
Memory bugs reported by ASan #6956

@zouyonghao


System: Ubuntu 18.04 amd64
RethinkDB version: built from the `next` branch (commit ec80a18)

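  1. stack-use-after-scope (AddressSanitizer: an 8-byte write in `epoll_event_queue_t::forget_resource`, epoll.cc:184, reported right after the server logs that it is shutting down on SIGINT).
     The faulting address lies inside a 131072-byte `posix_memalign` region and the trace bottoms out in `coro_t::run`, which suggests a coroutine stack; ASan's stack poisoning can go stale on manually switched stacks, so the report should be confirmed against the code at the reported line.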

    Server got SIGINT from pid 0, uid 0; shutting down...
    =================================================================
    ==17041==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f40ddefe880 at pc 0x000002b2a55f bp 0x7f40ddefe5b0 sp 0x7f40ddefe5a8
    WRITE of size 8 at 0x7f40ddefe880 thread T9
        #0 0x2b2a55e in epoll_event_queue_t::forget_resource(int, linux_event_callback_t*) /home/zyh/rethinkdb/src/arch/runtime/event_queue/epoll.cc:184:5
        #1 0x2ad0357 in linux_event_watcher_t::remask() /home/zyh/rethinkdb/src/arch/io/event_watcher.cc:204:54
        #2 0x2ad0aa7 in linux_event_watcher_t::stop_watching_for_errors() /home/zyh/rethinkdb/src/arch/io/event_watcher.cc:150:9
        #3 0x2ad093c in linux_event_watcher_t::~linux_event_watcher_t() /home/zyh/rethinkdb/src/arch/io/event_watcher.cc:144:5
        #4 0x2d2def6 in linux_event_fd_watcher_t::~linux_event_fd_watcher_t() /home/zyh/rethinkdb/src/containers/archive/socket_stream.cc:223:1
        #5 0x2d2e04f in linux_event_fd_watcher_t::~linux_event_fd_watcher_t() /home/zyh/rethinkdb/src/containers/archive/socket_stream.cc:221:55
        #6 0x2d0abbe in scoped_ptr_t<fd_watcher_t>::reset() /home/zyh/rethinkdb/./src/containers/scoped.hpp:73:9
        #7 0x2d0a8e8 in scoped_ptr_t<fd_watcher_t>::~scoped_ptr_t() /home/zyh/rethinkdb/./src/containers/scoped.hpp:35:9
        #8 0x2d2ee62 in socket_stream_t::~socket_stream_t() /home/zyh/rethinkdb/src/containers/archive/socket_stream.cc:247:1
        #9 0x2ccf2ab in object_buffer_t<socket_stream_t>::reset() /home/zyh/rethinkdb/./src/containers/object_buffer.hpp:81:23
        #10 0x2cce78f in extproc_worker_t::released(bool, signal_t*) /home/zyh/rethinkdb/src/extproc/extproc_worker.cc:142:19
        #11 0x2ce2d94 in extproc_job_t::~extproc_job_t() /home/zyh/rethinkdb/src/extproc/extproc_job.cc:39:37
        #12 0x2d04418 in http_job_t::~http_job_t() /home/zyh/rethinkdb/./src/extproc/http_job.hpp:13:7
        #13 0x2cfdd72 in http_runner_t::http(http_opts_t const&, http_result_t*, signal_t*) /home/zyh/rethinkdb/src/extproc/http_runner.cc:99:1
        #14 0x246a657 in ql::dispatch_http(ql::env_t*, http_opts_t const&, http_runner_t*, http_result_t*, ql::bt_rcheckable_t const*) /home/zyh/rethinkdb/src/rdb_protocol/terms/http.cc:211:17
        #15 0x387ce9e in version_checker_t::do_check(bool, auto_drainer_t::lock_t) /home/zyh/rethinkdb/src/clustering/administration/main/version_check.cc:73:9
        #16 0x3882503 in void std::__invoke_impl<void, void (version_checker_t::*&)(bool, auto_drainer_t::lock_t), version_checker_t*&, bool&, auto_drainer_t::lock_t&>(std::__invoke_memfun_deref, void (version_checker_t::*&)(bool, auto_drainer_t::lock_t), version_checker_t*&, bool&, auto_drainer_t::lock_t&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73:14
        #17 0x3882067 in std::__invoke_result<void (version_checker_t::*&)(bool, auto_drainer_t::lock_t), version_checker_t*&, bool&, auto_drainer_t::lock_t&>::type std::__invoke<void (version_checker_t::*&)(bool, auto_drainer_t::lock_t), version_checker_t*&, bool&, auto_drainer_t::lock_t&>(void (version_checker_t::*&)(bool, auto_drainer_t::lock_t), version_checker_t*&, bool&, auto_drainer_t::lock_t&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
        #18 0x3881f4c in void std::_Bind<void (version_checker_t::* (version_checker_t*, bool, auto_drainer_t::lock_t))(bool, auto_drainer_t::lock_t)>::__call<void, 0ul, 1ul, 2ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:400:11
        #19 0x3881ccd in void std::_Bind<void (version_checker_t::* (version_checker_t*, bool, auto_drainer_t::lock_t))(bool, auto_drainer_t::lock_t)>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:482:17
        #20 0x3881742 in callable_action_instance_t<std::_Bind<void (version_checker_t::* (version_checker_t*, bool, auto_drainer_t::lock_t))(bool, auto_drainer_t::lock_t)> >::run_action() /home/zyh/rethinkdb/./src/arch/runtime/callable_action.hpp:32:25
        #21 0x2af7cd1 in callable_action_wrapper_t::run() /home/zyh/rethinkdb/src/arch/runtime/runtime_utils.cc:47:14
        #22 0x2afa44b in coro_t::run() /home/zyh/rethinkdb/src/arch/runtime/coroutines.cc:277:30
    
    0x7f40ddefe880 is located 120960 bytes inside of 131072-byte region [0x7f40ddee1000,0x7f40ddf01000)
    allocated by thread T9 here:
        #0 0x167d967 in posix_memalign (/home/zyh/rethinkdb/build/debug_clang_system/rethinkdb+0x167d967)
    
    Thread T9 created by T0 here:
        #0 0x166765a in pthread_create (/home/zyh/rethinkdb/build/debug_clang_system/rethinkdb+0x166765a)
        #1 0x2aea4ed in linux_thread_pool_t::run_thread_pool(linux_thread_message_t*) /home/zyh/rethinkdb/src/arch/runtime/thread_pool.cc:227:19
        #2 0x2b12aaa in run_in_thread_pool(std::function<void ()> const&, int) /home/zyh/rethinkdb/src/arch/runtime/runtime.cc:77:17
        #3 0x380bd65 in main_rethinkdb_porcelain(int, char**) /home/zyh/rethinkdb/src/clustering/administration/main/command_line.cc:2408:9
        #4 0x2d0bab8 in main /home/zyh/rethinkdb/src/main.cc:31:16
        #5 0x7f40f29abbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: stack-use-after-scope /home/zyh/rethinkdb/src/arch/runtime/event_queue/epoll.cc:184:5 in epoll_event_queue_t::forget_resource(int, linux_event_callback_t*)
    Shadow bytes around the buggy address:
    0x0fe89bbd7cc0: f2 f2 f8 f8 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 f8 f2
    0x0fe89bbd7cd0: f8 f8 f8 f2 f2 f2 f2 f2 f1 f1 f1 f1 00 f2 f2 f2
    0x0fe89bbd7ce0: 00 04 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    0x0fe89bbd7cf0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    0x0fe89bbd7d00: f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
    =>0x0fe89bbd7d10:[f8]f3 f3 f3 f2 f2 f2 f2 00 00 f2 f2 f8 f2 f2 f2
    0x0fe89bbd7d20: f8 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
    0x0fe89bbd7d30: 00 00 00 00 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f3
    0x0fe89bbd7d40: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
    0x0fe89bbd7d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0fe89bbd7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
    ==17041==ABORTING
    
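  2. memory leak (LeakSanitizer: 10048 bytes in 4 objects, allocated with `operator new` in `get_TLS_rng()`, random.cc:51)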

    =================================================================
    ==17959==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 10048 byte(s) in 4 object(s) allocated from:
        #0 0x16ac50d in operator new(unsigned long) (/home/zyh/rethinkdb/build/debug_clang_system/rethinkdb+0x16ac50d)
        #1 0x298a81f in get_TLS_rng() /home/zyh/rethinkdb/src/random.cc:51:21
        #2 0x298aa74 in randsize(unsigned long) /home/zyh/rethinkdb/src/random.cc:65:12
        #3 0x3e50d8e in alt::eviction_bag_t::select_oldish(alt::eviction_bag_t*, unsigned long, alt::page_t**) /home/zyh/rethinkdb/src/buffer_cache/eviction_bag.cc:47:45
        #4 0x3f5c47a in alt::evicter_t::evict_if_necessary() /home/zyh/rethinkdb/src/buffer_cache/evicter.cc:200:15
        #5 0x3f5dc53 in alt::evicter_t::add_to_evictable_disk_backed(alt::page_t*) /home/zyh/rethinkdb/src/buffer_cache/evicter.cc:131:5
        #6 0x3f46ebc in alt::page_t::page_t(unsigned long, buf_ptr_t, counted_t<block_token_t> const&, alt::page_cache_t*) /home/zyh/rethinkdb/src/buffer_cache/page.cc:105:27
        #7 0x3e9a1dc in alt::current_page_t::current_page_t(unsigned long, buf_ptr_t, counted_t<block_token_t> const&, alt::page_cache_t*) /home/zyh/rethinkdb/src/buffer_cache/page_cache.cc:771:17
        #8 0x3e80f6e in alt::page_cache_t::add_read_ahead_buf(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&) /home/zyh/rethinkdb/src/buffer_cache/page_cache.cc:186:36
        #9 0x3ec96b4 in void std::__invoke_impl<void, void (alt::page_cache_t::* const&)(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&), alt::page_cache_t* const&, unsigned long const&, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> > const&, counted_t<block_token_t> const&>(std::__invoke_memfun_deref, void (alt::page_cache_t::* const&)(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&), alt::page_cache_t* const&, unsigned long const&, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> > const&, counted_t<block_token_t> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73:14
        #10 0x3ec9097 in std::__invoke_result<void (alt::page_cache_t::* const&)(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&), alt::page_cache_t* const&, unsigned long const&, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> > const&, counted_t<block_token_t> const&>::type std::__invoke<void (alt::page_cache_t::* const&)(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&), alt::page_cache_t* const&, unsigned long const&, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> > const&, counted_t<block_token_t> const&>(void (alt::page_cache_t::* const&)(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&), alt::page_cache_t* const&, unsigned long const&, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> > const&, counted_t<block_token_t> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
        #11 0x3ec8f54 in void std::_Bind<void (alt::page_cache_t::* (alt::page_cache_t*, unsigned long, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> >, counted_t<block_token_t>))(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&)>::__call_c<void, 0ul, 1ul, 2ul, 3ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul, 2ul, 3ul>) const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:410:11
        #12 0x3ec89cd in void std::_Bind<void (alt::page_cache_t::* (alt::page_cache_t*, unsigned long, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> >, counted_t<block_token_t>))(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&)>::operator()<void>() const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:493:17
        #13 0x3ec8875 in thread_doer_t<std::_Bind<void (alt::page_cache_t::* (alt::page_cache_t*, unsigned long, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> >, counted_t<block_token_t>))(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&)> >::do_perform_job() /home/zyh/rethinkdb/./src/do_on_thread.hpp:36:9
        #14 0x3ec7ddd in thread_doer_t<std::_Bind<void (alt::page_cache_t::* (alt::page_cache_t*, unsigned long, copyable_unique_t<scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))> >, counted_t<block_token_t>))(unsigned long, scoped_alloc_t<ser_buffer_t, &(void* raw_malloc_aligned<512>(unsigned long)), &(raw_free_aligned(void*))>, counted_t<block_token_t> const&)> >::on_thread_switch() /home/zyh/rethinkdb/./src/do_on_thread.hpp:53:17
        #15 0x2ae3545 in linux_message_hub_t::on_event(int) /home/zyh/rethinkdb/src/arch/runtime/message_hub.cc:170:16
        #16 0x2b27edf in epoll_event_queue_t::run() /home/zyh/rethinkdb/src/arch/runtime/event_queue/epoll.cc:115:21
        #17 0x2ae90e5 in linux_thread_pool_t::start_thread(void*) /home/zyh/rethinkdb/src/arch/runtime/thread_pool.cc:185:28
        #18 0x7f3a7b4a06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    
