Regression test use after free when running under ASAN #5049

@bryancall

$ sudo LSAN_OPTIONS=suppressions=ci/asan_leak_suppression/regression.txt /usr/local/bin/traffic_server -R 3
=================================================================
==21434==ERROR: AddressSanitizer: heap-use-after-free on address 0x626000003968 at pc 0x000000e638ec bp 0x7f77c7166560 sp 0x7f77c7166550
READ of size 8 at 0x626000003968 thread T4 ([ET_NET 2])
    #0 0xe638eb in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_find_before_node(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long) const /usr/include/c++/8/bits/hashtable.h:1560
    #1 0xe6bc42 in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_find_node(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long) const /usr/include/c++/8/bits/hashtable.h:654
    #2 0xe6bc42 in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/8/bits/hashtable.h:1441
    #3 0xe6bc42 in std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RecRecord*, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/8/bits/unordered_map.h:921
    #4 0xe6bc42 in RecGetRecord_Xmalloc(char const*, RecDataT, RecData*, bool) /home/bcall/dev/apache/trafficserver/lib/records/RecCore.cc:924
    #5 0xe6cefa in RecGetRecordInt(char const*, long*, bool) /home/bcall/dev/apache/trafficserver/lib/records/RecCore.cc:368
    #6 0xe6cefa in REC_ConfigReadInteger(char const*) /home/bcall/dev/apache/trafficserver/lib/records/RecCore.cc:1060
    #7 0x5e7f54 in DiagsLogContinuation::periodic(int, Event*) traffic_server/traffic_server.cc:386
    #8 0xebe47c in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:190
    #9 0xebe47c in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:186
    #10 0xebe47c in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:132
    #11 0xec0fcc in EThread::execute_regular() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:246
    #12 0xec3e01 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:335
    #13 0xec3e01 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:313
    #14 0xebc46a in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:92
    #15 0x7f77cd0d458d in start_thread (/lib64/libpthread.so.0+0x858d)
    #16 0x7f77cccc46a2 in clone (/lib64/libc.so.6+0xfd6a2)

0x626000003968 is located 2152 bytes inside of 11944-byte region [0x626000003100,0x626000005fa8)
freed by thread T11 ([ET_NET 9]) here:
    #0 0x7f77cd9c4348 in operator delete(void*) (/lib64/libasan.so.5+0xf2348)
    #1 0xe73c6c in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, true> > >::_M_deallocate_buckets(std::__detail::_Hash_node_base**, unsigned long) /usr/include/c++/8/ext/new_allocator.h:125
    #2 0xe73c6c in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_deallocate_buckets(std::__detail::_Hash_node_base**, unsigned long) /usr/include/c++/8/bits/hashtable.h:375
    #3 0xe73c6c in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_deallocate_buckets() /usr/include/c++/8/bits/hashtable.h:380
    #4 0xe73c6c in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::~_Hashtable() /usr/include/c++/8/bits/hashtable.h:1375
    #5 0xe73c6c in std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RecRecord*, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> > >::~unordered_map() /usr/include/c++/8/bits/unordered_map.h:102
    #6 0x7f77ccc01ccb in __run_exit_handlers (/lib64/libc.so.6+0x3accb)

previously allocated by thread T0 ([TS_MAIN]) here:
    #0 0x7f77cd9c3470 in operator new(unsigned long) (/lib64/libasan.so.5+0xf1470)
    #1 0xe639d4 in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, true> > >::_M_allocate_buckets(unsigned long) /usr/include/c++/8/ext/new_allocator.h:111
    #2 0xe639d4 in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_allocate_buckets(unsigned long) /usr/include/c++/8/bits/hashtable.h:366
    #3 0xe639d4 in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_rehash_aux(unsigned long, std::integral_constant<bool, true>) /usr/include/c++/8/bits/hashtable.h:2110
    #4 0xe639d4 in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_rehash(unsigned long, unsigned long const&) /usr/include/c++/8/bits/hashtable.h:2089
    #5 0xe63e5b in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_insert_unique_node(unsigned long, unsigned long, std::__detail::_Hash_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, true>*, unsigned long) /usr/include/c++/8/bits/hashtable.h:1735
    #6 0xe71792 in std::pair<std::__detail::_Node_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, false, true>, bool> std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_emplace<char const*&, RecRecord*&>(std::integral_constant<bool, true>, char const*&, RecRecord*&) /usr/include/c++/8/bits/hashtable.h:1682
    #7 0xe731a1 in std::pair<std::__detail::_Node_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, false, true>, bool> std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::emplace<char const*&, RecRecord*&>(char const*&, RecRecord*&) /usr/include/c++/8/bits/hashtable.h:748
    #8 0xe731a1 in std::pair<std::__detail::_Node_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, false, true>, bool> std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RecRecord*, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> > >::emplace<char const*&, RecRecord*&>(char const*&, RecRecord*&) /usr/include/c++/8/bits/unordered_map.h:388
    #9 0xe731a1 in register_record /home/bcall/dev/apache/trafficserver/lib/records/RecCore.cc:89
    #10 0xe7390c in RecRegisterConfig(RecT, char const*, RecDataT, RecData, RecUpdateT, RecCheckT, char const*, RecSourceT, RecAccessT) /home/bcall/dev/apache/trafficserver/lib/records/RecCore.cc:893
    #11 0xe5a03c in RecRegisterConfigInt(RecT, char const*, long, RecUpdateT, RecCheckT, char const*, RecSourceT, RecAccessT) /home/bcall/dev/apache/trafficserver/lib/records/P_RecCore.cc:330
    #12 0xa4d91d in initialize_record /home/bcall/dev/apache/trafficserver/mgmt/RecordsConfigUtils.cc:97
    #13 0xa5829c in RecordsConfigIterate(void (*)(RecordElement const*, void*), void*) /home/bcall/dev/apache/trafficserver/mgmt/RecordsConfig.cc:1389
    #14 0x4d62cf in initialize_process_manager traffic_server/traffic_server.cc:621
    #15 0x4d62cf in main traffic_server/traffic_server.cc:1621
    #16 0x7f77ccbeb412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Thread T4 ([ET_NET 2]) created by T0 ([TS_MAIN]) here:
    #0 0x7f77cd91e043 in __interceptor_pthread_create (/lib64/libasan.so.5+0x4c043)
    #1 0xebd71e in ink_thread_create ../../include/tscore/ink_thread.h:159
    #2 0xebd71e in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:109
    #3 0xeccd84 in EventProcessor::spawn_event_threads(int, int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:382
    #4 0xecddb9 in EventProcessor::start(int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:449
    #5 0x4d8b85 in main traffic_server/traffic_server.cc:1843
    #6 0x7f77ccbeb412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Thread T11 ([ET_NET 9]) created by T0 ([TS_MAIN]) here:
    #0 0x7f77cd91e043 in __interceptor_pthread_create (/lib64/libasan.so.5+0x4c043)
    #1 0xebd71e in ink_thread_create ../../include/tscore/ink_thread.h:159
    #2 0xebd71e in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:109
    #3 0xeccd84 in EventProcessor::spawn_event_threads(int, int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:382
    #4 0xecddb9 in EventProcessor::start(int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:449
    #5 0x4d8b85 in main traffic_server/traffic_server.cc:1843
    #6 0x7f77ccbeb412 in __libc_start_main (/lib64/libc.so.6+0x24412)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/8/bits/hashtable.h:1560 in std::_Hashtable<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, RecRecord*> >, std::__detail::_Select1st, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::_M_find_before_node(unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long) const
Shadow bytes around the buggy address:
  0x0c4c7fff86d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff86e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff86f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff8700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff8710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4c7fff8720: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c4c7fff8730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff8740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff8750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff8760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c7fff8770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21434==ABORTING
