================================================================= ==memcached==51444==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000f91c30 at pc 0x7ffbd8023d36 bp 0x7ffbc6a89a40 sp 0x7ffbc6a89a38 READ of size 8 at 0x603000f91c30 thread T9 (mc:worker_0) #0 0x7ffbd8023d35 in PassiveDurabilityMonitor::State::checkForAndRemoveDroppedCollections() (/opt/couchbase/bin/../lib/libep.so+0x2bb9d35) #1 0x7ffbd802e375 in PassiveDurabilityMonitor::completeSyncWrite(StoredDocKeyT const&, PassiveDurabilityMonitor::Resolution, std::optional) (/opt/couchbase/bin/../lib/libep.so+0x2bc4375) #2 0x7ffbd85f34d1 in VBucket::queueItem(SingleThreadedRCPtr >&, VBQueueItemCtx const&) (/opt/couchbase/bin/../lib/libep.so+0x31894d1) #3 0x7ffbd8610480 in VBucket::queueDirty(HashTable::HashBucketLock const&, StoredValue&, VBQueueItemCtx const&) (/opt/couchbase/bin/../lib/libep.so+0x31a6480) #4 0x7ffbd8654a28 in VBucket::commit(DocKey const&, unsigned long, std::optional, Collections::VB::CachingReadHandle const&, void const*) (/opt/couchbase/bin/../lib/libep.so+0x31eaa28) #5 0x7ffbd7e96b69 in PassiveStream::processCommit(CommitSyncWrite const&) (/opt/couchbase/bin/../lib/libep.so+0x2a2cb69) #6 0x7ffbd7eac982 in PassiveStream::messageReceived(std::unique_ptr >) (/opt/couchbase/bin/../lib/libep.so+0x2a42982) #7 0x7ffbd7dd31e3 in DcpConsumer::lookupStreamAndDispatchMessage(DcpConsumer::UpdateFlowControl&, Vbid, unsigned int, std::unique_ptr >) (/opt/couchbase/bin/../lib/libep.so+0x29691e3) #8 0x7ffbd7deb384 in DcpConsumer::commit(unsigned int, Vbid, DocKey const&, unsigned long, unsigned long) (/opt/couchbase/bin/../lib/libep.so+0x2981384) #9 0x7ffbd8178480 in EventuallyPersistentEngine::commit(gsl::not_null, unsigned int, Vbid, DocKey const&, unsigned long, unsigned long) (/opt/couchbase/bin/../lib/libep.so+0x2d0e480) #10 0x5df3dd in dcpCommit(Cookie&, unsigned int, Vbid, DocKey const&, unsigned long, unsigned long) (/opt/couchbase/bin/memcached+0x5df3dd) #11 0x9077dd in dcp_commit_executor(Cookie&) (/opt/couchbase/bin/memcached+0x9077dd) #12 0x886aac in execute_client_request_packet(Cookie&, cb::mcbp::Request const&) (/opt/couchbase/bin/memcached+0x886aac) #13 0x80c074 in Cookie::execute() (/opt/couchbase/bin/memcached+0x80c074) #14 0x74c163 in Connection::executeCommandPipeline() (/opt/couchbase/bin/memcached+0x74c163) #15 0x76a38f in Connection::executeCommandsCallback() (/opt/couchbase/bin/memcached+0x76a38f) #16 0x76e1a4 in Connection::rw_callback(bufferevent*, void*) (/opt/couchbase/bin/memcached+0x76e1a4) #17 0x7ffbd0c35d8d (/opt/couchbase/bin/../lib/libevent_core-2.1.so.7+0xed8d) #18 0x7ffbd0c3ed00 (/opt/couchbase/bin/../lib/libevent_core-2.1.so.7+0x17d00) #19 0x7ffbd0c3f54e in event_base_loop (/opt/couchbase/bin/../lib/libevent_core-2.1.so.7+0x1854e) #20 0x6a3ae7 (/opt/couchbase/bin/memcached+0x6a3ae7) #21 0x7ffbd189bf18 (/opt/couchbase/bin/../lib/libplatform_so.so.0.1.0+0x6bf18) #22 0x7ffbce68fe64 in start_thread (/lib64/libpthread.so.0+0x7e64) #23 0x7ffbce3b888c in clone (/lib64/libc.so.6+0xfe88c) 0x603000f91c30 is located 0 bytes inside of 32-byte region [0x603000f91c30,0x603000f91c50) freed by thread T9 (mc:worker_0) here: #0 0x7ffbdce97d00 in operator delete(void*) (/opt/couchbase/bin/../lib/libasan.so.4+0xdbd00) #1 0x7ffbd8023823 in PassiveDurabilityMonitor::State::checkForAndRemoveDroppedCollections() (/opt/couchbase/bin/../lib/libep.so+0x2bb9823) #2 0x7ffbd802e375 in PassiveDurabilityMonitor::completeSyncWrite(StoredDocKeyT const&, PassiveDurabilityMonitor::Resolution, std::optional) (/opt/couchbase/bin/../lib/libep.so+0x2bc4375) #3 0x7ffbd85f34d1 in VBucket::queueItem(SingleThreadedRCPtr >&, VBQueueItemCtx const&) (/opt/couchbase/bin/../lib/libep.so+0x31894d1) #4 0x7ffbd8610480 in VBucket::queueDirty(HashTable::HashBucketLock const&, StoredValue&, VBQueueItemCtx const&) (/opt/couchbase/bin/../lib/libep.so+0x31a6480) #5 0x7ffbd8654a28 in VBucket::commit(DocKey const&, unsigned long, std::optional, Collections::VB::CachingReadHandle const&, void const*) (/opt/couchbase/bin/../lib/libep.so+0x31eaa28) #6 0x7ffbd7e96b69 in PassiveStream::processCommit(CommitSyncWrite const&) (/opt/couchbase/bin/../lib/libep.so+0x2a2cb69) #7 0x7ffbd7eac982 in PassiveStream::messageReceived(std::unique_ptr >) (/opt/couchbase/bin/../lib/libep.so+0x2a42982) #8 0x7ffbd7dd31e3 in DcpConsumer::lookupStreamAndDispatchMessage(DcpConsumer::UpdateFlowControl&, Vbid, unsigned int, std::unique_ptr >) (/opt/couchbase/bin/../lib/libep.so+0x29691e3) #9 0x7ffbd7deb384 in DcpConsumer::commit(unsigned int, Vbid, DocKey const&, unsigned long, unsigned long) (/opt/couchbase/bin/../lib/libep.so+0x2981384) #10 0x7ffbd8178480 in EventuallyPersistentEngine::commit(gsl::not_null, unsigned int, Vbid, DocKey const&, unsigned long, unsigned long) (/opt/couchbase/bin/../lib/libep.so+0x2d0e480) #11 0x5df3dd in dcpCommit(Cookie&, unsigned int, Vbid, DocKey const&, unsigned long, unsigned long) (/opt/couchbase/bin/memcached+0x5df3dd) #12 0x9077dd in dcp_commit_executor(Cookie&) (/opt/couchbase/bin/memcached+0x9077dd) #13 0x886aac in execute_client_request_packet(Cookie&, cb::mcbp::Request const&) (/opt/couchbase/bin/memcached+0x886aac) #14 0x80c074 in Cookie::execute() (/opt/couchbase/bin/memcached+0x80c074) #15 0x74c163 in Connection::executeCommandPipeline() (/opt/couchbase/bin/memcached+0x74c163) #16 0x76a38f in Connection::executeCommandsCallback() (/opt/couchbase/bin/memcached+0x76a38f) #17 0x76e1a4 in Connection::rw_callback(bufferevent*, void*) (/opt/couchbase/bin/memcached+0x76e1a4) #18 0x7ffbd0c35d8d (/opt/couchbase/bin/../lib/libevent_core-2.1.so.7+0xed8d) previously allocated by thread T9 (mc:worker_0) here: #0 0x7ffbdce97000 in operator new(unsigned long) (/opt/couchbase/bin/../lib/libasan.so.4+0xdb000) #1 0x7ffbd8032c48 in PassiveDurabilityMonitor::notifyDroppedCollection(CollectionID, long) (/opt/couchbase/bin/../lib/libep.so+0x2bc8c48) #2 0x7ffbd80c450f in EPVBucket::addSystemEventItem(std::unique_ptr >, std::optional, std::optional, Collections::VB::WriteHandle const&, std::function) (/opt/couchbase/bin/../lib/libep.so+0x2c5a50f) #3 0x7ffbd8ace278 in Collections::VB::Manifest::queueCollectionSystemEvent(Collections::VB::WriteHandle const&, VBucket&, CollectionID, std::basic_string_view >, Collections::VB::ManifestEntry const&, bool, std::optional, std::function) const (/opt/couchbase/bin/../lib/libep.so+0x3664278) #4 0x7ffbd8afe1de in Collections::VB::Manifest::dropCollection(Collections::VB::WriteHandle&, VBucket&, Monotonic, CollectionID, std::optional) (/opt/couchbase/bin/../lib/libep.so+0x36941de) #5 0x7ffbd85ebd5d in VBucket::replicaDropCollection(Monotonic, CollectionID, long) (/opt/couchbase/bin/../lib/libep.so+0x3181d5d) #6 0x7ffbd7e9b22b in PassiveStream::processDropCollection(VBucket&, DropCollectionEvent const&) (/opt/couchbase/bin/../lib/libep.so+0x2a3122b) #7 0x7ffbd7e9dde5 in PassiveStream::processSystemEvent(SystemEventMessage const&) (/opt/couchbase/bin/../lib/libep.so+0x2a33de5) #8 0x7ffbd7eac904 in PassiveStream::messageReceived(std::unique_ptr >) (/opt/couchbase/bin/../lib/libep.so+0x2a42904) #9 0x7ffbd7dd31e3 in DcpConsumer::lookupStreamAndDispatchMessage(DcpConsumer::UpdateFlowControl&, Vbid, unsigned int, std::unique_ptr >) (/opt/couchbase/bin/../lib/libep.so+0x29691e3) #10 0x7ffbd7dd74c5 in DcpConsumer::systemEvent(unsigned int, Vbid, mcbp::systemevent::id, unsigned long, mcbp::systemevent::version, cb::sized_buffer, cb::sized_buffer) (/opt/couchbase/bin/../lib/libep.so+0x296d4c5) #11 0x7ffbd8177628 in EventuallyPersistentEngine::system_event(gsl::not_null, unsigned int, Vbid, mcbp::systemevent::id, unsigned long, mcbp::systemevent::version, cb::sized_buffer, cb::sized_buffer) (/opt/couchbase/bin/../lib/libep.so+0x2d0d628) #12 0x5dd69a in dcpSystemEvent(Cookie&, unsigned int, Vbid, mcbp::systemevent::id, unsigned long, mcbp::systemevent::version, cb::sized_buffer, cb::sized_buffer) (/opt/couchbase/bin/memcached+0x5dd69a) #13 0x921e3e in dcp_system_event_executor(Cookie&) (/opt/couchbase/bin/memcached+0x921e3e) #14 0x886aac in execute_client_request_packet(Cookie&, cb::mcbp::Request const&) (/opt/couchbase/bin/memcached+0x886aac) #15 0x80c074 in Cookie::execute() (/opt/couchbase/bin/memcached+0x80c074) #16 0x74c163 in Connection::executeCommandPipeline() (/opt/couchbase/bin/memcached+0x74c163) #17 0x76a38f in Connection::executeCommandsCallback() (/opt/couchbase/bin/memcached+0x76a38f) #18 0x76e1a4 in Connection::rw_callback(bufferevent*, void*) (/opt/couchbase/bin/memcached+0x76e1a4) #19 0x7ffbd0c35d8d (/opt/couchbase/bin/../lib/libevent_core-2.1.so.7+0xed8d) Thread T9 (mc:worker_0) created by T0 here: #0 0x7ffbdcdf3050 in __interceptor_pthread_create (/opt/couchbase/bin/../lib/libasan.so.4+0x37050) #1 0x7ffbd189b174 in cb_create_named_thread(unsigned long*, void (*)(void*), void*, int, char const*) (/opt/couchbase/bin/../lib/libplatform_so.so.0.1.0+0x6b174) #2 0x6b4166 in worker_threads_init() (/opt/couchbase/bin/memcached+0x6b4166) #3 0x4d1aa3 in memcached_main(int, char**) (/opt/couchbase/bin/memcached+0x4d1aa3) #4 0x7ffbce2dc504 in __libc_start_main (/lib64/libc.so.6+0x22504) SUMMARY: AddressSanitizer: heap-use-after-free (/opt/couchbase/bin/../lib/libep.so+0x2bb9d35) in PassiveDurabilityMonitor::State::checkForAndRemoveDroppedCollections() Shadow bytes around the buggy address: 0x0c06801ea330: fa fa fa fa fa fa fa fa 00 00 00 fa fa fa fa fa 0x0c06801ea340: fa fa fa fa 00 00 00 00 fa fa fa fa fa fa fa fa 0x0c06801ea350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c06801ea360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c06801ea370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c06801ea380: fa fa fa fa fa fa[fd]fd fd fd fa fa fa fa fa fa 0x0c06801ea390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c06801ea3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c06801ea3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c06801ea3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c06801ea3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==memcached==51444==ABORTING