  1. Traffic Server
  2. TS-3915

Regression fails when compiled with ASAN, heap-use-after-free


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 7.0.0
    • 7.1.0
    • TS API

    Description

      Running regression with ASAN enabled on Fedora 22:

      CXXFLAGS="-Werror -fno-omit-frame-pointer -fsanitize=address" CFLAGS="-Werror" SPDYLAY_CFLAGS="-I /usr/local/include/" SPDYLAY_LIBS="-L/usr/local/lib -lspdylay"  ./configure --enable-ccache --enable-spdy --disable-freelist
      
      REGRESSION TEST SDK_API_HttpTxnTransform started
      Regression test(SDK_API_HttpTxnTransform) still in progress
      [SDK_API_HttpTxnTransform] TSTransformCreate : [TestCase1] <<PASS>> { ok }
      [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { ok }
      [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { ok }
      [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { ok }
      [SDK_API_HttpTxnTransform] TSHttpTxnUntransformedResponseCache : [TestCase1] <<PASS>> { ok }
      [SDK_API_HttpTxnTransform] TSHttpTxnTransformedResponseCache : [TestCase1] <<PASS>> { ok }
      =================================================================
      ==14340==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800d59276b at pc 0x0000005cb466 bp 0x7f4f46b88b40 sp 0x7f4f46b88b30
      READ of size 1 at 0x60800d59276b thread T9 ([ET_NET 8])
          #0 0x5cb465 in transformtest_transform /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6318
          #1 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #2 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #3 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
          #4 0xc32438 in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86
          #5 0x7f4f4da8c554 in start_thread (/lib64/libpthread.so.0+0x7554)
          #6 0x7f4f4c9bcb9c in __clone (/lib64/libc.so.6+0x102b9c)
      
      0x60800d59276b is located 75 bytes inside of 96-byte region [0x60800d592720,0x60800d592780)
      freed by thread T4 ([ET_NET 3]) here:
          #0 0x7f4f4fb2470a in __interceptor_free (/lib64/libasan.so.2+0x9870a)
          #1 0x5de815 in transform_hook_handler /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6637
          #2 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #3 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #4 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
          #5 0xc32438 in spawn_thread_internal /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86
          #6 0x7f4f4da8c554 in start_thread (/lib64/libpthread.so.0+0x7554)
      
      previously allocated by thread T0 ([ET_NET 0]) here:
          #0 0x7f4f4fb24a0a in malloc (/lib64/libasan.so.2+0x98a0a)
          #1 0x7f4f4f859ae5 in ats_malloc /home/bcall/dev/apache/trafficserver/lib/ts/ink_memory.cc:54
          #2 0x5d3d2a in RegressionTest_SDK_API_HttpTxnTransform(RegressionTest*, int, int*) /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6663
          #3 0x7f4f4f844f69 in start_test /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78
          #4 0x7f4f4f844f69 in RegressionTest::run_some() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126
          #5 0x7f4f4f845366 in RegressionTest::check_status() /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141
          #6 0x563773 in RegressionCont::mainEvent(int, Event*) /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1210
          #7 0xc33609 in Continuation::handleEvent(int, void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #8 0xc33609 in EThread::process_event(Event*, int) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #9 0xc35605 in EThread::execute() /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207
          #10 0x497d2c in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1812
          #11 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
      
      Thread T9 ([ET_NET 8]) created by T0 ([ET_NET 0]) here:
          #0 0x7f4f4fac2703 in pthread_create (/lib64/libasan.so.2+0x36703)
          #1 0xc32eda in ink_thread_create ../../lib/ts/ink_thread.h:150
          #2 0xc32eda in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:101
          #3 0xc3b0d4 in EventProcessor::start(int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
          #4 0x496abf in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1624
          #5 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
      
      Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
          #0 0x7f4f4fac2703 in pthread_create (/lib64/libasan.so.2+0x36703)
          #1 0xc32eda in ink_thread_create ../../lib/ts/ink_thread.h:150
          #2 0xc32eda in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:101
          #3 0xc3b0d4 in EventProcessor::start(int, unsigned long) /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
          #4 0x496abf in main /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1624
          #5 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
      
      SUMMARY: AddressSanitizer: heap-use-after-free /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6318 transformtest_transform
      Shadow bytes around the buggy address:
        0x0c1081aaa490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1081aaa4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1081aaa4b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c1081aaa4c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c1081aaa4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c1081aaa4e0: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
        0x0c1081aaa4f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c1081aaa500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c1081aaa510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c1081aaa520: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c1081aaa530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
      ==14340==ABORTING
      

          People

            bcall Bryan Call
            bcall Bryan Call