Posted to dev@qpid.apache.org by "Ken Giusti (Jira)" <ji...@apache.org> on 2021/08/10 21:24:00 UTC
[jira] [Updated] (DISPATCH-2076) [ASan] use-after-poison in qd_connector_decref during system_tests_edge_router
[ https://issues.apache.org/jira/browse/DISPATCH-2076?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ken Giusti updated DISPATCH-2076:
---------------------------------
Fix Version/s: 1.18.0 (was: 1.17.0)
> [ASan] use-after-poison in qd_connector_decref during system_tests_edge_router
> ------------------------------------------------------------------------------
>
> Key: DISPATCH-2076
> URL: https://issues.apache.org/jira/browse/DISPATCH-2076
> Project: Qpid Dispatch
> Issue Type: Bug
> Affects Versions: 1.16.0
> Reporter: Jiri Daněk
> Priority: Minor
> Labels: asan
> Fix For: 1.18.0
>
>
> https://github.com/apache/qpid-dispatch/runs/2425607516?check_suite_focus=true#step:9:6961
> {noformat}
> 54: ==4179==ERROR: AddressSanitizer: use-after-poison on address 0x61e0000295d0 at pc 0x7ff6f63ac8b4 bp 0x7ff6ee0c7010 sp 0x7ff6ee0c7000
> 54: WRITE of size 8 at 0x61e0000295d0 thread T2
> 54: #0 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1693
> 54: #1 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1688
> 54: #2 0x7ff6f031eff4 (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
> 54: #3 0x7ff6f031e409 (/lib/x86_64-linux-gnu/libffi.so.7+0x6409)
> 54: #4 0x7ff6f034502e in _call_function_pointer /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:816
> 54: #5 0x7ff6f034502e in _ctypes_callproc /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:1188
> 54: #6 0x7ff6f0341b33 in PyCFuncPtr_call /home/vsts/work/1/s/SourceCode/Modules/_ctypes/_ctypes.c:4025
> 54: #7 0x7ff6f488e998 in _PyObject_FastCallKeywords Objects/call.c:199
> 54: #8 0x7ff6f4901c78 in call_function Python/ceval.c:4619
> 54: #9 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
> 54: #10 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
> 54: #11 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
> 54: #12 0x7ff6f4901aee in call_function Python/ceval.c:4616
> 54: #13 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
> 54: #14 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
> 54: #15 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
> 54: #16 0x7ff6f4901aee in call_function Python/ceval.c:4616
> 54: #17 0x7ff6f48fa58c in _PyEval_EvalFrameDefault Python/ceval.c:3124
> 54: #18 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
> 54: #19 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
> 54: #20 0x7ff6f4901aee in call_function Python/ceval.c:4616
> 54: #21 0x7ff6f48fa629 in _PyEval_EvalFrameDefault Python/ceval.c:3110
> 54: #22 0x7ff6f48f8fa2 in _PyEval_EvalCodeWithName Python/ceval.c:3930
> 54: #23 0x7ff6f488f807 in _PyFunction_FastCallDict Objects/call.c:376
> 54: #24 0x7ff6f488fc89 in _PyObject_Call_Prepend Objects/call.c:906
> 54: #25 0x7ff6f488e1ec in _PyObject_FastCallDict Objects/call.c:125
> 54: #26 0x7ff6f488f467 in _PyObject_CallFunctionVa Objects/call.c:959
> 54: #27 0x7ff6f489007c in _PyObject_CallFunctionVa Objects/call.c:932
> 54: #28 0x7ff6f489007c in PyObject_CallFunction Objects/call.c:979
> 54: #29 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:660
> 54: #30 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:631
> 54: #31 0x7ff6f62e799b in qdr_forward_on_message ../src/router_core/forwarder.c:336
> 54: #32 0x7ff6f630b5ed in qdr_general_handler ../src/router_core/router_core.c:927
> 54: #33 0x7ff6f63b16a2 in qd_timer_visit ../src/timer.c:205
> 54: #34 0x7ff6f639d8e6 in handle ../src/server.c:1006
> 54: #35 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
> 54: #36 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 54: #37 0x7ff6f51e4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 54:
> 54: 0x61e0000295d0 is located 336 bytes inside of 2624-byte region [0x61e000029480,0x61e000029ec0)
> 54: allocated by thread T2 here:
> 54: #0 0x7ff6f6a8baa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
> 54: #1 0x7ff6f6180810 in qd_alloc ../src/alloc_pool.c:397
> 54: #2 0x7ff6f639999f in qd_server_connection ../src/server.c:567
> 54: #3 0x7ff6f63aac13 in on_accept ../src/server.c:599
> 54: #4 0x7ff6f63aac13 in handle_listener ../src/server.c:853
> 54: #5 0x7ff6f639d7b5 in handle_event_with_context ../src/server.c:802
> 54: #6 0x7ff6f639d7b5 in do_handle_raw_connection_event ../src/server.c:808
> 54: #7 0x7ff6f639d7b5 in handle ../src/server.c:1088
> 54: #8 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
> 54: #9 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 54:
> 54: Thread T2 created by T0 here:
> 54: #0 0x7ff6f69b7805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
> 54: #1 0x7ff6f626100f in sys_thread ../src/posix/threading.c:181
> 54: #2 0x7ff6f63a81c6 in qd_server_run ../src/server.c:1485
> 54: #3 0x5571ce0981bc in main_process ../router/src/main.c:115
> 54: #4 0x5571ce097ce0 in main ../router/src/main.c:369
> 54: #5 0x7ff6f50e90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> 54:
> 54: SUMMARY: AddressSanitizer: use-after-poison ../src/server.c:1693 in qd_connector_decref
> 54: Shadow bytes around the buggy address:
> 54: 0x0c3c7fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 54: 0x0c3c7fffd270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 54: 0x0c3c7fffd280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 54: 0x0c3c7fffd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 54: 0x0c3c7fffd2a0: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: =>0x0c3c7fffd2b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
> 54: 0x0c3c7fffd2c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: 0x0c3c7fffd2d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: 0x0c3c7fffd2e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: 0x0c3c7fffd2f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: 0x0c3c7fffd300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: Shadow byte legend (one shadow byte represents 8 application bytes):
> 54: Addressable: 00
> 54: Partially addressable: 01 02 03 04 05 06 07
> 54: Heap left redzone: fa
> 54: Freed heap region: fd
> 54: Stack left redzone: f1
> 54: Stack mid redzone: f2
> 54: Stack right redzone: f3
> 54: Stack after return: f5
> 54: Stack use after scope: f8
> 54: Global redzone: f9
> 54: Global init order: f6
> 54: Poisoned by user: f7
> 54: Container overflow: fc
> 54: Array cookie: ac
> 54: Intra object redzone: bb
> 54: ASan internal: fe
> 54: Left alloca redzone: ca
> 54: Right alloca redzone: cb
> 54: Shadow gap: cc
> 54: ==4179==ABORTING
> {noformat}