Posted to issues@trafficserver.apache.org by "Sudheer Vinukonda (JIRA)" <ji...@apache.org> on 2015/07/28 19:44:05 UTC
[jira] [Created] (TS-3802) ASAN Crash with latest master due to double free of MIOBuffer in SSLNetVConnection.
Sudheer Vinukonda created TS-3802:
-------------------------------------
Summary: ASAN Crash with latest master due to double free of MIOBuffer in SSLNetVConnection.
Key: TS-3802
URL: https://issues.apache.org/jira/browse/TS-3802
Project: Traffic Server
Issue Type: Bug
Components: SPDY
Reporter: Sudheer Vinukonda
Below is the ASAN stack trace that [~zwoop] found on docs@ after installing the latest master.
The issue is that the recent rearrangement of cleanup via ProxyClientSession for SPDY/H2 etc. resulted in the *netvc* being nulled out before SpdyClientSession::clear() is called (for example, when an inactivity timeout occurs). This bypasses the code that sets the SSL_VC's iobuf to null (the code that specifically prevents a double free via SSLNetVConnection::free() and via SpdyClientSession::clear() on req_buffer).
The fix is basically to set the SSL_VC's iobuf to null before calling ProxyClientSession with SSN_CLOSE_HOOK, thus making sure the iobuf is only cleaned up once.
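The ordering problem above can be reproduced in miniature. The following C++ is an added example, not Traffic Server code: `MIOBuffer`, `SslVC`, `SpdySession`, `release_buffer()` and the two `close_*_order()` functions are hypothetical stand-ins for the real MIOBuffer, SSLNetVConnection, SpdyClientSession and free_MIOBuffer(). Instead of freeing heap memory twice (which would only be visible under ASAN), the toy buffer counts release calls, so the double free shows up as a return value.

```cpp
#include <cstdio>

// Toy stand-in for MIOBuffer (hypothetical): counts how many times it was
// released so the ordering bug is observable without corrupting the heap.
struct MIOBuffer {
    int free_count = 0;
};

// Stand-in for free_MIOBuffer(): returns false when the same buffer is
// released a second time (the condition ASAN reports as use-after-free).
static bool release_buffer(MIOBuffer *b) {
    if (b == nullptr) return true;   // nothing to release is fine
    return ++b->free_count == 1;
}

// Stand-in for SSLNetVConnection: frees iobuf in free() unless it was handed off.
struct SslVC {
    MIOBuffer *iobuf = nullptr;
    bool free_vc() {
        bool ok = release_buffer(iobuf);
        iobuf = nullptr;
        return ok;
    }
};

// Stand-in for SpdyClientSession: req_buffer aliases the VC's iobuf, and
// clear() is supposed to detach it from the VC before releasing it.
struct SpdySession {
    SslVC *vc = nullptr;
    MIOBuffer *req_buffer = nullptr;
    bool clear() {
        if (vc != nullptr) vc->iobuf = nullptr;   // skipped when vc is already null
        bool ok = release_buffer(req_buffer);
        req_buffer = nullptr;
        return ok;
    }
};

// Wire one buffer into both owners, as happens after the session takes over the VC.
static void attach(SslVC &vc, SpdySession &s, MIOBuffer &buf) {
    vc.iobuf = &buf;
    s.vc = &vc;
    s.req_buffer = &buf;
}

// Order described in the ticket: the close path nulls the session's netvc
// before clear(), so the hand-off inside clear() never runs and both owners
// release the same buffer. Returns false on a double free.
bool close_buggy_order(SslVC &vc, SpdySession &s) {
    s.vc = nullptr;
    bool cleared = s.clear();
    bool freed = vc.free_vc();
    return cleared && freed;
}

// Fixed order: the VC gives up its reference to iobuf before the close hook
// runs, so exactly one owner releases the buffer whatever happens to s.vc.
bool close_fixed_order(SslVC &vc, SpdySession &s) {
    vc.iobuf = nullptr;
    s.vc = nullptr;
    bool cleared = s.clear();
    bool freed = vc.free_vc();
    return cleared && freed;
}

// Helpers that run each scenario on a fresh buffer and report the release count.
int buggy_release_count() {
    MIOBuffer buf; SslVC vc; SpdySession s;
    attach(vc, s, buf);
    close_buggy_order(vc, s);
    return buf.free_count;   // 2: released by the session and again by the VC
}

int fixed_release_count() {
    MIOBuffer buf; SslVC vc; SpdySession s;
    attach(vc, s, buf);
    close_fixed_order(vc, s);
    return buf.free_count;   // 1: released by the session only
}

int main() {
    std::printf("buggy order releases: %d\n", buggy_release_count());
    std::printf("fixed order releases: %d\n", fixed_release_count());
    return 0;
}
```

The point of the model is that the detach step inside `clear()` is conditional on `vc` still being set; any cleanup reordering that clears `vc` first silently disables it. Moving the hand-off to the VC side, before the close hook fires, removes that dependency on ordering. The real code path is more involved (the ATS buffer is freelist-allocated and the crash surfaces inside Ptr<IOBufferBlock>::operator=), but the ownership mistake is the same.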
{code}
[E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
[Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
[Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
traffic_server: using root directory '/opt/ats'
=================================================================
==30546==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110001cb010 at pc 0xb4ee72 bp 0x2b0ac04527e0 sp 0x2b0ac04527d8
READ of size 8 at 0x6110001cb010 thread T6 ([ET_NET 5])
#0 0xb4ee71 in Ptr<IOBufferBlock>::operator=(IOBufferBlock*) ../../lib/ts/Ptr.h:354
#1 0xb4ee71 in free_MIOBuffer ../../iocore/eventsystem/P_IOBuffer.h:770
#2 0xb4ee71 in SSLNetVConnection::free(EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:907
#3 0xbac5f9 in close_UnixNetVConnection(UnixNetVConnection*, EThread*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:134
#4 0xbb62c6 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:164
#5 0xbb62c6 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
#6 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
#7 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
#8 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
#9 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
#10 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
#11 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
#12 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
#13 0x2b0aba1771ac in __clone (/lib64/libc.so.6+0xf61ac)
0x6110001cb010 is located 16 bytes inside of 240-byte region [0x6110001cb000,0x6110001cb0f0)
freed by thread T6 ([ET_NET 5]) here:
#0 0x2b0ab650d1c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
#1 0x782f88 in SpdyClientSession::clear() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:162
#2 0x783310 in SpdyClientSession::destroy() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:274
#3 0x780240 in SpdyClientSession::do_io_close(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:487
#4 0x780240 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:263
#5 0xbb6410 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
#6 0xbb6410 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145
#7 0xbb6410 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
#8 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
#9 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
#10 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
#11 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
#12 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
#13 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
#14 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
previously allocated by thread T6 ([ET_NET 5]) here:
#0 0x2b0ab650d93b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
#1 0x2b0ab73f6849 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:100
#2 0x2b0ab73f71b0 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:239
#3 0xb617cc in ClassAllocator<MIOBuffer>::alloc() ../../lib/ts/Allocator.h:120
#4 0xb617cc in thread_alloc<MIOBuffer> ../../iocore/eventsystem/I_ProxyAllocator.h:63
#5 0xb617cc in new_MIOBuffer_internal ../../iocore/eventsystem/P_IOBuffer.h:759
#6 0xb617cc in MIOBuffer_tracker::operator()(long) ../../iocore/eventsystem/I_IOBuffer.h:1253
#7 0xb617cc in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:520
#8 0xb8163c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516
#9 0xc346ee in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
#10 0xc346ee in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
#11 0xc346ee in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
#12 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
#13 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
Thread T6 ([ET_NET 5]) created by T0 ([ET_NET 0]) here:
#0 0x2b0ab64dc86a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
#1 0xc310a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
#2 0xc310a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
#3 0xc396f6 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
#4 0x49676b in main /usr/local/src/trafficserver/proxy/Main.cc:1624
#5 0x2b0aba0a2af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: heap-use-after-free ../../lib/ts/Ptr.h:354 Ptr<IOBufferBlock>::operator=(IOBufferBlock*)
Shadow bytes around the buggy address:
0x0c22800315b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800315c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c22800315d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c22800315e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800315f0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
=>0x0c2280031600: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280031610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c2280031620: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280031630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280031640: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c2280031650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==30546==ABORTING
traffic_server: using root directory '/opt/ats'
{code}