You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2015/11/09 22:06:11 UTC
[jira] [Commented] (TS-4004) ASAN crash while running regression
test Cache_vol
[ https://issues.apache.org/jira/browse/TS-4004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14997354#comment-14997354 ]
Bryan Call commented on TS-4004:
--------------------------------
There are two different disk_vols arrays, so updating the one in delete_volume has no effect on the disk_vols list in cplist_update.
Deleting vol: 0 disk_vols: 0x602000045b30 disk_vols[0]: 0x604000063790
End of deleting vol: 0 disk_vols: 0x602000045b30 disk_vols[0]: (nil)
Updating vol: 0 disk_vols: 0x602000043730 disk_vols[0]: 0x604000063790
Before we core vol: 0 disk_vols: 0x602000043730 disk_vols[0]: 0x604000063790
> ASAN crash while running regression test Cache_vol
> --------------------------------------------------
>
> Key: TS-4004
> URL: https://issues.apache.org/jira/browse/TS-4004
> Project: Traffic Server
> Issue Type: Bug
> Components: Cache
> Reporter: Bryan Call
> Fix For: 6.1.0
>
>
> {code}
> ==31328==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000637a0 at pc 0x000000ac38f7 bp 0x7f3cd4ac9970 sp 0x7f3cd4ac9960
> READ of size 8 at 0x6040000637a0 thread T2 ([ET_NET 1])
> #0 0xac38f6 in cplist_update /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2746
> #1 0xac38f6 in cplist_reconfigure() /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2890
> #2 0xb047c6 in execute_and_verify /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:996
> #3 0xb047c6 in RegressionTest_Cache_vol(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:842
> #4 0x7f3cdced0b79 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
> #5 0x7f3cdced0b79 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
> #6 0x7f3cdced0f76 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
> #7 0x5895e3 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1252
> #8 0xd17bc5 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #9 0xd17bc5 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #10 0xd1a4cd in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
> #11 0xd169f8 in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86
> #12 0x7f3cdb326554 in start_thread (/lib64/libpthread.so.0+0x7554)
> #13 0x7f3cda256b9c in __clone (/lib64/libc.so.6+0x102b9c)
> 0x6040000637a0 is located 16 bytes inside of 40-byte region [0x604000063790,0x6040000637b8)
> freed by thread T2 ([ET_NET 1]) here:
> #0 0x7f3cdd1b3f0a in operator delete(void*) (/lib64/libasan.so.2+0x99f0a)
> #1 0xb00dfa in CacheDisk::delete_volume(int) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheDisk.cc:330
> #2 0xac2307 in cplist_update /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2725
> #3 0xac2307 in cplist_reconfigure() /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2890
> #4 0xb047c6 in execute_and_verify /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:996
> #5 0xb047c6 in RegressionTest_Cache_vol(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:842
> #6 0x7f3cdced0b79 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
> #7 0x7f3cdced0b79 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
> #8 0x7f3cdced0f76 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
> #9 0x5895e3 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1252
> #10 0xd17bc5 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #11 0xd17bc5 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #12 0xd1a4cd in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
> #13 0xd169f8 in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86
> #14 0x7f3cdb326554 in start_thread (/lib64/libpthread.so.0+0x7554)
> previously allocated by thread T2 ([ET_NET 1]) here:
> #0 0x7f3cdd1b3912 in operator new(unsigned long) (/lib64/libasan.so.2+0x99912)
> #1 0xaff99b in CacheDisk::create_volume(int, long, int) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheDisk.cc:296
> #2 0xabbd9c in create_volume /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:3067
> #3 0xac320b in create_volume /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:3028
> #4 0xac320b in cplist_reconfigure() /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2921
> #5 0xb047c6 in execute_and_verify /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:996
> #6 0xb047c6 in RegressionTest_Cache_vol(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/iocore/cache/CacheHosting.cc:842
> #7 0x7f3cdced0b79 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
> #8 0x7f3cdced0b79 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
> #9 0x7f3cdced0f76 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
> #10 0x5895e3 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1252
> #11 0xd17bc5 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #12 0xd17bc5 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #13 0xd1a4cd in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
> #14 0xd169f8 in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86
> #15 0x7f3cdb326554 in start_thread (/lib64/libpthread.so.0+0x7554)
> Thread T2 ([ET_NET 1]) created by T0 ([ET_NET 0]) here:
> #0 0x7f3cdd150703 in pthread_create (/lib64/libasan.so.2+0x36703)
> #1 0xd1749a in ink_thread_create ../../lib/ts/ink_thread.h:150
> #2 0xd1749a in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:101
> #3 0xd20422 in EventProcessor::start(int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
> #4 0x495d78 in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1733
> #5 0x7f3cda1746ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
> SUMMARY: AddressSanitizer: heap-use-after-free /home/bcall/dev/apache/trafficserver/iocore/cache/Cache.cc:2746 cplist_update
> Shadow bytes around the buggy address:
> 0x0c08800046a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c08800046b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c08800046c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c08800046d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c08800046e0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
> =>0x0c08800046f0: fa fa fd fd[fd]fd fd fa fa fa fd fd fd fd fd fd
> 0x0c0880004700: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
> 0x0c0880004710: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
> 0x0c0880004720: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
> 0x0c0880004730: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 05
> 0x0c0880004740: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==31328==ABORTING
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)