Bug #2149

closed

Heap-use-after-free in InMemoryStorage

Added by Davide Pesavento over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Utils
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:

Description

On a 64-bit Ubuntu 14.10 virtual machine, while running unit tests. ndn-cxx is at commit 4e9b069bb844545d7e352b98821c5a11520f1b58.

==20954==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004fbce8 at pc 0xa854be bp 0x7fff9d77e7d0 sp 0x7fff9d77e7c0
READ of size 8 at 0x6030004fbce8 thread T0
    #0 0xa854bd in boost::multi_index::detail::ordered_index_node_impl<std::allocator<char> >::increment(boost::multi_index::detail::ordered_index_node_impl<std::allocator<char> >*&) /usr/include/boost/multi_index/detail/ord_index_node.hpp:252
    #1 0xa854bd in boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > >::increment(boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > >*&) /usr/include/boost/multi_index/detail/ord_index_node.hpp:632
    #2 0xa854bd in boost::multi_index::detail::bidir_node_iterator<boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > > >::operator++() /usr/include/boost/multi_index/detail/bidir_node_iterator.hpp:54
    #3 0xa854bd in operator++ /usr/include/boost/operators.hpp:277
    #4 0xa854bd in ndn::util::InMemoryStorage::~InMemoryStorage() ../src/util/in-memory-storage.cpp:108
    #5 0xa7f25b in ndn::util::InMemoryStoragePersistent::~InMemoryStoragePersistent() ../src/util/in-memory-storage-persistent.cpp:32
    #6 0x7627e7 in ndn::util::UtilInMemoryStorage::Common::Insertion<ndn::util::InMemoryStoragePersistent>::test_method() ../tests/unit-tests/util/test-in-memory-storage-common.cpp:47
    #7 0x762916 in run<ndn::util::InMemoryStoragePersistent> ../tests/unit-tests/util/test-in-memory-storage-common.cpp:43
    #8 0x762916 in boost::unit_test::ut_detail::test_case_template_invoker<ndn::util::UtilInMemoryStorage::Common::Insertion_invoker, ndn::util::InMemoryStoragePersistent>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #9 0x762916 in invoke<boost::unit_test::ut_detail::test_case_template_invoker<ndn::util::UtilInMemoryStorage::Common::Insertion_invoker, ndn::util::InMemoryStoragePersistent> > /usr/include/boost/test/utils/callback.hpp:56
    #10 0x762916 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<ndn::util::UtilInMemoryStorage::Common::Insertion_invoker, ndn::util::InMemoryStoragePersistent> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #11 0x7f7174d355a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
    #12 0x7f7174d10865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
    #13 0x7f7174d110a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
    #14 0x7f7174d356a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
    #15 0x7f7174d1f2f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
    #16 0x7f7174d4e2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
    #17 0x7f7174d4e2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
    #18 0x7f7174d4e2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
    #19 0x7f7174d1a819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
    #20 0x7f7174d33283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
    #21 0x81f1cc in main /usr/include/boost/test/unit_test.hpp:59
    #22 0x7f7173824ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #23 0x43a6b8 (/home/davide/ndn-cxx/build/unit-tests+0x43a6b8)

0x6030004fbce8 is located 24 bytes inside of 32-byte region [0x6030004fbcd0,0x6030004fbcf0)
freed by thread T0 here:
    #0 0x7f7175af663f in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5863f)
    #1 0xa8535c in __gnu_cxx::new_allocator<boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > > >::deallocate(boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > >*, unsigned long) /usr/include/c++/4.9/ext/new_allocator.h:110
    #2 0xa8535c in boost::multi_index::multi_index_container<ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >::deallocate_node(boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > >*) /usr/include/boost/multi_index_container.hpp:577
    #3 0xa8535c in boost::multi_index::multi_index_container<ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >::erase_(boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > >*) /usr/include/boost/multi_index_container.hpp:818
    #4 0xa8535c in boost::multi_index::detail::index_base<ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >::final_erase_(boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > >*) /usr/include/boost/multi_index/detail/index_base.hpp:233
    #5 0xa8535c in boost::multi_index::detail::ordered_index<boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name>, boost::multi_index::detail::nth_layer<1, ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >, boost::mpl::v_item<ndn::util::InMemoryStorage::byFullName, boost::mpl::vector0<mpl_::na>, 0>, boost::multi_index::detail::ordered_unique_tag>::erase(boost::multi_index::detail::bidir_node_iterator<boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > > >) /usr/include/boost/multi_index/ordered_index.hpp:362
    #6 0xa8535c in ndn::util::InMemoryStorage::freeEntry(boost::multi_index::detail::bidir_node_iterator<boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > > >) ../src/util/in-memory-storage.cpp:328

previously allocated by thread T0 here:
    #0 0x7f7175af613f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5813f)
    #1 0xa87a6c in __gnu_cxx::new_allocator<boost::multi_index::detail::ordered_index_node<boost::multi_index::detail::index_node_base<ndn::util::InMemoryStorageEntry*, std::allocator<ndn::util::InMemoryStorageEntry*> > > >::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
    #2 0xa87a6c in boost::multi_index::multi_index_container<ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >::allocate_node() /usr/include/boost/multi_index_container.hpp:571
    #3 0xa87a6c in insert_<boost::multi_index::detail::lvalue_tag> /usr/include/boost/multi_index_container.hpp:598
    #4 0xa87a6c in boost::multi_index::multi_index_container<ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >::insert_(ndn::util::InMemoryStorageEntry* const&) /usr/include/boost/multi_index_container.hpp:619
    #5 0xa87a6c in boost::multi_index::detail::index_base<ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >::final_insert_(ndn::util::InMemoryStorageEntry* const&) /usr/include/boost/multi_index/detail/index_base.hpp:200
    #6 0xa87a6c in boost::multi_index::detail::ordered_index<boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name>, boost::multi_index::detail::nth_layer<1, ndn::util::InMemoryStorageEntry*, boost::multi_index::indexed_by<boost::multi_index::ordered_unique<boost::multi_index::tag<ndn::util::InMemoryStorage::byFullName, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, boost::multi_index::const_mem_fun<ndn::util::InMemoryStorageEntry, ndn::Name const&, &(ndn::util::InMemoryStorageEntry::getFullName() const)>, std::less<ndn::Name> >, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>, std::allocator<ndn::util::InMemoryStorageEntry*> >, boost::mpl::v_item<ndn::util::InMemoryStorage::byFullName, boost::mpl::vector0<mpl_::na>, 0>, boost::multi_index::detail::ordered_unique_tag>::insert(ndn::util::InMemoryStorageEntry* const&) /usr/include/boost/multi_index/ordered_index.hpp:306
    #7 0xa87a6c in ndn::util::InMemoryStorage::insert(ndn::Data const&) ../src/util/in-memory-storage.cpp:177
    #8 0x3ffffff

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/boost/multi_index/detail/ord_index_node.hpp:252 boost::multi_index::detail::ordered_index_node_impl<std::allocator<char> >::increment(boost::multi_index::detail::ordered_index_node_impl<std::allocator<char> >*&)
Shadow bytes around the buggy address:
  0x0c0680097740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680097750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680097760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680097770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680097780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0680097790: fa fa fa fa fa fa fa fa fa fa fd fd fd[fd]fa fa
  0x0c06800977a0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c06800977b0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c06800977c0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c06800977d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c06800977e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==20954==ABORTING
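
The report above shows `~InMemoryStorage()` advancing an iterator (`operator++`, in-memory-storage.cpp:108) into a node that `freeEntry()` had already released through `erase()` (in-memory-storage.cpp:328). The following is an added illustration of that erase-then-increment pattern and the usual fix, not ndn-cxx code: `Store`, `Entry`, `ByName`, `clearBuggy` and `eraseWithPrefix` are hypothetical names, and `std::set` stands in for the Boost.MultiIndex container.

```cpp
#include <cstddef>
#include <set>
#include <string>

// Constructed stand-ins for illustration; these are not the ndn-cxx classes.
struct Entry { std::string name; };
struct ByName {
  bool operator()(const Entry* a, const Entry* b) const { return a->name < b->name; }
};
class Store {
public:
  using Index = std::set<Entry*, ByName>;
  Store() = default;
  Store(const Store&) = delete;            // the index owns raw pointers
  Store& operator=(const Store&) = delete;
  ~Store() { clear(); }

  void insert(const std::string& name) {
    Entry* e = new Entry{name};
    if (!m_index.insert(e).second)
      delete e;                            // duplicate name: existing entry stays
  }

  // Unsafe, comparison only (never called): ++it reads the node erase() just freed.
  void clearBuggy() {
    for (Index::iterator it = m_index.begin(); it != m_index.end(); ++it)
      freeEntry(it);
  }

  // Safe: continue from the iterator that erase() returns.
  void clear() {
    for (Index::iterator it = m_index.begin(); it != m_index.end();)
      it = freeEntry(it);
  }

  // Safe selective removal: advance manually only when nothing was erased.
  std::size_t eraseWithPrefix(const std::string& prefix) {
    std::size_t n = 0;
    for (Index::iterator it = m_index.begin(); it != m_index.end();) {
      if ((*it)->name.compare(0, prefix.size(), prefix) != 0) { ++it; continue; }
      it = freeEntry(it);
      ++n;
    }
    return n;
  }
  std::size_t size() const { return m_index.size(); }
private:
  // Deletes the entry, erases its node, and returns the following iterator.
  Index::iterator freeEntry(Index::iterator it) {
    delete *it;                            // erase(it) never dereferences the key
    return m_index.erase(it);
  }
  Index m_index;
};
```

Building the unit tests with `-fsanitize=address` is what turns a call like `clearBuggy()` into a report of the kind shown above rather than a silent read of freed memory.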

Related issues 2 (0 open, 2 closed)

Related to ndn-cxx - Bug #2301: InMemoryStorage incorrectly iterates over entries (Closed, Alex Afanasyev, 12/15/2014)

Blocks NFD - Task #2589: CI: enable AddressSanitizer for unit tests (Closed, Davide Pesavento)

Actions #1

Updated by Davide Pesavento over 9 years ago

  • Subject changed from Heap use-after-free in InMemoryStorage to Heap-use-after-free in InMemoryStorage
Actions #2

Updated by Junxiao Shi over 9 years ago

  • Category set to Utils
  • Assignee set to Jiewen Tan
  • Target version set to v0.3
Actions #3

Updated by Jiewen Tan over 9 years ago

Noticed.

Actions #4

Updated by Alex Afanasyev over 9 years ago

  • Related to Bug #2301: InMemoryStorage incorrectly iterates over entries added
Actions #5

Updated by Alex Afanasyev over 9 years ago

Davide, can you check that this error is gone?

Actions #6

Updated by Davide Pesavento over 9 years ago

  • Status changed from New to Resolved
  • Start date deleted (11/06/2014)

Yes, it's fixed as of ndn-cxx commit 8e131fd1d31a89b8e6e95a2728457463f0b02e58

Actions #7

Updated by Davide Pesavento over 9 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 0 to 100
Actions #8

Updated by Davide Pesavento about 9 years ago

  • Blocks Task #2589: CI: enable AddressSanitizer for unit tests added