On Thu, Jul 18, 2019 at 07:00:37AM +0200, Philippe Mathieu-Daudé wrote:
> Cc'ing qemu-block@
>
> On 7/18/19 5:25 AM, no-re...@patchew.org wrote:
> > Patchew URL:
> > https://patchew.org/QEMU/20190717094728.31006-1-pbonz...@redhat.com/
> [...]
> time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1
> [...]
> > PASS 18 test-bdrv-drain /bdrv-drain/iothread/drain_all
> > =================================================================
> > ==8106==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200002c7f0 at pc 0x5622ea95c8b6 bp 0x7f174fdb8680 sp 0x7f174fdb8678
> > WRITE of size 1 at 0x61200002c7f0 thread T9
> > ==8108==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
> >     #0 0x5622ea95c8b5 in aio_notify /tmp/qemu-test/src/util/async.c:351:9
The 1-byte write is probably atomic_mb_set(&ctx->notified, true) on a
freed AioContext:

000000000073b580 <aio_notify>:
  73b580:       0f ae f0                mfence
  73b583:       8b 87 98 00 00 00       mov    0x98(%rdi),%eax
  73b589:       85 c0                   test   %eax,%eax
  73b58b:       75 03                   jne    73b590 <aio_notify+0x10>
  73b58d:       c3                      retq
  73b58e:       66 90                   xchg   %ax,%ax
  73b590:       53                      push   %rbx
  73b591:       48 89 fb                mov    %rdi,%rbx
  73b594:       48 8d bf ac 00 00 00    lea    0xac(%rdi),%rdi
  73b59b:       e8 40 40 00 00          callq  73f5e0 <event_notifier_set>
  73b5a0:       b8 01 00 00 00          mov    $0x1,%eax
*** 73b5a5:     86 83 a8 00 00 00       xchg   %al,0xa8(%rbx) ***
  73b5ab:       5b                      pop    %rbx
  73b5ac:       c3                      retq

I'll take a closer look and try to reproduce this.

Stefan
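To check the inference in the mail above against the listing, here is an added example (not QEMU code and not part of Stefan's message): a hypothetical struct padded so its fields land at the three offsets the disassembly touches (0x98 tested, 0xac passed to the callee, 0xa8 written with a 1-byte xchg), plus a reconstruction of the function body. The field name `notify_me`, the `Fake*` names and the padding are assumptions; only `notified` is named on the page.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical layout (not QEMU's AioContext): padded so the fields land at
 * the offsets the disassembly touches. */
typedef struct {
    uint8_t pad0[0x98];
    int32_t notify_me;            /* mov 0x98(%rdi),%eax ; test %eax,%eax */
    uint8_t pad1[0xa8 - 0x9c];
    bool    notified;             /* xchg %al,0xa8(%rbx): the 1-byte store */
    uint8_t pad2[0xac - 0xa9];
    int     notifier;             /* lea 0xac(%rdi),%rdi -> event_notifier_set */
} FakeAioContext;

_Static_assert(offsetof(FakeAioContext, notify_me) == 0x98, "notify_me @0x98");
_Static_assert(offsetof(FakeAioContext, notified) == 0xa8, "notified @0xa8");
_Static_assert(sizeof(((FakeAioContext *)0)->notified) == 1, "WRITE of size 1");
_Static_assert(offsetof(FakeAioContext, notifier) == 0xac, "notifier @0xac");

/* Stand-in for event_notifier_set(): just records the call. */
static void fake_event_notifier_set(int *n) { (*n)++; }

/* Reconstruction of what the listing does: mfence, load-and-test of the
 * field at 0x98, the call, then a seq-cst exchange of 1 into the byte at
 * 0xa8 (x86 compilers emit xchg for a seq-cst store, matching the listing). */
static void fake_aio_notify(FakeAioContext *ctx)
{
    atomic_thread_fence(memory_order_seq_cst);                   /* mfence */
    if (ctx->notify_me) {
        fake_event_notifier_set(&ctx->notifier);                 /* callq */
        __atomic_exchange_n(&ctx->notified, true, __ATOMIC_SEQ_CST); /* xchg */
    }
}

/* Run the function on a live context and report what it stored; moving the
 * free() above the call is exactly the heap-use-after-free ASan flagged. */
static bool notify_sets_flag(int32_t notify_me)
{
    FakeAioContext *ctx = calloc(1, sizeof(*ctx));
    if (!ctx) return false;
    ctx->notify_me = notify_me;
    fake_aio_notify(ctx);
    bool result = ctx->notified;
    free(ctx);
    return result;
}

static size_t notified_offset(void) { return offsetof(FakeAioContext, notified); }
```

Building with -fsanitize=address and calling fake_aio_notify() after the free() yields the same "WRITE of size 1" report on the xchg store, which is the quickest way to confirm which field a report like the one quoted refers to.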