[
https://issues.apache.org/jira/browse/DISPATCH-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480653#comment-17480653
]
ASF GitHub Bot commented on DISPATCH-848:
-----------------------------------------
jiridanek commented on pull request #1052:
URL: https://github.com/apache/qpid-dispatch/pull/1052#issuecomment-1019505774
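This really is crazy. Consider what may happen when both the subscribe and
unsubscribe actions get discarded. In the trace below, `qdr_core_free` runs
`qdr_subscribe_CT` and then `qdr_unsubscribe_CT`, and each of them frees the
same 56-byte subscription that `qdr_core_subscribe` allocated: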
```
==218518==ERROR: AddressSanitizer: attempting double-free on 0x6060000227c0
in thread T3:
#0 0x14d6627 in free (/lib64/libasan.so.6+0xae627)
#1 0x6f32e6 in qdr_unsubscribe_CT
/home/jdanek/repos/qpid/qpid-dispatch/src/router_core/route_tables.c:691
#2 0x6c8fe7 in qdr_core_free
/home/jdanek/repos/qpid/qpid-dispatch/src/router_core/router_core.c:270
#3 0x7634f3 in qd_router_free
/home/jdanek/repos/qpid/qpid-dispatch/src/router_node.c:2165
#4 0x5906bd in qd_dispatch_free
/home/jdanek/repos/qpid/qpid-dispatch/src/dispatch.c:375
#5 0x869b8d in QDR::deinitialize(bool) const
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/./helpers.hpp:265
#6 0x858299 in
check_amqp_listener_startup_log_message(qd_server_config_t,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
>, std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >)
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:58
#7 0x85cd25 in operator()
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:129
#8 0x863eef in __invoke_impl<void, DOCTEST_ANON_FUNC_28()::<lambda()> >
/usr/include/c++/11/bits/invoke.h:61
#9 0x863cd7 in __invoke<DOCTEST_ANON_FUNC_28()::<lambda()> >
/usr/include/c++/11/bits/invoke.h:96
#10 0x8639de in _M_invoke<0> /usr/include/c++/11/bits/std_thread.h:253
#11 0x863817 in operator() /usr/include/c++/11/bits/std_thread.h:260
#12 0x863200 in _M_run /usr/include/c++/11/bits/std_thread.h:211
#13 0x7f0a01eac5c3 in execute_native_thread_routine
(/lib64/libstdc++.so.6+0xd95c3)
#14 0x440d10670a86 in start_thread (/lib64/libc.so.6+0x8da86)
#15 0x440d106f48d3 in __GI___clone (/lib64/libc.so.6+0x1118d3)
0x6060000227c0 is located 0 bytes inside of 56-byte region
[0x6060000227c0,0x6060000227f8)
freed by thread T3 here:
#0 0x14d6627 in free (/lib64/libasan.so.6+0xae627)
#1 0x6f26a9 in qdr_subscribe_CT
/home/jdanek/repos/qpid/qpid-dispatch/src/router_core/route_tables.c:675
#2 0x6c8fe7 in qdr_core_free
/home/jdanek/repos/qpid/qpid-dispatch/src/router_core/router_core.c:270
#3 0x7634f3 in qd_router_free
/home/jdanek/repos/qpid/qpid-dispatch/src/router_node.c:2165
#4 0x5906bd in qd_dispatch_free
/home/jdanek/repos/qpid/qpid-dispatch/src/dispatch.c:375
#5 0x869b8d in QDR::deinitialize(bool) const
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/./helpers.hpp:265
#6 0x858299 in
check_amqp_listener_startup_log_message(qd_server_config_t,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
>, std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >)
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:58
#7 0x85cd25 in operator()
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:129
#8 0x863eef in __invoke_impl<void, DOCTEST_ANON_FUNC_28()::<lambda()> >
/usr/include/c++/11/bits/invoke.h:61
#9 0x863cd7 in __invoke<DOCTEST_ANON_FUNC_28()::<lambda()> >
/usr/include/c++/11/bits/invoke.h:96
#10 0x8639de in _M_invoke<0> /usr/include/c++/11/bits/std_thread.h:253
#11 0x863817 in operator() /usr/include/c++/11/bits/std_thread.h:260
#12 0x863200 in _M_run /usr/include/c++/11/bits/std_thread.h:211
#13 0x7f0a01eac5c3 in execute_native_thread_routine
(/lib64/libstdc++.so.6+0xd95c3)
previously allocated by thread T3 here:
#0 0x14d691f in __interceptor_malloc (/lib64/libasan.so.6+0xae91f)
#1 0x6e68c3 in qd_malloc
/home/jdanek/repos/qpid/qpid-dispatch/include/qpid/dispatch/ctools.h:234
#2 0x6e752c in qdr_core_subscribe
/home/jdanek/repos/qpid/qpid-dispatch/src/router_core/route_tables.c:147
#3 0x609db3 in IoAdapter_init
/home/jdanek/repos/qpid/qpid-dispatch/src/python_embedded.c:726
#4 0x716250fdc15a in type_call (/lib64/libpython3.10d.so.1.0+0x1c415a)
#5 0x716250f48139 in _PyObject_MakeTpCall
(/lib64/libpython3.10d.so.1.0+0x130139)
#6 0x7162510b3aed in _PyObject_VectorcallTstate.lto_priv.26
(/lib64/libpython3.10d.so.1.0+0x29baed)
#7 0x7162510b3b69 in PyObject_Vectorcall.lto_priv.1
(/lib64/libpython3.10d.so.1.0+0x29bb69)
#8 0x7162510ceb04 in call_function
(/lib64/libpython3.10d.so.1.0+0x2b6b04)
#9 0x7162510c83dd in _PyEval_EvalFrameDefault
(/lib64/libpython3.10d.so.1.0+0x2b03dd)
#10 0x7162510b3e1d in _PyEval_EvalFrame.lto_priv.1
(/lib64/libpython3.10d.so.1.0+0x29be1d)
#11 0x7162510cc8b5 in _PyEval_Vector
(/lib64/libpython3.10d.so.1.0+0x2b48b5)
#12 0x716250f487df in _PyFunction_Vectorcall
(/lib64/libpython3.10d.so.1.0+0x1307df)
#13 0x7162510b3b09 in _PyObject_VectorcallTstate.lto_priv.26
(/lib64/libpython3.10d.so.1.0+0x29bb09)
#14 0x7162510b3b69 in PyObject_Vectorcall.lto_priv.1
(/lib64/libpython3.10d.so.1.0+0x29bb69)
#15 0x7162510ceb04 in call_function
(/lib64/libpython3.10d.so.1.0+0x2b6b04)
#16 0x7162510c8208 in _PyEval_EvalFrameDefault
(/lib64/libpython3.10d.so.1.0+0x2b0208)
#17 0x7162510b3e1d in _PyEval_EvalFrame.lto_priv.1
(/lib64/libpython3.10d.so.1.0+0x29be1d)
#18 0x7162510cc8b5 in _PyEval_Vector
(/lib64/libpython3.10d.so.1.0+0x2b48b5)
#19 0x716250f487df in _PyFunction_Vectorcall
(/lib64/libpython3.10d.so.1.0+0x1307df)
#20 0x716250f47737 in _PyObject_VectorcallTstate.lto_priv.5
(/lib64/libpython3.10d.so.1.0+0x12f737)
#21 0x716250f48dd1 in _PyObject_CallFunctionVa
(/lib64/libpython3.10d.so.1.0+0x130dd1)
#22 0x716250f48f49 in PyObject_CallFunction
(/lib64/libpython3.10d.so.1.0+0x130f49)
#23 0x58deb7 in qd_dispatch_load_config
/home/jdanek/repos/qpid/qpid-dispatch/src/dispatch.c:130
#24 0x8689d4 in QDR::initialize(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&)
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/./helpers.hpp:215
#25 0x857d9d in
check_amqp_listener_startup_log_message(qd_server_config_t,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
>, std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >)
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:44
#26 0x85cd25 in operator()
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:129
#27 0x863eef in __invoke_impl<void, DOCTEST_ANON_FUNC_28()::<lambda()> >
/usr/include/c++/11/bits/invoke.h:61
#28 0x863cd7 in __invoke<DOCTEST_ANON_FUNC_28()::<lambda()> >
/usr/include/c++/11/bits/invoke.h:96
#29 0x8639de in _M_invoke<0> /usr/include/c++/11/bits/std_thread.h:253
Thread T3 created by T0 here:
#0 0x147e866 in pthread_create (/lib64/libasan.so.6+0x56866)
#1 0x7f0a01eac698 in
std::thread::_M_start_thread(std::unique_ptr<std::thread::_State,
std::default_delete<std::thread::_State> >, void (*)())
(/lib64/libstdc++.so.6+0xd9698)
#2 0x85cfad in DOCTEST_ANON_FUNC_28
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:122
#3 0x7fe4a6 in doctest::Context::run()
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/doctest.h:6656
#4 0x801ba8 in main
/home/jdanek/repos/qpid/qpid-dispatch/tests/c_unittests/doctest.h:6741
#5 0x440d1061055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.6+0xae627) in free
==218518==ABORTING
```
> Direct leak of 48 byte(s) in 1 object(s) allocated from qdr_core_subscribe in
> router_core/route_tables.c:149
> ------------------------------------------------------------------------------------------------------------
>
> Key: DISPATCH-848
> URL: https://issues.apache.org/jira/browse/DISPATCH-848
> Project: Qpid Dispatch
> Issue Type: Bug
> Components: Tests
> Affects Versions: 1.1.0
> Environment: Git tip of Proton and Dispatch, commit hashes follow
> {noformat}
> commit aece4ad2f4e4eb2d141020c59c393a30a79f53a9 (upstream/master)
> Author: Andrew Stitcher <[email protected]>
> PROTON-1609: Fix C++ example flags
> {noformat}
> {noformat}
> commit 18c5f8d6293de4227c8c17ef08675cb4eaef689c (HEAD -> master,
> upstream/master)
> Author: Ganesh Murthy <[email protected]>
> NO-JIRA - Removed accidental printf inclusion
> {noformat}
> Reporter: Jiri Daněk
> Priority: Minor
> Labels: memory-bug
> Fix For: Backlog
>
> Attachments: LSan.supp
>
>
> Compile Proton and Dispatch with the Address Sanitizer option (cf.
> DISPATCH-809) and run ctest
> {noformat}
> # proton
> cmake .. -DBUILD_GO=OFF -DENABLE_SANITIZERS=ON
> -DCMAKE_INSTALL_PREFIX=../install_asan -DCMAKE_BUILD_TYPE=Release -GNinja
> {noformat}
> {noformat}
> # dispatch
> cmake .. -DUSE_SANITIZERS=ON
> -DProton_DIR=`pwd`/../../qpid-proton/install_asan/lib64/cmake/Proton/
> -DCMAKE_BUILD_TYPE=Release -GNinja
> LD_PRELOAD=/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so
> ASAN_OPTIONS=symbolize=1,color=always
> LSAN_OPTIONS=suppressions=`pwd`/../../qpid-proton/LSan.supp
> PYTHONPATH=`pwd`/../../qpid-proton/install_asan/lib64/proton/bindings/python
> LD_LIBRARY_PATH=`pwd`/../../qpid-proton/install_asan/lib64 ctest -VV
> {noformat}
> {noformat}
> [...]
> 9: Test Case parse_tree_tests.test_matches: PASS
> 9: Test Case parse_tree_tests.test_multiple_matches: PASS
> 9:
> 9: =================================================================
> 9: ==25904==ERROR: LeakSanitizer: detected memory leaks
> 9:
> 9: Direct leak of 48 byte(s) in 1 object(s) allocated from:
> 9: #0 0x7fb5442cb050 in __interceptor_malloc
> (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd9050)
> 9: #1 0x7fb543dd94fe in qdr_core_subscribe
> ../src/router_core/route_tables.c:149
> 9: #2 0x7fb543d89ff0 in IoAdapter_init ../src/python_embedded.c:548
> 9: #3 0x7fb542ba8ecd in type_call
> (/nix/store/1snk2wkpv97an87pk1842fgskl1vqhkr-python-2.7.14/lib/libpython2.7.so.1.0+0x9fecd)
> 9:
> 9: -----------------------------------------------------
> 9: Suppressions used:
> 9: count bytes template
> 9: 1310 2021760 dictresize
> 9: 204 188272 _PyObject_GC_Malloc
> 9: 45 39369 PyString_FromStringAndSize
> 9: 308 15056 list_resize
> 9: 11 9784 PyString_FromString
> 9: 2 1280 _PyObject_GC_Resize
> 9: 1035 24104 PyList_New
> 9: 14 672 s_init
> 9: 1 32 PyThread_allocate_lock
> 9: 11 11097 type_new
> 9: 3 3984 unicode_resize
> 9: 179 204712 _PyUnicode_New.part.8
> 9: 11 8028 PyObject_Realloc
> 9: 37 120 _ctypes_alloc_format_string
> 9: 3 24576 set_table_resize
> 9: -----------------------------------------------------
> 9:
> 9: SUMMARY: AddressSanitizer: 48 byte(s) leaked in 1 allocation(s).
> 9/36 Test #9: unit_tests ................................***Failed 0.21
> sec
> {noformat}
> The relevant functions are
> {code}
> static int IoAdapter_init(IoAdapter *self, PyObject *args, PyObject *kwds)
> {
> PyObject *addr;
> char aclass = 'L';
> char phase = '0';
> int treatment = QD_TREATMENT_ANYCAST_CLOSEST;
> if (!PyArg_ParseTuple(args, "OO|cci", &self->handler, &addr, &aclass,
> &phase, &treatment))
> return -1;
> if (!PyCallable_Check(self->handler)) {
> PyErr_SetString(PyExc_TypeError, "IoAdapter.__init__ handler is not
> callable");
> return -1;
> }
> if (treatment == QD_TREATMENT_ANYCAST_BALANCED) {
> PyErr_SetString(PyExc_TypeError, "IoAdapter: ANYCAST_BALANCED is not
> supported for in-process subscriptions");
> return -1;
> }
> Py_INCREF(self->handler);
> self->qd = dispatch;
> self->core = qd_router_core(self->qd);
> const char *address = PyString_AsString(addr);
> if (!address) return -1;
> qd_error_clear();
> self->sub = qdr_core_subscribe(self->core, address, aclass, phase,
> treatment, qd_io_rx_handler, self);
> if (qd_error_code()) {
> PyErr_SetString(PyExc_RuntimeError, qd_error_message());
> return -1;
> }
> return 0;
> }
> {code}
> {code}
> static void IoAdapter_dealloc(IoAdapter* self)
> {
> qdr_core_unsubscribe(self->sub);
> Py_DECREF(self->handler);
> self->ob_type->tp_free((PyObject*)self);
> }
> {code}
> {code}
> static PyTypeObject IoAdapterType = {
> PyObject_HEAD_INIT(0)
> 0, /* ob_size*/
> DISPATCH_MODULE ".IoAdapter", /* tp_name*/
> sizeof(IoAdapter), /* tp_basicsize*/
> 0, /* tp_itemsize*/
> (destructor)IoAdapter_dealloc, /* tp_dealloc*/
> 0, /* tp_print*/
> 0, /* tp_getattr*/
> 0, /* tp_setattr*/
> 0, /* tp_compare*/
> 0, /* tp_repr*/
> 0, /* tp_as_number*/
> 0, /* tp_as_sequence*/
> 0, /* tp_as_mapping*/
> 0, /* tp_hash */
> 0, /* tp_call*/
> 0, /* tp_str*/
> 0, /* tp_getattro*/
> 0, /* tp_setattro*/
> 0, /* tp_as_buffer*/
> Py_TPFLAGS_DEFAULT, /* tp_flags*/
> "Dispatch IO Adapter", /* tp_doc */
> 0, /* tp_traverse */
> 0, /* tp_clear */
> 0, /* tp_richcompare */
> 0, /* tp_weaklistoffset */
> 0, /* tp_iter */
> 0, /* tp_iternext */
> IoAdapter_methods, /* tp_methods */
> 0, /* tp_members */
> 0, /* tp_getset */
> 0, /* tp_base */
> 0, /* tp_dict */
> 0, /* tp_descr_get */
> 0, /* tp_descr_set */
> 0, /* tp_dictoffset */
> (initproc)IoAdapter_init, /* tp_init */
> 0, /* tp_alloc */
> 0, /* tp_new */
> 0, /* tp_free */
> 0, /* tp_is_gc */
> 0, /* tp_bases */
> 0, /* tp_mro */
> 0, /* tp_cache */
> 0, /* tp_subclasses */
> 0, /* tp_weaklist */
> 0, /* tp_del */
> 0 /* tp_version_tag */
> };
> {code}
> I believe that there is indeed nothing that would free the {{sub}} field in
> {{IoAdapter}}.
> Depending on how this is triaged (real issue or not, I am myself a bit unsure
> about freeing memory in relation to Python) I may have more reports coming.