adbstats: segmentation fault in isc_stats_decrement() on shutdown
This happened in the "chain" system test during a CI run on system:gcc:alpine3.15:amd64 - https://gitlab.isc.org/isc-projects/bind9/-/jobs/2475270
Looks like a use-after-free bug.
I:chain:ns2 crashed on shutdown
I:chain:ns2 didn't die when sent a SIGTERM
I:chain:ns2 died before a SIGABRT was sent
I:chain:stopping servers failed
I:chain:Core dump(s) found: chain/ns2/core.3385
D:chain:backtrace from chain/ns2/core.3385:
D:chain:--------------------------------------------------------------------------------
D:chain:Core was generated by `/builds/isc-projects/bind9/bin/named/.libs/lt-named -D chain-ns2 -X named.lock'.
D:chain:Program terminated with signal SIGSEGV, Segmentation fault.
D:chain:#0 0x00007f3eee32fb3f in isc_stats_decrement (stats=0xdededededededede, counter=counter@entry=3) at stats.c:115
D:chain:115 REQUIRE(ISC_STATS_VALID(stats));
D:chain:[Current thread is 1 (LWP 3398)]
D:chain:#0 0x00007f3eee32fb3f in isc_stats_decrement (stats=0xdededededededede, counter=counter@entry=3) at stats.c:115
D:chain:#1 0x00007f3eee0fbc3d in dec_adbstats (counter=3, adb=<optimized out>) at adb.c:509
D:chain:#2 free_adbname (namep=namep@entry=0x7f3eecb63500) at adb.c:1307
D:chain:#3 0x00007f3eee0fbeed in expire_name (n=n@entry=0x7f3eecb63550, evtype=evtype@entry=262154) at adb.c:748
D:chain:#4 0x00007f3eee0fc67c in fetch_callback (task=<optimized out>, ev=<optimized out>) at adb.c:3223
D:chain:#5 0x00007f3eee332875 in task_run (task=0x7f3ee8f92cc0) at task.c:717
D:chain:#6 isc_task_run (task=0x7f3ee8f92cc0) at task.c:797
D:chain:#7 0x00007f3eee301d9a in isc__nm_async_task (ev0=0x7f3eec6c1d00, worker=0x7f3eed04ae80) at netmgr/netmgr.c:802
D:chain:#8 process_netievent (worker=worker@entry=0x7f3eed04ae80, ievent=0x7f3eec6c1d00) at netmgr/netmgr.c:873
D:chain:#9 0x00007f3eee30276f in process_queue (worker=worker@entry=0x7f3eed04ae80, type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c:965
D:chain:#10 0x00007f3eee303059 in process_all_queues (worker=0x7f3eed04ae80) at netmgr/netmgr.c:736
D:chain:#11 async_cb (handle=0x7f3eed04b1e0) at netmgr/netmgr.c:765
D:chain:#12 0x00007f3eedc0d391 in ?? () from /usr/lib/libuv.so.1
D:chain:#13 0x00007f3eedc1d03d in ?? () from /usr/lib/libuv.so.1
D:chain:#14 0x00007f3eedc0d8ef in uv_run () from /usr/lib/libuv.so.1
D:chain:#15 0x00007f3eee302a05 in nm_thread (worker0=0x7f3eed04ae80) at netmgr/netmgr.c:674
D:chain:#16 0x00007f3eee339560 in isc__trampoline_run (arg=0x7f3eecb7eba0) at trampoline.c:198
D:chain:#17 0x00007f3eee8be221 in start (p=0x7f3eecb67148) at src/thread/pthread_create.c:203
D:chain:#18 0x00007f3eee8c03e0 in __clone () at src/thread/x86_64/clone.s:22
D:chain:Backtrace stopped: frame did not save the PC
D:chain:--------------------------------------------------------------------------------
D:chain:full backtrace from chain/ns2/core.3385 saved in chain/ns2/core.3385-backtrace.txt
D:chain:core dump chain/ns2/core.3385 archived as chain/ns2/core.3385.gz
R:chain:FAIL
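A triage helper for backtraces in the log format above, added here as an example and not part of the original report or of BIND 9: it parses the `D:<test>:#N ...` frame lines and flags pointer arguments whose value is one byte repeated across the whole 64-bit word, like `stats=0xdededededededede` in frame #0. Reading such a value as allocator fill of freed memory is an assumption, and `SAMPLE`, `suspicious_frames` and `poison_byte` are names made up for this example.

```python
import re

# Constructed sample: three frame lines copied in the format of the log above.
SAMPLE = """\
D:chain:#0 0x00007f3eee32fb3f in isc_stats_decrement (stats=0xdededededededede, counter=counter@entry=3) at stats.c:115
D:chain:#1 0x00007f3eee0fbc3d in dec_adbstats (counter=3, adb=<optimized out>) at adb.c:509
D:chain:#2 free_adbname (namep=namep@entry=0x7f3eecb63500) at adb.c:1307
"""

# One gdb frame line as emitted by the system-test runner ("D:<test>:#N ...").
FRAME = re.compile(
    r"^D:[^:]+:#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) "
    r"\((?P<args>.*)\)(?: at (?P<loc>\S+))?"
)
# name=0x... or name=name@entry=0x... inside the argument list.
ARG = re.compile(r"(\w+)=(?:\w+@entry=)?(0x[0-9a-f]+)")


def poison_byte(value):
    """Return the repeated byte if value is a 64-bit word of one byte, else None."""
    digits = value[2:]
    if len(digits) != 16:
        return None
    byte = digits[:2]
    # All-zero and all-one words are ordinary values (NULL, -1), not fill patterns.
    if digits != byte * 8 or byte in ("00", "ff"):
        return None
    return byte


def suspicious_frames(log):
    """List (frame, function, argument, value, location) for fill-pattern pointers."""
    hits = []
    for line in log.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        for name, value in ARG.findall(m["args"]):
            if poison_byte(value):
                hits.append((int(m["num"]), m["func"], name, value, m["loc"]))
    return hits


if __name__ == "__main__":
    for num, func, name, value, loc in suspicious_frames(SAMPLE):
        print(f"frame #{num} {func}() at {loc}: {name}={value} is a repeated-byte pattern")
```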