Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2015/09/15 19:03:45 UTC

[jira] [Commented] (TS-3915) Regression fails when compiled with asan, heap-use-after-free

    [ https://issues.apache.org/jira/browse/TS-3915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14745742#comment-14745742 ] 

Bryan Call commented on TS-3915:
--------------------------------

Failed in a different location:
{code}
REGRESSION TEST Cache_vol started
RPRINT Cache_vol: 1 128 Megabyte Volumes
RPRINT Cache_vol: Not enough space for 10 volume
RPRINT Cache_vol: Random Volumes after clearing the disks
RPRINT Cache_vol: volume=1 scheme=http size=128
RPRINT Cache_vol: Random Volumes without clearing the disks
RPRINT Cache_vol: volume=1 scheme=rtsp size=128
=================================================================
==14555==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000a3420 at pc 0x000000a3905b bp 0x7ffdd7c00080 sp 0x7ffdd7c00070
READ of size 8 at 0x6040000a3420 thread T0 ([ET_NET 0])
    #0 0xa3905a in cplist_update /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2702
    #1 0xa3905a in cplist_reconfigure() /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2846
    #2 0xa7c8ee in execute_and_verify(RegressionTest*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:996
    #3 0xa7db50 in RegressionTest_Cache_vol(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:842
    #4 0x7fa7b07ecf69 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
    #5 0x7fa7b07ecf69 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
    #6 0x7fa7b07ed366 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
    #7 0x563773 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1210
    #8 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #9 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #10 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
    #11 0x497d2c in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1812
    #12 0x7fa7ad8826ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #13 0x4a80e8 in _start (/usr/local/bin/traffic_server+0x4a80e8)

0x6040000a3420 is located 16 bytes inside of 40-byte region [0x6040000a3410,0x6040000a3438)
freed by thread T0 ([ET_NET 0]) here:
    #0 0x7fa7b0acdf0a in operator delete(void*) (/lib64/libasan.so.2+0x99f0a)
    #1 0xa7350c in CacheDisk::delete_volume(int) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheDisk.cc:330
    #2 0xa37bed in cplist_update /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2684
    #3 0xa37bed in cplist_reconfigure() /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2846
    #4 0xa7c8ee in execute_and_verify(RegressionTest*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:996
    #5 0xa7db50 in RegressionTest_Cache_vol(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:842
    #6 0x7fa7b07ecf69 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
    #7 0x7fa7b07ecf69 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
    #8 0x7fa7b07ed366 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
    #9 0x563773 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1210
    #10 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #11 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #12 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
    #13 0x497d2c in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1812
    #14 0x7fa7ad8826ff in __libc_start_main (/lib64/libc.so.6+0x206ff)

previously allocated by thread T0 ([ET_NET 0]) here:
    #0 0x7fa7b0acd912 in operator new(unsigned long) (/lib64/libasan.so.2+0x99912)
    #1 0xa7210b in CacheDisk::create_volume(int, long, int) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheDisk.cc:296
    #2 0xa321cc in create_volume /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:3023
    #3 0xa38a8b in create_volume /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2984
    #4 0xa38a8b in cplist_reconfigure() /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2877
    #5 0xa7c8ee in execute_and_verify(RegressionTest*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:996
    #6 0xa7db50 in RegressionTest_Cache_vol(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:842
    #7 0x7fa7b07ecf69 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
    #8 0x7fa7b07ecf69 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
    #9 0x7fa7b07ed366 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
    #10 0x563773 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1210
    #11 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #12 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #13 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
    #14 0x497d2c in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1812
    #15 0x7fa7ad8826ff in __libc_start_main (/lib64/libc.so.6+0x206ff)

SUMMARY: AddressSanitizer: heap-use-after-free /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2702 cplist_update
Shadow bytes around the buggy address:
  0x0c088000c630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c670: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c088000c680: fa fa fd fd[fd]fd fd fa fa fa fd fd fd fd fd fd
  0x0c088000c690: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
  0x0c088000c6a0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
  0x0c088000c6b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c088000c6c0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 05
  0x0c088000c6d0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14555==ABORTING
{code}


> Regression fails when compiled with asan, heap-use-after-free
> -------------------------------------------------------------
>
>                 Key: TS-3915
>                 URL: https://issues.apache.org/jira/browse/TS-3915
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: TS API
>            Reporter: Bryan Call
>
> Running regression with asan enabled on Fedora 22:
> {code}
> CXXFLAGS="-Werror -fno-omit-frame-pointer -fsanitize=address" CFLAGS="-Werror" SPDYLAY_CFLAGS="-I /usr/local/include/" SPDYLAY_LIBS="-L/usr/local/lib -lspdylay"  ./configure --enable-ccache --enable-spdy --disable-freelist
> REGRESSION TEST SDK_API_HttpTxnTransform started
> Regression test(SDK_API_HttpTxnTransform) still in progress
> [SDK_API_HttpTxnTransform] TSTransformCreate : [TestCase1] <<PASS>> { ok }
> [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { ok }
> [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { ok }
> [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { ok }
> [SDK_API_HttpTxnTransform] TSHttpTxnUntransformedResponseCache : [TestCase1] <<PASS>> { ok }
> [SDK_API_HttpTxnTransform] TSHttpTxnTransformedResponseCache : [TestCase1] <<PASS>> { ok }
> =================================================================
> ==14340==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800d59276b at pc 0x0000005cb466 bp 0x7f4f46b88b40 sp 0x7f4f46b88b30
> READ of size 1 at 0x60800d59276b thread T9 ([ET_NET 8])
>     #0 0x5cb465 in transformtest_transform /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6318
>     #1 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #2 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #3 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #4 0xc32438 in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86
>     #5 0x7f4f4da8c554 in start_thread (/lib64/libpthread.so.0+0x7554)
>     #6 0x7f4f4c9bcb9c in __clone (/lib64/libc.so.6+0x102b9c)
> 0x60800d59276b is located 75 bytes inside of 96-byte region [0x60800d592720,0x60800d592780)
> freed by thread T4 ([ET_NET 3]) here:
>     #0 0x7f4f4fb2470a in __interceptor_free (/lib64/libasan.so.2+0x9870a)
>     #1 0x5de815 in transform_hook_handler /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6637
>     #2 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #3 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #4 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #5 0xc32438 in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86
>     #6 0x7f4f4da8c554 in start_thread (/lib64/libpthread.so.0+0x7554)
> previously allocated by thread T0 ([ET_NET 0]) here:
>     #0 0x7f4f4fb24a0a in malloc (/lib64/libasan.so.2+0x98a0a)
>     #1 0x7f4f4f859ae5 in ats_malloc /home/bcall/dev/apache/trafficserver/lib/ts/ink_memory.cc:54
>     #2 0x5d3d2a in RegressionTest_SDK_API_HttpTxnTransform(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6663
>     #3 0x7f4f4f844f69 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
>     #4 0x7f4f4f844f69 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
>     #5 0x7f4f4f845366 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
>     #6 0x563773 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1210
>     #7 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #8 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #9 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #10 0x497d2c in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1812
>     #11 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
> Thread T9 ([ET_NET 8]) created by T0 ([ET_NET 0]) here:
>     #0 0x7f4f4fac2703 in pthread_create (/lib64/libasan.so.2+0x36703)
>     #1 0xc32eda in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc32eda in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xc3b0d4 in EventProcessor::start(int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x496abf in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1624
>     #5 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
> Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
>     #0 0x7f4f4fac2703 in pthread_create (/lib64/libasan.so.2+0x36703)
>     #1 0xc32eda in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc32eda in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xc3b0d4 in EventProcessor::start(int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x496abf in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1624
>     #5 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
> SUMMARY: AddressSanitizer: heap-use-after-free /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6318 transformtest_transform
> Shadow bytes around the buggy address:
>   0x0c1081aaa490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c1081aaa4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c1081aaa4b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c1081aaa4c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c1081aaa4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c1081aaa4e0: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
>   0x0c1081aaa4f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c1081aaa500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c1081aaa510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c1081aaa520: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c1081aaa530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==14340==ABORTING
> {code}


