Couchbase Server: MB-59379

ASAN stack-use-after-scope in assemble_seq_index_value()


Details

    • Triaged

    Description

      https://cv.jenkins.couchbase.com/job/couchstore.ASan-UBSan/job/master/835/AddressSanitizer/

      stack-use-after-scope on address 0x7ffde8323d20 at pc 0x0000004dce6a bp 0x7ffde8323870 sp 0x7ffde8323020
       
      READ of size 16 at 0x7ffde8323d20 thread T0
          #0 0x4dce69 in __asan_memcpy /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
          #1 0x7fdbf3a0b484 in assemble_seq_index_value(DocInfo*, char*) /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couch_save.cc:50:9
          #2 0x7fdbf39fceaa in add_doc_to_update_list(Db*, Doc const*, DocInfo const*, fatbuf*, sized_buf*, sized_buf*, sized_buf*, sized_buf*, unsigned long) /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couch_save.cc:332:20
          #3 0x7fdbf39fc712 in couchstore_save_documents_and_callback /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couch_save.cc:400:30
          #4 0x7fdbf39fe313 in couchstore_save_documents /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couch_save.cc:438:12
          #5 0x51684a in couch_save_bulk(lua_State*) /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couchscript.cc:434:18
          #6 0x7fdbf3287323  (/lib64/liblua-5.1.so+0xc323)
          #7 0x7fdbf3291e56  (/lib64/liblua-5.1.so+0x16e56)
          #8 0x7fdbf328774c  (/lib64/liblua-5.1.so+0xc74c)
          #9 0x7fdbf3286a6d  (/lib64/liblua-5.1.so+0xba6d)
          #10 0x7fdbf32878d9  (/lib64/liblua-5.1.so+0xc8d9)
          #11 0x7fdbf328344c in lua_pcall (/lib64/liblua-5.1.so+0x844c)
          #12 0x7fdbf3294277  (/lib64/liblua-5.1.so+0x19277)
          #13 0x7fdbf3287323  (/lib64/liblua-5.1.so+0xc323)
          #14 0x7fdbf3291e56  (/lib64/liblua-5.1.so+0x16e56)
          #15 0x7fdbf328774c  (/lib64/liblua-5.1.so+0xc74c)
          #16 0x7fdbf3286a6d  (/lib64/liblua-5.1.so+0xba6d)
          #17 0x7fdbf32878d9  (/lib64/liblua-5.1.so+0xc8d9)
          #18 0x7fdbf328344c in lua_pcall (/lib64/liblua-5.1.so+0x844c)
          #19 0x515780 in main /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couchscript.cc:856:12
          #20 0x7fdbf13a3554 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:266
          #21 0x43f254 in _start (/home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/build/couchstore/couchscript+0x43f254)
       
      Address 0x7ffde8323d20 is located in stack of thread T0 at offset 96 in frame
          #0 0x51614f in couch_save_bulk(lua_State*) /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couchscript.cc:356
       
        This frame has 3 object(s):
          [32, 56) 'bs' (line 369)
          [96, 112) 'revbuf' (line 382) <== Memory access at offset 96 is inside this variable
          [128, 384) 'buf268' (line 437)
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-use-after-scope /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3 in __asan_memcpy
      Shadow bytes around the buggy address:
        0x10003d05c750: f8 f2 f2 f2 f8 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
        0x10003d05c760: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00
        0x10003d05c770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10003d05c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10003d05c790: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
      =>0x10003d05c7a0: f2 f2 f2 f2[f8]f8 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
        0x10003d05c7b0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
        0x10003d05c7c0: f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3
        0x10003d05c7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10003d05c7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10003d05c7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
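When reports like the one above arrive from a sanitizer CI job, the first triage question is which object was touched, in whose frame it lived, and where the faulting access actually executed; ASan reports these in three separate places. The following Python helper is an added example for this page (it is not couchstore code and not part of the Jira issue) that parses those parts of an ASan report: the error kind, the access size, the first frame of the access stack outside the sanitizer runtime, the frame that owns the stack object, and the object ASan flags with `<==`. The sample input is the report above trimmed to the lines the parser uses (frames #2 to #5 and #7 onward, the HINT lines and the shadow-byte dump are left out); the `RUNTIME_PREFIXES` heuristic and the output format are my own assumptions.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the MB-59379 report above, trimmed to the lines this parser uses
# (frames #2-#5 and #7 onward, the HINT lines and the shadow-byte dump are omitted).
SAMPLE_REPORT = """\
stack-use-after-scope on address 0x7ffde8323d20 at pc 0x0000004dce6a bp 0x7ffde8323870 sp 0x7ffde8323020

READ of size 16 at 0x7ffde8323d20 thread T0
    #0 0x4dce69 in __asan_memcpy /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3
    #1 0x7fdbf3a0b484 in assemble_seq_index_value(DocInfo*, char*) /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couch_save.cc:50:9
    #6 0x7fdbf3287323  (/lib64/liblua-5.1.so+0xc323)

Address 0x7ffde8323d20 is located in stack of thread T0 at offset 96 in frame
    #0 0x51614f in couch_save_bulk(lua_State*) /home/couchbase/jenkins/workspace/couchstore.ASan-UBSan_master/couchstore/src/couchscript.cc:356

    [32, 56) 'bs' (line 369)
    [96, 112) 'revbuf' (line 382) <== Memory access at offset 96 is inside this variable
    [128, 384) 'buf268' (line 437)
SUMMARY: AddressSanitizer: stack-use-after-scope /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22:3 in __asan_memcpy
"""

@dataclass
class Frame:
    index: int
    func: Optional[str]    # None for unsymbolized frames, e.g. the liblua ones
    file: Optional[str]
    line: Optional[int]

@dataclass
class StackObject:
    begin: int
    end: int
    name: str
    decl_line: int
    flagged: bool          # True for the object ASan marks with '<=='

@dataclass
class AsanReport:
    kind: str = ""
    access: str = ""       # READ or WRITE
    size: int = 0
    access_stack: list = field(default_factory=list)  # frames of the faulting access
    owner_offset: Optional[int] = None                # byte offset of the object in its frame
    owner_frame: Optional[Frame] = None               # frame that owns the stack object
    objects: list = field(default_factory=list)       # objects listed for the owning frame

HEADER_RE = re.compile(r"^(?:ERROR: AddressSanitizer: )?([\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+(?: in (.+?))? +(\S+)$")
LOC_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")               # path:line[:column]
OWNER_RE = re.compile(r"^Address 0x[0-9a-f]+ is located in stack of thread T\d+ at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)( <==.*)?$")
RUNTIME_PREFIXES = ("__asan_", "__interceptor_", "__sanitizer_")   # assumed runtime symbol prefixes

def _frame(m: re.Match) -> Frame:
    loc = LOC_RE.match(m.group(3))   # no match for '(/lib64/liblua-5.1.so+0xc323)' style frames
    return Frame(int(m.group(1)), m.group(2), loc.group(1) if loc else None,
                 int(loc.group(2)) if loc else None)

def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    section = None   # 'access' while reading the access stack, 'owner' for the owning frame
    for raw in text.splitlines():
        line = raw.strip()
        if not rep.kind and (m := HEADER_RE.match(line)):
            rep.kind = m.group(1)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, section = m.group(1), int(m.group(2)), "access"
        elif m := OWNER_RE.match(line):
            rep.owner_offset, section = int(m.group(1)), "owner"
        elif m := FRAME_RE.match(line):
            if section == "access":
                rep.access_stack.append(_frame(m))
            elif section == "owner":
                rep.owner_frame, section = _frame(m), None
        elif m := OBJECT_RE.match(line):
            rep.objects.append(StackObject(int(m.group(1)), int(m.group(2)), m.group(3),
                                           int(m.group(4)), m.group(5) is not None))
    return rep

def first_user_frame(rep: AsanReport) -> Optional[Frame]:
    """First symbolized frame of the access stack outside the sanitizer runtime."""
    return next((f for f in rep.access_stack
                 if f.func and f.file and not f.func.startswith(RUNTIME_PREFIXES)), None)

def accessed_object(rep: AsanReport) -> Optional[StackObject]:
    """The object ASan flagged with '<==', else the one whose byte range holds the offset."""
    return next((o for o in rep.objects if o.flagged or
                 (rep.owner_offset is not None and o.begin <= rep.owner_offset < o.end)), None)

def triage_line(rep: AsanReport) -> str:
    """One-line summary that keeps the access site apart from the object's owning frame."""
    fr, obj = first_user_frame(rep), accessed_object(rep)
    where = f"{os.path.basename(fr.file)}:{fr.line} in {fr.func}" if fr else "unknown location"
    owner = rep.owner_frame.func if rep.owner_frame and rep.owner_frame.func else "unknown frame"
    what = f"'{obj.name}' (declared at line {obj.decl_line} of {owner})" if obj else "unknown object"
    return f"{rep.kind}: {rep.access} of {rep.size} bytes from {what} at {where}"
```

Run on the sample, `triage_line` yields `stack-use-after-scope: READ of 16 bytes from 'revbuf' (declared at line 382 of couch_save_bulk(lua_State*)) at couch_save.cc:50 in assemble_seq_index_value(DocInfo*, char*)`. The two locations are deliberately kept separate: the read happens in the callee at couch_save.cc:50, but the 16-byte object belongs to the caller's frame, which is exactly what a stack-use-after-scope report is telling you to look at when deciding where the object's lifetime needs to be extended.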
      

People

  paolo.cocchi Paolo Cocchi