
psa-tcp use-after-free reported by CI

Open PengZheng opened this issue 3 years ago • 1 comment

Issue created for record.

https://github.com/apache/celix/runs/5694151734?check_suite_focus=true

  32: ==22607==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000004b38 at pc 0x7faa3854701d bp 0x7faa2f3f65c0 sp 0x7faa2f3f65b0
  32: READ of size 8 at 0x606000004b38 thread T5
  32:     #0 0x7faa3854701c in hashMap_get /home/runner/work/celix/celix/libs/utils/src/hash_map.c:126
  32:     #1 0x7faa33eb44ef in psa_tcp_disConnectHandler /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_topic_receiver.c:626
  32:     #2 0x7faa33eb7d01 in pubsub_tcpHandler_closeConnectionEntry /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_handler.c:489
  32:     #3 0x7faa33eb5eef in pubsub_tcpHandler_close /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_handler.c:294
  32:     #4 0x7faa33ec04c6 in pubsub_tcpHandler_handler /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_handler.c:1418
  32:     #5 0x7faa33ec0b5c in pubsub_tcpHandler_thread /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_handler.c:1448
  32:     #6 0x7faa38459608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
  32:     #7 0x7faa38032292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
  32: 
  32: 0x606000004b38 is located 24 bytes inside of 56-byte region [0x606000004b20,0x606000004b58)
  32: freed by thread T1 here:
  32:     #0 0x7faa387867cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
  32:     #1 0x7faa38546e6c in hashMap_destroy /home/runner/work/celix/celix/libs/utils/src/hash_map.c:103
  32:     #2 0x7faa33eb0e7d in pubsub_tcpTopicReceiver_destroy /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_topic_receiver.c:277
  32:     #3 0x7faa33ea97c5 in pubsub_tcpAdmin_removeProtocolSvc /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_admin.c:275
  32:     #4 0x7faa3863380a in serviceTracker_invokeRemovingService /home/runner/work/celix/celix/libs/framework/src/service_tracker.c:597
  32:     #5 0x7faa38633350 in serviceTracker_untrackTracked /home/runner/work/celix/celix/libs/framework/src/service_tracker.c:560
  32:     #6 0x7faa38630b63 in serviceTracker_close /home/runner/work/celix/celix/libs/framework/src/service_tracker.c:232
  32:     #7 0x7faa3863469d in celix_serviceTracker_destroy /home/runner/work/celix/celix/libs/framework/src/service_tracker.c:695
  32:     #8 0x7faa385fb1d7 in celix_bundleContext_removeServiceTracker /home/runner/work/celix/celix/libs/framework/src/bundle_context.c:902
  32:     #9 0x7faa3860f81e in fw_handleEventRequest /home/runner/work/celix/celix/libs/framework/src/framework.c:1554
  32:     #10 0x7faa3860fee3 in fw_handleEvents /home/runner/work/celix/celix/libs/framework/src/framework.c:1602
  32:     #11 0x7faa386100d7 in fw_eventDispatcher /home/runner/work/celix/celix/libs/framework/src/framework.c:1628
  32:     #12 0x7faa38459608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
  32: 
  32: previously allocated by thread T1 here:
  32:     #0 0x7faa38786bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
  32:     #1 0x7faa38546ae6 in hashMap_create /home/runner/work/celix/celix/libs/utils/src/hash_map.c:73
  32:     #2 0x7faa33eaff7b in pubsub_tcpTopicReceiver_create /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_topic_receiver.c:198
  32:     #3 0x7faa33eaa8a0 in pubsub_tcpAdmin_setupTopicReceiver /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_admin.c:457
  32:     #4 0x7faa3414b33c in pstm_setupTopicReceiverCallback /home/runner/work/celix/celix/bundles/pubsub/pubsub_topology_manager/src/pubsub_topology_manager.c:1014
  32:     #5 0x7faa38634bd2 in celix_serviceTracker_useHighestRankingService /home/runner/work/celix/celix/libs/framework/src/service_tracker.c:761
  32:     #6 0x7faa385fd7e4 in celix_bundleContext_useServiceWithOptions_2_UseServiceTracker /home/runner/work/celix/celix/libs/framework/src/bundle_context.c:1185
  32:     #7 0x7faa3860f81e in fw_handleEventRequest /home/runner/work/celix/celix/libs/framework/src/framework.c:1554
  32:     #8 0x7faa3860fee3 in fw_handleEvents /home/runner/work/celix/celix/libs/framework/src/framework.c:1602
  32:     #9 0x7faa386100d7 in fw_eventDispatcher /home/runner/work/celix/celix/libs/framework/src/framework.c:1628
  32:     #10 0x7faa38459608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
  32: 
  32: Thread T5 created by T1 here:
  32:     #0 0x7faa386b3805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
  32:     #1 0x7faa3854d066 in celixThread_create /home/runner/work/celix/celix/libs/utils/src/celix_threads.c:38
  32:     #2 0x7faa33eb4d55 in pubsub_tcpHandler_create /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_handler.c:171
  32:     #3 0x7faa33eafb24 in pubsub_tcpTopicReceiver_create /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_topic_receiver.c:170
  32:     #4 0x7faa33eaa8a0 in pubsub_tcpAdmin_setupTopicReceiver /home/runner/work/celix/celix/bundles/pubsub/pubsub_admin_tcp/src/pubsub_tcp_admin.c:457
  32:     #5 0x7faa3414b33c in pstm_setupTopicReceiverCallback /home/runner/work/celix/celix/bundles/pubsub/pubsub_topology_manager/src/pubsub_topology_manager.c:1014
  32:     #6 0x7faa38634bd2 in celix_serviceTracker_useHighestRankingService /home/runner/work/celix/celix/libs/framework/src/service_tracker.c:761
  32:     #7 0x7faa385fd7e4 in celix_bundleContext_useServiceWithOptions_2_UseServiceTracker /home/runner/work/celix/celix/libs/framework/src/bundle_context.c:1185
  32:     #8 0x7faa3860f81e in fw_handleEventRequest /home/runner/work/celix/celix/libs/framework/src/framework.c:1554
  32:     #9 0x7faa3860fee3 in fw_handleEvents /home/runner/work/celix/celix/libs/framework/src/framework.c:1602
  32:     #10 0x7faa386100d7 in fw_eventDispatcher /home/runner/work/celix/celix/libs/framework/src/framework.c:1628
  32:     #11 0x7faa38459608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
  32: 
  32: Thread T1 created by T0 here:
  32:     #0 0x7faa386b3805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
  32:     #1 0x7faa3854d066 in celixThread_create /home/runner/work/celix/celix/libs/utils/src/celix_threads.c:38
  32:     #2 0x7faa3860688a in fw_init /home/runner/work/celix/celix/libs/framework/src/framework.c:416
  32:     #3 0x7faa386072c1 in framework_start /home/runner/work/celix/celix/libs/framework/src/framework.c:495
  32:     #4 0x7faa38641d31 in celix_frameworkFactory_createFramework /home/runner/work/celix/celix/libs/framework/src/celix_framework_factory.c:34
  32:     #5 0x7faa38641206 in celixLauncher_launchWithProperties /home/runner/work/celix/celix/libs/framework/src/celix_launcher.c:158
  32:     #6 0x7faa386411da in celixLauncher_launchWithConfigAndProps /home/runner/work/celix/celix/libs/framework/src/celix_launcher.c:149
  32:     #7 0x7faa38641144 in celixLauncher_launch /home/runner/work/celix/celix/libs/framework/src/celix_launcher.c:133
  32:     #8 0x55a1e03a106e in PubSubIntegrationTestSuite::PubSubIntegrationTestSuite() (/home/runner/work/celix/celix/build/bundles/pubsub/integration/pubsub_tcp_v2_wire_v1_tests/pubsub_tcp_v2_wire_v1_testsd+0x1f06e)
  32:     #9 0x55a1e03ae0ef in PubSubIntegrationTestSuite_recvTest_Test::PubSubIntegrationTestSuite_recvTest_Test() (/home/runner/work/celix/celix/build/bundles/pubsub/integration/pubsub_tcp_v2_wire_v1_tests/pubsub_tcp_v2_wire_v1_testsd+0x2c0ef)
  32:     #10 0x55a1e03ae149 in testing::internal::TestFactoryImpl<PubSubIntegrationTestSuite_recvTest_Test>::CreateTest() (/home/runner/work/celix/celix/build/bundles/pubsub/integration/pubsub_tcp_v2_wire_v1_tests/pubsub_tcp_v2_wire_v1_testsd+0x2c149)
  32:     #11 0x55a1e043b00d in testing::Test* testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::TestFactoryBase, testing::Test*>(testing::internal::TestFactoryBase*, testing::Test* (testing::internal::TestFactoryBase::*)(), char const*) /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:2607
  32:     #12 0x55a1e0429296 in testing::Test* testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::TestFactoryBase, testing::Test*>(testing::internal::TestFactoryBase*, testing::Test* (testing::internal::TestFactoryBase::*)(), char const*) /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:2643
  32:     #13 0x55a1e03c48c8 in testing::TestInfo::Run() /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:2851
  32:     #14 0x55a1e03c5ad3 in testing::TestSuite::Run() /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:3015
  32:     #15 0x55a1e03eb679 in testing::internal::UnitTestImpl::RunAllTests() /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:5855
  32:     #16 0x55a1e043e395 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:2607
  32:     #17 0x55a1e042b68d in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:2643
  32:     #18 0x55a1e03e8077 in testing::UnitTest::Run() /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest.cc:5438
  32:     #19 0x55a1e04680ca in RUN_ALL_TESTS() /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/include/gtest/gtest.h:2490
  32:     #20 0x55a1e0467fa5 in main /home/runner/work/celix/celix/build/_deps/googletest-src/googletest/src/gtest_main.cc:52
  32:     #21 0x7faa37f370b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
  32: 
  32: SUMMARY: AddressSanitizer: heap-use-after-free /home/runner/work/celix/celix/libs/utils/src/hash_map.c:126 in hashMap_get
  32: ==22607==ABORTING
  32/47 Test #32: pubsub_tcp_v2_wire_v1_tests ............................***Failed    2.10 sec
  test 33
        Start 33: pubsub_tcp_v2_wire_v2_tests

PengZheng avatar Mar 26 '22 05:03 PengZheng

According to Zhenbao Xu's analysis, this one is due to an incorrect resource release order. The cure for this kind of issue is to release resources in the strict reverse of the order in which they were acquired. That is, if resources are acquired in the order ABCDE, they should be released in the order EDCBA.

Given that Xu is now focusing on RSA/PSA, I think he will come up with fixes when he fully grasps the whole design of these two components.

PengZheng avatar Mar 26 '22 12:03 PengZheng
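As an added example (not Celix code, and not the fix that eventually landed), the release-order rule from the comment above modelled on the trace: a receiver owns a connection map and a handler thread that reads it, so the thread is acquired after the map and must be stopped and joined before the map is freed. The names receiver_t, conn_map_t and handler_thread are hypothetical stand-ins for the Celix types in the stack trace.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

/* Stand-in for Celix's hashMap (hypothetical): it only counts lookups for the demo. */
typedef struct { atomic_long lookups; } conn_map_t;
typedef struct {
    conn_map_t *connections;   /* resource A: acquired first, so released last */
    pthread_t   handler;       /* resource B: acquired second, so released first */
    atomic_bool running;
} receiver_t;
/* Plays pubsub_tcpHandler_thread: its disconnect handling reads the map (hashMap_get). */
static void *handler_thread(void *arg) {
    receiver_t *r = arg;
    while (atomic_load(&r->running)) {
        atomic_fetch_add(&r->connections->lookups, 1);
        usleep(100);
    }
    return NULL;
}
receiver_t *receiver_create(void) {
    receiver_t *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->connections = calloc(1, sizeof *r->connections);              /* acquire A */
    if (!r->connections) { free(r); return NULL; }
    atomic_init(&r->connections->lookups, 0);
    atomic_init(&r->running, 1);
    if (pthread_create(&r->handler, NULL, handler_thread, r) != 0) { /* acquire B */
        free(r->connections); free(r); return NULL;                  /* undo A */
    }
    return r;
}
/* Release in reverse order: stop B, the only reader of A, before freeing A.
   Freeing A first is the ordering the ASan report above caught. Returns lookups. */
long receiver_destroy(receiver_t *r) {
    if (!r) return 0;
    atomic_store(&r->running, 0);
    pthread_join(r->handler, NULL);  /* release B: no thread can reach the map now */
    long n = atomic_load(&r->connections->lookups);
    free(r->connections);            /* release A */
    free(r);
    return n;
}
long demo_run(void) {                /* create, let the handler run 20 ms, tear down */
    receiver_t *r = receiver_create();
    if (!r) return -1;
    usleep(20000);
    return receiver_destroy(r);
}
```

Built with -fsanitize=address, swapping the two release steps in receiver_destroy reproduces a heap-use-after-free report of the same shape as the one in this issue.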