Bug #3787

closed

Rib::erase use-after-free

Added by Davide Pesavento over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: RIB
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:

Description

Triggered by Rib/TestRibManager/CommandAuthorization test case.

From http://jenkins.named-data.net/job/NFD/4374/OS=Ubuntu-16.04-64bit/consoleText

Entering test case "CommandAuthorization<N3nfd3rib5tests3Rib14TestRibManager29UnauthorizedRibManagerFixtureE>"
../tests/manager-common-fixture.cpp(38): info: check this->addIdentity(m_identityName) passed
1415684132.000000 INFO: [RibManager] Start monitoring face create/destroy events
../tests/rib/rib-manager.t.cpp(106): info: check params.getName() == "/localhost/nfd/rib" || params.getName() == "/localhop/nfd/rib" passed
=================================================================
==14509==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000cda30 at pc 0x00000052f08b bp 0x7ffeb1e1ee10 sp 0x7ffeb1e1ee00
READ of size 8 at 0x6070000cda30 thread T0
    #0 0x52f08a in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:174
    #1 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #2 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #3 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
    #4 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
    #5 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
    #6 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #7 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #8 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #9 0x7f5e4a164cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #10 0x7f5e4a144995 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4a995)
    #11 0x7f5e4a1451b2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4b1b2)
    #12 0x7f5e4a164de1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6ade1)
    #13 0x7f5e4a14c09d in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5209d)
    #14 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #15 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #16 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #17 0x7f5e4a1479f5 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4d9f5)
    #18 0x7f5e4a163286 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x69286)
    #19 0x5beecd in main ../tests/main.cpp:112
    #20 0x7f5e494b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x422358 in _start (build/unit-tests-rib+0x422358)

0x6070000cda30 is located 16 bytes inside of 72-byte region [0x6070000cda20,0x6070000cda68)
freed by thread T0 here:
    #0 0x7f5e4b7f9b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
    #1 0x4fc528 in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::erase(std::_List_const_iterator<nfd::rib::Route>) (build/unit-tests-rib+0x4fc528)
    #2 0x4f9f08 in nfd::rib::RibEntry::eraseRoute(std::_List_iterator<nfd::rib::Route>) ../rib/rib-entry.cpp:125
    #3 0x52f03c in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:170
    #4 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #5 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #6 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
    #7 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
    #8 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
    #9 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #10 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #11 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #12 0x7f5e4a164cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #13 0x6030001d8adf  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7f5e4b7f9532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4fae0b in __gnu_cxx::new_allocator<std::_List_node<nfd::rib::Route> >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x4fae0b in std::__cxx11::_List_base<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_get_node() /usr/include/c++/5/bits/stl_list.h:392
    #3 0x4fae0b in std::_List_node<nfd::rib::Route>* std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_create_node<nfd::rib::Route const&>(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:571
    #4 0x4fae0b in void std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_insert<nfd::rib::Route const&>(std::_List_iterator<nfd::rib::Route>, nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1763
    #5 0x4fae0b in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::push_back(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1089
    #6 0x4fae0b in nfd::rib::RibEntry::insertRoute(nfd::rib::Route const&) ../rib/rib-entry.cpp:59
    #7 0x53278a in nfd::rib::Rib::insert(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:127
    #8 0x502ceb in nfd::rib::RibManager::onCommandPrefixAddNextHopSuccess(ndn::Name const&, ndn::nfd::ControlParameters const&) ../rib/rib-manager.cpp:441
    #9 0x516893 in void std::_Mem_fn_base<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&), true>::operator()<ndn::Name const&, ndn::nfd::ControlParameters const&, void>(nfd::rib::RibManager*, ndn::Name const&, ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:600
    #10 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::__call<void, ndn::nfd::ControlParameters const&, 0ul, 1ul, 2ul>(std::tuple<ndn::nfd::ControlParameters const&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1074
    #11 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::operator()<ndn::nfd::ControlParameters const&, void>(ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1133
    #12 0x516893 in std::_Function_handler<void (ndn::nfd::ControlParameters const&), std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)> >::_M_invoke(std::_Any_data const&, ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1871
    #13 0x7f5e4b3415c8 in std::function<void (ndn::nfd::ControlParameters const&)>::operator()(ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:2267
    #14 0x7f5e4b3415c8 in ndn::nfd::Controller::processValidatedCommandResponse(ndn::Data const&, std::shared_ptr<ndn::nfd::ControlCommand> const&, std::function<void (ndn::nfd::ControlParameters const&)> const&, std::function<void (ndn::mgmt::ControlResponse const&)> const&) ../src/mgmt/nfd/controller.cpp:129

SUMMARY: AddressSanitizer: heap-use-after-free ../rib/rib.cpp:174 nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&)
Shadow bytes around the buggy address:
  0x0c0e80011af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 01 fa
=>0x0c0e80011b40: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fa fa fa
  0x0c0e80011b50: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e80011b60: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
  0x0c0e80011b70: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0e80011b80: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e80011b90: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14509==ABORTING

Related issues 1 (0 open, 1 closed)

Blocks NFD - Task #2589: CI: enable AddressSanitizer for unit tests (Closed, Davide Pesavento)

Actions #1

Updated by Davide Pesavento over 7 years ago

  • Blocks Task #2589: CI: enable AddressSanitizer for unit tests added
Actions #2

Updated by Davide Pesavento over 7 years ago

  • Subject changed from Rib/TestRibManager/CommandAuthorization triggers use-after-free to Rib::erase use-after-free
  • Description updated (diff)
  • Status changed from New to In Progress
  • Assignee set to Davide Pesavento

Rib::erase() accesses route.faceId after route itself was destroyed by RibEntry::eraseRoute().

Actions #3

Updated by Davide Pesavento over 7 years ago

  • Status changed from In Progress to Code review
  • % Done changed from 0 to 100
Actions #4

Updated by Davide Pesavento over 7 years ago

  • % Done changed from 100 to 50

There's another bug, this time in RibManagerFixture::clearRib().

==19400==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110008f2eb0 at pc 0x0000004a20b2 bp 0x7ffc90be3490 sp 0x7ffc90be3480
READ of size 8 at 0x6110008f2eb0 thread T0
    #0 0x4a20b1 in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::empty() const /usr/include/c++/5/bits/stl_list.h:942
    #1 0x4a20b1 in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #2 0x4a20b1 in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #3 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:300
    #4 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:339
    #5 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:339
    #6 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #7 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #8 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #9 0x7fc1ce984cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #10 0x7fc1ce964995 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4a995)
    #11 0x7fc1ce9651b2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4b1b2)
    #12 0x7fc1ce984de1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6ade1)
    #13 0x7fc1ce96c09d in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5209d)
    #14 0x7fc1ce9a24ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #15 0x7fc1ce9a24ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #16 0x7fc1ce9a24ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #17 0x7fc1ce9679f5 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4d9f5)
    #18 0x7fc1ce983286 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x69286)
    #19 0x5beeb9 in main ../tests/main.cpp:112
    #20 0x7fc1cdcd082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x422358 in _start (build/unit-tests-rib+0x422358)

0x6110008f2eb0 is located 176 bytes inside of 232-byte region [0x6110008f2e00,0x6110008f2ee8)
freed by thread T0 here:
    #0 0x7fc1d0019b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
    #1 0x533b0d in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/5/ext/new_allocator.h:110
    #2 0x533b0d in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:517
    #3 0x533b0d in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/5/bits/allocated_ptr.h:72
    #4 0x533b0d in std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/5/bits/shared_ptr_base.h:539
    #5 0x52f359 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/5/bits/shared_ptr_base.h:167
    #6 0x52f359 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/5/bits/shared_ptr_base.h:659
    #7 0x52f359 in std::__shared_ptr<nfd::rib::RibEntry, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/5/bits/shared_ptr_base.h:925
    #8 0x52f359 in std::shared_ptr<nfd::rib::RibEntry>::~shared_ptr() /usr/include/c++/5/bits/shared_ptr.h:93
    #9 0x52f359 in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:165
    #10 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:139
    #11 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #12 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:300
    #13 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:339
    #14 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:339
    #15 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #16 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #17 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #18 0x7fc1ce984cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #19 0x6030001c3eff  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7fc1d0019532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x53a7ea in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x53a7ea in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
    #3 0x53a7ea in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, (__gnu_cxx::_Lock_policy)2> >&) /usr/include/c++/5/bits/allocated_ptr.h:102
    #4 0x530f4c in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::_Sp_make_shared_tag, nfd::rib::RibEntry*, std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr_base.h:615
    #5 0x530f4c in std::__shared_ptr<nfd::rib::RibEntry, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::_Sp_make_shared_tag, std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr_base.h:1097
    #6 0x530f4c in std::shared_ptr<nfd::rib::RibEntry>::shared_ptr<std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::_Sp_make_shared_tag, std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr.h:319
    #7 0x530f4c in std::shared_ptr<nfd::rib::RibEntry> std::allocate_shared<nfd::rib::RibEntry, std::allocator<nfd::rib::RibEntry>, nfd::rib::RibEntry>(std::allocator<nfd::rib::RibEntry> const&, nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr.h:620
    #8 0x530f4c in std::shared_ptr<nfd::rib::RibEntry> std::make_shared<nfd::rib::RibEntry, nfd::rib::RibEntry>(nfd::rib::RibEntry&&) /usr/include/c++/5/bits/shared_ptr.h:636
    #9 0x530f4c in nfd::rib::Rib::insert(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:121
    #10 0x502ceb in nfd::rib::RibManager::onCommandPrefixAddNextHopSuccess(ndn::Name const&, ndn::nfd::ControlParameters const&) ../rib/rib-manager.cpp:441
    #11 0x516893 in void std::_Mem_fn_base<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&), true>::operator()<ndn::Name const&, ndn::nfd::ControlParameters const&, void>(nfd::rib::RibManager*, ndn::Name const&, ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:600
    #12 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::__call<void, ndn::nfd::ControlParameters const&, 0ul, 1ul, 2ul>(std::tuple<ndn::nfd::ControlParameters const&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1074
    #13 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::operator()<ndn::nfd::ControlParameters const&, void>(ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1133
    #14 0x516893 in std::_Function_handler<void (ndn::nfd::ControlParameters const&), std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)> >::_M_invoke(std::_Any_data const&, ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1871
    #15 0x7fc1cfb615c8 in std::function<void (ndn::nfd::ControlParameters const&)>::operator()(ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:2267
    #16 0x7fc1cfb615c8 in ndn::nfd::Controller::processValidatedCommandResponse(ndn::Data const&, std::shared_ptr<ndn::nfd::ControlCommand> const&, std::function<void (ndn::nfd::ControlParameters const&)> const&, std::function<void (ndn::mgmt::ControlResponse const&)> const&) ../src/mgmt/nfd/controller.cpp:129

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/5/bits/stl_list.h:942 std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::empty() const
Shadow bytes around the buggy address:
  0x0c2280116580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280116590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22801165a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22801165b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22801165c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c22801165d0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fa fa fa
  0x0c22801165e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c22801165f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280116600: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c2280116610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280116620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==19400==ABORTING
Actions #5

Updated by Davide Pesavento over 7 years ago

  • % Done changed from 50 to 100

clearRib() needs to keep a copy of shared_ptr<RibEntry> while iterating, to prevent deallocation of the RibEntry when it becomes empty in Rib::erase().

Actions #6

Updated by Davide Pesavento over 7 years ago

  • Status changed from Code review to Closed
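
The two lifetime bugs diagnosed in notes #2 and #5 above, reduced to a self-contained model. This is an added example, not code from NFD or from the issue's author; the `Route`, `RibEntry`, `Rib` and `clearRib` definitions and the `m_faceRefs` bookkeeping are simplified assumptions that keep only the ownership structure visible in the ASan traces.

```cpp
// Added illustration: Route, RibEntry, Rib and clearRib are simplified,
// hypothetical stand-ins for the classes named in the issue, not NFD's code.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <list>
#include <map>
#include <memory>
#include <string>

struct Route { std::uint64_t faceId; std::uint64_t cost; };

class RibEntry {
public:
  using RouteList = std::list<Route>;
  void insertRoute(const Route& r) { m_routes.push_back(r); }
  RouteList::iterator findRoute(const Route& r) {
    return std::find_if(m_routes.begin(), m_routes.end(),
                        [&r](const Route& x) { return x.faceId == r.faceId; });
  }
  // Frees the list node: every reference to that Route dangles afterwards.
  void eraseRoute(RouteList::iterator it) { m_routes.erase(it); }
  RouteList& getRoutes() { return m_routes; }
private:
  RouteList m_routes;
};

class Rib {
public:
  using Table = std::map<std::string, std::shared_ptr<RibEntry>>;

  void insert(const std::string& prefix, const Route& route) {
    std::shared_ptr<RibEntry>& entry = m_table[prefix];
    if (!entry) entry = std::make_shared<RibEntry>();
    if (entry->findRoute(route) != entry->getRoutes().end()) return;
    entry->insertRoute(route);
    ++m_faceRefs[route.faceId];
  }

  void erase(const std::string& prefix, const Route& route) {
    auto it = m_table.find(prefix);
    if (it == m_table.end()) return;
    std::shared_ptr<RibEntry> entry = it->second;
    auto routeIt = entry->findRoute(route);
    if (routeIt == entry->getRoutes().end()) return;
    // `route` may alias *routeIt (the caller passed an element of this list),
    // so copy the field needed later BEFORE the node is destroyed.
    const std::uint64_t faceId = route.faceId;
    entry->eraseRoute(routeIt);
    // Flawed form: using route.faceId from here on reads the freed node.
    if (--m_faceRefs[faceId] == 0) m_faceRefs.erase(faceId);
    // Removing the table's reference frees the RibEntry as soon as `entry`
    // goes out of scope, unless the caller holds its own shared_ptr copy.
    if (entry->getRoutes().empty()) m_table.erase(it);
  }

  const Table& table() const { return m_table; }
  std::size_t faceCount() const { return m_faceRefs.size(); }

private:
  Table m_table;
  std::map<std::uint64_t, std::size_t> m_faceRefs;  // faceId -> routes using it
};

// Fixture-style cleanup. Flawed form: binding `routes` directly to
// rib.table().begin()->second->getRoutes() leaves it dangling after the
// erase() call that removes the entry's last route.
std::size_t clearRib(Rib& rib) {
  std::size_t erased = 0;
  while (!rib.table().empty()) {
    const std::string prefix = rib.table().begin()->first;          // copy key
    std::shared_ptr<RibEntry> entry = rib.table().begin()->second;  // keep-alive
    RibEntry::RouteList& routes = entry->getRoutes();
    while (!routes.empty()) {
      rib.erase(prefix, routes.front());  // argument aliases the erased node
      ++erased;
    }
  }
  return erased;
}

int main() {
  Rib rib;  // constructed sample data: two prefixes, three routes
  rib.insert("/a", Route{1, 10});
  rib.insert("/a", Route{2, 20});
  rib.insert("/b", Route{1, 5});
  return (clearRib(rib) == 3 && rib.table().empty()) ? 0 : 1;
}
```

Building this with `-fsanitize=address` runs clean; reverting either marked line to its flawed form reproduces the corresponding heap-use-after-free class of report.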