Closed
Description
==2105==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000190950 at pc 0x00000087fea4 bp 0x2afd553ef7d0 sp 0x2afd553ef7c0
READ of size 8 at 0x619000190950 thread T9 ([ET_NET 7])
#0 0x87fea3 in Http2Stream::send_response_body(bool) ../../../../trafficserver/proxy/http2/Http2Stream.cc:693
#1 0x87e5bc in Http2Stream::restart_sending() ../../../../trafficserver/proxy/http2/Http2Stream.cc:525
#2 0x8a7248 in rcv_window_update_frame ../../../../trafficserver/proxy/http2/Http2ConnectionState.cc:736
#3 0x8a9027 in Http2ConnectionState::main_event_handler(int, void*) ../../../../trafficserver/proxy/http2/Http2ConnectionState.cc:922
#4 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#5 0x8943df in send_connection_event ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:58
#6 0x89a53b in Http2ClientSession::do_complete_frame_read() ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:496
#7 0x89aadc in Http2ClientSession::state_process_frame_read(int, VIO*, bool) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:533
#8 0x899100 in Http2ClientSession::state_start_frame_read(int, void*) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:426
#9 0x897ce5 in Http2ClientSession::main_event_handler(int, void*) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:312
#10 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#11 0xba5963 in read_signal_and_update ../../../../trafficserver/iocore/net/UnixNetVConnection.cc:83
#12 0xbace27 in UnixNetVConnection::readSignalAndUpdate(int) ../../../../trafficserver/iocore/net/UnixNetVConnection.cc:1047
#13 0xb4e6da in SSLNetVConnection::net_read_io(NetHandler*, EThread*) ../../../../trafficserver/iocore/net/SSLNetVConnection.cc:608
#14 0xb8dc2b in NetHandler::process_ready_list() ../../../../trafficserver/iocore/net/UnixNet.cc:395
#15 0xb8f34f in NetHandler::waitForActivity(long) ../../../../trafficserver/iocore/net/UnixNet.cc:528
#16 0xc11591 in EThread::execute_regular() ../../../../trafficserver/iocore/eventsystem/UnixEThread.cc:272
#17 0xc11cc3 in EThread::execute() ../../../../trafficserver/iocore/eventsystem/UnixEThread.cc:325
#18 0xc0e7f5 in spawn_thread_internal ../../../../trafficserver/iocore/eventsystem/Thread.cc:85
#19 0x2afd4cd64dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
#20 0x2afd4dc9b76c in clone (/lib64/libc.so.6+0xf776c)
0x619000190950 is located 976 bytes inside of 1024-byte region [0x619000190580,0x619000190980)
freed by thread T9 ([ET_NET 7]) here:
#0 0x614638 in __interceptor_free (/home/y/bin64/traffic_server+0x614638)
#1 0x2afd4b24b96b in ats_memalign_free ../../../../trafficserver/lib/ts/ink_memory.cc:138
#2 0x2afd4b26aef7 in jearena::JemallocNodumpAllocator::deallocate(_InkFreeList*, void*) ../../../../trafficserver/lib/ts/JeAllocator.cc:139
#3 0x2afd4b24daf2 in malloc_free ../../../../trafficserver/lib/ts/ink_queue.cc:330
#4 0x2afd4b24d737 in ink_freelist_free ../../../../trafficserver/lib/ts/ink_queue.cc:284
#5 0x883b3f in ClassAllocator<Http2Stream>::free(Http2Stream*) /home/bcall/dev/yahoo/build_8/_build/asan_build/../../trafficserver/lib/ts/Allocator.h:147
#6 0x883acc in void thread_free<Http2Stream>(ClassAllocator<Http2Stream>&, Http2Stream*) (/home/y/bin64/traffic_server+0x883acc)
#7 0x880c0b in Http2Stream::destroy() ../../../../trafficserver/proxy/http2/Http2Stream.cc:755
#8 0x87c477 in Http2Stream::terminate_if_possible() ../../../../trafficserver/proxy/http2/Http2Stream.cc:380
#9 0x87c1f4 in Http2Stream::transaction_done() ../../../../trafficserver/proxy/http2/Http2Stream.cc:369
#10 0x76bca3 in HttpSM::kill_this() ../../../../trafficserver/proxy/http/HttpSM.cc:6826
#11 0x73f611 in HttpSM::main_handler(int, void*) ../../../../trafficserver/proxy/http/HttpSM.cc:2562
#12 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#13 0x830b3b in HttpTunnel::main_handler(int, void*) ../../../../trafficserver/proxy/http/HttpTunnel.cc:1643
#14 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#15 0x87fa8c in Http2Stream::signal_write_event(bool) ../../../../trafficserver/proxy/http2/Http2Stream.cc:662
#16 0x87fe52 in Http2Stream::send_response_body(bool) ../../../../trafficserver/proxy/http2/Http2Stream.cc:691
#17 0x87e5bc in Http2Stream::restart_sending() ../../../../trafficserver/proxy/http2/Http2Stream.cc:525
#18 0x8a7248 in rcv_window_update_frame ../../../../trafficserver/proxy/http2/Http2ConnectionState.cc:736
#19 0x8a9027 in Http2ConnectionState::main_event_handler(int, void*) ../../../../trafficserver/proxy/http2/Http2ConnectionState.cc:922
#20 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#21 0x8943df in send_connection_event ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:58
#22 0x89a53b in Http2ClientSession::do_complete_frame_read() ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:496
#23 0x89aadc in Http2ClientSession::state_process_frame_read(int, VIO*, bool) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:533
#24 0x899100 in Http2ClientSession::state_start_frame_read(int, void*) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:426
#25 0x897ce5 in Http2ClientSession::main_event_handler(int, void*) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:312
#26 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#27 0xba5963 in read_signal_and_update ../../../../trafficserver/iocore/net/UnixNetVConnection.cc:83
#28 0xbace27 in UnixNetVConnection::readSignalAndUpdate(int) ../../../../trafficserver/iocore/net/UnixNetVConnection.cc:1047
#29 0xb4e6da in SSLNetVConnection::net_read_io(NetHandler*, EThread*) ../../../../trafficserver/iocore/net/SSLNetVConnection.cc:608
previously allocated by thread T9 ([ET_NET 7]) here:
#0 0x615620 in posix_memalign (/home/y/bin64/traffic_server+0x615620)
#1 0x2afd4b24b71e in ats_memalign ../../../../trafficserver/lib/ts/ink_memory.cc:102
#2 0x2afd4b26ae74 in jearena::JemallocNodumpAllocator::allocate(_InkFreeList*) ../../../../trafficserver/lib/ts/JeAllocator.cc:118
#3 0x2afd4b24d682 in malloc_new ../../../../trafficserver/lib/ts/ink_queue.cc:269
#4 0x2afd4b24cd16 in ink_freelist_new ../../../../trafficserver/lib/ts/ink_queue.cc:192
#5 0x8b9921 in ClassAllocator<Http2Stream>::alloc() /home/bcall/dev/yahoo/build_8/_build/asan_build/../../trafficserver/lib/ts/Allocator.h:133
#6 0x8b7c31 in Http2Stream* thread_alloc_init<Http2Stream>(ClassAllocator<Http2Stream>&, ProxyAllocator&) /home/bcall/dev/yahoo/build_8/_build/asan_build/../../trafficserver/iocore/eventsystem/I_ProxyAllocator.h:73
#7 0x8aa5e9 in Http2ConnectionState::create_stream(unsigned int, Http2Error&) ../../../../trafficserver/proxy/http2/Http2ConnectionState.cc:1062
#8 0x89ffa9 in rcv_headers_frame ../../../../trafficserver/proxy/http2/Http2ConnectionState.cc:225
#9 0x8a9027 in Http2ConnectionState::main_event_handler(int, void*) ../../../../trafficserver/proxy/http2/Http2ConnectionState.cc:922
#10 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#11 0x8943df in send_connection_event ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:58
#12 0x89a53b in Http2ClientSession::do_complete_frame_read() ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:496
#13 0x89aadc in Http2ClientSession::state_process_frame_read(int, VIO*, bool) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:533
#14 0x899100 in Http2ClientSession::state_start_frame_read(int, void*) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:426
#15 0x897ce5 in Http2ClientSession::main_event_handler(int, void*) ../../../../trafficserver/proxy/http2/Http2ClientSession.cc:312
#16 0x6677e4 in Continuation::handleEvent(int, void*) ../../../../trafficserver/iocore/eventsystem/I_Continuation.h:160
#17 0xba5963 in read_signal_and_update ../../../../trafficserver/iocore/net/UnixNetVConnection.cc:83
#18 0xbace27 in UnixNetVConnection::readSignalAndUpdate(int) ../../../../trafficserver/iocore/net/UnixNetVConnection.cc:1047
#19 0xb4e6da in SSLNetVConnection::net_read_io(NetHandler*, EThread*) ../../../../trafficserver/iocore/net/SSLNetVConnection.cc:608
#20 0xb8dc2b in NetHandler::process_ready_list() ../../../../trafficserver/iocore/net/UnixNet.cc:395
#21 0xb8f34f in NetHandler::waitForActivity(long) ../../../../trafficserver/iocore/net/UnixNet.cc:528
#22 0xc11591 in EThread::execute_regular() ../../../../trafficserver/iocore/eventsystem/UnixEThread.cc:272
#23 0xc11cc3 in EThread::execute() ../../../../trafficserver/iocore/eventsystem/UnixEThread.cc:325
#24 0xc0e7f5 in spawn_thread_internal ../../../../trafficserver/iocore/eventsystem/Thread.cc:85
#25 0x2afd4cd64dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
Thread T9 ([ET_NET 7]) created by T0 ([TS_MAIN]) here:
#0 0x56dbcf in pthread_create (/home/y/bin64/traffic_server+0x56dbcf)
#1 0xc0e266 in ink_thread_create /home/bcall/dev/yahoo/build_8/_build/asan_build/../../trafficserver/lib/ts/ink_thread.h:155
#2 0xc0e923 in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) ../../../../trafficserver/iocore/eventsystem/Thread.cc:102
#3 0xc17900 in EventProcessor::spawn_event_threads(int, int, unsigned long) ../../../../trafficserver/iocore/eventsystem/UnixEventProcessor.cc:382
#4 0xc181d0 in EventProcessor::start(int, unsigned long) ../../../../trafficserver/iocore/eventsystem/UnixEventProcessor.cc:446
#5 0x6b926a in main ../../../trafficserver/src/traffic_server/traffic_server.cc:1822
#6 0x2afd4dbc5b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../trafficserver/proxy/http2/Http2Stream.cc:693 in Http2Stream::send_response_body(bool)
Shadow bytes around the buggy address:
0x0c328002a0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c328002a0e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c328002a0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c328002a100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c328002a110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c328002a120: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c328002a130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c328002a140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c328002a150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c328002a160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c328002a170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2105==ABORTING