When I run the testsuite with Address Sanitizer, I get several failures due to a use-after-free error in the extend-table code. The simplest one is test 29. It can be simplified to just:
echo 'ct_lb(192.168.1.2:80, 192.168.1.3:80);' | tests/ovstest test-ovn parse-actions which produces the appended output when run under Address Sanitizer. I tried to track this down but I got lost in the tangles of all the data structures in extend-table. -8<--------------------------cut here-------------------------->8-- ct_lb(192.168.1.2:80, 192.168.1.3:80); encodes as group:1 uses group: id(1), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2:80),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3:80),commit,table=19,zone=NXM_NX_REG13[0..15])) has prereqs ip ================================================================= ==1989915==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000bf8 at pc 0x00000076228f bp 0x7ffc00cb83d0 sp 0x7ffc00cb83c0 WRITE of size 8 at 0x604000000bf8 thread T0 #0 0x76228e in ovs_list_remove /home/bpfaff/nicira/ovs/include/openvswitch/list.h:215 #1 0x76228e in ovn_extend_table_info_destroy ../lib/extend-table.c:58 #2 0x7631ba in ovn_extend_table_clear ../lib/extend-table.c:189 #3 0x7634b3 in ovn_extend_table_destroy ../lib/extend-table.c:196 #4 0x410cbb in test_parse_actions ../tests/test-ovn.c:1403 #5 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247 #6 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623 #7 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626 #8 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247 #9 0x409305 in main ../tests/ovstest.c:133 #10 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) #11 0x40b15d in _start (/home/bpfaff/nicira/ovn/_build/tests/ovstest+0x40b15d) 0x604000000bf8 is located 40 bytes inside of 48-byte region [0x604000000bd0,0x604000000c00) freed by thread T0 here: #0 0x7f9ff2b2085f in __interceptor_free (/lib64/libasan.so.5+0x10d85f) #1 0x763328 in ovn_extend_table_clear ../lib/extend-table.c:177 #2 0x7634b3 in ovn_extend_table_destroy ../lib/extend-table.c:196 #3 0x410cbb in test_parse_actions ../tests/test-ovn.c:1403 #4 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247 #5 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623 #6 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626 #7 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247 #8 0x409305 in main ../tests/ovstest.c:133 #9 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) previously allocated by thread T0 here: #0 0x7f9ff2b20c58 in __interceptor_malloc (/lib64/libasan.so.5+0x10dc58) #1 0x51a1b4 in xmalloc ../lib/util.c:138 #2 0x762959 in ovn_extend_table_add_desired_to_lflow ../lib/extend-table.c:107 #3 0x762959 in ovn_extend_info_add_lflow_ref ../lib/extend-table.c:150 #4 0x762959 in ovn_extend_info_add_lflow_ref ../lib/extend-table.c:138 #5 0x7648d6 in ovn_extend_table_assign_id ../lib/extend-table.c:326 #6 0x74384d in encode_CT_LB ../lib/actions.c:1085 #7 0x74384d in ovnact_encode ../lib/actions.c:3400 #8 0x74384d in ovnacts_encode ../lib/actions.c:3418 #9 0x4104fc in test_parse_actions ../tests/test-ovn.c:1342 #10 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247 #11 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623 #12 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626 #13 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247 #14 0x409305 in main ../tests/ovstest.c:133 #15 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) SUMMARY: AddressSanitizer: heap-use-after-free /home/bpfaff/nicira/ovs/include/openvswitch/list.h:215 in ovs_list_remove Shadow bytes around the buggy address: 0x0c087fff8120: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fff8130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fff8140: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fff8150: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c087fff8160: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd =>0x0c087fff8170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd[fd] 0x0c087fff8180: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c087fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1989915==ABORTING _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev