Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Description
The qpid-dispatch GitHub Actions CI has hit this ASAN issue a couple of times since enabling use of the latest proton-c/main in our CI tests (see attached).
It appears to show a pconnection being freed at the end of batch processing, then that freed pconnection being accessed while waiting for the next event.
https://github.com/apache/qpid-dispatch/runs/4513058827?check_suite_focus=true#step:9:7347
==4956==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000171412 at pc 0x7f7144626f6d bp 0x7ffe23b9a600 sp 0x7ffe23b9a5f0
READ of size 1 at 0x616000171412 thread T0
    #0 0x7f7144626f6c in next_runnable ../c/src/proactor/epoll.c:2403
    #1 0x7f7144627e53 in next_event_batch ../c/src/proactor/epoll.c:2456
    #2 0x7f714462d11a in pn_proactor_wait ../c/src/proactor/epoll.c:2715
    #3 0x556f559f860e in thread_run ../src/server.c:1118
    #4 0x556f55a001cf in qd_server_run ../src/server.c:1527
    #5 0x556f55a5b7ea in main_process ../router/src/main.c:115
    #6 0x556f55a5d7ee in main ../router/src/main.c:369
    #7 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x556f5571574d in _start (/home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/build/router/qdrouterd+0x56874d)

0x616000171412 is located 146 bytes inside of 576-byte region [0x616000171380,0x6160001715c0)
freed by thread T0 here:
    #0 0x7f71447f07cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x7f714460d565 in pconnection_final_free ../c/src/proactor/epoll.c:832
    #2 0x7f714460d8bc in pconnection_cleanup ../c/src/proactor/epoll.c:848
    #3 0x7f71446104ab in pconnection_done ../c/src/proactor/epoll.c:1048
    #4 0x7f714462d20e in pn_proactor_done ../c/src/proactor/epoll.c:2725
    #5 0x556f559f88b5 in thread_run ../src/server.c:1151
    #6 0x556f55a001cf in qd_server_run ../src/server.c:1527
    #7 0x556f55a5b7ea in main_process ../router/src/main.c:115
    #8 0x556f55a5d7ee in main ../router/src/main.c:369
    #9 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T2 here:
    #0 0x7f71447f0bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f714461dbda in pn_listener_accept2 ../c/src/proactor/epoll.c:1883
    #2 0x7f7144638bd3 in pn_listener_accept ../c/src/proactor/proactor-internal.c:94
    #3 0x556f559efbe1 in on_accept ../src/server.c:622
    #4 0x556f559f44fc in handle_listener ../src/server.c:865
    #5 0x556f559f3d83 in handle_event_with_context ../src/server.c:814
    #6 0x556f559f3e0a in do_handle_listener ../src/server.c:825
    #7 0x556f559f6a2f in handle ../src/server.c:1024
    #8 0x556f559f86b1 in thread_run ../src/server.c:1133
    #9 0x556f55871fbb in _thread_init ../src/posix/threading.c:172
    #10 0x7f7144183608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)

Thread T2 created by T0 here:
    #0 0x7f714471d805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x556f5587212a in sys_thread ../src/posix/threading.c:181
    #2 0x556f55a00137 in qd_server_run ../src/server.c:1525
    #3 0x556f55a5b7ea in main_process ../router/src/main.c:115
    #4 0x556f55a5d7ee in main ../router/src/main.c:369
    #5 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free ../c/src/proactor/epoll.c:2403 in next_runnable
Shadow bytes around the buggy address:
  0x0c2c80026230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80026240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80026250: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2c80026260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80026270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c80026280: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80026290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800262a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800262b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2c800262c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800262d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
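The lifecycle hazard the two stack traces above point at (a connection released from the done path while the wait loop's runnable scan can still reach it) as an added illustrative model in C. This is not proton's code: the `proactor`, `pconn`, `runnable` table and the function names are hypothetical simplifications, and the only point is the ordering of unlink versus free.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a proactor (not proton's code): the wait
 * loop scans a small table of "runnable" connections and reads a flag in each. */
#define MAX_RUNNABLE 4

typedef struct pconn { bool closed; int fd; } pconn;
typedef struct proactor { pconn *runnable[MAX_RUNNABLE]; } proactor;

/* Models the read that ASAN flagged in next_runnable: it dereferences every
 * pointer still present in the table, so a freed-but-not-unlinked entry is a
 * heap-use-after-free. */
pconn *next_runnable(proactor *p) {
    for (int i = 0; i < MAX_RUNNABLE; i++) {
        pconn *c = p->runnable[i];
        if (c && !c->closed) return c;
    }
    return NULL;
}

/* Buggy retirement order: memory is released while the table still points at
 * it. Built with -fsanitize=address, a later next_runnable() call produces the
 * same class of report as the CI log above. */
void done_unsafe(proactor *p, pconn *c) { (void)p; free(c); }

/* Corrected order: remove every reference the wait loop could follow, then free. */
void done_safe(proactor *p, pconn *c) {
    for (int i = 0; i < MAX_RUNNABLE; i++)
        if (p->runnable[i] == c) p->runnable[i] = NULL;
    free(c);
}

/* Runs the safe lifecycle end to end on a constructed connection. Returns the
 * fd seen while the connection was live (42 here), -1 if the wait loop could
 * still reach the connection after retirement, or -2 on allocation failure. */
int safe_lifecycle(void) {
    proactor p;
    memset(&p, 0, sizeof p);
    pconn *c = calloc(1, sizeof *c);   /* constructed sample connection */
    if (!c) return -2;
    c->fd = 42;
    p.runnable[0] = c;
    pconn *live = next_runnable(&p);
    int fd = live ? live->fd : -2;
    done_safe(&p, c);
    return next_runnable(&p) == NULL ? fd : -1;
}
```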