Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2021/04/24 07:29:00 UTC
[jira] [Created] (DISPATCH-2076) [ASan] use-after-poison in qd_connector_decref during system_tests_edge_router
Jiri Daněk created DISPATCH-2076:
------------------------------------
Summary: [ASan] use-after-poison in qd_connector_decref during system_tests_edge_router
Key: DISPATCH-2076
URL: https://issues.apache.org/jira/browse/DISPATCH-2076
Project: Qpid Dispatch
Issue Type: Bug
Affects Versions: 1.16.0
Reporter: Jiri Daněk

https://github.com/apache/qpid-dispatch/runs/2425607516?check_suite_focus=true#step:9:6961
{noformat}
54: ==4179==ERROR: AddressSanitizer: use-after-poison on address 0x61e0000295d0 at pc 0x7ff6f63ac8b4 bp 0x7ff6ee0c7010 sp 0x7ff6ee0c7000
54: WRITE of size 8 at 0x61e0000295d0 thread T2
54: #0 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1693
54: #1 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1688
54: #2 0x7ff6f031eff4 (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
54: #3 0x7ff6f031e409 (/lib/x86_64-linux-gnu/libffi.so.7+0x6409)
54: #4 0x7ff6f034502e in _call_function_pointer /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:816
54: #5 0x7ff6f034502e in _ctypes_callproc /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:1188
54: #6 0x7ff6f0341b33 in PyCFuncPtr_call /home/vsts/work/1/s/SourceCode/Modules/_ctypes/_ctypes.c:4025
54: #7 0x7ff6f488e998 in _PyObject_FastCallKeywords Objects/call.c:199
54: #8 0x7ff6f4901c78 in call_function Python/ceval.c:4619
54: #9 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
54: #10 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
54: #11 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
54: #12 0x7ff6f4901aee in call_function Python/ceval.c:4616
54: #13 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
54: #14 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
54: #15 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
54: #16 0x7ff6f4901aee in call_function Python/ceval.c:4616
54: #17 0x7ff6f48fa58c in _PyEval_EvalFrameDefault Python/ceval.c:3124
54: #18 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
54: #19 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
54: #20 0x7ff6f4901aee in call_function Python/ceval.c:4616
54: #21 0x7ff6f48fa629 in _PyEval_EvalFrameDefault Python/ceval.c:3110
54: #22 0x7ff6f48f8fa2 in _PyEval_EvalCodeWithName Python/ceval.c:3930
54: #23 0x7ff6f488f807 in _PyFunction_FastCallDict Objects/call.c:376
54: #24 0x7ff6f488fc89 in _PyObject_Call_Prepend Objects/call.c:906
54: #25 0x7ff6f488e1ec in _PyObject_FastCallDict Objects/call.c:125
54: #26 0x7ff6f488f467 in _PyObject_CallFunctionVa Objects/call.c:959
54: #27 0x7ff6f489007c in _PyObject_CallFunctionVa Objects/call.c:932
54: #28 0x7ff6f489007c in PyObject_CallFunction Objects/call.c:979
54: #29 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:660
54: #30 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:631
54: #31 0x7ff6f62e799b in qdr_forward_on_message ../src/router_core/forwarder.c:336
54: #32 0x7ff6f630b5ed in qdr_general_handler ../src/router_core/router_core.c:927
54: #33 0x7ff6f63b16a2 in qd_timer_visit ../src/timer.c:205
54: #34 0x7ff6f639d8e6 in handle ../src/server.c:1006
54: #35 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
54: #36 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
54: #37 0x7ff6f51e4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
54:
54: 0x61e0000295d0 is located 336 bytes inside of 2624-byte region [0x61e000029480,0x61e000029ec0)
54: allocated by thread T2 here:
54: #0 0x7ff6f6a8baa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
54: #1 0x7ff6f6180810 in qd_alloc ../src/alloc_pool.c:397
54: #2 0x7ff6f639999f in qd_server_connection ../src/server.c:567
54: #3 0x7ff6f63aac13 in on_accept ../src/server.c:599
54: #4 0x7ff6f63aac13 in handle_listener ../src/server.c:853
54: #5 0x7ff6f639d7b5 in handle_event_with_context ../src/server.c:802
54: #6 0x7ff6f639d7b5 in do_handle_raw_connection_event ../src/server.c:808
54: #7 0x7ff6f639d7b5 in handle ../src/server.c:1088
54: #8 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
54: #9 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
54:
54: Thread T2 created by T0 here:
54: #0 0x7ff6f69b7805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
54: #1 0x7ff6f626100f in sys_thread ../src/posix/threading.c:181
54: #2 0x7ff6f63a81c6 in qd_server_run ../src/server.c:1485
54: #3 0x5571ce0981bc in main_process ../router/src/main.c:115
54: #4 0x5571ce097ce0 in main ../router/src/main.c:369
54: #5 0x7ff6f50e90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
54:
54: SUMMARY: AddressSanitizer: use-after-poison ../src/server.c:1693 in qd_connector_decref
54: Shadow bytes around the buggy address:
54: 0x0c3c7fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
54: 0x0c3c7fffd270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
54: 0x0c3c7fffd280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
54: 0x0c3c7fffd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
54: 0x0c3c7fffd2a0: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
54: =>0x0c3c7fffd2b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
54: 0x0c3c7fffd2c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
54: 0x0c3c7fffd2d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
54: 0x0c3c7fffd2e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
54: 0x0c3c7fffd2f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
54: 0x0c3c7fffd300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
54: Shadow byte legend (one shadow byte represents 8 application bytes):
54: Addressable: 00
54: Partially addressable: 01 02 03 04 05 06 07
54: Heap left redzone: fa
54: Freed heap region: fd
54: Stack left redzone: f1
54: Stack mid redzone: f2
54: Stack right redzone: f3
54: Stack after return: f5
54: Stack use after scope: f8
54: Global redzone: f9
54: Global init order: f6
54: Poisoned by user: f7
54: Container overflow: fc
54: Array cookie: ac
54: Intra object redzone: bb
54: ASan internal: fe
54: Left alloca redzone: ca
54: Right alloca redzone: cb
54: Shadow gap: cc
54: ==4179==ABORTING
{noformat}