Qpid Dispatch / DISPATCH-2076

[ASan] use-after-poison in qd_connector_decref during system_tests_edge_router

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.16.0
    • Fix Version/s: 1.18.0
    • Component/s: None

      Description

      https://github.com/apache/qpid-dispatch/runs/2425607516?check_suite_focus=true#step:9:6961

      54: ==4179==ERROR: AddressSanitizer: use-after-poison on address 0x61e0000295d0 at pc 0x7ff6f63ac8b4 bp 0x7ff6ee0c7010 sp 0x7ff6ee0c7000
      54: WRITE of size 8 at 0x61e0000295d0 thread T2
      54:     #0 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1693
      54:     #1 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1688
      54:     #2 0x7ff6f031eff4  (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
      54:     #3 0x7ff6f031e409  (/lib/x86_64-linux-gnu/libffi.so.7+0x6409)
      54:     #4 0x7ff6f034502e in _call_function_pointer /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:816
      54:     #5 0x7ff6f034502e in _ctypes_callproc /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:1188
      54:     #6 0x7ff6f0341b33 in PyCFuncPtr_call /home/vsts/work/1/s/SourceCode/Modules/_ctypes/_ctypes.c:4025
      54:     #7 0x7ff6f488e998 in _PyObject_FastCallKeywords Objects/call.c:199
      54:     #8 0x7ff6f4901c78 in call_function Python/ceval.c:4619
      54:     #9 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
      54:     #10 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
      54:     #11 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
      54:     #12 0x7ff6f4901aee in call_function Python/ceval.c:4616
      54:     #13 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
      54:     #14 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
      54:     #15 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
      54:     #16 0x7ff6f4901aee in call_function Python/ceval.c:4616
      54:     #17 0x7ff6f48fa58c in _PyEval_EvalFrameDefault Python/ceval.c:3124
      54:     #18 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
      54:     #19 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
      54:     #20 0x7ff6f4901aee in call_function Python/ceval.c:4616
      54:     #21 0x7ff6f48fa629 in _PyEval_EvalFrameDefault Python/ceval.c:3110
      54:     #22 0x7ff6f48f8fa2 in _PyEval_EvalCodeWithName Python/ceval.c:3930
      54:     #23 0x7ff6f488f807 in _PyFunction_FastCallDict Objects/call.c:376
      54:     #24 0x7ff6f488fc89 in _PyObject_Call_Prepend Objects/call.c:906
      54:     #25 0x7ff6f488e1ec in _PyObject_FastCallDict Objects/call.c:125
      54:     #26 0x7ff6f488f467 in _PyObject_CallFunctionVa Objects/call.c:959
      54:     #27 0x7ff6f489007c in _PyObject_CallFunctionVa Objects/call.c:932
      54:     #28 0x7ff6f489007c in PyObject_CallFunction Objects/call.c:979
      54:     #29 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:660
      54:     #30 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:631
      54:     #31 0x7ff6f62e799b in qdr_forward_on_message ../src/router_core/forwarder.c:336
      54:     #32 0x7ff6f630b5ed in qdr_general_handler ../src/router_core/router_core.c:927
      54:     #33 0x7ff6f63b16a2 in qd_timer_visit ../src/timer.c:205
      54:     #34 0x7ff6f639d8e6 in handle ../src/server.c:1006
      54:     #35 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
      54:     #36 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
      54:     #37 0x7ff6f51e4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
      54: 
      54: 0x61e0000295d0 is located 336 bytes inside of 2624-byte region [0x61e000029480,0x61e000029ec0)
      54: allocated by thread T2 here:
      54:     #0 0x7ff6f6a8baa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
      54:     #1 0x7ff6f6180810 in qd_alloc ../src/alloc_pool.c:397
      54:     #2 0x7ff6f639999f in qd_server_connection ../src/server.c:567
      54:     #3 0x7ff6f63aac13 in on_accept ../src/server.c:599
      54:     #4 0x7ff6f63aac13 in handle_listener ../src/server.c:853
      54:     #5 0x7ff6f639d7b5 in handle_event_with_context ../src/server.c:802
      54:     #6 0x7ff6f639d7b5 in do_handle_raw_connection_event ../src/server.c:808
      54:     #7 0x7ff6f639d7b5 in handle ../src/server.c:1088
      54:     #8 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
      54:     #9 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
      54: 
      54: Thread T2 created by T0 here:
      54:     #0 0x7ff6f69b7805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
      54:     #1 0x7ff6f626100f in sys_thread ../src/posix/threading.c:181
      54:     #2 0x7ff6f63a81c6 in qd_server_run ../src/server.c:1485
      54:     #3 0x5571ce0981bc in main_process ../router/src/main.c:115
      54:     #4 0x5571ce097ce0 in main ../router/src/main.c:369
      54:     #5 0x7ff6f50e90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
      54: 
      54: SUMMARY: AddressSanitizer: use-after-poison ../src/server.c:1693 in qd_connector_decref
      54: Shadow bytes around the buggy address:
      54:   0x0c3c7fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      54:   0x0c3c7fffd270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      54:   0x0c3c7fffd280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      54:   0x0c3c7fffd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      54:   0x0c3c7fffd2a0: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      54: =>0x0c3c7fffd2b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
      54:   0x0c3c7fffd2c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      54:   0x0c3c7fffd2d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      54:   0x0c3c7fffd2e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      54:   0x0c3c7fffd2f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      54:   0x0c3c7fffd300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      54: Shadow byte legend (one shadow byte represents 8 application bytes):
      54:   Addressable:           00
      54:   Partially addressable: 01 02 03 04 05 06 07 
      54:   Heap left redzone:       fa
      54:   Freed heap region:       fd
      54:   Stack left redzone:      f1
      54:   Stack mid redzone:       f2
      54:   Stack right redzone:     f3
      54:   Stack after return:      f5
      54:   Stack use after scope:   f8
      54:   Global redzone:          f9
      54:   Global init order:       f6
      54:   Poisoned by user:        f7
      54:   Container overflow:      fc
      54:   Array cookie:            ac
      54:   Intra object redzone:    bb
      54:   ASan internal:           fe
      54:   Left alloca redzone:     ca
      54:   Right alloca redzone:    cb
      54:   Shadow gap:              cc
      54: ==4179==ABORTING
      

              People

              • Assignee: Unassigned
              • Reporter: jdanek Jiri Daněk