Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/22 18:46:17 UTC

[jira] [Created] (TS-3633) SPDY memory use after free

Leif Hedstrom created TS-3633:
---------------------------------

             Summary: SPDY memory use after free
                 Key: TS-3633
                 URL: https://issues.apache.org/jira/browse/TS-3633
             Project: Traffic Server
          Issue Type: Bug
          Components: SPDY
            Reporter: Leif Hedstrom


From ASAN (the SpdyRequest freed through cleanup_request() at SpdyClientSession.cc:347 is read again at SpdyClientSession.cc:332 by a later spdy_process_fetch call on the same thread):

{code}
==2681==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002785f4 at pc 0x7d9fc2 bp 0x2b9286cae7f0 sp 0x2b9286cae7e8
READ of size 1 at 0x6110002785f4 thread T4 ([ET_NET 3])
    #0 0x7d9fc1 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:332
    #1 0x7d9fc1 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
    #2 0x4f2258 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #3 0x4f2258 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:254
    #4 0x4f54aa in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:520
    #5 0x5a0907 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #6 0x5a0907 in PluginVC::process_write_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:509
    #7 0x5ab4fd in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:208
    #8 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
    #9 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #10 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
    #11 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #12 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
    #13 0x2b92811e11ac in __clone (/lib64/libc.so.6+0xf61ac)

0x6110002785f4 is located 52 bytes inside of 224-byte region [0x6110002785c0,0x6110002786a0)
freed by thread T4 ([ET_NET 3]) here:
    #0 0x2b927d5771c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7e02a3 in ClassAllocator<SpdyRequest>::free(SpdyRequest*) ../../lib/ts/Allocator.h:134
    #2 0x7e02a3 in SpdyClientSession::cleanup_request(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.h:137
    #3 0x7e02a3 in spdy_prepare_status_response_and_clean_request(SpdyClientSession*, int, char const*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:85
    #4 0x7d8ef4 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:347
    #5 0x7d8ef4 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
    #6 0x4f2be5 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #7 0x4f2be5 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:263
    #8 0x4f3dfa in FetchSM::process_fetch_read(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:469
    #9 0x4f5492 in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:518
    #10 0x59f247 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #11 0x59f247 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:629
    #12 0x5abd79 in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:204
    #13 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
    #14 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #15 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
    #16 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #17 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)

previously allocated by thread T4 ([ET_NET 3]) here:
    #0 0x2b927d57793b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
    #1 0x2b927e4612d9 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:96
    #2 0x2b927e461b90 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:243
    #3 0x7e082a in ClassAllocator<SpdyRequest>::alloc() ../../lib/ts/Allocator.h:120
    #4 0x7e082a in spdy_on_ctrl_recv_callback(spdylay_session*, spdylay_frame_type, spdylay_frame*, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:312
    #5 0x2b927f11303f in spdylay_session_call_on_ctrl_frame_received /admin/src/spdylay/lib/spdylay_session.c:1634
    #6 0x2b927f11303f in spdylay_session_on_syn_stream_received /admin/src/spdylay/lib/spdylay_session.c:1782
    #7 0x5693900000193

Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
    #0 0x2b927d54686a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0xc852a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
    #2 0xc852a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
    #3 0xc8d826 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
    #4 0x499003 in main /usr/local/src/trafficserver/proxy/Main.cc:1647
    #5 0x2b928110caf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
{code}



