Problem: use-after-free in test_poller #2581

bluca · 2017-05-18T10:48:13Z

https://travis-ci.org/zeromq/libzmq/jobs/233571415

==25383==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00001de60 at pc 0x2ae3fcc0045b bp 0x7ffc63f68e80 sp 0x7ffc63f68e78
READ of size 4 at 0x61a00001de60 thread T0
    #0 0x2ae3fcc0045a in zmq::socket_base_t::check_tag() ../src/socket_base.cpp:104
    #1 0x2ae3fcc5ba3a in zmq::socket_poller_t::~socket_poller_t() ../src/socket_poller.cpp:70
    #2 0x2ae3fcc584bb in zmq_poller_destroy ../src/zmq.cpp:1241
    #3 0x4040c6 in main ../tests/test_poller.cpp:176
    #4 0x2ae3fd105f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x4016d8  (/home/travis/build/zeromq/libzmq/zeromq-4.2.3/_build/tests/.libs/test_poller+0x4016d8)
0x61a00001de60 is located 992 bytes inside of 1336-byte region [0x61a00001da80,0x61a00001dfb8)
freed by thread T1 here:
    #0 0x2ae3fbc6ee70 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc3e70)
    #1 0x2ae3fcbf5d84 in zmq::server_t::~server_t() ../src/server.cpp:49
    #2 0x2ae3fcbcece4 in zmq::own_t::process_destroy() ../src/own.cpp:214
    #3 0x2ae3fcc0b660 in zmq::socket_base_t::check_destroy() ../src/socket_base.cpp:1539
    #4 0x2ae3fcc0b389 in zmq::socket_base_t::in_event() ../src/socket_base.cpp:1511
    #5 0x2ae3fcb9eb5a in zmq::epoll_t::loop() ../src/epoll.cpp:188
    #6 0x2ae3fcb9ecff in zmq::epoll_t::worker_routine(void*) ../src/epoll.cpp:203
    #7 0x2ae3fcc359ec in thread_routine ../src/thread.cpp:106
    #8 0x2ae3fcece183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
previously allocated by thread T0 here:
    #0 0x2ae3fbc6e570 in operator new(unsigned long, std::nothrow_t const&) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc3570)
    #1 0x2ae3fcc007e9 in zmq::socket_base_t::create(int, zmq::ctx_t*, unsigned int, int) ../src/socket_base.cpp:149
    #2 0x2ae3fcb72e9a in zmq::ctx_t::create_socket(int) ../src/ctx.cpp:377
    #3 0x2ae3fcc558af in zmq_socket ../src/zmq.cpp:257
    #4 0x403562 in main ../tests/test_poller.cpp:60
    #5 0x2ae3fd105f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
Thread T1 created by T0 here:
    #0 0x2ae3fbbdc5c9 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x315c9)
    #1 0x2ae3fcc35ba3 in zmq::thread_t::start(void (*)(void*), void*) ../src/thread.cpp:115
    #2 0x2ae3fcb73386 in zmq::ctx_t::start_thread(zmq::thread_t&, void (*)(void*), void*) const ../src/ctx.cpp:413
    #3 0x2ae3fcb9e2e5 in zmq::epoll_t::start() ../src/epoll.cpp:144
    #4 0x2ae3fcbeaab1 in zmq::reaper_t::start() ../src/reaper.cpp:68
    #5 0x2ae3fcb72a32 in zmq::ctx_t::create_socket(int) ../src/ctx.cpp:338
    #6 0x2ae3fcc558af in zmq_socket ../src/zmq.cpp:257
    #7 0x4033c3 in main ../tests/test_poller.cpp:44
    #8 0x2ae3fd105f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/socket_base.cpp:104 in zmq::socket_base_t::check_tag()

Detected by the address sanitizer test run.

Looks like a race between zmq_poller_destroy in the application thread and the reaper thread.

@somdoron should the zmq_poller be destroyed before the sockets are closed?

The text was updated successfully, but these errors were encountered:

somdoron · 2017-05-18T11:11:32Z

socket must be removed from poller before destroying the socket. On May 18, 2017 13:48, "Luca Boccassi" <[email protected]> wrote: https://travis-ci.org/zeromq/libzmq/jobs/233571415 ==25383==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00001de60 at pc 0x2ae3fcc0045b bp 0x7ffc63f68e80 sp 0x7ffc63f68e78 READ of size 4 at 0x61a00001de60 thread T0 #0 0x2ae3fcc0045a in zmq::socket_base_t::check_tag() ../src/socket_base.cpp:104 #1 0x2ae3fcc5ba3a in zmq::socket_poller_t::~socket_poller_t() ../src/socket_poller.cpp:70 #2 0x2ae3fcc584bb in zmq_poller_destroy ../src/zmq.cpp:1241 #3 0x4040c6 in main ../tests/test_poller.cpp:176 #4 0x2ae3fd105f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #5 0x4016d8 (/home/travis/build/zeromq/libzmq/zeromq-4.2.3/_build/tests/.libs/test_poller+0x4016d8) 0x61a00001de60 is located 992 bytes inside of 1336-byte region [0x61a00001da80,0x61a00001dfb8) freed by thread T1 here: #0 0x2ae3fbc6ee70 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc3e70) #1 0x2ae3fcbf5d84 in zmq::server_t::~server_t() ../src/server.cpp:49 #2 0x2ae3fcbcece4 in zmq::own_t::process_destroy() ../src/own.cpp:214 #3 0x2ae3fcc0b660 in zmq::socket_base_t::check_destroy() ../src/socket_base.cpp:1539 #4 0x2ae3fcc0b389 in zmq::socket_base_t::in_event() ../src/socket_base.cpp:1511 #5 0x2ae3fcb9eb5a in zmq::epoll_t::loop() ../src/epoll.cpp:188 #6 0x2ae3fcb9ecff in zmq::epoll_t::worker_routine(void*) ../src/epoll.cpp:203 #7 0x2ae3fcc359ec in thread_routine ../src/thread.cpp:106 #8 0x2ae3fcece183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183) previously allocated by thread T0 here: #0 0x2ae3fbc6e570 in operator new(unsigned long, std::nothrow_t const&) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc3570) #1 0x2ae3fcc007e9 in zmq::socket_base_t::create(int, zmq::ctx_t*, unsigned int, int) ../src/socket_base.cpp:149 #2 0x2ae3fcb72e9a in zmq::ctx_t::create_socket(int) ../src/ctx.cpp:377 #3 0x2ae3fcc558af in zmq_socket ../src/zmq.cpp:257 #4 0x403562 in main ../tests/test_poller.cpp:60 #5 0x2ae3fd105f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) Thread T1 created by T0 here: #0 0x2ae3fbbdc5c9 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x315c9) #1 0x2ae3fcc35ba3 in zmq::thread_t::start(void (*)(void*), void*) ../src/thread.cpp:115 #2 0x2ae3fcb73386 in zmq::ctx_t::start_thread(zmq::thread_t&, void (*)(void*), void*) const ../src/ctx.cpp:413 #3 0x2ae3fcb9e2e5 in zmq::epoll_t::start() ../src/epoll.cpp:144 #4 0x2ae3fcbeaab1 in zmq::reaper_t::start() ../src/reaper.cpp:68 #5 0x2ae3fcb72a32 in zmq::ctx_t::create_socket(int) ../src/ctx.cpp:338 #6 0x2ae3fcc558af in zmq_socket ../src/zmq.cpp:257 #7 0x4033c3 in main ../tests/test_poller.cpp:44 #8 0x2ae3fd105f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) SUMMARY: AddressSanitizer: heap-use-after-free ../src/socket_base.cpp:104 in zmq::socket_base_t::check_tag() Detected by the address sanitizer test run. Looks like a race between zmq_poller_destroy in the application thread and the reaper thread. @somdoron <https://github.com/somdoron> should the zmq_poller be destroyed before the sockets are closed? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2581>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AClv9g0KL9MUPabIJJ_px0mc_3m3tZ74ks5r7CHzgaJpZM4NfC8a> .

Solution: remove server socket from poller before closing it Fixes zeromq#2581

bluca added a commit to bluca/libzmq that referenced this issue May 18, 2017

Problem: use-after-free in test_poller

1763753

Solution: remove server socket from poller before closing it Fixes zeromq#2581

bluca mentioned this issue May 18, 2017

Problem: use-after-free in test_poller #2582

Merged

somdoron closed this as completed in #2582 May 18, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Problem: use-after-free in test_poller #2581

Problem: use-after-free in test_poller #2581

bluca commented May 18, 2017

somdoron commented May 18, 2017 via email

Problem: use-after-free in test_poller #2581

Problem: use-after-free in test_poller #2581

Comments

bluca commented May 18, 2017

somdoron commented May 18, 2017 via email