Closed
Labels: 2.10 (Target is 2.10 and all newer release/master branches), bug (Something isn't working)
Description
Found in 3.0.0-alpha1-16-g0e5a3cc21.
The issue is found on a replication-luatest/bootstrap_strategy_test.lua run but seems not to be related to replication. It is flaky (the fail rate is low, but it is reproducible under load and with a large number of iterations):
yes replication-luatest/bootstrap_strategy_test | head -n 20 | xargs test/test-run.py --builddir ../build-asan-release -j16 --force
The issue is probably related to tuple format reuse.
To get a repro you need ASAN-friendly allocators. It is WIP in scope of #7327. Temporarily available in https://github.com/nshy/tarantool/tree/small-asan.
=================================================================
==816865==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000002468 at pc 0x56312553de9a bp 0x7faf4da5bc90 sp 0x7faf4da5bc88
READ of size 4 at 0x610000002468 thread T0
#0 0x56312553de99 in tuple_format_ref /home/shiny/dev/tarantool/src/box/tuple_format.h:377:14
#1 0x56312553de99 in luaT_push_tuple_format /home/shiny/dev/tarantool/src/box/lua/tuple_format.c:49:2
#2 0x56312553de99 in lbox_tuple_format_new /home/shiny/dev/tarantool/src/box/lua/tuple_format.c:91:9
#3 0x5631256e0a02 in lj_BC_FUNCC /home/shiny/dev/tarantool/build-asan-release/third_party/luajit/src/lj_vm.S:811
#4 0x56312550e5cf in netbox_transport_fetch_schema /home/shiny/dev/tarantool/src/box/lua/net_box.c:2859:2
#5 0x56312550e5cf in netbox_connection_handler_f /home/shiny/dev/tarantool/src/box/lua/net_box.c:2905:20
#6 0x5631256e0a02 in lj_BC_FUNCC /home/shiny/dev/tarantool/build-asan-release/third_party/luajit/src/lj_vm.S:811
#7 0x5631256fc430 in lua_cpcall /home/shiny/dev/tarantool/third_party/luajit/src/lj_api.c:1197:12
#8 0x56312557158c in luaT_cpcall /home/shiny/dev/tarantool/src/lua/utils.c:685:6
#9 0x56312550c233 in netbox_worker_f /home/shiny/dev/tarantool/src/box/lua/net_box.c:2933:13
#10 0x563124e78108 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*) /home/shiny/dev/tarantool/src/lib/core/fiber.h:1234:10
#11 0x5631255d26ef in fiber_loop /home/shiny/dev/tarantool/src/lib/core/fiber.c:1013:18
#12 0x563125f58c3c in coro_init /home/shiny/dev/tarantool/third_party/coro/coro.c:108:3
0x610000002468 is located 40 bytes inside of 192-byte region [0x610000002440,0x610000002500)
freed by thread T0 here:
#0 0x563124e28d92 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
#1 0x56312553d45b in tuple_format_unref /home/shiny/dev/tarantool/src/box/tuple_format.h:385:3
#2 0x56312553d45b in lbox_tuple_format_gc /home/shiny/dev/tarantool/src/box/lua/tuple_format.c:37:2
#3 0x5631256e0a02 in lj_BC_FUNCC /home/shiny/dev/tarantool/build-asan-release/third_party/luajit/src/lj_vm.S:811
previously allocated by thread T0 here:
#0 0x563124e29dc9 in malloc (/home/shiny/dev/tarantool/build-asan-release/src/tarantool+0x915dc9) (BuildId: eb3b30e568736c28adfe040834b3ab2b13991663)
#1 0x563125a4e71d in tuple_format_alloc /home/shiny/dev/tarantool/src/box/tuple_format.c:762:32
#2 0x563125a4e71d in tuple_format_new /home/shiny/dev/tarantool/src/box/tuple_format.c:887:3
#3 0x563125a3f2a6 in runtime_tuple_format_new /home/shiny/dev/tarantool/src/box/tuple.c:309:3
#4 0x56312553dc9c in lbox_tuple_format_new /home/shiny/dev/tarantool/src/box/lua/tuple_format.c:86:3
#5 0x5631256e0a02 in lj_BC_FUNCC /home/shiny/dev/tarantool/build-asan-release/third_party/luajit/src/lj_vm.S:811
SUMMARY: AddressSanitizer: heap-use-after-free /home/shiny/dev/tarantool/src/box/tuple_format.h:377:14 in tuple_format_ref
==816865==ABORTING
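As an added illustration (not Tarantool's code and not a confirmed root cause), here is a hypothetical C model of the pattern the trace points at: the Lua GC finalizer drops the last reference and destroys the format while a reuse cache still points at it, so the next lookup-or-create returns the destroyed object and increments its refcount, which is the read ASAN reports in tuple_format_ref. The names (fmt, cache, fmt_gc, reproduce) are invented, free() is simulated with a flag so the demo is defined behaviour, and the "fixed" path (unlinking the cache entry before destruction) is one possible mitigation, not the project's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model, not Tarantool's code: a refcounted format whose last
 * unref (a Lua GC finalizer, cf. lbox_tuple_format_gc) destroys it, and a
 * one-slot reuse cache remembering the last format created. */
struct fmt {
	int refs;
	bool freed; /* simulated free(): keeps the demo defined behaviour */
};
static struct fmt pool[2];
static int next_slot;
static struct fmt *cache; /* the bug: the cache never learns about frees */

static struct fmt *fmt_alloc(void)
{
	struct fmt *f = &pool[next_slot++ % 2];
	*f = (struct fmt){ .refs = 0, .freed = false };
	return f;
}

/* GC finalizer: drop the Lua reference; zero refs destroys the format.
 * With fixed == true the cache entry is unlinked before destruction. */
static void fmt_gc(struct fmt *f, bool fixed)
{
	if (--f->refs > 0)
		return;
	if (fixed && cache == f)
		cache = NULL;
	f->freed = true; /* real code: free(f) */
}

/* Lookup-or-create, then take the reference handed to Lua
 * (cf. luaT_push_tuple_format -> tuple_format_ref). */
static struct fmt *fmt_new(void)
{
	if (cache == NULL)
		cache = fmt_alloc();
	cache->refs++; /* on a stale entry this is the read ASAN flagged */
	return cache;
}

/* The sequence the trace implies: create, GC collects it, create again.
 * Returns true when the second create handed back a destroyed format. */
bool reproduce(bool fixed)
{
	cache = NULL;
	next_slot = 0;
	fmt_gc(fmt_new(), fixed);
	return fmt_new()->freed;
}
```

With the unfixed cache reproduce(false) returns true (a destroyed format was handed out and re-referenced); with the cache unlinked on destruction reproduce(true) returns false.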