Bug #2523: UtilSignal/DisconnectSelfInHandler use-after-free
Status: closed
% Done: 100%
Estimated time: 0.50 h
Description
Looks like #2302 was not really fixed... or maybe it's something else.
==12651==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030008aaea8 at pc 0x79ecea bp 0x7fffd51f71d0 sp 0x7fffd51f71c0
READ of size 8 at 0x6030008aaea8 thread T0
#0 0x79ece9 in operator() ../tests/unit-tests/util/signal.cpp:388
#1 0x79ece9 in __call<void, 0ul> /usr/include/c++/4.9/functional:1264
#2 0x79ece9 in operator()<, void> /usr/include/c++/4.9/functional:1323
#3 0x79ece9 in _M_invoke /usr/include/c++/4.9/functional:2039
#4 0x78b1e1 in std::function<void ()>::operator()() const /usr/include/c++/4.9/functional:2439
#5 0x7aca4f in ndn::util::signal::Signal<ndn::util::signal::tests::UtilSignal::SignalOwner0>::operator()() /home/davide/ndn-cxx/src/util/signal-signal.hpp:232
#6 0x7a4976 in ndn::util::signal::Signal<ndn::util::signal::tests::UtilSignal::SignalOwner0>::operator()(ndn::util::signal::DummyExtraArg const&) /home/davide/ndn-cxx/src/util/signal-signal.hpp:246
#7 0x7a4976 in emit_sig<ndn::util::signal::DummyExtraArg> ../tests/unit-tests/util/signal.cpp:39
#8 0x7a4976 in ndn::util::signal::tests::UtilSignal::DisconnectSelfInHandler::test_method() ../tests/unit-tests/util/signal.cpp:394
#9 0x7a4f52 in DisconnectSelfInHandler_invoker ../tests/unit-tests/util/signal.cpp:377
#10 0x44b018 in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
#11 0x44b018 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#12 0x7fbf4996b5a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
#13 0x7fbf49946865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
#14 0x7fbf499470a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
#15 0x7fbf4996b6a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
#16 0x7fbf499552f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
#17 0x7fbf499842d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#18 0x7fbf499842d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#19 0x7fbf49950819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
#20 0x7fbf49969283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
#21 0x43e8eb in main /usr/include/boost/test/unit_test.hpp:59
#22 0x7fbf4845aec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#23 0x43e2c8 (/home/davide/ndn-cxx/build/unit-tests+0x43e2c8)
0x6030008aaea8 is located 8 bytes inside of 24-byte region [0x6030008aaea0,0x6030008aaeb8)
freed by thread T0 here:
#0 0x7fbf4a72c63f in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5863f)
#1 0x79c650 in _M_destroy /usr/include/c++/4.9/functional:1894
#2 0x79c650 in _M_manager /usr/include/c++/4.9/functional:1918
previously allocated by thread T0 here:
#0 0x7fbf4a72c13f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5813f)
#1 0x79c59b in _M_clone /usr/include/c++/4.9/functional:1878
#2 0x79c59b in _M_manager /usr/include/c++/4.9/functional:1914
SUMMARY: AddressSanitizer: heap-use-after-free ../tests/unit-tests/util/signal.cpp:388 operator()
==12651==ABORTING
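The trace reads as follows: Signal::operator() (signal-signal.hpp:232) is invoking a std::function whose heap-stored functor was already destroyed via _M_manager/_M_destroy, i.e. the slot was torn down while its own handler was still executing, and the handler's first read of its captured state (signal.cpp:388) hits freed memory. The following is an added example, not ndn-cxx code, of a minimal signal class that tolerates a handler disconnecting itself: disconnect() during an emission only marks the slot, the emission iterates over a snapshot of strong references, and marked slots are erased once the emission finishes. The names Signal, Slot, Connection, ScenarioResult and disconnectSelfScenario are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

class Signal {
 public:
  using Handler = std::function<void()>;
  struct Slot { Handler handler; bool disconnected; };
  using Connection = std::weak_ptr<Slot>;  // non-owning handle for callers
  Connection connect(Handler h) {
    slots_.push_back(std::make_shared<Slot>(Slot{std::move(h), false}));
    return slots_.back();
  }
  // Only mark the slot while an emission is running; it is erased once the
  // emission ends, so a handler may disconnect itself (or another slot).
  void disconnect(const Connection& c) {
    if (auto slot = c.lock()) slot->disconnected = true;
    if (emitDepth_ == 0) compact();
  }
  void operator()() {
    ++emitDepth_;
    // Snapshot of strong refs: the std::function being invoked stays alive
    // for the whole call even if slots_ is modified re-entrantly.
    std::vector<std::shared_ptr<Slot>> snapshot = slots_;
    for (const auto& slot : snapshot)
      if (!slot->disconnected) slot->handler();
    if (--emitDepth_ == 0) compact();
  }
  std::size_t size() const { return slots_.size(); }
 private:
  void compact() {  // drop slots marked disconnected
    slots_.erase(std::remove_if(slots_.begin(), slots_.end(),
        [](const std::shared_ptr<Slot>& s) { return s->disconnected; }), slots_.end());
  }
  std::vector<std::shared_ptr<Slot>> slots_;
  int emitDepth_ = 0;
};

// Mirrors DisconnectSelfInHandler: the handler disconnects itself mid-emission.
struct ScenarioResult { int calls; std::size_t remaining; };
ScenarioResult disconnectSelfScenario() {
  Signal sig;
  int calls = 0;
  Signal::Connection conn;
  conn = sig.connect([&] { ++calls; sig.disconnect(conn); });
  sig();  // handler runs once and removes itself
  sig();  // nothing left to call; no dangling std::function was invoked
  return {calls, sig.size()};
}
```

Run under AddressSanitizer the scenario stays clean, because the std::function that is executing is owned by the snapshot until the call returns.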