You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Susan Hinrichs (JIRA)" <ji...@apache.org> on 2015/10/07 00:54:27 UTC
[jira] [Commented] (TS-3710) Crash in TLS with 6.0.0, related to
the session cleanup additions
[ https://issues.apache.org/jira/browse/TS-3710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14945958#comment-14945958 ]
Susan Hinrichs commented on TS-3710:
------------------------------------
Typoed the bug number in the commit comment. This commit belongs with this issue.
Commit 1859562086b330eed6eda637f5f98a3431db5915 in trafficserver's branch refs/heads/master from shinrich
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=1859562 ]
TS-3701 - Crash in trampoline cleanup
> Crash in TLS with 6.0.0, related to the session cleanup additions
> -----------------------------------------------------------------
>
> Key: TS-3710
> URL: https://issues.apache.org/jira/browse/TS-3710
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Affects Versions: 5.3.0
> Reporter: Leif Hedstrom
> Assignee: Susan Hinrichs
> Priority: Critical
> Labels: yahoo
> Fix For: 6.1.0
>
> Attachments: ts-3710-2.diff, ts-3710-8-26-15.diff, ts-3710-final-2.diff, ts-3710.diff
>
>
> {code}
> ==9570==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000049f48 at pc 0xb9f969 bp 0x2b8dbc348920 sp 0x2b8dbc348918
> READ of size 8 at 0x606000049f48 thread T8 ([ET_NET 7])
> #0 0xb9f968 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
> #1 0xb9f968 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:142
> #2 0xb9f968 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1115
> #3 0xb7daf7 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
> #4 0xb7daf7 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
> #5 0xc21ffe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
> #6 0xc21ffe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #7 0xc241f7 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
> #8 0xc20c18 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
> #9 0x2b8db3ff6df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> #10 0x2b8db585f1ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x606000049f48 is located 8 bytes inside of 56-byte region [0x606000049f40,0x606000049f78)
> freed by thread T8 ([ET_NET 7]) here:
> #0 0x2b8db1bf3117 in operator delete(void*) ../../.././libsanitizer/asan/asan_new_delete.cc:81
> #1 0xb5b20e in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89
> #2 0xbb2eef in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
> #3 0xbb2eef in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:142
> #4 0xbb2eef in read_signal_done /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:203
> #5 0xbb2eef in UnixNetVConnection::readSignalDone(int, NetHandler*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:957
> #6 0xb55d6d in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:480
> #7 0xb748fc in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516
> #8 0xc24e89 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
> #9 0xc24e89 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #10 0xc24e89 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
> #11 0xc20c18 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
> #12 0x2b8db3ff6df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T8 ([ET_NET 7]) here:
> #0 0x2b8db1bf2c9f in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:50
> #1 0xb59f8b in SSLNextProtocolAccept::mainEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:134
> #2 0xb888e9 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
> #3 0xb888e9 in NetAccept::acceptFastEvent(int, void*) /usr/local/src/trafficserver/iocore/net/UnixNetAccept.cc:466
> #4 0xc24e89 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
> #5 0xc24e89 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #6 0xc24e89 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
> #7 0xc20c18 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
> #8 0x2b8db3ff6df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T8 ([ET_NET 7]) created by T0 ([ET_NET 0]) here:
> #0 0x2b8db1bc186a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
> #1 0xc218a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
> #2 0xc218a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
> #3 0xc29e26 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
> #4 0x495e4b in main /usr/local/src/trafficserver/proxy/Main.cc:1621
> #5 0x2b8db578aaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> SUMMARY: AddressSanitizer: heap-use-after-free ../../iocore/eventsystem/I_Continuation.h:145 Continuation::handleEvent(int, void*)
> Shadow bytes around the buggy address:
> 0x0c0c80001390: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c800013a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
> 0x0c0c800013b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c0c800013c0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c800013d0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> =>0x0c0c800013e0: fd fd fd fa fa fa fa fa fd[fd]fd fd fd fd fd fa
> 0x0c0c800013f0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c80001400: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
> 0x0c0c80001410: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c0c80001420: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
> 0x0c0c80001430: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Contiguous container OOB:fc
> ASan internal: fe
> ==9570==ABORTING
> traffic_server: using root directory '/opt/ats'
> traffic_server: using root directory '/opt/ats'
> {code}
> Update: Seems I didn't get the latest version of the code / ASAN report matched up, this should be with 6.0.x proper.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)