
Heap used after free with -f -F option #4871

@scw00

Description

==26297==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000043548 at pc 0x000000768d8e bp 0x7fdf86b9c450 sp 0x7fdf86b9c440
READ of size 8 at 0x619000043548 thread T2 ([ET_NET 0])
    #0 0x768d8d in HttpVCTable::remove_entry(HttpVCTableEntry*) /root/trafficserver/proxy/http/HttpSM.cc:197
    #1 0x7696cf in HttpVCTable::cleanup_entry(HttpVCTableEntry*) /root/trafficserver/proxy/http/HttpSM.cc:249
    #2 0x769776 in HttpVCTable::cleanup_all() /root/trafficserver/proxy/http/HttpSM.cc:257
    #3 0x7b5031 in HttpSM::kill_this() /root/trafficserver/proxy/http/HttpSM.cc:6838
    #4 0x785cd7 in HttpSM::main_handler(int, void*) /root/trafficserver/proxy/http/HttpSM.cc:2617
    #5 0x63c65d in Continuation::handleEvent(int, void*) /root/trafficserver/iocore/eventsystem/I_Continuation.h:190
    #6 0x88aa89 in HttpTunnel::main_handler(int, void*) /root/trafficserver/proxy/http/HttpTunnel.cc:1643
    #7 0x63c65d in Continuation::handleEvent(int, void*) /root/trafficserver/iocore/eventsystem/I_Continuation.h:190
    #8 0xb1f069 in CacheVC::calluser(int) /root/trafficserver/iocore/cache/P_CacheInternal.h:628
    #9 0xb3cf0a in CacheVC::openWriteMain(int, Event*) /root/trafficserver/iocore/cache/CacheWrite.cc:1392
    #10 0x63c65d in Continuation::handleEvent(int, void*) /root/trafficserver/iocore/eventsystem/I_Continuation.h:190
    #11 0xcfe73f in EThread::process_event(Event*, int) /root/trafficserver/iocore/eventsystem/UnixEThread.cc:132
    #12 0xcfecd8 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /root/trafficserver/iocore/eventsystem/UnixEThread.cc:171
    #13 0xcff457 in EThread::execute_regular() /root/trafficserver/iocore/eventsystem/UnixEThread.cc:232
    #14 0xd00305 in EThread::execute() /root/trafficserver/iocore/eventsystem/UnixEThread.cc:335
    #15 0xcfc8a5 in spawn_thread_internal /root/trafficserver/iocore/eventsystem/Thread.cc:92
    #16 0x7fdf8cf276b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #17 0x7fdf8c1b041c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x619000043548 is located 456 bytes inside of 912-byte region [0x619000043380,0x619000043710)
freed by thread T2 ([ET_NET 0]) here:
    #0 0x7fdf8ed20588 in free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde588)
    #1 0x7fdf8e889469 in ats_memalign_free /root/trafficserver/src/tscore/ink_memory.cc:138
    #2 0x7fdf8e8aaca5 in jearena::JemallocNodumpAllocator::deallocate(_InkFreeList*, void*) /root/trafficserver/src/tscore/JeAllocator.cc:139
    #3 0x7fdf8e88bcd4 in malloc_free /root/trafficserver/src/tscore/ink_queue.cc:323
    #4 0x7fdf8e88b6f2 in ink_freelist_free /root/trafficserver/src/tscore/ink_queue.cc:277
    #5 0xc8e3aa in ClassAllocator<UnixNetVConnection>::free(UnixNetVConnection*) ../../include/tscore/Allocator.h:145
    #6 0xc8ad14 in UnixNetVConnection::free(EThread*) /root/trafficserver/iocore/net/UnixNetVConnection.cc:1346
    #7 0xc68b42 in NetHandler::free_netvc(UnixNetVConnection*) /root/trafficserver/iocore/net/UnixNet.cc:347
    #8 0xc80c03 in write_signal_and_update /root/trafficserver/iocore/net/UnixNetVConnection.cc:133
    #9 0xc80d52 in write_signal_done /root/trafficserver/iocore/net/UnixNetVConnection.cc:156
    #10 0xc80e48 in write_signal_error /root/trafficserver/iocore/net/UnixNetVConnection.cc:175
    #11 0xc82ea6 in write_to_net_io(NetHandler*, UnixNetVConnection*, EThread*) /root/trafficserver/iocore/net/UnixNetVConnection.cc:483
    #12 0xc81f47 in write_to_net(NetHandler*, UnixNetVConnection*, EThread*) /root/trafficserver/iocore/net/UnixNetVConnection.cc:341
    #13 0xc69395 in NetHandler::process_ready_list() /root/trafficserver/iocore/net/UnixNet.cc:412
    #14 0xc6aa07 in NetHandler::waitForActivity(long) /root/trafficserver/iocore/net/UnixNet.cc:528
    #15 0xcffad0 in EThread::execute_regular() /root/trafficserver/iocore/eventsystem/UnixEThread.cc:274
    #16 0xd00305 in EThread::execute() /root/trafficserver/iocore/eventsystem/UnixEThread.cc:335
    #17 0xcfc8a5 in spawn_thread_internal /root/trafficserver/iocore/eventsystem/Thread.cc:92
    #18 0x7fdf8cf276b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T6 ([ACCEPT 0:8080]) here:
    #0 0x7fdf8ed21570 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf570)
    #1 0x7fdf8e889224 in ats_memalign /root/trafficserver/src/tscore/ink_memory.cc:102
    #2 0x7fdf8e8aac22 in jearena::JemallocNodumpAllocator::allocate(_InkFreeList*) /root/trafficserver/src/tscore/JeAllocator.cc:118
    #3 0x7fdf8e88b5b6 in malloc_new /root/trafficserver/src/tscore/ink_queue.cc:264
    #4 0x7fdf8e88a7de in ink_freelist_new /root/trafficserver/src/tscore/ink_queue.cc:187
    #5 0xc7e727 in ClassAllocator<UnixNetVConnection>::alloc() ../../include/tscore/Allocator.h:131
    #6 0xc7d85f in UnixNetProcessor::allocate_vc(EThread*) /root/trafficserver/iocore/net/UnixNetProcessor.cc:362
    #7 0xc755e7 in NetAccept::do_blocking_accept(EThread*) /root/trafficserver/iocore/net/UnixNetAccept.cc:340
    #8 0xc778ee in NetAccept::acceptLoopEvent(int, Event*) /root/trafficserver/iocore/net/UnixNetAccept.cc:542
    #9 0x63c65d in Continuation::handleEvent(int, void*) /root/trafficserver/iocore/eventsystem/I_Continuation.h:190
    #10 0xd001bd in EThread::execute() /root/trafficserver/iocore/eventsystem/UnixEThread.cc:319
    #11 0xcfc8a5 in spawn_thread_internal /root/trafficserver/iocore/eventsystem/Thread.cc:92
    #12 0x7fdf8cf276b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T2 ([ET_NET 0]) created by T0 ([TS_MAIN]) here:
    #0 0x7fdf8ec79aff in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37aff)
    #1 0xcfc174 in ink_thread_create ../../include/tscore/ink_thread.h:159
    #2 0xcfc9d3 in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /root/trafficserver/iocore/eventsystem/Thread.cc:109
    #3 0xd04f18 in EventProcessor::spawn_event_threads(int, int, unsigned long) /root/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:382
    #4 0xd058e5 in EventProcessor::start(int, unsigned long) /root/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:449
    #5 0x6be712 in main traffic_server/traffic_server.cc:1837
    #6 0x7fdf8c0c982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T6 ([ACCEPT 0:8080]) created by T0 ([TS_MAIN]) here:
    #0 0x7fdf8ec79aff in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37aff)
    #1 0xcfc174 in ink_thread_create ../../include/tscore/ink_thread.h:159
    #2 0xcfc9d3 in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /root/trafficserver/iocore/eventsystem/Thread.cc:109
    #3 0xd05e50 in EventProcessor::spawn_thread(Continuation*, char const*, unsigned long) /root/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:491
    #4 0xc73d15 in NetAccept::init_accept_loop() /root/trafficserver/iocore/net/UnixNetAccept.cc:188
    #5 0xc7bcfa in UnixNetProcessor::accept_internal(Continuation*, int, NetProcessor::AcceptOptions const&) /root/trafficserver/iocore/net/UnixNetProcessor.cc:151
    #6 0xc7aa7d in NetProcessor::main_accept(Continuation*, int, NetProcessor::AcceptOptions const&) /root/trafficserver/iocore/net/UnixNetProcessor.cc:85
    #7 0x764a51 in start_HttpProxyServer() /root/trafficserver/proxy/http/HttpProxyServerMain.cc:346
    #8 0x6bf2b4 in main traffic_server/traffic_server.cc:1961
    #9 0x7fdf8c0c982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /root/trafficserver/proxy/http/HttpSM.cc:197 in HttpVCTable::remove_entry(HttpVCTableEntry*)
Shadow bytes around the buggy address:
  0x0c3280000650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280000660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280000670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280000680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280000690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c32800006a0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c32800006b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800006c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800006d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800006e0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800006f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
