[
https://issues.apache.org/jira/browse/TS-4975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bryan Call updated TS-4975:
---------------------------
Affects Version/s: 7.0.0
> ATS crashing when taking it out of rotation
> -------------------------------------------
>
> Key: TS-4975
> URL: https://issues.apache.org/jira/browse/TS-4975
> Project: Traffic Server
> Issue Type: Bug
> Affects Versions: 7.0.0
> Reporter: Bryan Call
>
> ATS crashing when setting keep-alive to 0 and http2 inactive timeout to 10.
> {noformat}
> =================================================================
> ==64589==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x6180062bcf98 at pc 0x000000723b51 bp 0x2ab58616d520 sp 0x2ab58616d518
> WRITE of size 8 at 0x6180062bcf98 thread T29 ([ET_NET 27])
> #0 0x723b50 in Http1ClientTransaction::transaction_done()
> ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:70
> #1 0x775452 in HttpSM::kill_this()
> ../../../trafficserver/proxy/http/HttpSM.cc:6798
> #2 0x74f808 in HttpSM::main_handler(int, void*)
> ../../../trafficserver/proxy/http/HttpSM.cc:2674
> #3 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #4 0x8211fd in HttpTunnel::main_handler(int, void*)
> ../../../trafficserver/proxy/http/HttpTunnel.cc:1662
> #5 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #6 0xae565d in write_signal_and_update
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:179
> #7 0xae5aae in write_signal_done
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:221
> #8 0xae7b31 in write_to_net_io(NetHandler*, UnixNetVConnection*,
> EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:552
> #9 0xae6d92 in write_to_net(NetHandler*, UnixNetVConnection*, EThread*)
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:419
> #10 0xad210c in NetHandler::mainNetEvent(int, Event*)
> ../../../trafficserver/iocore/net/UnixNet.cc:542
> #11 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #12 0xb310f2 in EThread::process_event(Event*, int)
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
> #13 0xb31d85 in EThread::execute()
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
> #14 0xb2fb6b in spawn_thread_internal
> ../../../trafficserver/iocore/eventsystem/Thread.cc:84
> #15 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
> #16 0x32ef2e893c in clone (/lib64/libc.so.6+0x32ef2e893c)
> 0x6180062bcf98 is located 792 bytes inside of 880-byte region
> [0x6180062bcc80,0x6180062bcff0)
> freed by thread T29 ([ET_NET 27]) here:
> #0 0x5835ea in __interceptor_free (/home/y/bin64/traffic_server+0x5835ea)
> #1 0x2ab57bd5a154 in ats_memalign_free
> ../../../trafficserver/lib/ts/ink_memory.cc:141
> #2 0x2ab57bd5bfc3 in malloc_bulkfree
> ../../../trafficserver/lib/ts/ink_queue.cc:384
> #3 0x2ab57bd5bc94 in ink_freelist_free_bulk
> ../../../trafficserver/lib/ts/ink_queue.cc:326
> #4 0x723343 in
> ClassAllocator<Http1ClientSession>::free_bulk(Http1ClientSession*,
> Http1ClientSession*, unsigned long)
> ../../../trafficserver/lib/ts/Allocator.h:148
> #5 0x723266 in void
> thread_freeup<Http1ClientSession>(ClassAllocator<Http1ClientSession>&,
> ProxyAllocator&) (/home/y/bin64/traffic_server+0x723266)
> #6 0x71e016 in Http1ClientSession::free()
> ../../../trafficserver/proxy/http/Http1ClientSession.cc:125
> #7 0x67e16c in ProxyClientSession::handle_api_return(int)
> ../../trafficserver/proxy/ProxyClientSession.cc:206
> #8 0x67dcfc in ProxyClientSession::do_api_callout(TSHttpHookID)
> ../../trafficserver/proxy/ProxyClientSession.cc:177
> #9 0x71dc3b in Http1ClientSession::destroy()
> ../../../trafficserver/proxy/http/Http1ClientSession.cc:94
> #10 0x723b2b in Http1ClientTransaction::transaction_done()
> ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:69
> #11 0x775452 in HttpSM::kill_this()
> ../../../trafficserver/proxy/http/HttpSM.cc:6798
> #12 0x74f808 in HttpSM::main_handler(int, void*)
> ../../../trafficserver/proxy/http/HttpSM.cc:2674
> #13 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #14 0x8211fd in HttpTunnel::main_handler(int, void*)
> ../../../trafficserver/proxy/http/HttpTunnel.cc:1662
> #15 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #16 0xae565d in write_signal_and_update
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:179
> #17 0xae5aae in write_signal_done
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:221
> #18 0xae7b31 in write_to_net_io(NetHandler*, UnixNetVConnection*,
> EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:552
> #19 0xae6d92 in write_to_net(NetHandler*, UnixNetVConnection*, EThread*)
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:419
> #20 0xad210c in NetHandler::mainNetEvent(int, Event*)
> ../../../trafficserver/iocore/net/UnixNet.cc:542
> #21 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #22 0xb310f2 in EThread::process_event(Event*, int)
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
> #23 0xb31d85 in EThread::execute()
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
> #24 0xb2fb6b in spawn_thread_internal
> ../../../trafficserver/iocore/eventsystem/Thread.cc:84
> #25 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
> previously allocated by thread T29 ([ET_NET 27]) here:
> #0 0x5841ce in __interceptor_posix_memalign
> (/home/y/bin64/traffic_server+0x5841ce)
> #1 0x2ab57bd59fd4 in ats_memalign
> ../../../trafficserver/lib/ts/ink_memory.cc:102
> #2 0x2ab57bd5b873 in malloc_new
> ../../../trafficserver/lib/ts/ink_queue.cc:258
> #3 0x2ab57bd5b275 in ink_freelist_new
> ../../../trafficserver/lib/ts/ink_queue.cc:183
> #4 0x7134c9 in ClassAllocator<Http1ClientSession>::alloc()
> ../../../trafficserver/lib/ts/Allocator.h:121
> #5 0x71348a in Http1ClientSession*
> thread_alloc_init<Http1ClientSession>(ClassAllocator<Http1ClientSession>&,
> ProxyAllocator&)
> ../../../trafficserver/iocore/eventsystem/I_ProxyAllocator.h:73
> #6 0x712af4 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*,
> IOBufferReader*) ../../../trafficserver/proxy/http/HttpSessionAccept.cc:61
> #7 0x67ca24 in ProtocolProbeTrampoline::ioCompletionEvent(int, void*)
> ../../trafficserver/proxy/ProtocolProbeSessionAccept.cc:107
> #8 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #9 0xae51c1 in read_signal_and_update
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:148
> #10 0xaeb98b in UnixNetVConnection::readSignalAndUpdate(int)
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:1030
> #11 0xaab411 in SSLNetVConnection::net_read_io(NetHandler*, EThread*)
> ../../../trafficserver/iocore/net/SSLNetVConnection.cc:585
> #12 0xad1e7b in NetHandler::mainNetEvent(int, Event*)
> ../../../trafficserver/iocore/net/UnixNet.cc:525
> #13 0x5ef2b4 in Continuation::handleEvent(int, void*)
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
> #14 0xb310f2 in EThread::process_event(Event*, int)
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
> #15 0xb31d85 in EThread::execute()
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
> #16 0xb2fb6b in spawn_thread_internal
> ../../../trafficserver/iocore/eventsystem/Thread.cc:84
> #17 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
> Thread T29 ([ET_NET 27]) created by T0 ([TS_MAIN]) here:
> #0 0x5257f4 in pthread_create (/home/y/bin64/traffic_server+0x5257f4)
> #1 0xb2f6f6 in ink_thread_create
> ../../../trafficserver/lib/ts/ink_thread.h:152
> #2 0xb2fc95 in Thread::start(char const*, unsigned long, void*
> (*)(void*), void*, void*)
> ../../../trafficserver/iocore/eventsystem/Thread.cc:99
> #3 0xb35515 in EventProcessor::start(int, unsigned long)
> ../../../trafficserver/iocore/eventsystem/UnixEventProcessor.cc:240
> #4 0x6501f2 in main ../../trafficserver/proxy/Main.cc:1715
> #5 0x32ef21ed5c in __libc_start_main (/lib64/libc.so.6+0x32ef21ed5c)
> SUMMARY: AddressSanitizer: heap-use-after-free
> ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:70
> Http1ClientTransaction::transaction_done()
> Shadow bytes around the buggy address:
> 0x0c3080c4f9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c3080c4f9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c3080c4f9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c3080c4f9d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c3080c4f9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c3080c4f9f0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa fa
> 0x0c3080c4fa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c3080c4fa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c3080c4fa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c3080c4fa30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c3080c4fa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> ==64589==ABORTING
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
