This repository has been archived by the owner on Jan 7, 2022. It is now read-only.

Fix use-after-free in AdminCommandClient
Summary:
ASAN error:

  ==373949==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700007d938 at pc 0x0000005be44b bp 0x7f71060ab440 sp 0x7f71060ab438
  READ of size 2 at 0x60700007d938 thread T7 (IOThreadPool2)
  SCARINESS: 42 (2-byte-read-heap-use-after-free)
  I1008 20:44:07.669364  373949 [not-set] TestUtil.cpp:292] wait_until() Still waiting until: node 0 starts (157.375s)
  I1008 20:44:07.811503  373949 [not-set] TestUtil.cpp:292] wait_until() Still waiting until: node 0 starts (187.389s)
  I1008 20:44:38.524135  373949 [not-set] TestUtil.cpp:292] wait_until() Still waiting until: node 0 starts (218.206s)
      #0 0x5be44a in folly::SocketAddress::SocketAddress(folly::SocketAddress const&) folly/SocketAddress.h:83
      #1 0x2ba49a0 in facebook::logdevice::AdminCommandClient::Request::Request(facebook::logdevice::AdminCommandClient::Request const&) logdevice/ops/admin_command_client/AdminCommandClient.h:32
      #2 0x2ba49a0 in facebook::logdevice::AdminClientConnection::AdminClientConnection(folly::EventBase*, facebook::logdevice::AdminCommandClient::Request const&, std::chrono::duration<long, std::ratio<1l, 1000l> >, std::shared_ptr<folly::SSLContext>) logdevice/ops/admin_command_client/AdminCommandClient.cpp:39
      #3 0x2ba40c1 in std::_MakeUniq<facebook::logdevice::AdminClientConnection>::__single_object std::make_unique<facebook::logdevice::AdminClientConnection, folly::EventBase*, facebook::logdevice::AdminCommandClient::Request const&, std::chrono::duration<long, std::ratio<1l, 1000l> >&, std::shared_ptr<folly::SSLContext> >(folly::EventBase*&&, facebook::logdevice::AdminCommandClient::Request const&, std::chrono::duration<long, std::ratio<1l, 1000l> >&, std::shared_ptr<folly::SSLContext>&&) third-party-buck/platform007/build/libgcc/include/c++/trunk/bits/unique_ptr.h:825
      #4 0x2ba20b7  (/data/users/kolmike/fbsource/fbcode/buck-out/dbgo/gen/logdevice/test/tests+0x2ba20b7)
      #5 0x13e1204 in folly::futures::detail::Core<folly::Unit>::doCallback(folly::Executor::KeepAlive<folly::Executor>&&, folly::futures::detail::State)::'lambda'(folly::Executor::KeepAlive<folly::Executor>&&)::operator()(folly::Executor::KeepAlive<folly::Executor>&&) folly/futures/detail/Core.h:940
      #6 0x2d05a3b in folly::detail::function::FunctionTraits<void ()>::operator()() folly/Function.h:376
      #7 0x2d05a3b in folly::ThreadPoolExecutor::runTask(std::shared_ptr<folly::ThreadPoolExecutor::Thread> const&, folly::ThreadPoolExecutor::Task&&) folly/executors/ThreadPoolExecutor.cpp:84
      #8 0x2caaec7 in folly::IOThreadPoolExecutor::add(folly::Function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >, folly::Function<void ()>)::$_0::operator()() folly/executors/IOThreadPoolExecutor.cpp:106
      #9 0x2caaec7 in void folly::detail::function::FunctionTraits<void ()>::callBig<folly::IOThreadPoolExecutor::add(folly::Function<void ()>, std::chrono::duration<long, std::ratio<1l, 1000l> >, folly::Function<void ()>)::$_0>(folly::detail::function::Data&) folly/Function.h:367
      #10 0x2cfb023 in folly::detail::function::FunctionTraits<void ()>::operator()() folly/Function.h:376
      #11 0x2cfb023 in folly::EventBase::FunctionRunner::messageAvailable(folly::Function<void ()>&&) folly/io/async/EventBase.cpp:59
      #12 0x2cf4b37 in folly::NotificationQueue<folly::Function<void ()> >::Consumer::consumeMessages(bool, unsigned long*) folly/io/async/NotificationQueue.h:729
      #13 0x2cfb9fc in folly::EventHandler::libeventCallback(int, short, void*) folly/io/async/EventHandler.cpp:161
      #14 0x3772f98 in event_process_active /home/engshare/third-party2/libevent/1.4.14b_hphp/src/libevent-1.4.14b-stable/event.c:390
      #15 0x3773237 in event_base_loop /home/engshare/third-party2/libevent/1.4.14b_hphp/src/libevent-1.4.14b-stable/event.c:532
      #16 0x2cec440 in folly::EventBase::loopBody(int, bool) folly/io/async/EventBase.cpp:338
      #17 0x2ceec9b in folly::EventBase::loop() folly/io/async/EventBase.cpp:261
      #18 0x2ceec9b in folly::EventBase::loopForever() folly/io/async/EventBase.cpp:477
      #19 0x2ca7590 in folly::IOThreadPoolExecutor::threadRun(std::shared_ptr<folly::ThreadPoolExecutor::Thread>) folly/executors/IOThreadPoolExecutor.cpp:179
      #20 0x2d0fd70 in void std::__invoke_impl<void, void (folly::ThreadPoolExecutor::*&)(std::shared_ptr<folly::ThreadPoolExecutor::Thread>), folly::ThreadPoolExecutor*&, std::shared_ptr<folly::ThreadPoolExecutor::Thread>&>(std::__invoke_memfun_deref, void (folly::ThreadPoolExecutor::*&)(std::shared_ptr<folly::ThreadPoolExecutor::Thread>), folly::ThreadPoolExecutor*&, std::shared_ptr<folly::ThreadPoolExecutor::Thread>&) third-party-buck/platform007/build/libgcc/include/c++/trunk/bits/invoke.h:73
      #21 0x7f711342467f in execute_native_thread_routine /home/engshare/third-party2/libgcc/7.x/src/gcc-7.x/libstdc++-v3/src/c++11/thread.cc:83:15
      #22 0x7f71129026b5 in start_thread /home/engshare/third-party2/glibc/2.26/src/glibc-2.26/nptl/pthread_create.c:465:7
      #23 0x7f711221bebe in __GI___clone /home/engshare/third-party2/glibc/2.26/src/glibc-2.26/sysdeps/unix/sysv/linux/x86_64/clone.S:95

  0x60700007d938 is located 24 bytes inside of 72-byte region [0x60700007d920,0x60700007d968)
  freed by thread T0 here:
      #0 0x34b2258 in operator delete(void*) (/data/users/kolmike/fbsource/fbcode/buck-out/dbgo/gen/logdevice/test/tests+0x34b2258)
      #1 0x2b07f64 in facebook::logdevice::test::nc(std::shared_ptr<facebook::logdevice::AdminCommandClient> const&, folly::SocketAddress const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool, std::chrono::duration<long, std::ratio<1l, 1000l> >, std::chrono::duration<long, std::ratio<1l, 1000l> >) logdevice/test/utils/nc.cpp:36
      #2 0xe1d5b1 in facebook::logdevice::IntegrationTestUtils::Node::sendCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, std::chrono::duration<long, std::ratio<1l, 1000l> >) const logdevice/test/utils/IntegrationTestUtils.cpp:1538
      #3 0xe20a03 in facebook::logdevice::IntegrationTestUtils::Node::getServerInfo() const logdevice/test/utils/IntegrationTestUtils.cpp:1619
      #4 0xe72c70 in facebook::logdevice::IntegrationTestUtils::Node::waitUntilStarted(std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >)::$_5::operator()() const logdevice/test/utils/IntegrationTestUtils.cpp:1648
      #5 0xe72c70 in std::_Function_handler<bool (), facebook::logdevice::IntegrationTestUtils::Node::waitUntilStarted(std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >)::$_5>::_M_invoke(std::_Any_data const&) third-party-buck/platform007/build/libgcc/include/c++/trunk/bits/std_function.h:301
      #6 0x177c3f5 in std::function<bool ()>::operator()() const third-party-buck/platform007/build/libgcc/include/c++/trunk/bits/std_function.h:706
      #7 0x177c3f5 in facebook::logdevice::wait_until(char const*, std::function<bool ()>, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >) logdevice/common/test/TestUtil.cpp:277
      #8 0xe0f70d in facebook::logdevice::IntegrationTestUtils::Node::waitUntilStarted(std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >) logdevice/test/utils/IntegrationTestUtils.cpp:1676
      #9 0xe04345 in facebook::logdevice::IntegrationTestUtils::Cluster::start(std::vector<short, std::allocator<short> >) logdevice/test/utils/IntegrationTestUtils.cpp:1122
      #10 0xdfd2dd in facebook::logdevice::IntegrationTestUtils::ClusterFactory::createOneTry(facebook::logdevice::Configuration const&) logdevice/test/utils/IntegrationTestUtils.cpp:887
      #11 0xdf9ece in facebook::logdevice::IntegrationTestUtils::ClusterFactory::create(facebook::logdevice::Configuration const&) logdevice/test/utils/IntegrationTestUtils.cpp:1423
      #12 0xdf68e3 in facebook::logdevice::IntegrationTestUtils::ClusterFactory::create(int) logdevice/test/utils/IntegrationTestUtils.cpp:694
      #13 0x6bbe76 in (anonymous namespace)::DataSizeTest::init() logdevice/test/DataSizeTest.cpp:132
      #14 0x6cab7d in (anonymous namespace)::DataSizeTest_RestartNode_Test::TestBody() logdevice/test/DataSizeTest.cpp:336
      #15 0x366771c in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2417:27
      #16 0x366771c in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2453:52
      #17 0x3658ad1 in testing::Test::Run() (.part.595) /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2490:50
      #18 0x3658f51 in testing::Test::Run() /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2481:3
      #19 0x3658f51 in testing::TestInfo::Run() (.part.596) /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2677:14
      #20 0x36590e4 in testing::TestInfo::Run() /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2801:21
      #21 0x36590e4 in testing::TestCase::Run() (.part.597) /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2802:31
      #22 0x365a664 in testing::TestCase::Run() /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:4737:45
      #23 0x365a664 in testing::internal::UnitTestImpl::RunAllTests() /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:4739:46
      #24 0x365a904 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2417:27
      #25 0x365a904 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:2453:52
      #26 0x365a904 in testing::UnitTest::Run() /home/engshare/third-party2/googletest/master/src/googletest/googletest/src/gtest.cc:4333:55
      #27 0x2c74173 in RUN_ALL_TESTS() third-party-buck/platform007/build/googletest/include/gtest/gtest.h:2255
      #28 0x2c74173 in main common/gtest/LightMain.cpp:19
      #29 0x7f711212b1a5 in __libc_start_main /home/engshare/third-party2/glibc/2.26/src/glibc-2.26/csu/libc-start.c:308:16
      #30 0x4f0c99 in _start /home/engshare/third-party2/glibc/2.26/src/glibc-2.26/sysdeps/x86_64/start.S:120

Reviewed By: MohamedBassem

Differential Revision: D17825971

fbshipit-source-id: f68ee49d5b9a079e55c5bed6e2e6b28dbb161c9b
al13n321 authored and facebook-github-bot committed Oct 9, 2019
1 parent 218e006 commit 4d72536
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion logdevice/ops/admin_command_client/AdminCommandClient.cpp
Expand Up @@ -224,7 +224,7 @@ AdminCommandClient::asyncSend(
for (auto& r : rr) {
futures.push_back(
folly::via(executor_.get())
.then([executor = executor_.get(), &r, connect_timeout](
.then([executor = executor_.get(), r, connect_timeout](
auto&&) mutable {
auto connection = std::make_unique<AdminClientConnection>(
executor->getEventBase(),
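Review bot: The by-value capture of `r` in the `.then(...)` capture list is what keeps the request alive for the continuation, but nothing in the code says so, and inside `for (auto& r : rr)` a later reader could easily turn it back into `&r` as an apparent copy-saving cleanup. I would add a comment directly above the lambda, for example `// Capture r by value: this runs on an executor thread and may outlive the caller's request vector.` The ASAN report in the description shows that ordering, with the region freed on T0 inside `nc()` and read afterwards on an IOThreadPool thread. The same capture list still holds the raw `executor` pointer taken from `executor_.get()`; whether the executor is guaranteed to outlive every pending continuation is not visible in this hunk and is worth confirming. The lambda body continues outside the hunk.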
