MB-42842 (Couchbase Server): ASan heap use after free in CB3ExecutorPool::cancel


Details

    • Bug
    • Resolution: Cannot Reproduce
    • Critical
    • None
    • Cheshire-Cat
    • couchbase-bucket
    • Triaged
    • 1
    • Unknown
    • KV-Engine 2021-Jan

    Description

      seen in
      http://cv.jenkins.couchbase.com/job/kv_engine.ASan-UBSan/job/master/15098/consoleFull#1852931344b106e815-6d27-4a01-8b14-4b94513c99be

         4/394 Test #231: ep_testsuite.value_eviction.comp_passive ....................................................................Child aborted***Exception: 132.28 sec
      ....
       Running [0144/0158]: multi_bucket set/get ...=================================================================
      ==54159==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000f3e6bc at pc 0x7feacd508278 bp 0x7feab1154070 sp 0x7feab1154068
       READ of size 4 at 0x61d000f3e6bc thread T4243 (mc:Writer_2)
           #0 0x7feacd508277 in std::__atomic_base<unsigned int>::load(std::memory_order) const /usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:396:9
           #1 0x7feacd508277 in cb::RelaxedAtomic<unsigned int>::load() const /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../platform/include/relaxed_atomic.h:49:22
           #2 0x7feacd74a7a5 in cb::RelaxedAtomic<unsigned int>::operator=(cb::RelaxedAtomic<unsigned int> const&) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../platform/include/relaxed_atomic.h:65:19
           #3 0x7feacd733926 in cb::ArenaMallocClient::operator=(cb::ArenaMallocClient const&) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../platform/include/platform/cb_arena_malloc_client.h:54:28
           #4 0x7feacda4ecce in ObjectRegistry::onSwitchThread(EventuallyPersistentEngine*, bool) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/engines/ep/src/objectregistry.cc:153:9
           #5 0x7feacda4ee1a in BucketAllocationGuard::BucketAllocationGuard(EventuallyPersistentEngine*) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/engines/ep/src/objectregistry.cc:169:16
           #6 0x7feacd377792 in CB3ExecutorPool::cancel(unsigned long, bool) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/engines/ep/src/cb3_executorpool.cc:251:31
           #7 0x7feacd3c3979 in CB3ExecutorThread::run() /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/engines/ep/src/cb3_executorthread.cc:196:17
           #8 0x7feac68a6319 in CouchbaseThread::run() /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../platform/src/cb_pthreads.cc:58:9
           #9 0x7feac68a3e87 in platform_thread_wrap(void*) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../platform/src/cb_pthreads.cc:71:14
           #10 0x7feac54e46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
           #11 0x7feac4dee71e in clone /build/glibc-S7xCS9/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
       0x61d000f3e6bc is located 2108 bytes inside of 2120-byte region [0x61d000f3de80,0x61d000f3e6c8)
       freed by thread T0 here:
           #0 0x69d612 in operator delete(void*, unsigned long) (/home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/kv_engine/ep_testsuite+0x69d612)
           #1 0x7feacd6c5cd7 in EventuallyPersistentEngine::destroy(bool) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/engines/ep/src/ep_engine.cc:210:5
           #2 0x8c28ec in MockEngine::destroy(bool) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/programs/engine_testapp/mock_engine.cc:164:17
           #3 0x6fd06a in MockTestHarness::destroy_bucket(EngineIface*, bool) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/programs/engine_testapp/engine_testapp.cc:226:17
           #4 0x6ac10f in destroy_buckets(std::vector<BucketHolder, std::allocator<BucketHolder> >&) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/engines/ep/tests/ep_testsuite_common.cc:499:22
           #5 0x7c64c2 in test_multi_bucket_set_get(test*) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/engines/ep/tests/ep_testsuite.cc:6399:5
           #6 0x6fac51 in execute_test(test, char const*, char const*) /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/programs/engine_testapp/engine_testapp.cc:397:19
           #7 0x6f952b in main /home/couchbase/jenkins/workspace/kv_engine.ASan-UBSan_master/build/../kv_engine/programs/engine_testapp/engine_testapp.cc:629:37
           #8 0x7feac4ceebf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
      


            People

              james.harrison James Harrison (Inactive)
              james.harrison James Harrison (Inactive)