bneradt opened a new issue, #11113:
URL: https://github.com/apache/trafficserver/issues/11113

   We are now running HTTP/3 on docs. I have noticed that the following use-after-free 
report shows up fairly frequently on that box:
   
   ```
   ==3640422==ERROR: AddressSanitizer: heap-use-after-free on address 
0x6260000a8128 at pc 0x55f0a1802e10 bp 0x7f04cf74eae0 sp 0x7f04cf74ead0
   READ of size 8 at 0x6260000a8128 thread T7 ([ET_NET 5])
       #0 0x55f0a1802e0f in HQSession::main_event_handler(int, void*) 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:165
       #1 0x55f0a0e1c416 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #2 0x55f0a1692fbe in QUICNetVConnection::_propagate_event(int) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:264
       #3 0x55f0a169225c in QUICNetVConnection::state_established(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:211
       #4 0x55f0a0e1c416 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #5 0x55f0a178e850 in EThread::process_event(Event*, int) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:163
       #6 0x55f0a178eda4 in EThread::process_queue(Queue<Event, 
Event::Link_link>*, int*, int*) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:198
       #7 0x55f0a178f558 in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:277
       #8 0x55f0a178fdca in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:350
       #9 0x55f0a178cbfd in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
       #10 0x7f04d6aca608 in start_thread 
/build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
       #11 0x7f04d69ed132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
   
   0x6260000a8128 is located 40 bytes inside of 10952-byte region 
[0x6260000a8100,0x6260000aabc8)
   freed by thread T7 ([ET_NET 5]) here:
       #0 0x7f04d78d2c65 in operator delete(void*, unsigned long) 
../../../../src/libsanitizer/asan/asan_new_delete.cc:177
       #1 0x55f0a180a976 in Http3Transaction::~Http3Transaction() 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:451
       #2 0x55f0a1809c84 in HQTransaction::_delete_if_possible() 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:403
       #3 0x55f0a180ccc1 in Http3Transaction::state_stream_closed(int, Event*) 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:547
       #4 0x55f0a0e1c416 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #5 0x55f0a1802dc6 in HQSession::main_event_handler(int, void*) 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:167
       #6 0x55f0a0e1c416 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #7 0x55f0a1692fbe in QUICNetVConnection::_propagate_event(int) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:264
       #8 0x55f0a169225c in QUICNetVConnection::state_established(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:211
       #9 0x55f0a0e1c416 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #10 0x55f0a178e850 in EThread::process_event(Event*, int) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:163
       #11 0x55f0a178eda4 in EThread::process_queue(Queue<Event, 
Event::Link_link>*, int*, int*) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:198
       #12 0x55f0a178f558 in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:277
       #13 0x55f0a178fdca in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:350
       #14 0x55f0a178cbfd in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
       #15 0x7f04d6aca608 in start_thread 
/build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
   
   previously allocated by thread T7 ([ET_NET 5]) here:
       #0 0x7f04d78d1587 in operator new(unsigned long) 
../../../../src/libsanitizer/asan/asan_new_delete.cc:104
       #1 0x55f0a17f8960 in Http3App::_handle_bidi_stream_on_read_ready(int, 
VIO*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3App.cc:295
       #2 0x55f0a17f6887 in Http3App::main_event_handler(int, Event*) 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3App.cc:149
       #3 0x55f0a0e1c416 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #4 0x55f0a178e850 in EThread::process_event(Event*, int) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:163
       #5 0x55f0a178eda4 in EThread::process_queue(Queue<Event, 
Event::Link_link>*, int*, int*) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:198
       #6 0x55f0a178f33b in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:256
       #7 0x55f0a178fdca in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:350
       #8 0x55f0a178cbfd in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
       #9 0x7f04d6aca608 in start_thread 
/build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
   
   Thread T7 ([ET_NET 5]) created by T0 ([TS_MAIN]) here:
       #0 0x7f04d77fc815 in __interceptor_pthread_create 
../../../../src/libsanitizer/asan/asan_interceptors.cc:208
       #1 0x55f0a178c711 in ink_thread_create 
/home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
       #2 0x55f0a178cd31 in Thread::start(char const*, void*, unsigned long, 
std::function<void ()> const&) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:85
       #3 0x55f0a17966dd in EventProcessor::spawn_event_threads(int, int, 
unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:467
       #4 0x55f0a1797029 in EventProcessor::start(int, unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:548
       #5 0x55f0a0e3c46d in main 
/home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2104
       #6 0x7f04d68f2082 in __libc_start_main ../csu/libc-start.c:308
   
   SUMMARY: AddressSanitizer: heap-use-after-free 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:165 in 
HQSession::main_event_handler(int, void*)
   Shadow bytes around the buggy address:
     0x0c4c8000cfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c4c8000cfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c4c8000cff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c4c8000d000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c4c8000d010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   =>0x0c4c8000d020: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
     0x0c4c8000d030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c4c8000d040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c4c8000d050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c4c8000d060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c4c8000d070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Shadow byte legend (one shadow byte represents 8 application bytes): 
     Addressable:           00      
     Partially addressable: 01 02 03 04 05 06 07 
     Heap left redzone:       fa
     Freed heap region:       fd
     Stack left redzone:      f1
     Stack mid redzone:       f2
     Stack right redzone:     f3
     Stack after return:      f5
     Stack use after scope:   f8
     Global redzone:          f9
     Global init order:       f6
     Poisoned by user:        f7
     Container overflow:      fc
     Array cookie:            ac
     Intra object redzone:    bb
     ASan internal:           fe
     Left alloca redzone:     ca
     Right alloca redzone:    cb
     Shadow gap:              cc
   ==3640422==ABORTING        
   ```

