IMPALA-6126

ASAN detects heap-use-after-free in thrift-server-test

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: Impala 2.11.0
    • Fix Version/s: Impala 2.11.0
    • Component/s: Backend

      Description

      ASAN detected a heap-use-after-free in thrift-server-test in a private build.

      Sailesh Mukil - You made changes to this test in this change: https://gerrit.cloudera.org/#/c/7938/

      Can you please have a look?

      Please reach out in person if you would like to access the artifacts of the private build.

      21:53:06 =================================================================
      21:53:06 ==28490==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000013318 at pc 0x00000129c04c bp 0x7fd43db71200 sp 0x7fd43db709b0
      21:53:06 READ of size 103 at 0x60c000013318 thread T62
      21:53:06     #0 0x129c04b in strlen /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/llvm/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:227
      21:53:06     #1 0x337cc0b0a0 in _sasl_strdup (/usr/lib64/libsasl2.so.2+0x337cc0b0a0)
      21:53:06     #2 0x337cc1135c in sasl_server_new (/usr/lib64/libsasl2.so.2+0x337cc1135c)
      21:53:06     #3 0x19b07b5 in sasl::TSaslServer::setupSaslContext() /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/transport/TSasl.cpp:214:16
      21:53:06     #4 0x19b1fb7 in apache::thrift::transport::TSaslServerTransport::handleSaslStartMessage() /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/transport/TSaslServerTransport.cpp:124:10
      21:53:06     #5 0x19b8299 in apache::thrift::transport::TSaslTransport::doSaslNegotiation() /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/transport/TSaslTransport.cpp:81:7
      21:53:06     #6 0x19b273a in apache::thrift::transport::TSaslServerTransport::Factory::getTransport(boost::shared_ptr<apache::thrift::transport::TTransport>) /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/transport/TSaslServerTransport.cpp:174:24
      21:53:06     #7 0x163ba86 in apache::thrift::server::TAcceptQueueServer::SetupConnection(boost::shared_ptr<apache::thrift::transport::TTransport>) /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/rpc/TAcceptQueueServer.cpp:146:46
      21:53:06     #8 0x163dc32 in apache::thrift::server::TAcceptQueueServer::serve()::$_0::operator()(int, boost::shared_ptr<apache::thrift::transport::TTransport> const&) const /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/rpc/TAcceptQueueServer.cpp:220:15
      21:53:06     #9 0x1645b43 in boost::function2<void, int, boost::shared_ptr<apache::thrift::transport::TTransport> const&>::operator()(int, boost::shared_ptr<apache::thrift::transport::TTransport> const&) const /data/jenkins/workspace/impala-asf-master-core-asan/Impala-Toolchain/boost-1.57.0-p3/include/boost/function/function_template.hpp:766:14
      21:53:06     #10 0x1644ba5 in impala::ThreadPool<boost::shared_ptr<apache::thrift::transport::TTransport> >::WorkerThread(int) /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/util/thread-pool.h:152:9
      21:53:06     #11 0x1645141 in boost::_bi::bind_t<void, boost::_mfi::mf1<void, impala::ThreadPool<boost::shared_ptr<apache::thrift::transport::TTransport> >, int>, boost::_bi::list2<boost::_bi::value<impala::ThreadPool<boost::shared_ptr<apache::thrift::transport::TTransport> >*>, boost::_bi::value<int> > >::operator()() /data/jenkins/workspace/impala-asf-master-core-asan/Impala-Toolchain/boost-1.57.0-p3/include/boost/bind/bind_template.hpp:20:16
      21:53:06     #12 0x15e2622 in boost::function0<void>::operator()() const /data/jenkins/workspace/impala-asf-master-core-asan/Impala-Toolchain/boost-1.57.0-p3/include/boost/function/function_template.hpp:766:14
      21:53:06     #13 0x1a89e47 in impala::Thread::SuperviseThread(std::string const&, std::string const&, boost::function<void ()>, impala::Promise<long>*) /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/util/thread.cc:352:3
      21:53:06     #14 0x1a94bb5 in void boost::_bi::list4<boost::_bi::value<std::string>, boost::_bi::value<std::string>, boost::_bi::value<boost::function<void ()> >, boost::_bi::value<impala::Promise<long>*> >::operator()<void (*)(std::string const&, std::string const&, boost::function<void ()>, impala::Promise<long>*), boost::_bi::list0>(boost::_bi::type<void>, void (*&)(std::string const&, std::string const&, boost::function<void ()>, impala::Promise<long>*), boost::_bi::list0&, int) /data/jenkins/workspace/impala-asf-master-core-asan/Impala-Toolchain/boost-1.57.0-p3/include/boost/bind/bind.hpp:457:9
      21:53:06     #15 0x1a94a31 in boost::_bi::bind_t<void, void (*)(std::string const&, std::string const&, boost::function<void ()>, impala::Promise<long>*), boost::_bi::list4<boost::_bi::value<std::string>, boost::_bi::value<std::string>, boost::_bi::value<boost::function<void ()> >, boost::_bi::value<impala::Promise<long>*> > >::operator()() /data/jenkins/workspace/impala-asf-master-core-asan/Impala-Toolchain/boost-1.57.0-p3/include/boost/bind/bind_template.hpp:20:16
      21:53:06     #16 0x2407ba9 in thread_proxy (/data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/build/debug/rpc/thrift-server-test+0x2407ba9)
      21:53:06     #17 0x3379c07850 in start_thread (/lib64/libpthread.so.0+0x3379c07850)
      21:53:06     #18 0x33798e894c in clone (/lib64/libc.so.6+0x33798e894c)
      21:53:06 
      21:53:06 0x60c000013318 is located 24 bytes inside of 127-byte region [0x60c000013300,0x60c00001337f)
      21:53:06 freed by thread T0 here:
      21:53:06     #0 0x13459a0 in operator delete(void*) /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/llvm/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:110
      21:53:06     #1 0x135f4d0 in ThriftParamsTest::SetUp() /data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/src/rpc/thrift-server-test.cc:141:3
      21:53:06     #2 0x331fec2 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (/data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/build/debug/rpc/thrift-server-test+0x331fec2)
      21:53:06 
      21:53:06 previously allocated by thread T0 here:
      21:53:06     #0 0x1345320 in operator new(unsigned long) /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/llvm/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:78
      21:53:06     #1 0x7fd4532e4c48 in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/gcc/build-4.9.2/x86_64-unknown-linux-gnu/libstdc++-v3/include/ext/new_allocator.h:104
      21:53:06     #2 0x7fd4532e4c48 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/gcc/build-4.9.2/x86_64-unknown-linux-gnu/libstdc++-v3/include/bits/basic_string.tcc:607
      21:53:06 
      21:53:06 Thread T62 created by T61 here:
      21:53:06     #0 0x12679ed in __interceptor_pthread_create /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/llvm/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
      21:53:06     #1 0x2406f89 in boost::thread::start_thread_noexcept() (/data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/build/debug/rpc/thrift-server-test+0x2406f89)
      21:53:06 
      21:53:06 Thread T61 created by T0 here:
      21:53:06     #0 0x12679ed in __interceptor_pthread_create /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/llvm/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245
      21:53:06     #1 0x2406f89 in boost::thread::start_thread_noexcept() (/data/jenkins/workspace/impala-asf-master-core-asan/repos/Impala/be/build/debug/rpc/thrift-server-test+0x2406f89)
      21:53:06 
      21:53:06 SUMMARY: AddressSanitizer: heap-use-after-free /data/jenkins/workspace/verify-impala-toolchain-package-build/label/ec2-package-centos-6/toolchain/source/llvm/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:227 in strlen
      21:53:06 Shadow bytes around the buggy address:
      21:53:06   0x0c187fffa610: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      21:53:06   0x0c187fffa620: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      21:53:06   0x0c187fffa630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
      21:53:06   0x0c187fffa640: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      21:53:06   0x0c187fffa650: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      21:53:06 =>0x0c187fffa660: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
      21:53:06   0x0c187fffa670: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      21:53:06   0x0c187fffa680: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      21:53:06   0x0c187fffa690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      21:53:06   0x0c187fffa6a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      21:53:06   0x0c187fffa6b0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      21:53:06 Shadow byte legend (one shadow byte represents 8 application bytes):
      21:53:06   Addressable:           00
      21:53:06   Partially addressable: 01 02 03 04 05 06 07 
      21:53:06   Heap left redzone:       fa
      21:53:06   Heap right redzone:      fb
      21:53:06   Freed heap region:       fd
      21:53:06   Stack left redzone:      f1
      21:53:06   Stack mid redzone:       f2
      21:53:06   Stack right redzone:     f3
      21:53:06   Stack partial redzone:   f4
      21:53:06   Stack after return:      f5
      21:53:06   Stack use after scope:   f8
      21:53:06   Global redzone:          f9
      21:53:06   Global init order:       f6
      21:53:06   Poisoned by user:        f7
      21:53:06   Container overflow:      fc
      21:53:06   Array cookie:            ac
      21:53:06   Intra object redzone:    bb
      21:53:06   ASan internal:           fe
      21:53:06   Left alloca redzone:     ca
      21:53:06   Right alloca redzone:    cb
      21:53:06 ==28490==ABORTING
      

            People

            • Assignee: Sailesh Mukil
            • Reporter: Lars Volker