[ https://issues.apache.org/jira/browse/TS-3915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Call updated TS-3915: --------------------------- Labels: ASAN crash (was: ASAN) > Regression fails when compilied with ASAN, heap-use-after-free > -------------------------------------------------------------- > > Key: TS-3915 > URL: https://issues.apache.org/jira/browse/TS-3915 > Project: Traffic Server > Issue Type: Bug > Components: TS API > Reporter: Bryan Call > Assignee: Bryan Call > Labels: ASAN, crash > Fix For: 7.0.0 > > > Running regression with asan enable on Fedora 22: > {code} > CXXFLAGS="-Werror -fno-omit-frame-pointer -fsanitize=address" > CFLAGS="-Werror" SPDYLAY_CFLAGS="-I /usr/local/include/" > SPDYLAY_LIBS="-L/usr/local/lib -lspdylay" ./configure --enable-ccache > --enable-spdy --disable-freelist > REGRESSION TEST SDK_API_HttpTxnTransform started > Regression test(SDK_API_HttpTxnTransform) still in progress > [SDK_API_HttpTxnTransform] TSTransformCreate : [TestCase1] <<PASS>> { ok } > [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { > ok } > [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { > ok } > [SDK_API_HttpTxnTransform] TSHttpTxnTransformRespGet : [TestCase] <<PASS>> { > ok } > [SDK_API_HttpTxnTransform] TSHttpTxnUntransformedResponseCache : [TestCase1] > <<PASS>> { ok } > [SDK_API_HttpTxnTransform] TSHttpTxnTransformedResponseCache : [TestCase1] > <<PASS>> { ok } > ================================================================= > ==14340==ERROR: AddressSanitizer: heap-use-after-free on address > 0x60800d59276b at pc 0x0000005cb466 bp 0x7f4f46b88b40 sp 0x7f4f46b88b30 > READ of size 1 at 0x60800d59276b thread T9 ([ET_NET 8]) > #0 0x5cb465 in transformtest_transform > /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6318 > #1 0xc33609 in Continuation::handleEvent(int, void*) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #2 0xc33609 in EThread::process_event(Event*, int) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #3 0xc35605 in EThread::execute() > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207 > #4 0xc32438 in spawn_thread_internal > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86 > #5 0x7f4f4da8c554 in start_thread (/lib64/libpthread.so.0+0x7554) > #6 0x7f4f4c9bcb9c in __clone (/lib64/libc.so.6+0x102b9c) > 0x60800d59276b is located 75 bytes inside of 96-byte region > [0x60800d592720,0x60800d592780) > freed by thread T4 ([ET_NET 3]) here: > #0 0x7f4f4fb2470a in __interceptor_free (/lib64/libasan.so.2+0x9870a) > #1 0x5de815 in transform_hook_handler > /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6637 > #2 0xc33609 in Continuation::handleEvent(int, void*) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #3 0xc33609 in EThread::process_event(Event*, int) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #4 0xc35605 in EThread::execute() > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207 > #5 0xc32438 in spawn_thread_internal > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:86 > #6 0x7f4f4da8c554 in start_thread (/lib64/libpthread.so.0+0x7554) > previously allocated by thread T0 ([ET_NET 0]) here: > #0 0x7f4f4fb24a0a in malloc (/lib64/libasan.so.2+0x98a0a) > #1 0x7f4f4f859ae5 in ats_malloc > /home/bcall/dev/apache/trafficserver/lib/ts/ink_memory.cc:54 > #2 0x5d3d2a in RegressionTest_SDK_API_HttpTxnTransform(RegressionTest*, > int, int*) /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6663 > #3 0x7f4f4f844f69 in start_test > /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:78 > #4 0x7f4f4f844f69 in RegressionTest::run_some() > /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:126 > #5 0x7f4f4f845366 in RegressionTest::check_status() > /home/bcall/dev/apache/trafficserver/lib/ts/Regression.cc:141 > #6 0x563773 in RegressionCont::mainEvent(int, Event*) > /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1210 > #7 0xc33609 in Continuation::handleEvent(int, void*) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #8 0xc33609 in EThread::process_event(Event*, int) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #9 0xc35605 in EThread::execute() > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEThread.cc:207 > #10 0x497d2c in main > /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1812 > #11 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff) > Thread T9 ([ET_NET 8]) created by T0 ([ET_NET 0]) here: > #0 0x7f4f4fac2703 in pthread_create (/lib64/libasan.so.2+0x36703) > #1 0xc32eda in ink_thread_create ../../lib/ts/ink_thread.h:150 > #2 0xc32eda in Thread::start(char const*, unsigned long, void* > (*)(void*), void*) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:101 > #3 0xc3b0d4 in EventProcessor::start(int, unsigned long) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140 > #4 0x496abf in main > /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1624 > #5 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff) > Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here: > #0 0x7f4f4fac2703 in pthread_create (/lib64/libasan.so.2+0x36703) > #1 0xc32eda in ink_thread_create ../../lib/ts/ink_thread.h:150 > #2 0xc32eda in Thread::start(char const*, unsigned long, void* > (*)(void*), void*) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/Thread.cc:101 > #3 0xc3b0d4 in EventProcessor::start(int, unsigned long) > /home/bcall/dev/apache/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140 > #4 0x496abf in main > /home/bcall/dev/apache/trafficserver/proxy/Main.cc:1624 > #5 0x7f4f4c8da6ff in __libc_start_main (/lib64/libc.so.6+0x206ff) > SUMMARY: AddressSanitizer: heap-use-after-free > /home/bcall/dev/apache/trafficserver/proxy/InkAPITest.cc:6318 > transformtest_transform > Shadow bytes around the buggy address: > 0x0c1081aaa490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c1081aaa4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c1081aaa4b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa > 0x0c1081aaa4c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa > 0x0c1081aaa4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > =>0x0c1081aaa4e0: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd > 0x0c1081aaa4f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa > 0x0c1081aaa500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa > 0x0c1081aaa510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa > 0x0c1081aaa520: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa > 0x0c1081aaa530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > ==14340==ABORTING > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)