Posted to issues@trafficserver.apache.org by "Susan Hinrichs (JIRA)" <ji...@apache.org> on 2015/07/03 13:38:04 UTC

[jira] [Comment Edited] (TS-3710) ASAN crash in TLS with 6.0.0

    [ https://issues.apache.org/jira/browse/TS-3710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14612170#comment-14612170 ] 

Susan Hinrichs edited comment on TS-3710 at 7/3/15 11:37 AM:
-------------------------------------------------------------

A new patch to try in ts-3710-2.diff.  It includes some extra debugs that I have in for tracking another issue.  If this works, I'll pull them out before committing.

Talking with Alan, we decided to consider the case that ASAN might be mistaken in which "delete this" line is called.  In the success case, there is a window of opportunity when inactivity timeout gets called after the NET_EVENT_ACCEPT is sent and the trampoline is deleted, but before the NET_EVENT_ACCEPT is processed and a new do_io_read is set to clear the reference to the deleted trampoline.

A similar issue was fixed for the other trampoline a few months ago.  So in any case, we should fix it here as well.
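The lifetime window described above, as an added C++ model that is not Traffic Server code: the trampoline queues NET_EVENT_ACCEPT and deletes itself, the inactivity cop runs before that event is processed, and whether the cop finds a dangling read continuation depends on whether the trampoline cleared the vc's reference first. All class and function names are hypothetical stand-ins, a liveness registry takes the place of ASAN's shadow bytes, and "clear the reference before delete this" is an assumed way to close the window, not the contents of ts-3710-2.diff.

```cpp
#include <set>
#include <utility>
#include <vector>
// Hypothetical event ids standing in for NET_EVENT_ACCEPT / VC_EVENT_INACTIVITY_TIMEOUT.
enum { NET_EVENT_ACCEPT = 1, VC_EVENT_INACTIVITY_TIMEOUT = 2 };
// Liveness registry: lets the model spot a dangling continuation pointer without
// dereferencing freed memory (ASAN does the same job for real via shadow bytes).
static std::set<const void *> g_live;
struct Continuation {
  Continuation() { g_live.insert(this); }
  virtual ~Continuation() { g_live.erase(this); }
  virtual void handleEvent(int event) = 0;
};
// Deferred event queue: "sending" NET_EVENT_ACCEPT does not run the receiver until the
// event thread gets back to it, which is exactly the window the comment describes.
static std::vector<std::pair<Continuation *, int>> g_events;
// The vc keeps a raw pointer to whoever currently owns its read side.
struct VConnection { Continuation *read_cont = nullptr; void do_io_read(Continuation *c) { read_cont = c; } };
// Accept-side continuation: on NET_EVENT_ACCEPT it takes over the read side.
struct AcceptHandler : Continuation {
  VConnection *vc; explicit AcceptHandler(VConnection *v) : vc(v) {}
  void handleEvent(int) override { vc->do_io_read(this); }
};
// Stand-in for the trampoline: queues the accept event, then "delete this".
// detach_first models one assumed fix: clear the vc's reference before self-deleting.
struct Trampoline : Continuation {
  VConnection *vc; Continuation *target; bool detach_first;
  Trampoline(VConnection *v, Continuation *t, bool d) : vc(v), target(t), detach_first(d) { vc->do_io_read(this); }
  void handleEvent(int) override {
    if (detach_first) vc->do_io_read(nullptr);
    g_events.emplace_back(target, NET_EVENT_ACCEPT);
    delete this;  // nothing below may touch members
  }
};
enum CopResult { COP_SKIPPED, COP_DISPATCHED, COP_DANGLING };
// The inactivity cop as modelled: deliver the timeout to vc->read_cont, but report
// instead of touching it when that pointer refers to freed memory.
CopResult check_inactivity(VConnection *vc) {
  if (!vc->read_cont) return COP_SKIPPED;
  if (!g_live.count(vc->read_cont)) return COP_DANGLING;  // the real code would read freed memory here
  vc->read_cont->handleEvent(VC_EVENT_INACTIVITY_TIMEOUT);
  return COP_DISPATCHED;
}
// Replay the window: trampoline completes, the cop fires, and only then does the
// queued NET_EVENT_ACCEPT run and do_io_read repoint the vc at the accept handler.
CopResult run_window(bool fixed) {
  g_events.clear();
  VConnection vc;
  AcceptHandler accept(&vc);
  (new Trampoline(&vc, &accept, fixed))->handleEvent(0);
  CopResult seen = check_inactivity(&vc);
  for (auto &e : g_events) e.first->handleEvent(e.second);
  return seen;
}
```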


> ASAN crash in TLS with 6.0.0
> ----------------------------
>
>                 Key: TS-3710
>                 URL: https://issues.apache.org/jira/browse/TS-3710
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 6.0.0
>
>         Attachments: ts-3710-2.diff, ts-3710.diff
>
>
> {code}
> ==9570==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000049f48 at pc 0xb9f969 bp 0x2b8dbc348920 sp 0x2b8dbc348918
> READ of size 8 at 0x606000049f48 thread T8 ([ET_NET 7])
>     #0 0xb9f968 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #1 0xb9f968 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:142
>     #2 0xb9f968 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1115
>     #3 0xb7daf7 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #4 0xb7daf7 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
>     #5 0xc21ffe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #6 0xc21ffe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #7 0xc241f7 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #8 0xc20c18 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #9 0x2b8db3ff6df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #10 0x2b8db585f1ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x606000049f48 is located 8 bytes inside of 56-byte region [0x606000049f40,0x606000049f78)
> freed by thread T8 ([ET_NET 7]) here:
>     #0 0x2b8db1bf3117 in operator delete(void*) ../../.././libsanitizer/asan/asan_new_delete.cc:81
>     #1 0xb5b20e in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89
>     #2 0xbb2eef in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #3 0xbb2eef in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:142
>     #4 0xbb2eef in read_signal_done /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:203
>     #5 0xbb2eef in UnixNetVConnection::readSignalDone(int, NetHandler*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:957
>     #6 0xb55d6d in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:480
>     #7 0xb748fc in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516
>     #8 0xc24e89 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #9 0xc24e89 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #10 0xc24e89 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #11 0xc20c18 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #12 0x2b8db3ff6df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T8 ([ET_NET 7]) here:
>     #0 0x2b8db1bf2c9f in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:50
>     #1 0xb59f8b in SSLNextProtocolAccept::mainEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:134
>     #2 0xb888e9 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #3 0xb888e9 in NetAccept::acceptFastEvent(int, void*) /usr/local/src/trafficserver/iocore/net/UnixNetAccept.cc:466
>     #4 0xc24e89 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #5 0xc24e89 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #6 0xc24e89 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #7 0xc20c18 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #8 0x2b8db3ff6df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T8 ([ET_NET 7]) created by T0 ([ET_NET 0]) here:
>     #0 0x2b8db1bc186a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xc218a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc218a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
>     #3 0xc29e26 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x495e4b in main /usr/local/src/trafficserver/proxy/Main.cc:1621
>     #5 0x2b8db578aaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> SUMMARY: AddressSanitizer: heap-use-after-free ../../iocore/eventsystem/I_Continuation.h:145 Continuation::handleEvent(int, void*)
> Shadow bytes around the buggy address:
>   0x0c0c80001390: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c800013a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
>   0x0c0c800013b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c800013c0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c800013d0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> =>0x0c0c800013e0: fd fd fd fa fa fa fa fa fd[fd]fd fd fd fd fd fa
>   0x0c0c800013f0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c80001400: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
>   0x0c0c80001410: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c80001420: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c80001430: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==9570==ABORTING
> traffic_server: using root directory '/opt/ats'
> traffic_server: using root directory '/opt/ats'
> {code}
> Update: Seems I didn't get the latest version of the code / ASAN report matched up, this should be with 6.0.x proper.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)