[ https://issues.apache.org/jira/browse/PROTON-2477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ganesh Murthy updated PROTON-2477:
----------------------------------
Description:
qpid-dispatch GitHub Actions CI has hit this ASAN issue a couple of times since
enabling use of the latest proton-c/main in our CI tests (see attached).
It appears to show a pconnection being freed at the end of batch processing, then
accessing that freed pconnection while waiting for the next event.
[https://github.com/apache/qpid-dispatch/runs/4513058827?check_suite_focus=true#step:9:7347]
{noformat}
==4956==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000171412 at pc 0x7f7144626f6d bp 0x7ffe23b9a600 sp 0x7ffe23b9a5f0
63: E READ of size 1 at 0x616000171412 thread T0
63: E #0 0x7f7144626f6c in next_runnable ../c/src/proactor/epoll.c:2403
63: E #1 0x7f7144627e53 in next_event_batch ../c/src/proactor/epoll.c:2456
63: E #2 0x7f714462d11a in pn_proactor_wait ../c/src/proactor/epoll.c:2715
63: E #3 0x556f559f860e in thread_run ../src/server.c:1118
63: E #4 0x556f55a001cf in qd_server_run ../src/server.c:1527
63: E #5 0x556f55a5b7ea in main_process ../router/src/main.c:115
63: E #6 0x556f55a5d7ee in main ../router/src/main.c:369
63: E #7 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
63: E #8 0x556f5571574d in _start (/home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/build/router/qdrouterd+0x56874d)
63: E
63: E 0x616000171412 is located 146 bytes inside of 576-byte region [0x616000171380,0x6160001715c0)
63: E freed by thread T0 here:
63: E #0 0x7f71447f07cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
63: E #1 0x7f714460d565 in pconnection_final_free ../c/src/proactor/epoll.c:832
63: E #2 0x7f714460d8bc in pconnection_cleanup ../c/src/proactor/epoll.c:848
63: E #3 0x7f71446104ab in pconnection_done ../c/src/proactor/epoll.c:1048
63: E #4 0x7f714462d20e in pn_proactor_done ../c/src/proactor/epoll.c:2725
63: E #5 0x556f559f88b5 in thread_run ../src/server.c:1151
63: E #6 0x556f55a001cf in qd_server_run ../src/server.c:1527
63: E #7 0x556f55a5b7ea in main_process ../router/src/main.c:115
63: E #8 0x556f55a5d7ee in main ../router/src/main.c:369
63: E #9 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
63: E
63: E previously allocated by thread T2 here:
63: E #0 0x7f71447f0bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
63: E #1 0x7f714461dbda in pn_listener_accept2 ../c/src/proactor/epoll.c:1883
63: E #2 0x7f7144638bd3 in pn_listener_accept ../c/src/proactor/proactor-internal.c:94
63: E #3 0x556f559efbe1 in on_accept ../src/server.c:622
63: E #4 0x556f559f44fc in handle_listener ../src/server.c:865
63: E #5 0x556f559f3d83 in handle_event_with_context ../src/server.c:814
63: E #6 0x556f559f3e0a in do_handle_listener ../src/server.c:825
63: E #7 0x556f559f6a2f in handle ../src/server.c:1024
63: E #8 0x556f559f86b1 in thread_run ../src/server.c:1133
63: E #9 0x556f55871fbb in _thread_init ../src/posix/threading.c:172
63: E #10 0x7f7144183608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
63: E
63: E Thread T2 created by T0 here:
63: E #0 0x7f714471d805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
63: E #1 0x556f5587212a in sys_thread ../src/posix/threading.c:181
63: E #2 0x556f55a00137 in qd_server_run ../src/server.c:1525
63: E #3 0x556f55a5b7ea in main_process ../router/src/main.c:115
63: E #4 0x556f55a5d7ee in main ../router/src/main.c:369
63: E #5 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
63: E
63: E SUMMARY: AddressSanitizer: heap-use-after-free ../c/src/proactor/epoll.c:2403 in next_runnable
63: E Shadow bytes around the buggy address:
63: E 0x0c2c80026230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
63: E 0x0c2c80026240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
63: E 0x0c2c80026250: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
63: E 0x0c2c80026260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
63: E 0x0c2c80026270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
63: E =>0x0c2c80026280: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
63: E 0x0c2c80026290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
63: E 0x0c2c800262a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
63: E 0x0c2c800262b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
63: E 0x0c2c800262c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
63: E 0x0c2c800262d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
63: E Shadow byte legend (one shadow byte represents 8 application bytes):
{noformat}
was:
qpid-dispatch GitHub Actions CI has hit this ASAN issue a couple of times since
enabling use of the latest proton-c/main in our CI tests (see attached).
It appears to show a pconnection being freed at the end of batch processing, then
accessing that freed pconnection while waiting for the next event.
https://github.com/apache/qpid-dispatch/runs/4513058827?check_suite_focus=true#step:9:7347
> ASAN use-after-free of proactor pconnection
> -------------------------------------------
>
> Key: PROTON-2477
> URL: https://issues.apache.org/jira/browse/PROTON-2477
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Reporter: Ken Giusti
> Assignee: Clifford Jansen
> Priority: Major
> Attachments: ASAN.txt
>
>
--
This message was sent by Atlassian Jira (v8.20.1#820001)