[ https://issues.apache.org/jira/browse/TS-3805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Susan Hinrichs resolved TS-3805. -------------------------------- Resolution: Fixed I think this was addressed with the session shutdown reworking that followed TS-3612. Please reopen if we are still seeing this. > ASAN heap-use-after-free in ProxyClientSession::ssn_hook_get > ------------------------------------------------------------ > > Key: TS-3805 > URL: https://issues.apache.org/jira/browse/TS-3805 > Project: Traffic Server > Issue Type: Bug > Components: Core > Reporter: Leif Hedstrom > Assignee: Susan Hinrichs > Labels: ASAN, crash > Fix For: 7.0.0 > > > {code} > [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats' > [Jul 30 11:02:22.124] Manager {0x7f1366c0e8c0} WARNING: Be aware that access > control checks for HTTP/2 connections are not active! > [Jul 30 11:02:22.124] Manager {0x7f1366c0e8c0} WARNING: Be aware that access > control checks for HTTP/2 connections are not active! > traffic_server: using root directory '/opt/ats' > ================================================================= > ==11239==ERROR: AddressSanitizer: heap-use-after-free on address > 0x61700009a170 at pc 0x52e50d bp 0x2b9d1a56a6b0 sp 0x2b9d1a56a6a8 > READ of size 8 at 0x61700009a170 thread T3 ([ET_NET 2]) > #0 0x52e50c in APIHooks::get() const > /usr/local/src/trafficserver/proxy/InkAPI.cc:1258 > #1 0x66bb1e in FeatureAPIHooks<TSHttpHookID, > (TSHttpHookID)19>::get(TSHttpHookID) const ../../proxy/InkAPIInternal.h:256 > #2 0x66bb1e in ProxyClientSession::ssn_hook_get(TSHttpHookID) const > ../../proxy/ProxyClientSession.h:64 > #3 0x66bb1e in HttpSM::state_api_callout(int, void*) > /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1328 > #4 0x67c586 in HttpSM::kill_this() > /usr/local/src/trafficserver/proxy/http/HttpSM.cc:6552 > #5 0x67f817 in HttpSM::main_handler(int, void*) > /usr/local/src/trafficserver/proxy/http/HttpSM.cc:2558 > #6 0xbb82d0 in Continuation::handleEvent(int, void*) > ../../iocore/eventsystem/I_Continuation.h:146 > #7 0xbb82d0 in read_signal_and_update > /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145 > #8 0xbb82d0 in UnixNetVConnection::mainEvent(int, Event*) > /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175 > #9 0xb8d622 in Continuation::handleEvent(int, void*) > ../../iocore/eventsystem/I_Continuation.h:146 > #10 0xb8d622 in InactivityCop::check_inactivity(int, Event*) > /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102 > #11 0xc336de in Continuation::handleEvent(int, void*) > /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #12 0xc336de in EThread::process_event(Event*, int) > /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #13 0xc35947 in EThread::execute() > /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207 > #14 0xc322e8 in spawn_thread_internal > /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86 > #15 0x2b9d1363bdf4 in start_thread (/lib64/libpthread.so.0+0x7df4) > #16 0x2b9d14ea41ac in __clone (/lib64/libc.so.6+0xf61ac) > 0x61700009a170 is located 240 bytes inside of 688-byte region > [0x61700009a080,0x61700009a330) > freed by thread T3 ([ET_NET 2]) here: > #0 0x2b9d1123a1c7 in __interceptor_free > ../../.././libsanitizer/asan/asan_malloc_linux.cc:62 > #1 0x62f74e in HttpVCTable::cleanup_entry(HttpVCTableEntry*) > /usr/local/src/trafficserver/proxy/http/HttpSM.cc:216 > #2 0x65047a in HttpSM::state_read_client_request_header(int, void*) > /usr/local/src/trafficserver/proxy/http/HttpSM.cc:606 > #3 0x67f4f0 in HttpSM::main_handler(int, void*) > /usr/local/src/trafficserver/proxy/http/HttpSM.cc:2545 > #4 0xbb82d0 in Continuation::handleEvent(int, void*) > ../../iocore/eventsystem/I_Continuation.h:146 > #5 0xbb82d0 in read_signal_and_update > /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145 > #6 0xbb82d0 in UnixNetVConnection::mainEvent(int, Event*) > /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175 > #7 0xb8d622 in Continuation::handleEvent(int, void*) > ../../iocore/eventsystem/I_Continuation.h:146 > #8 0xb8d622 in InactivityCop::check_inactivity(int, Event*) > /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102 > #9 0xc336de in Continuation::handleEvent(int, void*) > /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #10 0xc336de in EThread::process_event(Event*, int) > /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #11 0xc35947 in EThread::execute() > /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207 > #12 0xc322e8 in spawn_thread_internal > /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86 > #13 0x2b9d1363bdf4 in start_thread (/lib64/libpthread.so.0+0x7df4) > previously allocated by thread T3 ([ET_NET 2]) here: > #0 0x2b9d1123a93b in __interceptor_posix_memalign > ../../.././libsanitizer/asan/asan_malloc_linux.cc:130 > #1 0x2b9d12123849 in ats_memalign > /usr/local/src/trafficserver/lib/ts/ink_memory.cc:100 > #2 0x2b9d121241b0 in ink_freelist_new > /usr/local/src/trafficserver/lib/ts/ink_queue.cc:239 > #3 0x5ffe94 in ClassAllocator<HttpClientSession>::alloc() > ../../lib/ts/Allocator.h:120 > #4 0x5ffe94 in thread_alloc_init<HttpClientSession> > ../../iocore/eventsystem/I_ProxyAllocator.h:81 > #5 0x5ffe94 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, > IOBufferReader*) > /usr/local/src/trafficserver/proxy/http/HttpSessionAccept.cc:63 > #6 0x5ffa14 in HttpSessionAccept::mainEvent(int, void*) > /usr/local/src/trafficserver/proxy/http/HttpSessionAccept.cc:86 > #7 0xb6999e in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) > /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:99 > #8 0xbc420f in Continuation::handleEvent(int, void*) > ../../iocore/eventsystem/I_Continuation.h:146 > #9 0xbc420f in read_signal_and_update > /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145 > #10 0xbc420f in read_signal_done > /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:206 > #11 0xbc420f in UnixNetVConnection::readSignalDone(int, NetHandler*) > /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1006 > #12 0xb60ac8 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) > /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:540 > #13 0xb834fc in NetHandler::mainNetEvent(int, Event*) > /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516 > #14 0xc365be in Continuation::handleEvent(int, void*) > /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #15 0xc365be in EThread::process_event(Event*, int) > /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #16 0xc365be in EThread::execute() > /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252 > #17 0xc322e8 in spawn_thread_internal > /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86 > #18 0x2b9d1363bdf4 in start_thread (/lib64/libpthread.so.0+0x7df4) > Thread T3 ([ET_NET 2]) created by T0 ([ET_NET 0]) here: > #0 0x2b9d1120986a in __interceptor_pthread_create > ../../.././libsanitizer/asan/asan_interceptors.cc:183 > #1 0xc32f75 in ink_thread_create ../../lib/ts/ink_thread.h:150 > #2 0xc32f75 in Thread::start(char const*, unsigned long, void* > (*)(void*), void*) > /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101 > #3 0xc3b5c6 in EventProcessor::start(int, unsigned long) > /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140 > #4 0x4967bb in main /usr/local/src/trafficserver/proxy/Main.cc:1624 > #5 0x2b9d14dcfaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4) > SUMMARY: AddressSanitizer: heap-use-after-free > /usr/local/src/trafficserver/proxy/InkAPI.cc:1258 APIHooks::get() const > Shadow bytes around the buggy address: > 0x0c2e8000b3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2e8000b3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2e8000b3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2e8000b400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2e8000b410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd > =>0x0c2e8000b420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd > 0x0c2e8000b430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd > 0x0c2e8000b440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd > 0x0c2e8000b450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd > 0x0c2e8000b460: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa > 0x0c2e8000b470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Contiguous container OOB:fc > ASan internal: fe > ==11239==ABORTING > [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats' > [Jul 30 11:11:14.291] Manager {0x7fe0756968c0} WARNING: Be aware that access > control checks for HTTP/2 connections are not active! > [Jul 30 11:11:14.291] Manager {0x7fe0756968c0} WARNING: Be aware that access > control checks for HTTP/2 connections are not active! > traffic_server: using root directory '/opt/ats' > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)