Posted to commits@doris.apache.org by GitBox <gi...@apache.org> on 2021/03/07 06:26:43 UTC

[GitHub] [incubator-doris] stdpain opened a new issue #5480: [BUG] stack-buffer-overflow in broker-writer

stdpain opened a new issue #5480:
URL: https://github.com/apache/incubator-doris/issues/5480


   **Describe the bug**
   stack-buffer-overflow
   
   **To Reproduce**
   It's hard to reproduce
   
   **Screenshots**
   ```
   start time: Sun Mar 7 01:11:43 CST 2021
   ==13644==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fc5b83348c0; bottom 0x7fc577e46000; size: 0x0000404ee8c0 (1078913216)
   False positive error reports may follow
   For details see https://github.com/google/sanitizers/issues/189
   =================================================================
   ==13644==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fc577e47b28 at pc 0x000002629e23 bp 0x7fc577e47a70 sp 0x7fc577e47a68
   WRITE of size 24 at 0x7fc577e47b28 thread T295
       #0 0x2629e22 in boost::function2<doris::ThriftClientImpl*, doris::TNetworkAddress const&, void**>::assign_to_own(boost::function2<doris::ThriftClientImpl*, doris::TNetworkAddress const&, void**> const&) /home/work/teamcity/agent/work/4304a7ff82e9a41d/thirdparty/installed/include/boost/function/function_template.hpp:898
       #1 0x262556a in boost::function2<doris::ThriftClientImpl*, doris::TNetworkAddress const&, void**>::function2(boost::function2<doris::ThriftClientImpl*, doris::TNetworkAddress const&, void**> const&) /home/work/teamcity/agent/work/4304a7ff82e9a41d/thirdparty/installed/include/boost/function/function_template.hpp:742
       #2 0x261f6e4 in boost::function<doris::ThriftClientImpl* (doris::TNetworkAddress const&, void**)>::function(boost::function<doris::ThriftClientImpl* (doris::TNetworkAddress const&, void**)> const&) /home/work/teamcity/agent/work/4304a7ff82e9a41d/thirdparty/installed/include/boost/function/function_template.hpp:1080
       #3 0x2776896 in doris::ClientCache<doris::TPaloBrokerServiceClient>::reopen_client(doris::TPaloBrokerServiceClient**, int) ../src/runtime/client_cache.h:246
       #4 0x2775f42 in doris::ClientConnection<doris::TPaloBrokerServiceClient>::reopen() ../src/runtime/client_cache.h:176
       #5 0x3681406 in doris::BrokerWriter::open() ../src/exec/broker_writer.cpp:93
       #6 0x3ae20c4 in doris::FileResultWriter::_create_file_writer() ../src/runtime/file_result_writer.cpp:76
       #7 0x3ae0ebe in doris::FileResultWriter::init(doris::RuntimeState*) ../src/runtime/file_result_writer.cpp:53
       #8 0x3a2f4b6 in doris::ResultSink::prepare(doris::RuntimeState*) ../src/runtime/result_sink.cpp:88
       #9 0x27a6071 in doris::PlanFragmentExecutor::prepare(doris::TExecPlanFragmentParams const&, doris::QueryFragmentsCtx const*) ../src/runtime/plan_fragment_executor.cpp:201
       #10 0x25fcf01 in doris::FragmentExecState::prepare(doris::TExecPlanFragmentParams const&) ../src/runtime/fragment_mgr.cpp:210
       #11 0x2604977 in doris::FragmentMgr::exec_plan_fragment(doris::TExecPlanFragmentParams const&, std::function<void (doris::PlanFragmentExecutor*)>) ../src/runtime/fragment_mgr.cpp:519
       #12 0x2603362 in doris::FragmentMgr::exec_plan_fragment(doris::TExecPlanFragmentParams const&) ../src/runtime/fragment_mgr.cpp:446
       #13 0x28ec369 in doris::PInternalServiceImpl<doris::PBackendService>::_exec_plan_fragment(brpc::Controller*) ../src/service/internal_service.cpp:142
       #14 0x28e8fc5 in doris::PInternalServiceImpl<doris::PBackendService>::exec_plan_fragment(google::protobuf::RpcController*, doris::PExecPlanFragmentRequest const*, doris::PExecPlanFragmentResult*, google::protobuf::Closure*) ../src/service/internal_service.cpp:80
       #15 0x311b094 in doris::PBackendService::CallMethod(google::protobuf::MethodDescriptor const*, google::protobuf::RpcController*, google::protobuf::Message const*, google::protobuf::Message*, google::protobuf::Closure*) /home/work/teamcity/agent/work/4304a7ff82e9a41d/core/gensrc/build/gen_cpp/internal_service.pb.cc:11753
       #16 0x40b45a0 in brpc::policy::ProcessRpcRequest(brpc::InputMessageBase*) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/policy/baidu_rpc_protocol.cpp:495
       #17 0x40a9776 in brpc::ProcessInputMessage(void*) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/input_messenger.cpp:133
       #18 0x40aa5f0 in brpc::RunLastMessage::operator()(brpc::InputMessageBase*) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/input_messenger.cpp:139
       #19 0x40aa5f0 in brpc::InputMessenger::OnNewMessages(brpc::Socket*) /opt/stdpain/palo/doris/doris-toolchain/gcc730/include/c++/7.3.0/bits/unique_ptr.h:268
       #20 0x41532cc in brpc::Socket::ProcessEvent(void*) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/socket.cpp:1077
       #21 0x4208a46 in bthread::TaskGroup::task_runner(long) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/bthread/task_group.cpp:293
       #22 0x41f1810 in bthread_make_fcontext (/home/disk1/palo_qa/teamcity/9535/PALO-BE/be/lib/palo_be+0x41f1810)
   
   Address 0x7fc577e47b28 is a wild pointer.
   SUMMARY: AddressSanitizer: stack-buffer-overflow /home/work/teamcity/agent/work/4304a7ff82e9a41d/thirdparty/installed/include/boost/function/function_template.hpp:898 in boost::function2<doris::ThriftClientImpl*, doris::TNetworkAddress const&, void**>::assign_to_own(boost::function2<doris::ThriftClientImpl*, doris::TNetworkAddress const&, void**> const&)
   Shadow bytes around the buggy address:
     0x0ff92efc0f10: 01 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2
     0x0ff92efc0f20: 04 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2
     0x0ff92efc0f30: 00 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2
     0x0ff92efc0f40: 00 00 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
     0x0ff92efc0f50: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
   =>0x0ff92efc0f60: f1 f1 f1 f1 00[00]f2 f2 f3 f3 f3 f3 00 00 00 00
     0x0ff92efc0f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0x0ff92efc0f80: 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2 f2 01 f2
     0x0ff92efc0f90: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
     0x0ff92efc0fa0: f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 00
     0x0ff92efc0fb0: f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 00
   Shadow byte legend (one shadow byte represents 8 application bytes):
     Addressable:           00
     Partially addressable: 01 02 03 04 05 06 07 
     Heap left redzone:       fa
     Freed heap region:       fd
     Stack left redzone:      f1
     Stack mid redzone:       f2
     Stack right redzone:     f3
     Stack after return:      f5
     Stack use after scope:   f8
     Global redzone:          f9
     Global init order:       f6
     Poisoned by user:        f7
     Container overflow:      fc
     Array cookie:            ac
     Intra object redzone:    bb
     ASan internal:           fe
     Left alloca redzone:     ca
     Right alloca redzone:    cb
   Thread T295 created by T0 here:
       #0 0x1959410 in __interceptor_pthread_create ../../../../gcc-7.3.0/libsanitizer/asan/asan_interceptors.cc:243
       #1 0x42027fc in bthread::TaskControl::init(int) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/bthread/task_control.cpp:162
       #2 0x41edafd in bthread::get_or_new_task_control() /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/bthread/bthread.cpp:88
       #3 0x41edafd in bthread::start_from_non_worker(unsigned long*, bthread_attr_t const*, void* (*)(void*), void*) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/bthread/bthread.cpp:125
       #4 0x41edafd in bthread_start_background /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/bthread/bthread.cpp:190
       #5 0x40a3465 in GlobalInitializeOrDieImpl /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/global.cpp:594
       #6 0x7fc662dd9972 in __GI___pthread_once (/opt/compiler/gcc-4.8.2/lib64/libpthread.so.0+0xd972)
       #7 0x413baa2 in brpc::Server::InitializeOnce() /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/server.cpp:601
       #8 0x413d620 in brpc::Server::AddServiceInternal(google::protobuf::Service*, bool, brpc::ServiceOptions const&) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/server.cpp:1169
       #9 0x413ecf7 in brpc::Server::AddService(google::protobuf::Service*, brpc::ServiceOwnership) /opt/stdpain/palo/doris/core/thirdparty/src/incubator-brpc-0.9.5/src/brpc/server.cpp:1391
       #10 0x28d663f in doris::BRpcService::start(int) ../src/service/brpc_service.cpp:45
       #11 0x1a390e9 in main ../src/service/doris_main.cpp:231
       #12 0x7fc66300bbd4 in __libc_start_main (/opt/compiler/gcc-4.8.2/lib64/libc.so.6+0x21bd4)
   
   ```
   
   **Additional context**
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org


[GitHub] [incubator-doris] yangzhg closed issue #5480: [BUG] stack-buffer-overflow in broker-writer

Posted by GitBox <gi...@apache.org>.
yangzhg closed issue #5480:
URL: https://github.com/apache/incubator-doris/issues/5480


   

