Project

General

Profile

Actions

Bug #3787

closed

Rib::erase use-after-free

Added by Davide Pesavento over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
RIB
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:

Description

Triggered by Rib/TestRibManager/CommandAuthorization test case.

From http://jenkins.named-data.net/job/NFD/4374/OS=Ubuntu-16.04-64bit/consoleText

Entering test case "CommandAuthorization<N3nfd3rib5tests3Rib14TestRibManager29UnauthorizedRibManagerFixtureE>"
../tests/manager-common-fixture.cpp(38): info: check this->addIdentity(m_identityName) passed
1415684132.000000 INFO: [RibManager] Start monitoring face create/destroy events
../tests/rib/rib-manager.t.cpp(106): info: check params.getName() == "/localhost/nfd/rib" || params.getName() == "/localhop/nfd/rib" passed
=================================================================
==14509==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000cda30 at pc 0x00000052f08b bp 0x7ffeb1e1ee10 sp 0x7ffeb1e1ee00
READ of size 8 at 0x6070000cda30 thread T0
    #0 0x52f08a in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:174
    #1 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #2 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #3 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
    #4 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
    #5 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
    #6 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #7 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #8 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #9 0x7f5e4a164cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #10 0x7f5e4a144995 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4a995)
    #11 0x7f5e4a1451b2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4b1b2)
    #12 0x7f5e4a164de1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6ade1)
    #13 0x7f5e4a14c09d in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5209d)
    #14 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #15 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #16 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #17 0x7f5e4a1479f5 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4d9f5)
    #18 0x7f5e4a163286 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x69286)
    #19 0x5beecd in main ../tests/main.cpp:112
    #20 0x7f5e494b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x422358 in _start (build/unit-tests-rib+0x422358)

0x6070000cda30 is located 16 bytes inside of 72-byte region [0x6070000cda20,0x6070000cda68)
freed by thread T0 here:
    #0 0x7f5e4b7f9b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
    #1 0x4fc528 in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::erase(std::_List_const_iterator<nfd::rib::Route>) (build/unit-tests-rib+0x4fc528)
    #2 0x4f9f08 in nfd::rib::RibEntry::eraseRoute(std::_List_iterator<nfd::rib::Route>) ../rib/rib-entry.cpp:125
    #3 0x52f03c in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:170
    #4 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #5 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #6 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
    #7 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
    #8 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
    #9 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #10 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #11 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #12 0x7f5e4a164cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #13 0x6030001d8adf  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7f5e4b7f9532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4fae0b in __gnu_cxx::new_allocator<std::_List_node<nfd::rib::Route> >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x4fae0b in std::__cxx11::_List_base<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_get_node() /usr/include/c++/5/bits/stl_list.h:392
    #3 0x4fae0b in std::_List_node<nfd::rib::Route>* std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_create_node<nfd::rib::Route const&>(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:571
    #4 0x4fae0b in void std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_insert<nfd::rib::Route const&>(std::_List_iterator<nfd::rib::Route>, nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1763
    #5 0x4fae0b in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::push_back(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1089
    #6 0x4fae0b in nfd::rib::RibEntry::insertRoute(nfd::rib::Route const&) ../rib/rib-entry.cpp:59
    #7 0x53278a in nfd::rib::Rib::insert(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:127
    #8 0x502ceb in nfd::rib::RibManager::onCommandPrefixAddNextHopSuccess(ndn::Name const&, ndn::nfd::ControlParameters const&) ../rib/rib-manager.cpp:441
    #9 0x516893 in void std::_Mem_fn_base<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&), true>::operator()<ndn::Name const&, ndn::nfd::ControlParameters const&, void>(nfd::rib::RibManager*, ndn::Name const&, ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:600
    #10 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::__call<void, ndn::nfd::ControlParameters const&, 0ul, 1ul, 2ul>(std::tuple<ndn::nfd::ControlParameters const&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1074
    #11 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::operator()<ndn::nfd::ControlParameters const&, void>(ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1133
    #12 0x516893 in std::_Function_handler<void (ndn::nfd::ControlParameters const&), std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)> >::_M_invoke(std::_Any_data const&, ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1871
    #13 0x7f5e4b3415c8 in std::function<void (ndn::nfd::ControlParameters const&)>::operator()(ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:2267
    #14 0x7f5e4b3415c8 in ndn::nfd::Controller::processValidatedCommandResponse(ndn::Data const&, std::shared_ptr<ndn::nfd::ControlCommand> const&, std::function<void (ndn::nfd::ControlParameters const&)> const&, std::function<void (ndn::mgmt::ControlResponse const&)> const&) ../src/mgmt/nfd/controller.cpp:129

SUMMARY: AddressSanitizer: heap-use-after-free ../rib/rib.cpp:174 nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&)
Shadow bytes around the buggy address:
  0x0c0e80011af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 01 fa
=>0x0c0e80011b40: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fa fa fa
  0x0c0e80011b50: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e80011b60: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
  0x0c0e80011b70: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0e80011b80: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e80011b90: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14509==ABORTING

Related issues 1 (0 open1 closed)

Blocks NFD - Task #2589: CI: enable AddressSanitizer for unit testsClosedDavide Pesavento

Actions
Actions #1

Updated by Davide Pesavento over 8 years ago

  • Blocks Task #2589: CI: enable AddressSanitizer for unit tests added
Actions #2

Updated by Davide Pesavento over 8 years ago

  • Subject changed from Rib/TestRibManager/CommandAuthorization triggers use-after-free to Rib::erase use-after-free
  • Description updated (diff)
  • Status changed from New to In Progress
  • Assignee set to Davide Pesavento

Rib::erase() accesses route.faceId after route itself was destroyed by RibEntry::eraseRoute().

Actions #3

Updated by Davide Pesavento over 8 years ago

  • Status changed from In Progress to Code review
  • % Done changed from 0 to 100
Actions #4

Updated by Davide Pesavento over 8 years ago

  • % Done changed from 100 to 50

There's another bug, this time in RibManagerFixture::clearRib().

==19400==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110008f2eb0 at pc 0x0000004a20b2 bp 0x7ffc90be3490 sp 0x7ffc90be3480
READ of size 8 at 0x6110008f2eb0 thread T0
    #0 0x4a20b1 in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::empty() const /usr/include/c++/5/bits/stl_list.h:942
    #1 0x4a20b1 in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #2 0x4a20b1 in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #3 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:300
    #4 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:339
    #5 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:339
    #6 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #7 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #8 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #9 0x7fc1ce984cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #10 0x7fc1ce964995 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4a995)
    #11 0x7fc1ce9651b2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4b1b2)
    #12 0x7fc1ce984de1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6ade1)
    #13 0x7fc1ce96c09d in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5209d)
    #14 0x7fc1ce9a24ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #15 0x7fc1ce9a24ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #16 0x7fc1ce9a24ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #17 0x7fc1ce9679f5 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4d9f5)
    #18 0x7fc1ce983286 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x69286)
    #19 0x5beeb9 in main ../tests/main.cpp:112
    #20 0x7fc1cdcd082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x422358 in _start (build/unit-tests-rib+0x422358)

0x6110008f2eb0 is located 176 bytes inside of 232-byte region [0x6110008f2e00,0x6110008f2ee8)
freed by thread T0 here:
    #0 0x7fc1d0019b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
    #1 0x533b0d in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/5/ext/new_allocator.h:110
    #2 0x533b0d in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:517
    #3 0x533b0d in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/5/bits/allocated_ptr.h:72
    #4 0x533b0d in std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/5/bits/shared_ptr_base.h:539
    #5 0x52f359 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/5/bits/shared_ptr_base.h:167
    #6 0x52f359 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/5/bits/shared_ptr_base.h:659
    #7 0x52f359 in std::__shared_ptr<nfd::rib::RibEntry, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/5/bits/shared_ptr_base.h:925
    #8 0x52f359 in std::shared_ptr<nfd::rib::RibEntry>::~shared_ptr() /usr/include/c++/5/bits/shared_ptr.h:93
    #9 0x52f359 in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:165
    #10 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:139
    #11 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #12 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:300
    #13 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:339
    #14 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:339
    #15 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #16 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #17 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #18 0x7fc1ce984cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #19 0x6030001c3eff  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7fc1d0019532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x53a7ea in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x53a7ea in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
    #3 0x53a7ea in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >&) /usr/include/c++/5/bits/allocated_ptr.h:102
    #4 0x530f4c in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::_Sp_make_shared_tag, nfd::rib::RibEntry*, std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr_base.h:615
    #5 0x530f4c in std::__shared_ptr<nfd::rib::RibEntry, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::_Sp_make_shared_tag, std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr_base.h:1097
    #6 0x530f4c in std::shared_ptr<nfd::rib::RibEntry>::shared_ptr<std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::_Sp_make_shared_tag, std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr.h:319
    #7 0x530f4c in std::shared_ptr<nfd::rib::RibEntry> std::allocate_shared<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr.h:620
    #8 0x530f4c in std::shared_ptr<nfd::rib::RibEntry> std::make_shared<nfd::rib::RibEntry, nfd::rib::RibEntry>(nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr.h:636
    #9 0x530f4c in nfd::rib::Rib::insert(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:121
    #10 0x502ceb in nfd::rib::RibManager::onCommandPrefixAddNextHopSuccess(ndn::Name const&, ndn::nfd::ControlParameters const&) ../rib/rib-manager.cpp:441
    #11 0x516893 in void std::_Mem_fn_base<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&), true>::operator()<ndn::Name const&, ndn::nfd::ControlParameters const&, void>(nfd::rib::RibManager*, ndn::Name const&, ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:600
    #12 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::__call<void, ndn::nfd::ControlParameters const&, 0ul, 1ul, 2ul>(std::tuple<ndn::nfd::ControlParameters const&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1074
    #13 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::operator()<ndn::nfd::ControlParameters const&, void>(ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1133
    #14 0x516893 in std::_Function_handler<void (ndn::nfd::ControlParameters const&), std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)> >::_M_invoke(std::_Any_data const&, ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1871
    #15 0x7fc1cfb615c8 in std::function<void (ndn::nfd::ControlParameters const&)>::operator()(ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:2267
    #16 0x7fc1cfb615c8 in ndn::nfd::Controller::processValidatedCommandResponse(ndn::Data const&, std::shared_ptr<ndn::nfd::ControlCommand> const&, std::function<void (ndn::nfd::ControlParameters const&)> const&, std::function<void (ndn::mgmt::ControlResponse const&)> const&) ../src/mgmt/nfd/controller.cpp:129

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/5/bits/stl_list.h:942 std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::empty() const
Shadow bytes around the buggy address:
  0x0c2280116580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280116590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22801165a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22801165b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22801165c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c22801165d0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fa fa fa
  0x0c22801165e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c22801165f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280116600: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c2280116610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280116620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==19400==ABORTING
Actions #5

Updated by Davide Pesavento over 8 years ago

  • % Done changed from 50 to 100

clearRib() needs to keep a copy of shared_ptr<RibEntry> while iterating, to prevent deallocation of the RibEntry when it becomes empty in Rib::erase().

Actions #6

Updated by Davide Pesavento over 8 years ago

  • Status changed from Code review to Closed
Actions

Also available in: Atom PDF