Description
Below's the ASAN stack trace that zwoop found on docs@ after installing the latest master.
The issue is that, the recent rearrangement of cleanup (TS-1007) via ProxyClientSession for SPDY/H2 etc resulted in the netvc being null'ed out before calling SpdyClientSession::clear() (for example, when an inactivity timeout occurs). This results in bypassing the code that sets the SSL_VC's iobuf to null (specifically to prevent double free via SSLNetVConnection::free() and via SpdyClientSession::clear (req_buffer))..
The fix is to basically set the SSL_VC's iobuf to null before calling ProxyClientSession with SSN_CLOSE_HOOK, thus, making sure the iobuf is only cleaned once.
[E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats' [Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active! [Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active! traffic_server: using root directory '/opt/ats' ================================================================= ==30546==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110001cb010 at pc 0xb4ee72 bp 0x2b0ac04527e0 sp 0x2b0ac04527d8 READ of size 8 at 0x6110001cb010 thread T6 ([ET_NET 5]) #0 0xb4ee71 in Ptr<IOBufferBlock>::operator=(IOBufferBlock*) ../../lib/ts/Ptr.h:354 #1 0xb4ee71 in free_MIOBuffer ../../iocore/eventsystem/P_IOBuffer.h:770 #2 0xb4ee71 in SSLNetVConnection::free(EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:907 #3 0xbac5f9 in close_UnixNetVConnection(UnixNetVConnection*, EThread*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:134 #4 0xbb62c6 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:164 #5 0xbb62c6 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175 #6 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146 #7 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102 #8 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146 #9 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128 #10 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207 #11 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86 #12 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4) #13 0x2b0aba1771ac in __clone (/lib64/libc.so.6+0xf61ac) 0x6110001cb010 is located 16 bytes inside of 240-byte region [0x6110001cb000,0x6110001cb0f0) freed by thread T6 ([ET_NET 5]) here: #0 0x2b0ab650d1c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62 #1 0x782f88 in SpdyClientSession::clear() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:162 #2 0x783310 in SpdyClientSession::destroy() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:274 #3 0x780240 in SpdyClientSession::do_io_close(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:487 #4 0x780240 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:263 #5 0xbb6410 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146 #6 0xbb6410 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145 #7 0xbb6410 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175 #8 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146 #9 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102 #10 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146 #11 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128 #12 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207 #13 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86 #14 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4) previously allocated by thread T6 ([ET_NET 5]) here: #0 0x2b0ab650d93b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130 #1 0x2b0ab73f6849 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:100 #2 0x2b0ab73f71b0 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:239 #3 0xb617cc in ClassAllocator<MIOBuffer>::alloc() ../../lib/ts/Allocator.h:120 #4 0xb617cc in thread_alloc<MIOBuffer> ../../iocore/eventsystem/I_ProxyAllocator.h:63 #5 0xb617cc in new_MIOBuffer_internal ../../iocore/eventsystem/P_IOBuffer.h:759 #6 0xb617cc in MIOBuffer_tracker::operator()(long) ../../iocore/eventsystem/I_IOBuffer.h:1253 #7 0xb617cc in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:520 #8 0xb8163c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516 #9 0xc346ee in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146 #10 0xc346ee in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128 #11 0xc346ee in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252 #12 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86 #13 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4) Thread T6 ([ET_NET 5]) created by T0 ([ET_NET 0]) here: #0 0x2b0ab64dc86a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183 #1 0xc310a5 in ink_thread_create ../../lib/ts/ink_thread.h:150 #2 0xc310a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101 #3 0xc396f6 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140 #4 0x49676b in main /usr/local/src/trafficserver/proxy/Main.cc:1624 #5 0x2b0aba0a2af4 in __libc_start_main (/lib64/libc.so.6+0x21af4) SUMMARY: AddressSanitizer: heap-use-after-free ../../lib/ts/Ptr.h:354 Ptr<IOBufferBlock>::operator=(IOBufferBlock*) Shadow bytes around the buggy address: 0x0c22800315b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22800315c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa 0x0c22800315d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c22800315e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22800315f0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa =>0x0c2280031600: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2280031610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa 0x0c2280031620: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c2280031630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2280031640: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c2280031650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==30546==ABORTING traffic_server: using root directory '/opt/ats'