer, std::allocator<process::Timer> > const&) const /usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
    #10 0xd72a88 in process::clock::tick(process::Time const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/clock.cpp:171
    #11 0xf5b81c in std::function<void ()>::operator()() const /usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
    #12 0xf5b81c in process::internal::handle_delay(ev_loop*, ev_timer*, int) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/libev.cpp:65
    #13 0xfe6e34 in ev_invoke_pending /home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.c:2994:11
    #14 0xfe79b2 in ev_run /home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.c:3394:7
    #15 0xf5c625 in ev_loop(ev_loop*, int) /home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.h:826:50
    #16 0xf5c625 in process::EventLoop::run(void*) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/libev.cpp:121
    #17 0x7f8a31be7373 in start_thread (/usr/lib/libpthread.so.0+0x7373)
    #18 0x7f8a3019f27c in __clone (/usr/lib/libc.so.6+0xe827c)

0x611000009b7c is located 60 bytes inside of 224-byte region [0x611000009b40,0x611000009c20)
freed by thread T0 here:
    #0 0x55a78b in operator delete(void*) (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a78b)
    #1 0x76ef1e in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:40:3
    #2 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

previously allocated by thread T0 here:
    #0 0x55a24b in operator new(unsigned long) (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a24b)
    #1 0xe5b911 in process::initialize(std::string const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:781:3
    #2 0x76ed33 in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:21:3
    #3 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

Thread T9 created by T0 here:
    #0 0x5a971f in pthread_create (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x5a971f)
    #1 0xe5ba89 in process::initialize(std::string const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:823:7
    #2 0x76ed33 in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:21:3
    #3 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-use-after-free /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:36 Synchronizable::acquire()
==30852==ABORTING

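A minimal stand-in for the shutdown ordering in this report, added here as an illustration and not libprocess code: a heap-allocated manager that a background timer thread touches on every tick, with finalize_unsafe() mirroring the order the stacks above show (delete before the event-loop thread is stopped) and finalize_safe() showing the order that avoids the use-after-free. The names Manager and Runtime and the tick interval are invented for the example.

```cpp
#include <atomic>
#include <chrono>
#include <mutex>
#include <thread>

// Hypothetical stand-in for ProcessManager: heap object whose lock the
// timer thread acquires on every tick, as ProcessManager::use() does above.
struct Manager {
  std::mutex lock;
  int delivered = 0;
  void deliver() { std::lock_guard<std::mutex> g(lock); ++delivered; }
};

// Hypothetical stand-in for the libprocess lifecycle (initialize/finalize).
struct Runtime {
  Manager* manager = nullptr;        // plays the role of process_manager
  std::thread loop;                  // plays the role of the event-loop thread (T9)
  std::atomic<bool> running{false};

  void initialize() {
    manager = new Manager();         // "previously allocated by thread T0"
    running = true;
    loop = std::thread([this] {
      do {                           // each tick dispatches through the manager
        manager->deliver();
        std::this_thread::sleep_for(std::chrono::microseconds(50));
      } while (running.load());
    });
  }

  // Order reported by ASan: the manager is freed while the loop thread may
  // still be inside a tick; its next deliver() is a heap-use-after-free.
  void finalize_unsafe() {
    delete manager;                  // "freed by thread T0 here"
    running = false;
    loop.join();
    manager = nullptr;
  }

  // Correct order: stop the loop, join it, and only then free what it used.
  int finalize_safe() {
    running = false;
    loop.join();                     // no tick can run past this point
    int ticks = manager->delivered;
    delete manager;
    manager = nullptr;
    return ticks;
  }
};
```

Built with the CXXFLAGS from the Environment field, calling finalize_unsafe() instead of finalize_safe() can reproduce the same heap-use-after-free report, with the timing of the race deciding whether a given run trips it.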