[ https://issues.apache.org/jira/browse/DISPATCH-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17441132#comment-17441132 ]
Jiri Daněk commented on DISPATCH-2206:
--------------------------------------

One more variant of the trace above, see how short the dealloc trace is here!

https://github.com/jiridanek/qpid-dispatch/runs/4141024583?check_suite_focus=true#step:27:20633

{noformat}
E ==6485==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700079c7b0 at pc 0x0000005a834b bp 0x7ffd644b3a30 sp 0x7ffd644b3a28
E READ of size 8 at 0x61700079c7b0 thread T0
E     #0 0x5a834a in qdr_link_get_context /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:516
E     #1 0x693d51 in CORE_link_second_attach /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_node.c:1736
E     #2 0x5a3def in qdr_connection_process /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:355
E     #3 0x4ededa in writable_handler /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/container.c:388
E     #4 0x6aebc1 in handle /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/server.c:1108
E     #5 0x6b6b3f in thread_run /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/server.c:1133
E     #6 0x6b9241 in qd_server_run /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/server.c:1527
E     #7 0x434afd in main_process /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/router/src/main.c:115
E     #8 0x433a32 in main /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/router/src/main.c:369
E     #9 0x7f30fa148b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
E     #10 0x4348ed in _start (/__w/qpid-dispatch/qpid-dispatch/qpid-dispatch/build/router/qdrouterd+0x4348ed)
E
E 0x61700079c7b0 is located 176 bytes inside of 704-byte region [0x61700079c700,0x61700079c9c0)
E freed by thread T1 here:
E     #0 0x7f30fb573647 in free (/lib64/libasan.so.6+0xae647)
E     #1 0x4c2902 in qd_dealloc /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/alloc_pool.c:497
E     #2 0x635c87 in router_core_thread /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core_thread.c:236
E     #3 0x7f30fb058298 in start_thread (/lib64/libpthread.so.0+0x9298)
E
E previously allocated by thread T0 here:
E     #0 0x7f30fb57451c in __interceptor_posix_memalign (/lib64/libasan.so.6+0xaf51c)
E     #1 0x4bed1d in qd_alloc /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/alloc_pool.c:393
E     #2 0x5a8a71 in qdr_link_first_attach /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:617
E     #3 0x693894 in AMQP_outgoing_link_handler /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_node.c:1025
E     #4 0x6aebc1 in handle /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/server.c:1108
E     #5 0x6b6b3f in thread_run /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/server.c:1133
E     #6 0x6b9241 in qd_server_run /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/server.c:1527
E     #7 0x434afd in main_process /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/router/src/main.c:115
E     #8 0x433a32 in main /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/router/src/main.c:369
E     #9 0x7f30fa148b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
E
E Thread T1 created by T0 here:
E     #0 0x7f30fb51b8d6 in pthread_create (/lib64/libasan.so.6+0x568d6)
E     #1 0x56dbd5 in sys_thread /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/posix/threading.c:181
E     #2 0x61bb52 in qdr_core /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core.c:124
E     #3 0x69ee42 in qd_router_setup_late /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_node.c:2127
E     #4 0x7f30f5c0cc03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03)
E     #5 0x7ffd644b3b6f ([stack]+0x21b6f)
E
E SUMMARY: AddressSanitizer: heap-use-after-free /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:516 in qdr_link_get_context
E Shadow bytes around the buggy address:
E   0x0c2e800eb8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E   0x0c2e800eb8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E   0x0c2e800eb8c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
E   0x0c2e800eb8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
E   0x0c2e800eb8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
E =>0x0c2e800eb8f0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
E   0x0c2e800eb900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
E   0x0c2e800eb910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
E   0x0c2e800eb920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
E   0x0c2e800eb930: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
E   0x0c2e800eb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
E Shadow byte legend (one shadow byte represents 8 application bytes):
E   Addressable:           00
E   Partially addressable: 01 02 03 04 05 06 07
E   Heap left redzone:       fa
E   Freed heap region:       fd
E   Stack left redzone:      f1
E   Stack mid redzone:       f2
E   Stack right redzone:     f3
E   Stack after return:      f5
E   Stack use after scope:   f8
E   Global redzone:          f9
E   Global init order:       f6
E   Poisoned by user:        f7
E   Container overflow:      fc
E   Array cookie:            ac
E   Intra object redzone:    bb
E   ASan internal:           fe
E   Left alloca redzone:     ca
E   Right alloca redzone:    cb
E   Shadow gap:              cc
E ==6485==ABORTING
{noformat}

> ASAN use-after-free of qdr_link_t by I/O thread
> -----------------------------------------------
>
>                 Key: DISPATCH-2206
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2206
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Router Node
>    Affects Versions: 1.16.1
>            Reporter: Ken Giusti
>            Priority: Major
>              Labels: asan
>             Fix For: 1.19.0
>
>
> [https://github.com/apache/qpid-dispatch/blob/main/src/router_core/connections.c#L1344]
>
> {{27: ==3859==ERROR: AddressSanitizer: use-after-poison on address 0x61700017e030 at pc 0x56212343cdac bp 0x7f9d33c40c90 sp 0x7f9d33c40c80}}
> 27: READ of size 8 at 0x61700017e030 thread T2
> 27:     #0 0x56212343cdab in qdr_link_get_context ../src/router_core/connections.c:498
> 27:     #1 0x56212352ec25 in CORE_link_second_attach ../src/router_node.c:1729
> 27:     #2 0x5621234388df in qdr_connection_process ../src/router_core/connections.c:355
> 27:     #3 0x56212338eccf in writable_handler ../src/container.c:396
> 27:     #4 0x56212338eccf in qd_container_handle_event ../src/container.c:748
> 27:     #5 0x562123547289 in handle ../src/server.c:1108
> 27:     #6 0x562123554c9f in thread_run ../src/server.c:1133
> 27:     #7 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:     #8 0x7f9d3ac33292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 27:
> 27: 0x61700017e030 is located 176 bytes inside of 704-byte region [0x61700017df80,0x61700017e240)
> 27: allocated by thread T2 here:
> 27:     #0 0x7f9d3bfd9aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
> 27:     #1 0x5621233247b0 in qd_alloc ../src/alloc_pool.c:396
> 27:     #2 0x56212343d4c9 in qdr_link_first_attach ../src/router_core/connections.c:592
> 27:     #3 0x56212352dde9 in AMQP_outgoing_link_handler ../src/router_node.c:1018
> 27:     #4 0x562123547289 in handle ../src/server.c:1108
> 27:     #5 0x562123554c9f in thread_run ../src/server.c:1133
> 27:     #6 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:
> 27: Thread T2 created by T0 here:
> 27:     #0 0x7f9d3bf05805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
> 27:     #1 0x562123403bcf in sys_thread ../src/posix/threading.c:181
> 27:     #2 0x56212355541e in qd_server_run ../src/server.c:1522
> 27:     #3 0x56212359f46c in main_process ../router/src/main.c:115
> 27:     #4 0x56212329bc50 in main ../router/src/main.c:369
> 27:     #5 0x7f9d3ab380b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> 27:
> 27: SUMMARY: AddressSanitizer: use-after-poison ../src/router_core/connections.c:498 in qdr_link_get_context
> 27: Shadow bytes around the buggy address:
> 27:   0x0c2e80027bb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027bc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027bd0: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27:   0x0c2e80027be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27:   0x0c2e80027bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: =>0x0c2e80027c00: 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c40: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27:   0x0c2e80027c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27: Shadow byte legend (one shadow byte represents 8 application bytes):
> 27:   Addressable:           00
> 27:   Partially addressable: 01 02 03 04 05 06 07
> 27:   Heap left redzone:       fa
> 27:   Freed heap region:       fd
> 27:   Stack left redzone:      f1
> 27:   Stack mid redzone:       f2
> 27:   Stack right redzone:     f3
> 27:   Stack after return:      f5
> 27:   Stack use after scope:   f8
> 27:   Global redzone:          f9
> 27:   Global init order:       f6
> 27:   Poisoned by user:        f7
> 27:   Container overflow:      fc
> 27:   Array cookie:            ac
> 27:   Intra object redzone:    bb
> 27:   ASan internal:           fe
> 27:   Left alloca redzone:     ca
> 27:   Right alloca redzone:    cb
> 27:   Shadow gap:              cc
> 27: ==3859==ABORTING

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
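Both reports in this thread have the same shape: the link object is allocated by the I/O thread in qdr_link_first_attach, released on the core thread (in the second variant the release is a real free() reached from router_core_thread, hence the fd "freed heap region" shadow bytes; in the original report the block is still pool-owned but marked f7 "poisoned by user"), and the I/O thread then dereferences its stale pointer in qdr_link_get_context during CORE_link_second_attach. The program below is an added example, not qpid-dispatch code and not the project's fix: it models that cross-thread handoff with a hypothetical demo_link_t carrying a per-thread reference count, so that whichever thread finishes last performs the single free. The type and function names, the USE_REFCOUNT switch and the attach/release sequence are all assumptions for illustration. Building with -DUSE_REFCOUNT=0 -fsanitize=address -g turns link_release into an unconditional free and reproduces a heap-use-after-free report of the same shape as the one above (free on the core thread, read in link_get_context on the I/O thread); the default build keeps the object alive until both owners have released it.

```c
/* Added example: refcounted cross-thread ownership of a link-like object.
 * Not qpid-dispatch code; demo_link_t and the helpers are hypothetical.
 *
 *   safe (default): cc -std=c11 -pthread -fsanitize=address -g uaf_demo.c
 *   bug shape:      cc -std=c11 -pthread -fsanitize=address -g -DUSE_REFCOUNT=0 uaf_demo.c
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef USE_REFCOUNT
#define USE_REFCOUNT 1
#endif

/* Hypothetical stand-in for the link object; user_context is the field the
 * I/O thread reads back on second attach. */
typedef struct demo_link_t {
    void       *user_context;
    atomic_int  refcount;        /* one reference per thread that may still touch it */
} demo_link_t;

static atomic_int g_free_calls;  /* counts real frees, to prove exactly one happens */

/* I/O thread: first attach creates the object; both threads get a reference. */
static demo_link_t *link_first_attach(void *context)
{
    demo_link_t *link = calloc(1, sizeof *link);
    if (!link) abort();
    link->user_context = context;
    atomic_init(&link->refcount, 2);   /* I/O thread + core thread */
    return link;
}

static void link_free(demo_link_t *link)
{
    atomic_fetch_add(&g_free_calls, 1);
    free(link);
}

/* Drop one reference; the last owner frees. With USE_REFCOUNT=0 the core
 * thread frees while the I/O thread still holds the pointer. */
static void link_release(demo_link_t *link)
{
#if USE_REFCOUNT
    if (atomic_fetch_sub(&link->refcount, 1) == 1)
        link_free(link);
#else
    link_free(link);
#endif
}

static void *link_get_context(const demo_link_t *link)
{
    return link->user_context;
}

/* Core thread: processes a queued "link detached" action and releases it. */
static void *core_thread(void *arg)
{
    link_release((demo_link_t *)arg);
    return NULL;
}

/* Runs first attach -> core release -> second-attach read on the caller's
 * (I/O) thread. Stores the context observed on second attach in *seen_out
 * and returns the number of real free() calls, or -1 if no thread started. */
static int run_attach_sequence(void *context, void **seen_out)
{
    atomic_store(&g_free_calls, 0);
    demo_link_t *link = link_first_attach(context);

    pthread_t core;
    if (pthread_create(&core, NULL, core_thread, link) != 0) {
        free(link);
        return -1;
    }
    pthread_join(core, NULL);   /* the real bug is a race; joining forces the bad order */

    *seen_out = link_get_context(link);   /* stale read when USE_REFCOUNT=0 */
    link_release(link);                   /* I/O thread drops its own reference */
    return atomic_load(&g_free_calls);
}

/* 1 when second attach saw its own context and the link was freed exactly once. */
static int sequence_is_sound(void)
{
    static int marker;
    void *seen = NULL;
    int frees = run_attach_sequence(&marker, &seen);
    return frees == 1 && seen == (void *)&marker;
}

int main(void)
{
    int ok = sequence_is_sound();
    printf("%s\n", ok ? "link freed exactly once, context intact on second attach"
                      : "ownership broken");
    return ok ? 0 : 1;
}
```

The join in run_attach_sequence is only there to make the core-thread release happen before the I/O-thread read every time; in the router the two are racing, which is why the reports come and go between CI runs. The property worth checking in a fix is the one sequence_is_sound asserts: the reading thread's reference keeps the object addressable, and the free still happens exactly once.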