AddressSanitizer: heap-use-after-free in dns_zonemgr_releasezone (zonemgr_test)
Happened on the branch, but I think it's not affected by the changes in that branch. Also, the unit-test re-run makes it go away, so I am convinced this is a dormant timing issue.
[==========] Running 4 test(s).
[ RUN ] zonemgr_create
[ OK ] zonemgr_create
[ RUN ] zonemgr_managezone
[ OK ] zonemgr_managezone
[ RUN ] zonemgr_createzone
=================================================================
==13303==ERROR: AddressSanitizer: heap-use-after-free on address 0x6210000079b0 at pc 0x7fe801cc8a76 bp 0x7fe7f58975d0 sp 0x7fe7f58975c8
READ of size 8 at 0x6210000079b0 thread T26
#0 0x7fe801cc8a75 in isc__rwlock_unlock /builds/isc-projects/bind9/lib/isc/rwlock.c:494
#1 0x7fe800e6e8fa in dns_zonemgr_releasezone /builds/isc-projects/bind9/lib/dns/zone.c:18695
#2 0x7fe800e6fb2f in zone_shutdown /builds/isc-projects/bind9/lib/dns/zone.c:14886
#3 0x7fe801c3f1dd in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75
#4 0x7fe8019855be in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68
#5 0x7fe80197bbe7 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384
#6 0x7fe801c5c806 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:270
#7 0x7fe801c5c806 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:297
#8 0x7fe801cc1e53 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:198
#9 0x7fe7ff8a514c in start_thread (/lib64/libc.so.6+0x8b14c)
#10 0x7fe7ff925bb3 in __GI___clone (/lib64/libc.so.6+0x10bbb3)
0x6210000079b0 is located 176 bytes inside of 3976-byte region [0x621000007900,0x621000008888)
freed by thread T0 here:
#0 0x7fe80252e388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7fe801c65636 in sdallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:72
#2 0x7fe801c65636 in mem_put /builds/isc-projects/bind9/lib/isc/mem.c:365
#3 0x7fe801c6d3ce in isc__mem_putanddetach /builds/isc-projects/bind9/lib/isc/mem.c:654
#4 0x7fe800df2500 in zonemgr_free /builds/isc-projects/bind9/lib/dns/zone.c:18829
#5 0x7fe800e74d72 in dns_zonemgr_detach /builds/isc-projects/bind9/lib/dns/zone.c:18723
#6 0x40426f in loop_test_zonemgr_createzone /builds/isc-projects/bind9/tests/dns/zonemgr_test.c:126
#7 0x7fe801c3f1dd in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75
#8 0x7fe8019855be in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68
#9 0x7fe80197bbe7 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384
#10 0x7fe801c5c806 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:270
#11 0x7fe801c5c806 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:297
#12 0x7fe801c6232f in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:477
#13 0x4038a9 in run_test_zonemgr_createzone /builds/isc-projects/bind9/tests/dns/zonemgr_test.c:106
#14 0x7fe800030c0b in cmocka_run_one_test_or_fixture (/lib64/libcmocka.so.0+0x5c0b)
previously allocated by thread T0 here:
#0 0x7fe80252f6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
#1 0x7fe801c67261 in mallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:57
#2 0x7fe801c67261 in mem_get /builds/isc-projects/bind9/lib/isc/mem.c:343
#3 0x7fe801c692d5 in isc__mem_get /builds/isc-projects/bind9/lib/isc/mem.c:774
#4 0x7fe800e6a2d7 in dns_zonemgr_create /builds/isc-projects/bind9/lib/dns/zone.c:18468
#5 0x4041b6 in loop_test_zonemgr_createzone /builds/isc-projects/bind9/tests/dns/zonemgr_test.c:113
#6 0x7fe801c3f1dd in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75
#7 0x7fe8019855be in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68
#8 0x7fe80197bbe7 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384
#9 0x7fe801c5c806 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:270
#10 0x7fe801c5c806 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:297
#11 0x7fe801c6232f in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:477
#12 0x4038a9 in run_test_zonemgr_createzone /builds/isc-projects/bind9/tests/dns/zonemgr_test.c:106
#13 0x7fe800030c0b in cmocka_run_one_test_or_fixture (/lib64/libcmocka.so.0+0x5c0b)
Thread T26 created by T0 here:
#0 0x7fe8024c03e6 in __interceptor_pthread_create (/lib64/libasan.so.8+0x4b3e6)
#1 0x7fe801cae995 in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70
#2 0x7fe801c62159 in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:471
#3 0x4038a9 in run_test_zonemgr_createzone /builds/isc-projects/bind9/tests/dns/zonemgr_test.c:106
#4 0x7fe800030c0b in cmocka_run_one_test_or_fixture (/lib64/libcmocka.so.0+0x5c0b)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/isc-projects/bind9/lib/isc/rwlock.c:494 in isc__rwlock_unlock
Shadow bytes around the buggy address:
0x0c427fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c427fff8f30: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c427fff8f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fff8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fff8f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fff8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c427fff8f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13303==ABORTING