[jira] [Commented] (DISPATCH-2283) heap-use-after-free in system_tests_policy_oversize_compound during qdrc_endpoint_delivery_CT
[ https://issues.apache.org/jira/browse/DISPATCH-2283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17443955#comment-17443955 ] Ganesh Murthy commented on DISPATCH-2283: - Fixed by commit - [https://github.com/apache/qpid-dispatch/commit/6769203991b20ecf0fdeb28bb8d84962b73c22fd] as part of fix to https://issues.apache.org/jira/browse/DISPATCH-2262 > heap-use-after-free in system_tests_policy_oversize_compound during > qdrc_endpoint_delivery_CT > - > > Key: DISPATCH-2283 > URL: https://issues.apache.org/jira/browse/DISPATCH-2283 > Project: Qpid Dispatch > Issue Type: Bug >Affects Versions: 1.18.0 >Reporter: Jiri Daněk >Assignee: Ted Ross >Priority: Major > Fix For: 1.18.0 > > > https://github.com/jiridanek/qpid-dispatch/runs/4140877666?check_suite_focus=true#step:9:35786 > This comes from the "set memory pool max size to 0" memory poisoning > investigation. I haven't seen this fail with unmodified main branch (yet ;) > The only somewhat similar stacktrace I could find in Jira is for this leak > DISPATCH-1699. > {noformat} > 27: ==12548==ERROR: AddressSanitizer: heap-use-after-free on address > 0x611136e0 at pc 0x55f47830adb9 bp 0x7f1063183140 sp 0x7f1063183130 > 27: READ of size 8 at 0x611136e0 thread T1 > 27: #0 0x55f47830adb8 in qdrc_endpoint_delivery_CT > ../src/router_core/core_link_endpoint.c:136 > 27: #1 0x55f4783eea3b in on_timer > ../src/router_core/modules/heartbeat_edge/heartbeat_edge.c:157 > 27: #2 0x55f4783c0613 in qdr_process_tick_CT > ../src/router_core/core_timer.c:123 > 27: #3 0x55f47838fec7 in router_core_thread > ../src/router_core/router_core_thread.c:236 > 27: #4 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172 > 27: #5 0x7f1069458608 in start_thread > (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608) > 27: #6 0x7f106864e292 in __clone > (/lib/x86_64-linux-gnu/libc.so.6+0x122292) > 27: > 27: 0x611136e0 is located 160 bytes inside of 192-byte region > [0x61113640,0x61113700) > 27: freed by thread T1 here: > 27: #0 0x7f1069a167cf in __interceptor_free > (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) > 27: #1 0x55f4781e3b84 in qd_dealloc ../src/alloc_pool.c:497 > 27: #2 0x55f478308e1d in free_qdrc_endpoint_t > ../src/router_core/core_link_endpoint.c:35 > 27: #3 0x55f47830d34f in qdrc_endpoint_do_cleanup_CT > ../src/router_core/core_link_endpoint.c:245 > 27: #4 0x55f47830cb0f in qdrc_endpoint_do_detach_CT > ../src/router_core/core_link_endpoint.c:220 > 27: #5 0x55f478301824 in qdr_link_inbound_detach_CT > ../src/router_core/connections.c:2033 > 27: #6 0x55f47838fec7 in router_core_thread > ../src/router_core/router_core_thread.c:236 > 27: #7 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172 > 27: #8 0x7f1069458608 in start_thread > (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608) > 27: > 27: previously allocated by thread T1 here: > 27: #0 0x7f1069a17aa5 in posix_memalign > (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5) > 27: #1 0x55f4781df9cd in qd_alloc ../src/alloc_pool.c:393 > 27: #2 0x55f478308de5 in new_qdrc_endpoint_t > ../src/router_core/core_link_endpoint.c:35 > 27: #3 0x55f478309d28 in qdrc_endpoint_create_link_CT > ../src/router_core/core_link_endpoint.c:74 > 27: #4 0x55f4783eed7d in on_conn_event > ../src/router_core/modules/heartbeat_edge/heartbeat_edge.c:178 > 27: #5 0x55f47830823d in qdrc_event_conn_raise > ../src/router_core/core_events.c:101 > 27: #6 0x55f4783c5a14 in on_conn_event > ../src/router_core/modules/edge_router/connection_manager.c:59 > 27: #7 0x55f47830823d in qdrc_event_conn_raise > ../src/router_core/core_events.c:101 > 27: #8 0x55f4782f5fdc in qdr_connection_opened_CT > ../src/router_core/connections.c:1479 > 27: #9 0x55f47838fec7 in router_core_thread > ../src/router_core/router_core_thread.c:236 > 27: #10 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172 > 27: #11 0x7f1069458608 in start_thread > (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608) > 27: > 27: Thread T1 created by T0 here: > 27: #0 0x7f1069943805 in pthread_create > (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) > 27: #1 0x55f4782a2ad3 in sys_thread ../src/posix/threading.c:181 > 27: #2 0x55f47836b817 in qdr_core ../src/router_core/router_core.c:124 > 27: #3 0x55f478411c5c in qd_router_setup_late ../src/router_node.c:2127 > 27: #4 0x7f1064308ff4 (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4) > 27: #5 0x7ffdaab8945f ([stack]+0x2145f) > 27: > 27: SUMMARY: AddressSanitizer: heap-use-after-free > ../src/router_core/core_link_endpoint.c:136 in qdrc_endpoint_delivery_CT > 27: Shadow bytes around the buggy address: > 27:
[jira] [Commented] (DISPATCH-2283) heap-use-after-free in system_tests_policy_oversize_compound during qdrc_endpoint_delivery_CT
[ https://issues.apache.org/jira/browse/DISPATCH-2283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17441581#comment-17441581 ] Jiri Daněk commented on DISPATCH-2283: -- I haven't been able to reproduce this in the series of 6 GitHub actions overnight runs (dies when a test fails or when +-5hour timeout expires). See DISPATCH-2188 for issue that I managed to confirm that way. > heap-use-after-free in system_tests_policy_oversize_compound during > qdrc_endpoint_delivery_CT > - > > Key: DISPATCH-2283 > URL: https://issues.apache.org/jira/browse/DISPATCH-2283 > Project: Qpid Dispatch > Issue Type: Bug >Affects Versions: 1.18.0 >Reporter: Jiri Daněk >Priority: Major > > https://github.com/jiridanek/qpid-dispatch/runs/4140877666?check_suite_focus=true#step:9:35786 > This comes from the "set memory pool max size to 0" memory poisoning > investigation. I haven't seen this fail with unmodified main branch (yet ;) > The only somewhat similar stacktrace I could find in Jira is for this leak > DISPATCH-1699. > {noformat} > 27: ==12548==ERROR: AddressSanitizer: heap-use-after-free on address > 0x611136e0 at pc 0x55f47830adb9 bp 0x7f1063183140 sp 0x7f1063183130 > 27: READ of size 8 at 0x611136e0 thread T1 > 27: #0 0x55f47830adb8 in qdrc_endpoint_delivery_CT > ../src/router_core/core_link_endpoint.c:136 > 27: #1 0x55f4783eea3b in on_timer > ../src/router_core/modules/heartbeat_edge/heartbeat_edge.c:157 > 27: #2 0x55f4783c0613 in qdr_process_tick_CT > ../src/router_core/core_timer.c:123 > 27: #3 0x55f47838fec7 in router_core_thread > ../src/router_core/router_core_thread.c:236 > 27: #4 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172 > 27: #5 0x7f1069458608 in start_thread > (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608) > 27: #6 0x7f106864e292 in __clone > (/lib/x86_64-linux-gnu/libc.so.6+0x122292) > 27: > 27: 0x611136e0 is located 160 bytes inside of 192-byte region > [0x61113640,0x61113700) > 27: freed by thread T1 here: > 27: #0 0x7f1069a167cf in __interceptor_free > (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) > 27: #1 0x55f4781e3b84 in qd_dealloc ../src/alloc_pool.c:497 > 27: #2 0x55f478308e1d in free_qdrc_endpoint_t > ../src/router_core/core_link_endpoint.c:35 > 27: #3 0x55f47830d34f in qdrc_endpoint_do_cleanup_CT > ../src/router_core/core_link_endpoint.c:245 > 27: #4 0x55f47830cb0f in qdrc_endpoint_do_detach_CT > ../src/router_core/core_link_endpoint.c:220 > 27: #5 0x55f478301824 in qdr_link_inbound_detach_CT > ../src/router_core/connections.c:2033 > 27: #6 0x55f47838fec7 in router_core_thread > ../src/router_core/router_core_thread.c:236 > 27: #7 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172 > 27: #8 0x7f1069458608 in start_thread > (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608) > 27: > 27: previously allocated by thread T1 here: > 27: #0 0x7f1069a17aa5 in posix_memalign > (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5) > 27: #1 0x55f4781df9cd in qd_alloc ../src/alloc_pool.c:393 > 27: #2 0x55f478308de5 in new_qdrc_endpoint_t > ../src/router_core/core_link_endpoint.c:35 > 27: #3 0x55f478309d28 in qdrc_endpoint_create_link_CT > ../src/router_core/core_link_endpoint.c:74 > 27: #4 0x55f4783eed7d in on_conn_event > ../src/router_core/modules/heartbeat_edge/heartbeat_edge.c:178 > 27: #5 0x55f47830823d in qdrc_event_conn_raise > ../src/router_core/core_events.c:101 > 27: #6 0x55f4783c5a14 in on_conn_event > ../src/router_core/modules/edge_router/connection_manager.c:59 > 27: #7 0x55f47830823d in qdrc_event_conn_raise > ../src/router_core/core_events.c:101 > 27: #8 0x55f4782f5fdc in qdr_connection_opened_CT > ../src/router_core/connections.c:1479 > 27: #9 0x55f47838fec7 in router_core_thread > ../src/router_core/router_core_thread.c:236 > 27: #10 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172 > 27: #11 0x7f1069458608 in start_thread > (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608) > 27: > 27: Thread T1 created by T0 here: > 27: #0 0x7f1069943805 in pthread_create > (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) > 27: #1 0x55f4782a2ad3 in sys_thread ../src/posix/threading.c:181 > 27: #2 0x55f47836b817 in qdr_core ../src/router_core/router_core.c:124 > 27: #3 0x55f478411c5c in qd_router_setup_late ../src/router_node.c:2127 > 27: #4 0x7f1064308ff4 (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4) > 27: #5 0x7ffdaab8945f ([stack]+0x2145f) > 27: > 27: SUMMARY: AddressSanitizer: heap-use-after-free > ../src/router_core/core_link_endpoint.c:136 in qdrc_endpoint_delivery_CT > 27: Shadow bytes around the buggy address: > 27: 0x0c227fffa680: 00 00 00 00 00 00 00 00 00