Feature #4692 » heap-free-after-use.txt

Ashlesh Gawande, 09/01/2018 09:05 PM

 
./build/unit-tests -t Util/TestSegmentFetcher/StatusR
Running 1 test case...
1415684132.000000 DEBUG: [ndn.SegmentFetcher] Pending interest 0x619000003c90
1415684132.000000 DEBUG: [ndn.SegmentFetcher] Scheduled timeout for 0x607000004e10
1415684132.500000 DEBUG: [ndn.Face] <I /localhost/nfd/faces/list?ndn.MustBeFresh=true&ndn.Nonce=2725979671
1415684133.000000 DEBUG: [ndn.SegmentFetcher] afterTimeoutCb
1415684133.000000 DEBUG: [ndn.SegmentFetcher] afterNackOrTimeout
1415684133.000000 DEBUG: [ndn.SegmentFetcher] Removing 0x619000003c90
1415684133.000000 DEBUG: [ndn.Face] Removing pending interest 0x619000003c90
1415684133.000000 DEBUG: [ndn.SegmentFetcher] Segment fetcher dtor
==25870==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000003928 at pc 0x7fc78c23e21c bp 0x7ffecbc021e0 sp 0x7ffecbc021d0
READ of size 8 at 0x619000003928 thread T0
#0 0x7fc78c23e21b in std::multiset<std::shared_ptr<ndn::util::scheduler::EventInfo>, ndn::util::scheduler::EventQueueCompare, std::allocator<std::shared_ptr<ndn::util::scheduler::EventInfo> > >::empty() const /usr/include/c++/7/bits/stl_multiset.h:401
#1 0x7fc78c23e21b in ndn::util::scheduler::Scheduler::executeEvent(boost::system::error_code const&) ../src/util/scheduler.cpp:153
#2 0x7fc78c23e524 in operator()<boost::system::error_code> ../src/util/scheduler.cpp:133
#3 0x7fc78c23e524 in operator() /usr/include/boost/asio/detail/bind_handler.hpp:47
#4 0x7fc78c23e524 in asio_handler_invoke<boost::asio::detail::binder1<ndn::util::scheduler::Scheduler::scheduleNext()::<lambda(const auto:1&)>, boost::system::error_code> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
#5 0x7fc78c23e524 in invoke<boost::asio::detail::binder1<ndn::util::scheduler::Scheduler::scheduleNext()::<lambda(const auto:1&)>, boost::system::error_code>, ndn::util::scheduler::Scheduler::scheduleNext()::<lambda(const auto:1&)> > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#6 0x7fc78c23e524 in do_complete /usr/include/boost/asio/detail/wait_handler.hpp:70
#7 0x55f2990045e0 in boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#8 0x55f2990045e0 in boost::asio::detail::task_io_service::do_poll_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:436
#9 0x55f2990045e0 in boost::asio::detail::task_io_service::poll(boost::system::error_code&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:198
#10 0x55f2990045e0 in boost::asio::io_service::poll() /usr/include/boost/asio/impl/io_service.ipp:85
#11 0x55f2990045e0 in ndn::tests::UnitTestTimeFixture::advanceClocks(boost::chrono::duration<long, boost::ratio<1l, 1000000000l> > const&, boost::chrono::duration<long, boost::ratio<1l, 1000000000l> > const&) ../tests/unit-tests/util/../unit-test-time-fixture.hpp:93
#12 0x55f2990045e0 in ndn::tests::UnitTestTimeFixture::advanceClocks(boost::chrono::duration<long, boost::ratio<1l, 1000000000l> > const&, unsigned long) ../tests/unit-tests/util/../unit-test-time-fixture.hpp:60
#13 0x55f29936ad32 in ndn::util::tests::Util::TestSegmentFetcher::StatusR::test_method() ../tests/unit-tests/util/segment-fetcher.t.cpp:183
#14 0x55f2993da9c5 in StatusR_invoker ../tests/unit-tests/util/segment-fetcher.t.cpp:172
#15 0x7fc78b1a72cd in boost::detail::function::function_obj_invoker0<boost::detail::forward, int>::invoke(boost::detail::function::function_buffer&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x4b2cd)
#16 0x7fc78b1a677c in boost::execution_monitor::catch_signals(boost::function<int ()> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x4a77c)
#17 0x7fc78b1a6860 in boost::execution_monitor::execute(boost::function<int ()> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x4a860)
#18 0x7fc78b1a6fdc in boost::execution_monitor::vexecute(boost::function<void ()> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x4afdc)
#19 0x7fc78b1d58d0 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::function<void ()> const&, unsigned int) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x798d0)
#20 0x7fc78b1b1c6a in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x55c6a)
#21 0x7fc78b1b1e50 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x55e50)
#22 0x7fc78b1b1e50 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x55e50)
#23 0x7fc78b1b1e50 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x55e50)
#24 0x7fc78b1aacc7 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x4ecc7)
#25 0x7fc78b1d313e in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x7713e)
#26 0x7fc78a5c7b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#27 0x55f298f9d499 in _start (/home/ashlesh/ndn-src/2ndn-cxx/build/unit-tests+0x83499)

0x619000003928 is located 424 bytes inside of 936-byte region [0x619000003780,0x619000003b28)
freed by thread T0 here:
#0 0x7fc78c5bd9d8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19d8)
#1 0x7fc78c255896 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/7/bits/shared_ptr_base.h:154
#2 0x7fc78c255896 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/7/bits/shared_ptr_base.h:684
#3 0x7fc78c255896 in std::__shared_ptr<ndn::util::SegmentFetcher, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/7/bits/shared_ptr_base.h:1123
#4 0x7fc78c255896 in std::__shared_ptr<ndn::util::SegmentFetcher, (__gnu_cxx::_Lock_policy)2>::reset() /usr/include/c++/7/bits/shared_ptr_base.h:1235
#5 0x7fc78c255896 in ndn::util::SegmentFetcher::signalError(unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/util/segment-fetcher.cpp:503
#6 0x7fc78c257c36 in ndn::util::SegmentFetcher::afterNackOrTimeout(ndn::Interest const&) ../src/util/segment-fetcher.cpp:399
#7 0x7fc78c258647 in ndn::util::SegmentFetcher::afterTimeoutCb(ndn::Interest const&) ../src/util/segment-fetcher.cpp:387
#8 0x7fc78c267f68 in void std::__invoke_impl<void, void (ndn::util::SegmentFetcher::*&)(ndn::Interest const&), ndn::util::SegmentFetcher*&, ndn::Interest&>(std::__invoke_memfun_deref, void (ndn::util::SegmentFetcher::*&)(ndn::Interest const&), ndn::util::SegmentFetcher*&, ndn::Interest&) /usr/include/c++/7/bits/invoke.h:73
#9 0x7fc78c267f68 in std::__invoke_result<void (ndn::util::SegmentFetcher::*&)(ndn::Interest const&), ndn::util::SegmentFetcher*&, ndn::Interest&>::type std::__invoke<void (ndn::util::SegmentFetcher::*&)(ndn::Interest const&), ndn::util::SegmentFetcher*&, ndn::Interest&>(void (ndn::util::SegmentFetcher::*&)(ndn::Interest const&), ndn::util::SegmentFetcher*&, ndn::Interest&) /usr/include/c++/7/bits/invoke.h:95
#10 0x7fc78c267f68 in void std::_Bind<void (ndn::util::SegmentFetcher::*(ndn::util::SegmentFetcher*, ndn::Interest))(ndn::Interest const&)>::__call<void, , 0ul, 1ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/7/functional:467
#11 0x7fc78c267f68 in void std::_Bind<void (ndn::util::SegmentFetcher::*(ndn::util::SegmentFetcher*, ndn::Interest))(ndn::Interest const&)>::operator()<, void>() /usr/include/c++/7/functional:551
#12 0x7fc78c267f68 in std::_Function_handler<void (), std::_Bind<void (ndn::util::SegmentFetcher::*(ndn::util::SegmentFetcher*, ndn::Interest))(ndn::Interest const&)> >::_M_invoke(std::_Any_data const&) /usr/include/c++/7/bits/std_function.h:316
#13 0x7fc78c23d869 in std::function<void ()>::operator()() const /usr/include/c++/7/bits/std_function.h:706
#14 0x7fc78c23d869 in ndn::util::scheduler::Scheduler::executeEvent(boost::system::error_code const&) ../src/util/scheduler.cpp:162
#15 0x7fc78c23e524 in operator()<boost::system::error_code> ../src/util/scheduler.cpp:133
#16 0x7fc78c23e524 in operator() /usr/include/boost/asio/detail/bind_handler.hpp:47
#17 0x7fc78c23e524 in asio_handler_invoke<boost::asio::detail::binder1<ndn::util::scheduler::Scheduler::scheduleNext()::<lambda(const auto:1&)>, boost::system::error_code> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
#18 0x7fc78c23e524 in invoke<boost::asio::detail::binder1<ndn::util::scheduler::Scheduler::scheduleNext()::<lambda(const auto:1&)>, boost::system::error_code>, ndn::util::scheduler::Scheduler::scheduleNext()::<lambda(const auto:1&)> > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#19 0x7fc78c23e524 in do_complete /usr/include/boost/asio/detail/wait_handler.hpp:70
#20 0x55f2990045e0 in boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#21 0x55f2990045e0 in boost::asio::detail::task_io_service::do_poll_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:436
#22 0x55f2990045e0 in boost::asio::detail::task_io_service::poll(boost::system::error_code&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:198
#23 0x55f2990045e0 in boost::asio::io_service::poll() /usr/include/boost/asio/impl/io_service.ipp:85
#24 0x55f2990045e0 in ndn::tests::UnitTestTimeFixture::advanceClocks(boost::chrono::duration<long, boost::ratio<1l, 1000000000l> > const&, boost::chrono::duration<long, boost::ratio<1l, 1000000000l> > const&) ../tests/unit-tests/util/../unit-test-time-fixture.hpp:93
#25 0x55f2990045e0 in ndn::tests::UnitTestTimeFixture::advanceClocks(boost::chrono::duration<long, boost::ratio<1l, 1000000000l> > const&, unsigned long) ../tests/unit-tests/util/../unit-test-time-fixture.hpp:60
#26 0x55f29936ad32 in ndn::util::tests::Util::TestSegmentFetcher::StatusR::test_method() ../tests/unit-tests/util/segment-fetcher.t.cpp:183
#27 0x55f2993da9c5 in StatusR_invoker ../tests/unit-tests/util/segment-fetcher.t.cpp:172
#28 0x7fc78b1a72cd in boost::detail::function::function_obj_invoker0<boost::detail::forward, int>::invoke(boost::detail::function::function_buffer&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x4b2cd)

previously allocated by thread T0 here:
#0 0x7fc78c5bc458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
#1 0x7fc78c2531f2 in ndn::util::SegmentFetcher::start(ndn::Face&, ndn::Interest const&, ndn::security::v2::Validator&, ndn::util::SegmentFetcher::Options const&) ../src/util/segment-fetcher.cpp:99
#2 0x55f29936ab81 in ndn::util::tests::Util::TestSegmentFetcher::StatusR::test_method() ../tests/unit-tests/util/segment-fetcher.t.cpp:180
#3 0x55f2993da9c5 in StatusR_invoker ../tests/unit-tests/util/segment-fetcher.t.cpp:172
#4 0x7fc78b1a72cd in boost::detail::function::function_obj_invoker0<boost::detail::forward, int>::invoke(boost::detail::function::function_buffer&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1+0x4b2cd)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/stl_multiset.h:401 in std::multiset<std::shared_ptr<ndn::util::scheduler::EventInfo>, ndn::util::scheduler::EventQueueCompare, std::allocator<std::shared_ptr<ndn::util::scheduler::EventInfo> > >::empty() const
Shadow bytes around the buggy address:
0x0c327fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c327fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff86f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff8720: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c327fff8730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8760: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25870==ABORTING
