Cody Maloney created MESOS-2417:
-----------------------------------
Summary: Memory use after free with process::finalize()
Key: MESOS-2417
URL: https://issues.apache.org/jira/browse/MESOS-2417
Project: Mesos
Issue Type: Bug
Components: libprocess
Environment: ArchLinux building Mesos with
[AddressSanitizer|http://clang.llvm.org/docs/AddressSanitizer.html]
CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O2" CC=clang
CXX=clang++ ../configure --disable-python --enable-silent-rules --disable-java
Reporter: Cody Maloney
Priority: Minor
Below gives the three relevant stacks (a dump from AddressSanitizer). First
stack is the clock being triggered, referencing process_manager after
it has been deleted by the second stack in the printing. The final stack
printed is the initial allocation.
==30852==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000009b7c
at pc 0x000000e5a2c8 bp 0x7f8a247f7640 sp 0x7f8a247f7638
READ of size 1 at 0x611000009b7c thread T9
#0 0xe5a2c7 in Synchronizable::acquire()
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:36:9
#1 0xe5a2c7 in Synchronized::Synchronized(Synchronizable*)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:77
#2 0xe5a2c7 in process::ProcessManager::use(process::UPID const&)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:1940
#3 0xe80515 in process::ProcessManager::deliver(process::UPID const&,
process::Event*, process::ProcessBase*)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:2114:35
#4 0xe8d5fc in process::internal::dispatch(process::UPID const&,
std::shared_ptr<std::function<void (process::ProcessBase*)> > const&,
Option<std::type_info const*> const&)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:3034:3
#5 0xf2ec76 in void
process::dispatch<process::ReaperProcess>(process::PID<process::ReaperProcess>
const&, void (process::ReaperProcess::*)())
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/include/process/c++11/dispatch.hpp:81:3
#6 0xe59dd8 in std::function<void ()>::operator()() const
/usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
#7 0xe59dd8 in process::Timer::operator()() const
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/include/process/timer.hpp:30
#8 0xe59dd8 in process::timedout(std::list<process::Timer,
std::allocator<process::Timer> > const&)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:676
#9 0xd72a88 in std::function<void (std::list<process::Timer,
std::allocator<process::Timer> > const&)>::operator()(std::list<process::Timer,
std::allocator<process::Timer> > const&) const
/usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
#10 0xd72a88 in process::clock::tick(process::Time const&)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/clock.cpp:171
#11 0xf5b81c in std::function<void ()>::operator()() const
/usr/bin/../lib64/gcc/x86_64-unknown-linux-gnu/4.9.2/../../../../include/c++/4.9.2/functional:2439:14
#12 0xf5b81c in process::internal::handle_delay(ev_loop*, ev_timer*, int)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/libev.cpp:65
#13 0xfe6e34 in ev_invoke_pending
/home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.c:2994:11
#14 0xfe79b2 in ev_run
/home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.c:3394:7
#15 0xf5c625 in ev_loop(ev_loop*, int)
/home/cody/projects/mesos/build/3rdparty/libprocess/3rdparty/libev-4.15/ev.h:826:50
#16 0xf5c625 in process::EventLoop::run(void*)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/libev.cpp:121
#17 0x7f8a31be7373 in start_thread (/usr/lib/libpthread.so.0+0x7373)
#18 0x7f8a3019f27c in __clone (/usr/lib/libc.so.6+0xe827c)
0x611000009b7c is located 60 bytes inside of 224-byte region
[0x611000009b40,0x611000009c20)
freed by thread T0 here:
#0 0x55a78b in operator delete(void*)
(/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a78b)
#1 0x76ef1e in main
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:40:3
#2 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
previously allocated by thread T0 here:
#0 0x55a24b in operator new(unsigned long)
(/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a24b)
#1 0xe5b911 in process::initialize(std::string const&)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:781:3
#2 0x76ed33 in main
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:21:3
#3 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
Thread T9 created by T0 here:
#0 0x5a971f in pthread_create
(/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x5a971f)
#1 0xe5ba89 in process::initialize(std::string const&)
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:823:7
#2 0x76ed33 in main
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:21:3
#3 0x7f8a300d77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:36
Synchronizable::acquire()
Shadow bytes around the buggy address:
0x0c227fff9310: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c227fff9320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff9330: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff9350: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c227fff9360: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
0x0c227fff9370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff9380: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff93a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff93b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
ASan internal: fe
==30852==ABORTING
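As an added triage helper (not part of this issue, of libprocess or of Mesos), the following Python parses the report above and cross-checks it: it pulls the faulting address, access type and size, the freed region's bounds and the three stacks, then recomputes the shadow address from the application address and confirms that the byte ASan marked with `[fd]` really is the one the default x86_64 mapping (`shadow = (addr >> 3) + 0x7fff8000`, assumed here from the x86_64 toolchain paths in the report) points at. The embedded sample is the report from this issue with the `__libc_start_main` frames trimmed and each frame re-joined onto one line.

```python
"""Triage helper for an AddressSanitizer heap-use-after-free report (added example)."""
import re

SHADOW_OFFSET = 0x7FFF8000      # assumed: default x86_64 Linux shadow offset
SHADOW_GRANULARITY = 8          # one shadow byte covers 8 application bytes

# Legend as printed at the end of the report.
SHADOW_LEGEND = {
    "00": "Addressable", "fa": "Heap left redzone", "fb": "Heap right redzone",
    "fd": "Freed heap region", "f1": "Stack left redzone", "f2": "Stack mid redzone",
    "f3": "Stack right redzone", "f4": "Stack partial redzone", "f5": "Stack after return",
    "f8": "Stack use after scope", "f9": "Global redzone", "f6": "Global init order",
    "f7": "Poisoned by user", "fc": "Container overflow", "fe": "ASan internal",
}

# Sample input: the MESOS-2417 report, trimmed to the frames the parser needs.
REPORT = """\
==30852==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000009b7c at pc 0x000000e5a2c8 bp 0x7f8a247f7640 sp 0x7f8a247f7638
READ of size 1 at 0x611000009b7c thread T9
    #0 0xe5a2c7 in Synchronizable::acquire() /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:36:9
    #1 0xe5a2c7 in Synchronized::Synchronized(Synchronizable*) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/synchronized.hpp:77
    #2 0xe5a2c7 in process::ProcessManager::use(process::UPID const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:1940
0x611000009b7c is located 60 bytes inside of 224-byte region [0x611000009b40,0x611000009c20)
freed by thread T0 here:
    #0 0x55a78b in operator delete(void*) (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a78b)
    #1 0x76ef1e in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:40:3
previously allocated by thread T0 here:
    #0 0x55a24b in operator new(unsigned long) (/home/cody/projects/mesos/build/3rdparty/libprocess/tests+0x55a24b)
    #1 0xe5b911 in process::initialize(std::string const&) /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/process.cpp:781:3
    #2 0x76ed33 in main /home/cody/projects/mesos/build/3rdparty/libprocess/../../../3rdparty/libprocess/src/tests/main.cpp:21:3
Shadow bytes around the buggy address:
  0x0c227fff9350: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c227fff9360: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c227fff9370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)", re.M)
REGION_RE = re.compile(r"is located (?P<offset>\d+) bytes inside of (?P<size>\d+)-byte region "
                       r"\[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.M)
SHADOW_ROW_RE = re.compile(r"^(?:=>|\s+)0x(?P<base>[0-9a-f]+):(?P<bytes>.*)$", re.M)


def shadow_address(addr):
    """Application address -> shadow byte address under the default mapping."""
    return (addr >> 3) + SHADOW_OFFSET


def parse_frames(text):
    """Return [(frame number, function, location)] for every '#n' line in text."""
    return [(int(m.group("n")), m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(text)]


def parse_shadow(text):
    """Map each printed shadow row base -> list of (byte, marked-with-brackets)."""
    rows = {}
    for m in SHADOW_ROW_RE.finditer(text):
        cells = [(c.group(2), c.group(1) == "[")
                 for c in re.finditer(r"(\[?)([0-9a-f]{2})(\]?)", m.group("bytes"))]
        rows[int(m.group("base"), 16)] = cells
    return rows


def triage(report):
    """Extract the facts a triager wants and check them for internal consistency."""
    hdr, acc, reg = HEADER_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (hdr and acc and reg):
        raise ValueError("not a heap-use-after-free report with a region line")
    addr = int(hdr.group("addr"), 16)
    lo, hi = int(reg.group("lo"), 16), int(reg.group("hi"), 16)
    offset, size = int(reg.group("offset")), int(reg.group("size"))

    i_free = report.index("freed by thread")
    i_alloc = report.index("previously allocated by thread")
    i_shadow = report.index("Shadow bytes around")

    saddr = shadow_address(addr)
    rows = parse_shadow(report[i_shadow:])
    cell = rows.get(saddr & ~0xF, [None] * 16)[saddr & 0xF]   # each row prints 16 shadow bytes
    byte, marked = cell if cell else (None, False)

    return {
        "kind": hdr.group("kind"), "addr": addr,
        "access": acc.group("access"), "size": int(acc.group("size")), "thread": acc.group("thread"),
        "region": (lo, hi), "offset": offset,
        # The region line must agree with itself and with the faulting address.
        "region_consistent": (hi - lo == size) and (addr - lo == offset),
        "shadow_addr": saddr, "shadow_byte": byte, "shadow_marked": marked,
        "shadow_meaning": SHADOW_LEGEND.get(byte, "unknown"),
        "access_stack": parse_frames(report[:i_free]),
        "free_stack": parse_frames(report[i_free:i_alloc]),
        "alloc_stack": parse_frames(report[i_alloc:i_shadow]),
    }


if __name__ == "__main__":
    r = triage(REPORT)
    print(f"{r['kind']}: {r['access']} of {r['size']} byte(s) at {r['addr']:#x} on {r['thread']}")
    print(f"  {r['offset']} bytes into freed region {r['region'][0]:#x}..{r['region'][1]:#x}"
          f" (consistent={r['region_consistent']})")
    print(f"  shadow {r['shadow_addr']:#x} = {r['shadow_byte']} ({r['shadow_meaning']}), marked={r['shadow_marked']}")
    print(f"  freed at {r['free_stack'][1][2]}, allocated at {r['alloc_stack'][1][2]}")
```

Frame `#0` of the free and allocation stacks is the allocator itself, so the script reports frame `#1` as the interesting site: the `delete` at `tests/main.cpp:40` versus the `new` in `process::initialize()`, which together with the `T9` access stack is the ordering problem the issue describes.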