Actions
Bug #4176
closed
Net/TestNetworkMonitor/DestructWhileEnumerating heap-use-after-free
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Network
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Tags:
Description
Steps to reproduce:
./waf configure --enable-static --disable-shared --with-tests --with-sanitizer=address,undefined # on macOS, append: --without-osx-keychain
./waf
./build/unit-tests -t Net/TestNetworkMonitor/DestructWhileEnumerating
Updated by Junxiao Shi almost 7 years ago
Ubuntu 16.04 32-bit¶
ubuntu@m0213:~/san-ndn-cxx$ build/unit-tests -t Net/TestNetworkMonitor/DestructWhileEnumerating
Running 1 test case...
=================================================================
==9039==ERROR: AddressSanitizer: heap-use-after-free on address 0xb3005200 at pc 0x0bb6aaa1 bp 0xbfc2f4f8 sp 0xbfc2f4e8
READ of size 4 at 0xb3005200 thread T0
#0 0xbb6aaa0 in boost::asio::detail::thread_info_base::deallocate(boost::asio::detail::thread_info_base*, void*, unsigned int) /usr/include/boost/asio/detail/thread_info_base.hpp:71
#1 0xbb6aaa0 in boost::asio::asio_handler_deallocate(void*, unsigned int, ...) /usr/include/boost/asio/impl/handler_alloc_hook.ipp:67
#2 0xbb6aaa0 in void boost_asio_handler_alloc_helpers::deallocate<std::_Bind<std::_Mem_fn<void (ndn::net::NetworkMonitorImplRtnl::*)(boost::system::error_code const&, unsigned int, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> > const&)> (ndn::net::NetworkMonitorImplRtnl*, std::_Placeholder<1>, std::_Placeholder<2>, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> >)> >(void*, unsigned int, std::_Bind<std::_Mem_fn<void (ndn::net::NetworkMonitorImplRtnl::*)(boost::system::error_code const&, unsigned int, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> > const&)> (ndn::net::NetworkMonitorImplRtnl*, std::_Placeholder<1>, std::_Placeholder<2>, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> >)>&) /usr/include/boost/asio/detail/handler_alloc_helpers.hpp:48
#3 0xbb6aaa0 in boost::asio::detail::descriptor_read_op<boost::asio::mutable_buffers_1, std::_Bind<std::_Mem_fn<void (ndn::net::NetworkMonitorImplRtnl::*)(boost::system::error_code const&, unsigned int, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> > const&)> (ndn::net::NetworkMonitorImplRtnl*, std::_Placeholder<1>, std::_Placeholder<2>, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> >)> >::ptr::reset() /usr/include/boost/asio/detail/descriptor_read_op.hpp:68
#4 0xbb6aaa0 in boost::asio::detail::descriptor_read_op<boost::asio::mutable_buffers_1, std::_Bind<std::_Mem_fn<void (ndn::net::NetworkMonitorImplRtnl::*)(boost::system::error_code const&, unsigned int, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> > const&)> (ndn::net::NetworkMonitorImplRtnl*, std::_Placeholder<1>, std::_Placeholder<2>, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> >)> >::ptr::~ptr() /usr/include/boost/asio/detail/descriptor_read_op.hpp:68
#5 0xbb6aaa0 in boost::asio::detail::descriptor_read_op<boost::asio::mutable_buffers_1, std::_Bind<std::_Mem_fn<void (ndn::net::NetworkMonitorImplRtnl::*)(boost::system::error_code const&, unsigned int, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> > const&)> (ndn::net::NetworkMonitorImplRtnl*, std::_Placeholder<1>, std::_Placeholder<2>, std::shared_ptr<boost::asio::posix::basic_stream_descriptor<boost::asio::posix::stream_descriptor_service> >)> >::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned int) /usr/include/boost/asio/detail/descriptor_read_op.hpp:84
#6 0x8e18d4c in boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned int) /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#7 0x8e18d4c in boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:372
#8 0x8e18d4c in boost::asio::detail::task_io_service::run(boost::system::error_code&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:149
#9 0x8f24d07 in boost::asio::io_service::run() /usr/include/boost/asio/impl/io_service.ipp:59
#10 0x8f24d07 in ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method() ../tests/unit-tests/net/network-monitor.t.cpp:64
#11 0x8f27519 in DestructWhileEnumerating_invoker ../tests/unit-tests/net/network-monitor.t.cpp:50
#12 0x827c4bb in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<void (*)()>(void (*&)()) /usr/include/boost/test/utils/callback.hpp:56
#13 0x827c4bb in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#14 0xb6f5aea5 (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5fea5)
#15 0xb6f3ac00 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x3fc00)
#16 0xb6f3b38a in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4038a)
#17 0xb6f5b025 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x60025)
#18 0xb6f421e0 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x471e0)
#19 0xb6f799bc in boost::unit_test::traverse_test_tree(boost::unit_test::test_case const&, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7e9bc)
#20 0xb6f79a03 in boost::unit_test::traverse_test_tree(unsigned long, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7ea03)
#21 0xb6f79aaa in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7eaaa)
#22 0xb6f79a2b in boost::unit_test::traverse_test_tree(unsigned long, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7ea2b)
#23 0xb6f79aaa in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7eaaa)
#24 0xb6f79a2b in boost::unit_test::traverse_test_tree(unsigned long, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7ea2b)
#25 0xb6f79aaa in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7eaaa)
#26 0xb6f79a2b in boost::unit_test::traverse_test_tree(unsigned long, boost::unit_test::test_tree_visitor&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x7ea2b)
#27 0xb6f3db34 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x42b34)
#28 0xb6f59457 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5e457)
#29 0x8117def in main ../tests/main.cpp:109
#30 0xb6041636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#31 0x82009c2 (/home/ubuntu/san-ndn-cxx/build/unit-tests+0x82009c2)
0xb3005200 is located 0 bytes inside of 16512-byte region [0xb3005200,0xb3009280)
freed by thread T0 here:
#0 0xb72cc2a4 in operator delete(void*) (/usr/lib/i386-linux-gnu/libasan.so.2+0x982a4)
#1 0x8f1c5bc in std::default_delete<ndn::net::NetworkMonitorImpl>::operator()(ndn::net::NetworkMonitorImpl*) const /usr/include/c++/5/bits/unique_ptr.h:76
#2 0x8f1c5bc in std::unique_ptr<ndn::net::NetworkMonitorImpl, std::default_delete<ndn::net::NetworkMonitorImpl> >::~unique_ptr() /usr/include/c++/5/bits/unique_ptr.h:236
#3 0x8f1c5bc in ndn::net::NetworkMonitor::~NetworkMonitor() /home/ubuntu/san-ndn-cxx/src/net/network-monitor.hpp:54
#4 0x8f1c5bc in std::default_delete<ndn::net::NetworkMonitor>::operator()(ndn::net::NetworkMonitor*) const /usr/include/c++/5/bits/unique_ptr.h:76
#5 0x8f1c5bc in std::unique_ptr<ndn::net::NetworkMonitor, std::default_delete<ndn::net::NetworkMonitor> >::reset(ndn::net::NetworkMonitor*) /usr/include/c++/5/bits/unique_ptr.h:344
#6 0x8f1c5bc in operator() ../tests/unit-tests/net/network-monitor.t.cpp:57
#7 0x8f1c5bc in asio_handler_invoke<ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method()::<lambda(const std::shared_ptr<const ndn::net::NetworkInterface>&)>::<lambda()> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
#8 0x8f1c5bc in invoke<ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method()::<lambda(const std::shared_ptr<const ndn::net::NetworkInterface>&)>::<lambda()>, ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method()::<lambda(const std::shared_ptr<const ndn::net::NetworkInterface>&)>::<lambda()> > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#9 0x8f1c5bc in do_complete /usr/include/boost/asio/detail/completion_handler.hpp:68
#10 0x8e18d4c in boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned int) /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#11 0x8e18d4c in boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:372
#12 0x8e18d4c in boost::asio::detail::task_io_service::run(boost::system::error_code&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:149
#13 0x8f24d07 in boost::asio::io_service::run() /usr/include/boost/asio/impl/io_service.ipp:59
#14 0x8f24d07 in ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method() ../tests/unit-tests/net/network-monitor.t.cpp:64
#15 0x8f27519 in DestructWhileEnumerating_invoker ../tests/unit-tests/net/network-monitor.t.cpp:50
#16 0x827c4bb in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<void (*)()>(void (*&)()) /usr/include/boost/test/utils/callback.hpp:56
#17 0x827c4bb in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#18 0xb6f5aea5 (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5fea5)
#19 0xb6f3b38a in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4038a)
#20 0xb6f5b025 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x60025)
#21 0xb6f421e0 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x471e0)
previously allocated by thread T0 here:
#0 0xb72cbcd6 in operator new(unsigned int) (/usr/lib/i386-linux-gnu/libasan.so.2+0x97cd6)
#1 0xabe0d3a in std::unique_ptr<ndn::net::NetworkMonitorImplRtnl, std::default_delete<ndn::net::NetworkMonitorImplRtnl> > ndn::make_unique<ndn::net::NetworkMonitorImplRtnl, boost::asio::io_service&>(boost::asio::io_service&) ../src/net/../util/backports.hpp:40
#2 0xabe0d3a in ndn::net::NetworkMonitor::NetworkMonitor(boost::asio::io_service&) ../src/net/network-monitor.cpp:43
#3 0x8f23b75 in std::unique_ptr<ndn::net::NetworkMonitor, std::default_delete<ndn::net::NetworkMonitor> > ndn::make_unique<ndn::net::NetworkMonitor, boost::asio::io_service&>(boost::asio::io_service&) /home/ubuntu/san-ndn-cxx/src/net/../util/backports.hpp:40
#4 0x8f23b75 in ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method() ../tests/unit-tests/net/network-monitor.t.cpp:53
#5 0x8f27519 in DestructWhileEnumerating_invoker ../tests/unit-tests/net/network-monitor.t.cpp:50
#6 0x827c4bb in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<void (*)()>(void (*&)()) /usr/include/boost/test/utils/callback.hpp:56
#7 0x827c4bb in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#8 0xb6f5aea5 (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5fea5)
#9 0xb6f3b38a in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4038a)
#10 0xb6f5b025 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x60025)
#11 0xb6f421e0 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/i386-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x471e0)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/boost/asio/detail/thread_info_base.hpp:71 boost::asio::detail::thread_info_base::deallocate(boost::asio::detail::thread_info_base*, void*, unsigned int)
Shadow bytes around the buggy address:
0x366009f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36600a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36600a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36600a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36600a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36600a40:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36600a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36600a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36600a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36600a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x36600a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==9039==ABORTING
macOS 10.12.5¶
monaco:ndn-cxx-dev shijunxiao$ sudo build/unit-tests build/unit-tests -t Net/TestNetworkMonitor/DestructWhileEnumerating
Password:
Boost.Test WARNING: token "build/unit-tests" does not correspond to the Boost.Test argument
and should be placed after all Boost.Test arguments and the -- separator.
For example: unit-tests --random -- build/unit-tests
Running 1 test case...
=================================================================
==42724==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000495a at pc 0x00010b972f19 bp 0x7fff5cf7ae50 sp 0x7fff5cf7a5f8
READ of size 11 at 0x60200000495a thread T0
#0 0x10b972f18 in wrap_strlen (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x10f18)
#1 0x1050d54e7 in ndn::net::convertToStdString(__CFString const*) string:644
#2 0x1050d5124 in ndn::net::NetworkMonitorImplOsx::getInterfaceNames() network-monitor-impl-osx.cpp:226
#3 0x1050d4442 in ndn::net::NetworkMonitorImplOsx::enumerateInterfaces() network-monitor-impl-osx.cpp:193
#4 0x1050de648 in boost::asio::detail::completion_handler<ndn::net::NetworkMonitorImplOsx::NetworkMonitorImplOsx(boost::asio::io_service&)::$_0>::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) network-monitor-impl-osx.cpp:98
#5 0x1035cd008 in boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) task_io_service_operation.hpp:38
#6 0x1035cb7b8 in boost::asio::detail::task_io_service::run(boost::system::error_code&) task_io_service.ipp:149
#7 0x1035bb432 in boost::asio::io_service::run() io_service.ipp:59
#8 0x10369ef55 in ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method() network-monitor.t.cpp:64
#9 0x10369e10e in ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating_invoker() network-monitor.t.cpp:50
#10 0x10b3069de in boost::detail::function::function_obj_invoker0<boost::detail::forward, int>::invoke(boost::detail::function::function_buffer&) (libboost_unit_test_framework-mt.dylib:x86_64+0xb9de)
#11 0x10b30436e in boost::execution_monitor::catch_signals(boost::function<int ()> const&) (libboost_unit_test_framework-mt.dylib:x86_64+0x936e)
#12 0x10b30452c in boost::execution_monitor::execute(boost::function<int ()> const&) (libboost_unit_test_framework-mt.dylib:x86_64+0x952c)
#13 0x10b305baa in boost::execution_monitor::vexecute(boost::function<void ()> const&) (libboost_unit_test_framework-mt.dylib:x86_64+0xabaa)
#14 0x10b328319 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::function<void ()> const&, unsigned int) (libboost_unit_test_framework-mt.dylib:x86_64+0x2d319)
#15 0x10b30d494 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12494)
#16 0x10b30d594 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12594)
#17 0x10b30d594 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12594)
#18 0x10b30d594 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12594)
#19 0x10b30c406 in boost::unit_test::framework::run(unsigned long, bool) (libboost_unit_test_framework-mt.dylib:x86_64+0x11406)
#20 0x10b32721d in boost::unit_test::unit_test_main(bool (*)(), int, char**) (libboost_unit_test_framework-mt.dylib:x86_64+0x2c21d)
#21 0x7fffd6e80234 in start (libdyld.dylib:x86_64+0x5234)
0x60200000495a is located 0 bytes to the right of 10-byte region [0x602000004950,0x60200000495a)
allocated by thread T0 here:
#0 0x10b9bf10b in wrap__Znam (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d10b)
#1 0x1050d54b4 in ndn::net::convertToStdString(__CFString const*) network-monitor-impl-osx.cpp:208
#2 0x1050d5124 in ndn::net::NetworkMonitorImplOsx::getInterfaceNames() network-monitor-impl-osx.cpp:226
#3 0x1050d4442 in ndn::net::NetworkMonitorImplOsx::enumerateInterfaces() network-monitor-impl-osx.cpp:193
#4 0x1050de648 in boost::asio::detail::completion_handler<ndn::net::NetworkMonitorImplOsx::NetworkMonitorImplOsx(boost::asio::io_service&)::$_0>::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) network-monitor-impl-osx.cpp:98
#5 0x1035cd008 in boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) task_io_service_operation.hpp:38
#6 0x1035cb7b8 in boost::asio::detail::task_io_service::run(boost::system::error_code&) task_io_service.ipp:149
#7 0x1035bb432 in boost::asio::io_service::run() io_service.ipp:59
#8 0x10369ef55 in ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating::test_method() network-monitor.t.cpp:64
#9 0x10369e10e in ndn::net::tests::Net::TestNetworkMonitor::DestructWhileEnumerating_invoker() network-monitor.t.cpp:50
#10 0x10b3069de in boost::detail::function::function_obj_invoker0<boost::detail::forward, int>::invoke(boost::detail::function::function_buffer&) (libboost_unit_test_framework-mt.dylib:x86_64+0xb9de)
#11 0x10b30436e in boost::execution_monitor::catch_signals(boost::function<int ()> const&) (libboost_unit_test_framework-mt.dylib:x86_64+0x936e)
#12 0x10b30452c in boost::execution_monitor::execute(boost::function<int ()> const&) (libboost_unit_test_framework-mt.dylib:x86_64+0x952c)
#13 0x10b305baa in boost::execution_monitor::vexecute(boost::function<void ()> const&) (libboost_unit_test_framework-mt.dylib:x86_64+0xabaa)
#14 0x10b328319 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::function<void ()> const&, unsigned int) (libboost_unit_test_framework-mt.dylib:x86_64+0x2d319)
#15 0x10b30d494 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12494)
#16 0x10b30d594 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12594)
#17 0x10b30d594 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12594)
#18 0x10b30d594 in boost::unit_test::framework::state::execute_test_tree(unsigned long, unsigned int, boost::unit_test::framework::state::random_generator_helper const*) (libboost_unit_test_framework-mt.dylib:x86_64+0x12594)
#19 0x10b30c406 in boost::unit_test::framework::run(unsigned long, bool) (libboost_unit_test_framework-mt.dylib:x86_64+0x11406)
#20 0x10b32721d in boost::unit_test::unit_test_main(bool (*)(), int, char**) (libboost_unit_test_framework-mt.dylib:x86_64+0x2c21d)
#21 0x7fffd6e80234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x10f18) in wrap_strlen
Shadow bytes around the buggy address:
0x1c04000008d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c04000008e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c04000008f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0400000920: fa fa fa fa fa fa fa fa fa fa 00[02]fa fa fd fa
0x1c0400000930: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x1c0400000940: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x1c0400000950: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x1c0400000960: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 00
0x1c0400000970: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 03 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==42724==ABORTING
==42724==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff5cf7d000; bottom 0x00010f11a000; size: 0x7ffe4de63000 (140730205351936)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
unknown location:0: fatal error: in "Net/TestNetworkMonitor/DestructWhileEnumerating": signal: SIGABRT (application abort requested)
../tests/unit-tests/net/network-monitor.t.cpp:50: last checkpoint: "DestructWhileEnumerating" entry.
*** 1 failure is detected (7 failures are expected) in the test module "ndn-cxx Tests"
Updated by Davide Pesavento almost 7 years ago
- Subject changed from NetworkMonitor/DestructWhileEnumerating heap-use-after-free to Net/TestNetworkMonitor/DestructWhileEnumerating heap-use-after-free
- Description updated (diff)
- Start date deleted (
07/09/2017)
Why isn't this caught by jenkins or travis?
Updated by Davide Pesavento almost 7 years ago
- Assignee deleted (
Davide Pesavento)
In the Linux case, I don't understand what's going on. I get a slightly different stack trace on my machine, but in any case the ASan error happens before our code is called, in particular it seems to happen while the bind object containing handleRead and the bound arguments is being destructed. It's as if the destructors are run twice. handleRead is already protected against destruction of the NetworkMonitor instance, but as I said, that code is never reached.
I suspect the interaction between ASan and UBSan is either causing a miscompilation or just doing weird things by itself. Moreover, I cannot reproduce with clang, or with ASan alone.
I won't investigate the error on macOS.
Updated by Davide Pesavento about 6 years ago
As noted in signal::Signal documentation, "destructing the Signal object during signal emission is undefined behavior". So the test case is invalid.
Updated by Davide Pesavento about 6 years ago
Actually, disregard my previous comment. The reset() call is wrapped in io.post(), which guarantees that it can't be called directly from the current function.
Updated by Davide Pesavento 3 months ago
- Status changed from New to Closed
I've been trying to reproduce this error several times over the past year or two, to no avail. In fact, the entire ndn-cxx unit test suite with UBSAN has been passing without false positives for me for a long time now. We might even want to consider adding UBSAN to our CI as well.
Therefore, I think it's time to close this (non-)issue. It was probably a false positive or some other bug in GCC's implementation of the sanitizers.
Actions