
heap-use-after-free inside shared_buffer_ref::take_ownership

Open · kcwu opened this issue 6 months ago · 1 comment

lnav version: master

Describe the bug
lnav crashes inside shared_buffer_ref::take_ownership. Via git bisect, it seems 55f5e253 is the first revision with this issue, but I'm not sure whether it is the root cause.

To Reproduce
Steps to reproduce the behavior:

cat screen.zst.txt | base64 -d | zstd -d > screen
lnav -e 'scriptreplay timing.txt screen'

It crashes randomly with high probability.

#0  __memcpy_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:265
#1  0x0000555555ab69e2 in shared_buffer_ref::take_ownership (this=0x7fffffff9558, length=11227) at shared_buffer.cc:158
#2  0x00005555559c88b4 in shared_buffer_ref::take_ownership (this=<optimized out>) at /home/kcwu/src/lnav/src/shared_buffer.hh:164
#3  shared_buffer::invalidate_refs (this=<optimized out>) at /home/kcwu/src/lnav/src/shared_buffer.hh:193
#4  logfile::read_full_message (this=0x7fffcc0139a0, ll=..., msg_out=..., dir=line_buffer::scan_direction::forward, format=<optimized out>) at logfile.cc:1494
#5  0x00005555559eb3c5 in logfile_sub_source::eval_sql_filter (this=<optimized out>, stmt=0x5555570df508, ld=..., ld@entry=std::unique_ptr<logfile_sub_source::logfile_data> = {...}, ll=...) at logfile_sub_source.cc:1826
#6  0x0000555555932438 in lnav::log::annotate::applicable (vl=..., vl@entry=...) at log.annotate.cc:140
#7  0x000055555583ce02 in field_overlay_source::build_meta_line (this=0x5555570c8ca0, lv=..., dst=std::vector of length 0, capacity 0, row=...) at field_overlay_source.cc:555
#8  0x00005555558a82ee in listview_curses::height_for_row (this=this@entry=0x555556f725c8 <lnav_data+26472>, row=row@entry=..., height=height@entry=..., width=width@entry=301) at listview_curses.cc:1205
#9  0x00005555558a872e in listview_curses::layout_for_row (this=this@entry=0x555556f725c8 <lnav_data+26472>, row=...) at listview_curses.cc:1228
#10 0x00005555558a9989 in listview_curses::update_top_from_selection (this=0x555556f725c8 <lnav_data+26472>) at listview_curses.cc:101
#11 0x000055555576d3e0 in rebuild_indexes (deadline=std::optional = {...}) at lnav.indexing.cc:402
#12 0x000055555570da2b in looper () at lnav.cc:1929
#13 0x00005555556c6394 in main (argc=<optimized out>, argv=<optimized out>) at lnav.cc:4088

screen.zst.txt

timing.txt

kcwu, Jun 17 '25 10:06

Built with ASAN, it reports a heap-use-after-free:

==2591804==ERROR: AddressSanitizer: heap-use-after-free on address 0x522000024100 at pc 0x7f004a4f2936 bp 0x7fff9ce291c0 sp 0x7fff9ce28980
READ of size 610 at 0x522000024100 thread T0
    #0 0x7f004a4f2935 in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
    #1 0x55ac6b700ae9 in shared_buffer_ref::take_ownership(unsigned long) (/home/kcwu/src/lnav/src/lnav+0x112eae9) (BuildId: 052f0b4a675aa3100a128c20245f46ad5a34e345)
    #2 0x55ac6a990f1d in shared_buffer_ref::take_ownership() (/home/kcwu/src/lnav/src/lnav+0x3bef1d) (BuildId: 052f0b4a675aa3100a128c20245f46ad5a34e345)
    #3 0x55ac6a991049 in shared_buffer::invalidate_refs() (/home/kcwu/src/lnav/src/lnav+0x3bf049) (BuildId: 052f0b4a675aa3100a128c20245f46ad5a34e345)
    #4 0x55ac6b458bf3 in logfile::read_full_message(__gnu_cxx::__normal_iterator<logline const*, std::vector<logline, std::allocator<logline> > >, shared_buffer_ref&, line_buffer::scan_direction, logfile::read_format_t) (/home/kcwu/src/lnav/src/lnav+0xe86bf3) (BuildId: 052f0b4a675aa3100a128c20245f46ad5a34e345)

Unfortunately, I found it crashes on one of my machines but not on another.

kcwu, Jun 19 '25 08:06
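As an added illustration (this is not lnav's code, and it makes no claim about the root cause of this issue), here is a minimal version of the buffer/reference pattern that the two reports above name: a `shared_buffer` that owns a byte array, `shared_buffer_ref`s that borrow windows into it, and an `invalidate_refs()` that asks every live ref to copy its bytes out via `take_ownership()` before the backing storage is released. All types, members, offsets and the sample log line are invented for this example; only the function names echo the frames in the backtrace. The point it shows is the ordering invariant that keeps the `memcpy` inside `take_ownership()` reading live memory.

```cpp
#include <algorithm>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

struct shared_buffer_ref;

// Backing storage plus the list of references that still point into it.
// Hypothetical type for this example; it is not lnav's shared_buffer.
struct shared_buffer {
    char *data = nullptr;
    size_t size = 0;
    std::vector<shared_buffer_ref *> refs;

    explicit shared_buffer(const std::string &s) : size(s.size()) {
        data = static_cast<char *>(std::malloc(size + 1));
        std::memcpy(data, s.data(), size);
    }
    ~shared_buffer();        // defined once shared_buffer_ref is complete
    void invalidate_refs();  // make every ref self-owning, then forget them
};

// A window [offset, offset + length) into a shared_buffer.  Until
// take_ownership() runs it borrows the buffer's bytes; afterwards it holds
// its own heap copy and is independent of the buffer's lifetime.
struct shared_buffer_ref {
    shared_buffer *owner = nullptr;
    size_t offset = 0, length = 0;
    char *own = nullptr;

    shared_buffer_ref(shared_buffer &b, size_t off, size_t len)
        : owner(&b), offset(off), length(len) {
        b.refs.push_back(this);
    }
    ~shared_buffer_ref() { disconnect(); std::free(own); }

    // This memcpy is the read that ASAN flags in the report above: it is
    // only well defined while owner->data has not been freed yet.
    void take_ownership() {
        if (own != nullptr || owner == nullptr) return;
        own = static_cast<char *>(std::malloc(length + 1));
        std::memcpy(own, owner->data + offset, length);
        disconnect();
    }
    std::string str() const {
        const char *p = own ? own : owner->data + offset;
        return std::string(p, length);
    }

private:
    void disconnect() {
        if (owner == nullptr) return;
        auto &v = owner->refs;
        v.erase(std::remove(v.begin(), v.end(), this), v.end());
        owner = nullptr;
    }
};

// take_ownership() removes the ref from `refs`, so walk a snapshot.
void shared_buffer::invalidate_refs() {
    std::vector<shared_buffer_ref *> snapshot = refs;
    for (auto *r : snapshot) r->take_ownership();
}

// Safe order: copy the bytes out of `data` first, free `data` second.
// Swapping these two statements makes the memcpy above read freed memory,
// which is the class of defect the ASAN report describes.
shared_buffer::~shared_buffer() {
    invalidate_refs();
    std::free(data);
}

// Take a ref into a buffer, destroy the buffer, and return what the ref still
// sees.  The sample line is constructed for this example.
std::string survive_buffer_release() {
    auto buf = std::make_unique<shared_buffer>("2025-06-17 10:06 lnav scriptreplay");
    shared_buffer_ref ref(*buf, 17, 4);  // the bytes "lnav"
    buf.reset();                         // ~shared_buffer: invalidate_refs(), then free()
    return ref.str();
}

// After invalidate_refs() the buffer tracks no refs and each ref is self-owning.
bool refs_are_detached_after_invalidate() {
    shared_buffer buf("abcdef");
    shared_buffer_ref a(buf, 0, 3), b(buf, 3, 3);
    buf.invalidate_refs();
    return buf.refs.empty() && a.str() == "abc" && b.str() == "def";
}

int main() {
    std::printf("%s\n", survive_buffer_release().c_str());
    std::printf("%s\n", refs_are_detached_after_invalidate() ? "detached" : "still attached");
    return 0;
}
```

Compiling this with `-fsanitize=address -g` and swapping the two statements in `~shared_buffer` reproduces a report of the same shape as the one in the comment above (a READ inside `memcpy`, reached through `take_ownership()` from `invalidate_refs()`), which is a convenient way to confirm that an ASAN build is catching this class of ordering bug before hunting for the real one in the lnav source.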