Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/22 18:47:17 UTC

[jira] [Resolved] (TS-3633) SPDY memory use after free

     [ https://issues.apache.org/jira/browse/TS-3633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom resolved TS-3633.
-------------------------------
       Resolution: Duplicate
    Fix Version/s:     (was: 6.0.0)

> SPDY memory use after free
> --------------------------
>
>                 Key: TS-3633
>                 URL: https://issues.apache.org/jira/browse/TS-3633
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SPDY
>    Affects Versions: 5.3.0
>            Reporter: Leif Hedstrom
>
> From ASAN:
> {code}
> ==2681==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002785f4 at pc 0x7d9fc2 bp 0x2b9286cae7f0 sp 0x2b9286cae7e8
> READ of size 1 at 0x6110002785f4 thread T4 ([ET_NET 3])
>     #0 0x7d9fc1 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:332
>     #1 0x7d9fc1 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
>     #2 0x4f2258 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
>     #3 0x4f2258 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:254
>     #4 0x4f54aa in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:520
>     #5 0x5a0907 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
>     #6 0x5a0907 in PluginVC::process_write_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:509
>     #7 0x5ab4fd in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:208
>     #8 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #9 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #10 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #11 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #12 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #13 0x2b92811e11ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x6110002785f4 is located 52 bytes inside of 224-byte region [0x6110002785c0,0x6110002786a0)
> freed by thread T4 ([ET_NET 3]) here:
>     #0 0x2b927d5771c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
>     #1 0x7e02a3 in ClassAllocator<SpdyRequest>::free(SpdyRequest*) ../../lib/ts/Allocator.h:134
>     #2 0x7e02a3 in SpdyClientSession::cleanup_request(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.h:137
>     #3 0x7e02a3 in spdy_prepare_status_response_and_clean_request(SpdyClientSession*, int, char const*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:85
>     #4 0x7d8ef4 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:347
>     #5 0x7d8ef4 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
>     #6 0x4f2be5 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
>     #7 0x4f2be5 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:263
>     #8 0x4f3dfa in FetchSM::process_fetch_read(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:469
>     #9 0x4f5492 in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:518
>     #10 0x59f247 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
>     #11 0x59f247 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:629
>     #12 0x5abd79 in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:204
>     #13 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #14 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #15 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #16 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #17 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T4 ([ET_NET 3]) here:
>     #0 0x2b927d57793b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
>     #1 0x2b927e4612d9 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:96
>     #2 0x2b927e461b90 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:243
>     #3 0x7e082a in ClassAllocator<SpdyRequest>::alloc() ../../lib/ts/Allocator.h:120
>     #4 0x7e082a in spdy_on_ctrl_recv_callback(spdylay_session*, spdylay_frame_type, spdylay_frame*, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:312
>     #5 0x2b927f11303f in spdylay_session_call_on_ctrl_frame_received /admin/src/spdylay/lib/spdylay_session.c:1634
>     #6 0x2b927f11303f in spdylay_session_on_syn_stream_received /admin/src/spdylay/lib/spdylay_session.c:1782
>     #7 0x5693900000193
> Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
>     #0 0x2b927d54686a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xc852a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc852a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
>     #3 0xc8d826 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x499003 in main /usr/local/src/trafficserver/proxy/Main.cc:1647
>     #5 0x2b928110caf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)