You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2016/10/14 22:05:20 UTC
[jira] [Created] (TS-4975) ATS crashing when taking it out of
rotation
Bryan Call created TS-4975:
------------------------------
Summary: ATS crashing when taking it out of rotation
Key: TS-4975
URL: https://issues.apache.org/jira/browse/TS-4975
Project: Traffic Server
Issue Type: Bug
Reporter: Bryan Call
ATS crashing when setting keep-alive to 0 and http2 inactive timeout to 10.
{noformat}
=================================================================
==64589==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180062bcf98 at pc 0x000000723b51 bp 0x2ab58616d520 sp 0x2ab58616d518
WRITE of size 8 at 0x6180062bcf98 thread T29 ([ET_NET 27])
#0 0x723b50 in Http1ClientTransaction::transaction_done() ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:70
#1 0x775452 in HttpSM::kill_this() ../../../trafficserver/proxy/http/HttpSM.cc:6798
#2 0x74f808 in HttpSM::main_handler(int, void*) ../../../trafficserver/proxy/http/HttpSM.cc:2674
#3 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#4 0x8211fd in HttpTunnel::main_handler(int, void*) ../../../trafficserver/proxy/http/HttpTunnel.cc:1662
#5 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#6 0xae565d in write_signal_and_update ../../../trafficserver/iocore/net/UnixNetVConnection.cc:179
#7 0xae5aae in write_signal_done ../../../trafficserver/iocore/net/UnixNetVConnection.cc:221
#8 0xae7b31 in write_to_net_io(NetHandler*, UnixNetVConnection*, EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:552
#9 0xae6d92 in write_to_net(NetHandler*, UnixNetVConnection*, EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:419
#10 0xad210c in NetHandler::mainNetEvent(int, Event*) ../../../trafficserver/iocore/net/UnixNet.cc:542
#11 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#12 0xb310f2 in EThread::process_event(Event*, int) ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
#13 0xb31d85 in EThread::execute() ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
#14 0xb2fb6b in spawn_thread_internal ../../../trafficserver/iocore/eventsystem/Thread.cc:84
#15 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
#16 0x32ef2e893c in clone (/lib64/libc.so.6+0x32ef2e893c)
0x6180062bcf98 is located 792 bytes inside of 880-byte region [0x6180062bcc80,0x6180062bcff0)
freed by thread T29 ([ET_NET 27]) here:
#0 0x5835ea in __interceptor_free (/home/y/bin64/traffic_server+0x5835ea)
#1 0x2ab57bd5a154 in ats_memalign_free ../../../trafficserver/lib/ts/ink_memory.cc:141
#2 0x2ab57bd5bfc3 in malloc_bulkfree ../../../trafficserver/lib/ts/ink_queue.cc:384
#3 0x2ab57bd5bc94 in ink_freelist_free_bulk ../../../trafficserver/lib/ts/ink_queue.cc:326
#4 0x723343 in ClassAllocator<Http1ClientSession>::free_bulk(Http1ClientSession*, Http1ClientSession*, unsigned long) ../../../trafficserver/lib/ts/Allocator.h:148
#5 0x723266 in void thread_freeup<Http1ClientSession>(ClassAllocator<Http1ClientSession>&, ProxyAllocator&) (/home/y/bin64/traffic_server+0x723266)
#6 0x71e016 in Http1ClientSession::free() ../../../trafficserver/proxy/http/Http1ClientSession.cc:125
#7 0x67e16c in ProxyClientSession::handle_api_return(int) ../../trafficserver/proxy/ProxyClientSession.cc:206
#8 0x67dcfc in ProxyClientSession::do_api_callout(TSHttpHookID) ../../trafficserver/proxy/ProxyClientSession.cc:177
#9 0x71dc3b in Http1ClientSession::destroy() ../../../trafficserver/proxy/http/Http1ClientSession.cc:94
#10 0x723b2b in Http1ClientTransaction::transaction_done() ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:69
#11 0x775452 in HttpSM::kill_this() ../../../trafficserver/proxy/http/HttpSM.cc:6798
#12 0x74f808 in HttpSM::main_handler(int, void*) ../../../trafficserver/proxy/http/HttpSM.cc:2674
#13 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#14 0x8211fd in HttpTunnel::main_handler(int, void*) ../../../trafficserver/proxy/http/HttpTunnel.cc:1662
#15 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#16 0xae565d in write_signal_and_update ../../../trafficserver/iocore/net/UnixNetVConnection.cc:179
#17 0xae5aae in write_signal_done ../../../trafficserver/iocore/net/UnixNetVConnection.cc:221
#18 0xae7b31 in write_to_net_io(NetHandler*, UnixNetVConnection*, EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:552
#19 0xae6d92 in write_to_net(NetHandler*, UnixNetVConnection*, EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:419
#20 0xad210c in NetHandler::mainNetEvent(int, Event*) ../../../trafficserver/iocore/net/UnixNet.cc:542
#21 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#22 0xb310f2 in EThread::process_event(Event*, int) ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
#23 0xb31d85 in EThread::execute() ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
#24 0xb2fb6b in spawn_thread_internal ../../../trafficserver/iocore/eventsystem/Thread.cc:84
#25 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
previously allocated by thread T29 ([ET_NET 27]) here:
#0 0x5841ce in __interceptor_posix_memalign (/home/y/bin64/traffic_server+0x5841ce)
#1 0x2ab57bd59fd4 in ats_memalign ../../../trafficserver/lib/ts/ink_memory.cc:102
#2 0x2ab57bd5b873 in malloc_new ../../../trafficserver/lib/ts/ink_queue.cc:258
#3 0x2ab57bd5b275 in ink_freelist_new ../../../trafficserver/lib/ts/ink_queue.cc:183
#4 0x7134c9 in ClassAllocator<Http1ClientSession>::alloc() ../../../trafficserver/lib/ts/Allocator.h:121
#5 0x71348a in Http1ClientSession* thread_alloc_init<Http1ClientSession>(ClassAllocator<Http1ClientSession>&, ProxyAllocator&) ../../../trafficserver/iocore/eventsystem/I_ProxyAllocator.h:73
#6 0x712af4 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*) ../../../trafficserver/proxy/http/HttpSessionAccept.cc:61
#7 0x67ca24 in ProtocolProbeTrampoline::ioCompletionEvent(int, void*) ../../trafficserver/proxy/ProtocolProbeSessionAccept.cc:107
#8 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#9 0xae51c1 in read_signal_and_update ../../../trafficserver/iocore/net/UnixNetVConnection.cc:148
#10 0xaeb98b in UnixNetVConnection::readSignalAndUpdate(int) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:1030
#11 0xaab411 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) ../../../trafficserver/iocore/net/SSLNetVConnection.cc:585
#12 0xad1e7b in NetHandler::mainNetEvent(int, Event*) ../../../trafficserver/iocore/net/UnixNet.cc:525
#13 0x5ef2b4 in Continuation::handleEvent(int, void*) ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
#14 0xb310f2 in EThread::process_event(Event*, int) ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
#15 0xb31d85 in EThread::execute() ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
#16 0xb2fb6b in spawn_thread_internal ../../../trafficserver/iocore/eventsystem/Thread.cc:84
#17 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
Thread T29 ([ET_NET 27]) created by T0 ([TS_MAIN]) here:
#0 0x5257f4 in pthread_create (/home/y/bin64/traffic_server+0x5257f4)
#1 0xb2f6f6 in ink_thread_create ../../../trafficserver/lib/ts/ink_thread.h:152
#2 0xb2fc95 in Thread::start(char const*, unsigned long, void* (*)(void*), void*, void*) ../../../trafficserver/iocore/eventsystem/Thread.cc:99
#3 0xb35515 in EventProcessor::start(int, unsigned long) ../../../trafficserver/iocore/eventsystem/UnixEventProcessor.cc:240
#4 0x6501f2 in main ../../trafficserver/proxy/Main.cc:1715
#5 0x32ef21ed5c in __libc_start_main (/lib64/libc.so.6+0x32ef21ed5c)
SUMMARY: AddressSanitizer: heap-use-after-free ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:70 Http1ClientTransaction::transaction_done()
Shadow bytes around the buggy address:
0x0c3080c4f9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3080c4f9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3080c4f9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3080c4f9d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3080c4f9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3080c4f9f0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa fa
0x0c3080c4fa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3080c4fa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3080c4fa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3080c4fa30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3080c4fa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==64589==ABORTING
{noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)