[ https://issues.apache.org/jira/browse/TS-4975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-4975:
------------------------------
    Fix Version/s: 7.1.0

> ATS crashing when taking it out of rotation
> -------------------------------------------
>
>                 Key: TS-4975
>                 URL: https://issues.apache.org/jira/browse/TS-4975
>             Project: Traffic Server
>          Issue Type: Bug
>    Affects Versions: 7.0.0
>            Reporter: Bryan Call
>             Fix For: 7.1.0
>
>
> ATS crashing when setting keep-alive to 0 and http2 inactive timeout to 10.
> {noformat}
> =================================================================
> ==64589==ERROR: AddressSanitizer: heap-use-after-free on address 
> 0x6180062bcf98 at pc 0x000000723b51 bp 0x2ab58616d520 sp 0x2ab58616d518
> WRITE of size 8 at 0x6180062bcf98 thread T29 ([ET_NET 27])
>     #0 0x723b50 in Http1ClientTransaction::transaction_done() 
> ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:70
>     #1 0x775452 in HttpSM::kill_this() 
> ../../../trafficserver/proxy/http/HttpSM.cc:6798
>     #2 0x74f808 in HttpSM::main_handler(int, void*) 
> ../../../trafficserver/proxy/http/HttpSM.cc:2674
>     #3 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #4 0x8211fd in HttpTunnel::main_handler(int, void*) 
> ../../../trafficserver/proxy/http/HttpTunnel.cc:1662
>     #5 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #6 0xae565d in write_signal_and_update 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:179
>     #7 0xae5aae in write_signal_done 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:221
>     #8 0xae7b31 in write_to_net_io(NetHandler*, UnixNetVConnection*, 
> EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:552
>     #9 0xae6d92 in write_to_net(NetHandler*, UnixNetVConnection*, EThread*) 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:419
>     #10 0xad210c in NetHandler::mainNetEvent(int, Event*) 
> ../../../trafficserver/iocore/net/UnixNet.cc:542
>     #11 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #12 0xb310f2 in EThread::process_event(Event*, int) 
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
>     #13 0xb31d85 in EThread::execute() 
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
>     #14 0xb2fb6b in spawn_thread_internal 
> ../../../trafficserver/iocore/eventsystem/Thread.cc:84
>     #15 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
>     #16 0x32ef2e893c in clone (/lib64/libc.so.6+0x32ef2e893c)
> 0x6180062bcf98 is located 792 bytes inside of 880-byte region 
> [0x6180062bcc80,0x6180062bcff0)
> freed by thread T29 ([ET_NET 27]) here:
>     #0 0x5835ea in __interceptor_free (/home/y/bin64/traffic_server+0x5835ea)
>     #1 0x2ab57bd5a154 in ats_memalign_free 
> ../../../trafficserver/lib/ts/ink_memory.cc:141
>     #2 0x2ab57bd5bfc3 in malloc_bulkfree 
> ../../../trafficserver/lib/ts/ink_queue.cc:384
>     #3 0x2ab57bd5bc94 in ink_freelist_free_bulk 
> ../../../trafficserver/lib/ts/ink_queue.cc:326
>     #4 0x723343 in 
> ClassAllocator<Http1ClientSession>::free_bulk(Http1ClientSession*, 
> Http1ClientSession*, unsigned long) 
> ../../../trafficserver/lib/ts/Allocator.h:148
>     #5 0x723266 in void 
> thread_freeup<Http1ClientSession>(ClassAllocator<Http1ClientSession>&, 
> ProxyAllocator&) (/home/y/bin64/traffic_server+0x723266)
>     #6 0x71e016 in Http1ClientSession::free() 
> ../../../trafficserver/proxy/http/Http1ClientSession.cc:125
>     #7 0x67e16c in ProxyClientSession::handle_api_return(int) 
> ../../trafficserver/proxy/ProxyClientSession.cc:206
>     #8 0x67dcfc in ProxyClientSession::do_api_callout(TSHttpHookID) 
> ../../trafficserver/proxy/ProxyClientSession.cc:177
>     #9 0x71dc3b in Http1ClientSession::destroy() 
> ../../../trafficserver/proxy/http/Http1ClientSession.cc:94
>     #10 0x723b2b in Http1ClientTransaction::transaction_done() 
> ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:69
>     #11 0x775452 in HttpSM::kill_this() 
> ../../../trafficserver/proxy/http/HttpSM.cc:6798
>     #12 0x74f808 in HttpSM::main_handler(int, void*) 
> ../../../trafficserver/proxy/http/HttpSM.cc:2674
>     #13 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #14 0x8211fd in HttpTunnel::main_handler(int, void*) 
> ../../../trafficserver/proxy/http/HttpTunnel.cc:1662
>     #15 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #16 0xae565d in write_signal_and_update 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:179
>     #17 0xae5aae in write_signal_done 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:221
>     #18 0xae7b31 in write_to_net_io(NetHandler*, UnixNetVConnection*, 
> EThread*) ../../../trafficserver/iocore/net/UnixNetVConnection.cc:552
>     #19 0xae6d92 in write_to_net(NetHandler*, UnixNetVConnection*, EThread*) 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:419
>     #20 0xad210c in NetHandler::mainNetEvent(int, Event*) 
> ../../../trafficserver/iocore/net/UnixNet.cc:542
>     #21 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #22 0xb310f2 in EThread::process_event(Event*, int) 
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
>     #23 0xb31d85 in EThread::execute() 
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
>     #24 0xb2fb6b in spawn_thread_internal 
> ../../../trafficserver/iocore/eventsystem/Thread.cc:84
>     #25 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
> previously allocated by thread T29 ([ET_NET 27]) here:
>     #0 0x5841ce in __interceptor_posix_memalign 
> (/home/y/bin64/traffic_server+0x5841ce)
>     #1 0x2ab57bd59fd4 in ats_memalign 
> ../../../trafficserver/lib/ts/ink_memory.cc:102
>     #2 0x2ab57bd5b873 in malloc_new 
> ../../../trafficserver/lib/ts/ink_queue.cc:258
>     #3 0x2ab57bd5b275 in ink_freelist_new 
> ../../../trafficserver/lib/ts/ink_queue.cc:183
>     #4 0x7134c9 in ClassAllocator<Http1ClientSession>::alloc() 
> ../../../trafficserver/lib/ts/Allocator.h:121
>     #5 0x71348a in Http1ClientSession* 
> thread_alloc_init<Http1ClientSession>(ClassAllocator<Http1ClientSession>&, 
> ProxyAllocator&) 
> ../../../trafficserver/iocore/eventsystem/I_ProxyAllocator.h:73
>     #6 0x712af4 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, 
> IOBufferReader*) ../../../trafficserver/proxy/http/HttpSessionAccept.cc:61
>     #7 0x67ca24 in ProtocolProbeTrampoline::ioCompletionEvent(int, void*) 
> ../../trafficserver/proxy/ProtocolProbeSessionAccept.cc:107
>     #8 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #9 0xae51c1 in read_signal_and_update 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:148
>     #10 0xaeb98b in UnixNetVConnection::readSignalAndUpdate(int) 
> ../../../trafficserver/iocore/net/UnixNetVConnection.cc:1030
>     #11 0xaab411 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) 
> ../../../trafficserver/iocore/net/SSLNetVConnection.cc:585
>     #12 0xad1e7b in NetHandler::mainNetEvent(int, Event*) 
> ../../../trafficserver/iocore/net/UnixNet.cc:525
>     #13 0x5ef2b4 in Continuation::handleEvent(int, void*) 
> ../../../trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #14 0xb310f2 in EThread::process_event(Event*, int) 
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:143
>     #15 0xb31d85 in EThread::execute() 
> ../../../trafficserver/iocore/eventsystem/UnixEThread.cc:270
>     #16 0xb2fb6b in spawn_thread_internal 
> ../../../trafficserver/iocore/eventsystem/Thread.cc:84
>     #17 0x2ab57cbe6aa0 in start_thread (/lib64/libpthread.so.0+0x32efa07aa0)
> Thread T29 ([ET_NET 27]) created by T0 ([TS_MAIN]) here:
>     #0 0x5257f4 in pthread_create (/home/y/bin64/traffic_server+0x5257f4)
>     #1 0xb2f6f6 in ink_thread_create 
> ../../../trafficserver/lib/ts/ink_thread.h:152
>     #2 0xb2fc95 in Thread::start(char const*, unsigned long, void* 
> (*)(void*), void*, void*) 
> ../../../trafficserver/iocore/eventsystem/Thread.cc:99
>     #3 0xb35515 in EventProcessor::start(int, unsigned long) 
> ../../../trafficserver/iocore/eventsystem/UnixEventProcessor.cc:240
>     #4 0x6501f2 in main ../../trafficserver/proxy/Main.cc:1715
>     #5 0x32ef21ed5c in __libc_start_main (/lib64/libc.so.6+0x32ef21ed5c)
> SUMMARY: AddressSanitizer: heap-use-after-free 
> ../../../trafficserver/proxy/http/Http1ClientTransaction.cc:70 
> Http1ClientTransaction::transaction_done()
> Shadow bytes around the buggy address:
>   0x0c3080c4f9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c3080c4f9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c3080c4f9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c3080c4f9d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c3080c4f9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c3080c4f9f0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c3080c4fa00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c3080c4fa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3080c4fa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3080c4fa30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3080c4fa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==64589==ABORTING
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
