sanitizer: heap-use-after-free in checkinputs_test #18372
Description
Seeing what looks like the same issue in two Travis builds (valgrind and the thread-sanitizer) on latest master.
The failure is in the txvalidationcache checkinputs_test:
WARNING: ThreadSanitizer: heap-use-after-free (pid=27099)
Read of size 8 at 0x7d58000c54c8 by thread T4 (mutexes: write M132349):
#0 (anonymous namespace)::TipMayBeStale(Consensus::Params const&) /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/net_processing.cpp:584 (test_bitcoin+0x000000a18c85)
#1 PeerLogicValidation::CheckForStaleTipAndEvictPeers(Consensus::Params const&) /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/net_processing.cpp:3505 (test_bitcoin+0x000000a18c85)
#2 operator() /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/net_processing.cpp:1130 (test_bitcoin+0x000000a292c0)
#3 std::_Function_handler<void (), PeerLogicValidation::PeerLogicValidation(CConnman*, BanMan*, CScheduler&, CTxMemPool&)::$_0>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/functional:1871 (test_bitcoin+0x000000a292c0)
#4 std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/functional:2267 (test_bitcoin+0x000000cccf9c)
#5 Repeat(CScheduler&, std::function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >) /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/scheduler.cpp:119 (test_bitcoin+0x000000cccf9c)
#6 operator() /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/scheduler.cpp:125 (test_bitcoin+0x000000cccd12)
#7 std::_Function_handler<void (), CScheduler::scheduleEvery(std::function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >)::$_0>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/functional:1871 (test_bitcoin+0x000000cccd12)
#8 std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/functional:2267 (test_bitcoin+0x000000ccb633)
#9 CScheduler::serviceQueue() /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/scheduler.cpp:63 (test_bitcoin+0x000000ccb633)
#10 operator() /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/util/setup_common.cpp:110 (test_bitcoin+0x000000946202)
#11 boost::detail::thread_data<TestingSetup::TestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::$_0>::run() /usr/include/boost/thread/detail/thread.hpp:116 (test_bitcoin+0x000000946202)
#12 boost::this_thread::interruption_point() <null> (libboost_thread.so.1.58.0+0x0000000115d4)
Previous write of size 8 at 0x7d58000c54c8 by main thread:
[failed to restore the stack]
Mutex M132349 (0x0000013ec5a0) created at:
#0 pthread_mutex_lock <null> (test_bitcoin+0x000000499e00)
#1 __gthread_mutex_lock(pthread_mutex_t*) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/x86_64-linux-gnu/c++/5.4.0/bits/gthr-default.h:748 (test_bitcoin+0x000000c04f23)
#2 __gthread_recursive_mutex_lock(pthread_mutex_t*) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/x86_64-linux-gnu/c++/5.4.0/bits/gthr-default.h:810 (test_bitcoin+0x000000c04f23)
#3 std::recursive_mutex::lock() /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/mutex:176 (test_bitcoin+0x000000c04f23)
#4 std::unique_lock<std::recursive_mutex>::lock() /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/mutex:485 (test_bitcoin+0x000000c04f23)
#5 UniqueLock<AnnotatedMixin<std::recursive_mutex>, std::unique_lock<std::recursive_mutex> >::Enter(char const*, char const*, int) /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/./sync.h:131 (test_bitcoin+0x000000c04f23)
#6 UniqueLock /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/./sync.h:152 (test_bitcoin+0x000000c04f23)
#7 CChainState::LoadGenesisBlock(CChainParams const&) /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/validation.cpp:4614 (test_bitcoin+0x000000c04f23)
#8 LoadGenesisBlock(CChainParams const&) /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/validation.cpp:4639 (test_bitcoin+0x000000c0527b)
#9 TestingSetup /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/util/setup_common.cpp:120 (test_bitcoin+0x000000942bb7)
#10 RegTestingSetup /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/./test/util/setup_common.h:96 (test_bitcoin+0x000000943992)
#11 TestChain100Setup /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/util/setup_common.cpp:160 (test_bitcoin+0x000000943992)
#12 tx_mempool_block_doublespend /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/txvalidationcache_tests.cpp:20 (test_bitcoin+0x000000888441)
#13 txvalidationcache_tests::tx_mempool_block_doublespend_invoker() /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/txvalidationcache_tests.cpp:20 (test_bitcoin+0x000000888441)
#14 boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<void (*)()>(void (*&)()) /usr/include/boost/test/utils/callback.hpp:56 (test_bitcoin+0x0000005349d9)
#15 boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89 (test_bitcoin+0x0000005349d9)
#16 boost::unit_test::test_case_filter::test_case_filter(boost::unit_test::basic_cstring<char const>) <null> (libboost_unit_test_framework.so.1.58.0+0x00000006acb0)
#17 __libc_start_main <null> (libc.so.6+0x00000002082f)
Thread T4 (tid=27120, running) created by main thread at:
#0 pthread_create <null> (test_bitcoin+0x000000482cc6)
#1 boost::thread::start_thread_noexcept() <null> (libboost_thread.so.1.58.0+0x0000000102e8)
#2 thread<(lambda at test/util/setup_common.cpp:110:31) &> /usr/include/boost/thread/detail/thread.hpp:266 (test_bitcoin+0x000000942987)
#3 boost::thread* boost::thread_group::create_thread<TestingSetup::TestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::$_0>(TestingSetup::TestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::$_0) /usr/include/boost/thread/detail/thread_group.hpp:78 (test_bitcoin+0x000000942987)
#4 TestingSetup /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/util/setup_common.cpp:110 (test_bitcoin+0x000000942987)
#5 RegTestingSetup /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/./test/util/setup_common.h:96 (test_bitcoin+0x000000943992)
#6 TestChain100Setup /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/util/setup_common.cpp:160 (test_bitcoin+0x000000943992)
#7 checkinputs_test /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/txvalidationcache_tests.cpp:148 (test_bitcoin+0x00000088bd71)
#8 txvalidationcache_tests::checkinputs_test_invoker() /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/txvalidationcache_tests.cpp:148 (test_bitcoin+0x00000088bd71)
#9 boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<void (*)()>(void (*&)()) /usr/include/boost/test/utils/callback.hpp:56 (test_bitcoin+0x0000005349d9)
#10 boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89 (test_bitcoin+0x0000005349d9)
#11 boost::unit_test::test_case_filter::test_case_filter(boost::unit_test::basic_cstring<char const>) <null> (libboost_unit_test_framework.so.1.58.0+0x00000006acb0)
#12 __libc_start_main <null> (libc.so.6+0x00000002082f)
SUMMARY: ThreadSanitizer: heap-use-after-free /home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/net_processing.cpp:584 in (anonymous namespace)::TipMayBeStale(Consensus::Params const&)
==================
ThreadSanitizer: reported 1 warnings==25319== Thread 2:
==25319== Invalid read of size 8
==25319== at 0x703624: PeerLogicValidation::CheckForStaleTipAndEvictPeers(Consensus::Params const&) (net_processing.cpp:0)
==25319== by 0x710FEC: operator() (net_processing.cpp:1130)
==25319== by 0x710FEC: std::_Function_handler<void (), PeerLogicValidation::PeerLogicValidation(CConnman*, BanMan*, CScheduler&, CTxMemPool&)::$_0>::_M_invoke(std::_Any_data const&) (std_function.h:316)
==25319== by 0x954664: operator() (std_function.h:706)
==25319== by 0x954664: Repeat(CScheduler&, std::function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >) (scheduler.cpp:119)
==25319== by 0x954472: operator() (scheduler.cpp:125)
==25319== by 0x954472: std::_Function_handler<void (), CScheduler::scheduleEvery(std::function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >)::$_0>::_M_invoke(std::_Any_data const&) (std_function.h:316)
==25319== by 0x95358D: operator() (std_function.h:706)
==25319== by 0x95358D: CScheduler::serviceQueue() (scheduler.cpp:63)
==25319== by 0x651FAD: operator() (setup_common.cpp:110)
==25319== by 0x651FAD: boost::detail::thread_data<TestingSetup::TestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)::$_0>::run() (thread.hpp:116)
==25319== by 0x526CBCC: ??? (in /usr/lib/x86_64-linux-gnu/libboost_thread.so.1.65.1)
==25319== by 0x54876DA: start_thread (pthread_create.c:463)
==25319== by 0x709388E: clone (clone.S:95)
==25319== Address 0xc578c48 is 0 bytes after a block of size 24 free'd
==25319== at 0x4C3123B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25319== by 0x4920EF: deallocate (new_allocator.h:125)
==25319== by 0x4920EF: deallocate (alloc_traits.h:462)
==25319== by 0x4920EF: _M_deallocate (stl_vector.h:180)
==25319== by 0x4920EF: void std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > >::_M_realloc_insert<std::vector<unsigned char, std::allocator<unsigned char> > const&>(__gnu_cxx::__normal_iterator<std::vector<unsigned char, std::allocator<unsigned char> >*, std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > > >, std::vector<unsigned char, std::allocator<unsigned char> > const&) (vector.tcc:448)
==25319== by 0xB16F38: push_back (stl_vector.h:948)
==25319== by 0xB16F38: EvalScript(std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > >&, CScript const&, unsigned int, BaseSignatureChecker const&, SigVersion, ScriptError_t*) (interpreter.cpp:411)
==25319== by 0xB1BA37: VerifyScript(CScript const&, CScript const&, CScriptWitness const*, unsigned int, BaseSignatureChecker const&, ScriptError_t*) (interpreter.cpp:1553)
==25319== by 0x897862: operator() (validation.cpp:1450)
==25319== by 0x897862: CheckInputScripts(CTransaction const&, TxValidationState&, CCoinsViewCache const&, unsigned int, bool, bool, PrecomputedTransactionData&, std::vector<CScriptCheck, std::allocator<CScriptCheck> >*) (validation.cpp:1531)
==25319== by 0x53A701: txvalidationcache_tests::ValidateCheckInputsForAllFlags(CTransaction const&, unsigned int, bool) (txvalidationcache_tests.cpp:126)
==25319== by 0x5371A7: txvalidationcache_tests::checkinputs_test::test_method() (txvalidationcache_tests.cpp:353)
==25319== by 0x530F3E: txvalidationcache_tests::checkinputs_test_invoker() (txvalidationcache_tests.cpp:148)
==25319== by 0x1CCB3F: boost::detail::function::void_function_invoker0<void (*)(), void>::invoke(boost::detail::function::function_buffer&) (function_template.hpp:118)
==25319== by 0x56EA2CD: boost::detail::function::function_obj_invoker0<boost::detail::forward, int>::invoke(boost::detail::function::function_buffer&) (in /usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1)
==25319== by 0x56E977C: boost::execution_monitor::catch_signals(boost::function<int ()> const&) (in /usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1)
==25319== by 0x56E9860: boost::execution_monitor::execute(boost::function<int ()> const&) (in /usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1)
==25319== Block was alloc'd at
==25319== at 0x4C3017F: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25319== by 0x491F3C: allocate (new_allocator.h:111)
==25319== by 0x491F3C: allocate (alloc_traits.h:436)
==25319== by 0x491F3C: _M_allocate (stl_vector.h:172)
==25319== by 0x491F3C: void std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > >::_M_realloc_insert<std::vector<unsigned char, std::allocator<unsigned char> > const&>(__gnu_cxx::__normal_iterator<std::vector<unsigned char, std::allocator<unsigned char> >*, std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > > >, std::vector<unsigned char, std::allocator<unsigned char> > const&) (vector.tcc:406)
==25319== by 0xB16F38: push_back (stl_vector.h:948)
==25319== by 0xB16F38: EvalScript(std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > >&, CScript const&, unsigned int, BaseSignatureChecker const&, SigVersion, ScriptError_t*) (interpreter.cpp:411)
==25319== by 0xB1BA37: VerifyScript(CScript const&, CScript const&, CScriptWitness const*, unsigned int, BaseSignatureChecker const&, ScriptError_t*) (interpreter.cpp:1553)
==25319== by 0x897862: operator() (validation.cpp:1450)
==25319== by 0x897862: CheckInputScripts(CTransaction const&, TxValidationState&, CCoinsViewCache const&, unsigned int, bool, bool, PrecomputedTransactionData&, std::vector<CScriptCheck, std::allocator<CScriptCheck> >*) (validation.cpp:1531)
==25319== by 0x53A701: txvalidationcache_tests::ValidateCheckInputsForAllFlags(CTransaction const&, unsigned int, bool) (txvalidationcache_tests.cpp:126)
==25319== by 0x5371A7: txvalidationcache_tests::checkinputs_test::test_method() (txvalidationcache_tests.cpp:353)
==25319== by 0x530F3E: txvalidationcache_tests::checkinputs_test_invoker() (txvalidationcache_tests.cpp:148)
==25319== by 0x1CCB3F: boost::detail::function::void_function_invoker0<void (*)(), void>::invoke(boost::detail::function::function_buffer&) (function_template.hpp:118)
==25319== by 0x56EA2CD: boost::detail::function::function_obj_invoker0<boost::detail::forward, int>::invoke(boost::detail::function::function_buffer&) (in /usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1)
==25319== by 0x56E977C: boost::execution_monitor::catch_signals(boost::function<int ()> const&) (in /usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1)
==25319== by 0x56E9860: boost::execution_monitor::execute(boost::function<int ()> const&) (in /usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.65.1)
==25319==
{
<insert_a_suppression_name_here>
Memcheck:Addr8
fun:_ZN19PeerLogicValidation29CheckForStaleTipAndEvictPeersERKN9Consensus6ParamsE
fun:operator()
fun:_ZNSt17_Function_handlerIFvvEZN19PeerLogicValidationC1EP8CConnmanP6BanManR10CSchedulerR10CTxMemPoolE3$_0E9_M_invokeERKSt9_Any_data
fun:operator()
fun:_ZL6RepeatR10CSchedulerSt8functionIFvvEENSt6chrono8durationIlSt5ratioILl1ELl1000EEEE
fun:operator()
fun:_ZNSt17_Function_handlerIFvvEZN10CScheduler13scheduleEveryESt8functionIS0_ENSt6chrono8durationIlSt5ratioILl1ELl1000EEEEE3$_0E9_M_invokeERKSt9_Any_data
fun:operator()
fun:_ZN10CScheduler12serviceQueueEv
fun:operator()
fun:_ZN5boost6detail11thread_dataIZN12TestingSetupC1ERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEE3$_0E3runEv
obj:/usr/lib/x86_64-linux-gnu/libboost_thread.so.1.65.1
fun:start_thread
fun:clone
}