Bug #3787
Updated by Davide Pesavento about 8 years ago
Triggered by `Rib/TestRibManager/CommandAuthorization` test case.
From http://jenkins.named-data.net/job/NFD/4374/OS=Ubuntu-16.04-64bit/consoleText
```
Entering test case "CommandAuthorization<N3nfd3rib5tests3Rib14TestRibManager29UnauthorizedRibManagerFixtureE>"
../tests/manager-common-fixture.cpp(38): info: check this->addIdentity(m_identityName) passed
1415684132.000000 INFO: [RibManager] Start monitoring face create/destroy events
../tests/rib/rib-manager.t.cpp(106): info: check params.getName() == "/localhost/nfd/rib" || params.getName() == "/localhop/nfd/rib" passed
=================================================================
==14509==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000cda30 at pc 0x00000052f08b bp 0x7ffeb1e1ee10 sp 0x7ffeb1e1ee00
READ of size 8 at 0x6070000cda30 thread T0
#0 0x52f08a in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:174
#1 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
#2 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
#3 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
#4 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
#5 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
#6 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
#7 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
#8 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
#9 0x7f5e4a164cb0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
#10 0x7f5e4a144995 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4a995)
#11 0x7f5e4a1451b2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4b1b2)
#12 0x7f5e4a164de1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6ade1)
#13 0x7f5e4a14c09d in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5209d)
#14 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
#15 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
#16 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
#17 0x7f5e4a1479f5 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4d9f5)
#18 0x7f5e4a163286 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x69286)
#19 0x5beecd in main ../tests/main.cpp:112
#20 0x7f5e494b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x422358 in _start (build/unit-tests-rib+0x422358)
0x6070000cda30 is located 16 bytes inside of 72-byte region [0x6070000cda20,0x6070000cda68)
freed by thread T0 here:
#0 0x7f5e4b7f9b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x4fc528 in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::erase(std::_List_const_iterator<nfd::rib::Route>) (build/unit-tests-rib+0x4fc528)
#2 0x4f9f08 in nfd::rib::RibEntry::eraseRoute(std::_List_iterator<nfd::rib::Route>) ../rib/rib-entry.cpp:125
#3 0x52f03c in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:170
#4 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
#5 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
#6 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
#7 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
#8 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
#9 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
#10 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
#11 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
#12 0x7f5e4a164cb0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
#13 0x6030001d8adf (<unknown module>)
previously allocated by thread T0 here:
#0 0x7f5e4b7f9532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x4fae0b in __gnu_cxx::new_allocator<std::_List_node<nfd::rib::Route> >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
#2 0x4fae0b in std::__cxx11::_List_base<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_get_node() /usr/include/c++/5/bits/stl_list.h:392
#3 0x4fae0b in std::_List_node<nfd::rib::Route>* std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_create_node<nfd::rib::Route const&>(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:571
#4 0x4fae0b in void std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_insert<nfd::rib::Route const&>(std::_List_iterator<nfd::rib::Route>, nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1763
#5 0x4fae0b in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::push_back(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1089
#6 0x4fae0b in nfd::rib::RibEntry::insertRoute(nfd::rib::Route const&) ../rib/rib-entry.cpp:59
#7 0x53278a in nfd::rib::Rib::insert(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:127
#8 0x502ceb in nfd::rib::RibManager::onCommandPrefixAddNextHopSuccess(ndn::Name const&, ndn::nfd::ControlParameters const&) ../rib/rib-manager.cpp:441
#9 0x516893 in void std::_Mem_fn_base<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&), true>::operator()<ndn::Name const&, ndn::nfd::ControlParameters const&, void>(nfd::rib::RibManager*, ndn::Name const&, ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:600
#10 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::__call<void, ndn::nfd::ControlParameters const&, 0ul, 1ul, 2ul>(std::tuple<ndn::nfd::ControlParameters const&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1074
#11 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::operator()<ndn::nfd::ControlParameters const&, void>(ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1133
#12 0x516893 in std::_Function_handler<void (ndn::nfd::ControlParameters const&), std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)> >::_M_invoke(std::_Any_data const&, ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1871
#13 0x7f5e4b3415c8 in std::function<void (ndn::nfd::ControlParameters const&)>::operator()(ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:2267
#14 0x7f5e4b3415c8 in ndn::nfd::Controller::processValidatedCommandResponse(ndn::Data const&, std::shared_ptr<ndn::nfd::ControlCommand> const&, std::function<void (ndn::nfd::ControlParameters const&)> const&, std::function<void (ndn::mgmt::ControlResponse const&)> const&) ../src/mgmt/nfd/controller.cpp:129
SUMMARY: AddressSanitizer: heap-use-after-free ../rib/rib.cpp:174 nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&)
Shadow bytes around the buggy address:
0x0c0e80011af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e80011b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e80011b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e80011b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e80011b30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 01 fa
=>0x0c0e80011b40: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fa fa fa
0x0c0e80011b50: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0e80011b60: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
0x0c0e80011b70: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
0x0c0e80011b80: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x0c0e80011b90: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==14509==ABORTING
```