Closed wch closed 6 years ago
This happens with the RDsan build of R from wch1/r-debug. It doesn't happen for me on my Mac. This might be related to #133.
Minimal example:
    docker run --rm -ti wch1/r-debug RDsan
    install.packages('httpuv') # Currently 1.4.2
    library(httpuv)
    startServer("0.0.0.0", 8000, list())
    startServer("0.0.0.0", 8000, list())
    startServer("0.0.0.0", 8001, list()) # Crashes here. Will also crash with 8000.
It happens when you start an app, try to start another app on the same port (which fails), and then try to start another app.
Output:
    > library(httpuv)
    > startServer("0.0.0.0", 8000, list())
    [1] "106858786783336"
    > startServer("0.0.0.0", 8000, list())
    Error in startServer("0.0.0.0", 8000, list()) : Failed to create server
    > startServer("0.0.0.0", 8000, list())
    =================================================================
    ==32185==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000070248 at pc 0x7f35781d4759 bp 0x7f3577d10ea0 sp 0x7f3577d10e90
    WRITE of size 8 at 0x613000070248 thread T1
        #0 0x7f35781d4758 in uv__stream_init src/unix/stream.c:76
        #1 0x7f35781ddcc1 in uv_tcp_init_ex src/unix/tcp.c:127
        #2 0x7f35781dde1e in uv_tcp_init src/unix/tcp.c:146
        #3 0x7f35780cf8ad in createTcpServer(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/http.cpp:120
        #4 0x7f35780d0321 in createTcpServerSync(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/http.cpp:172
        #5 0x7f35781512bd in void boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> >::operator()<void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list0>(boost::_bi::type<void>, void (*&)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list0&, int) /usr/local/RDsan/lib/R/site-library/BH/include/boost/bind/bind.hpp:676
        #6 0x7f357814dc87 in boost::_bi::bind_t<void, void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> > >::operator()() /usr/local/RDsan/lib/R/site-library/BH/include/boost/bind/bind.hpp:1294
        #7 0x7f357814b8d7 in boost::detail::function::void_function_obj_invoker0<boost::_bi::bind_t<void, void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> > >, void>::invoke(boost::detail::function::function_buffer&) /usr/local/RDsan/lib/R/site-library/BH/include/boost/function/function_template.hpp:159
        #8 0x7f35780c1331 in boost::function0<void>::operator()() const /usr/local/RDsan/lib/R/site-library/BH/include/boost/function/function_template.hpp:759
        #9 0x7f35780c4c6b in CallbackQueue::flush() /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/callbackqueue.cpp:47
        #10 0x7f35780c4885 in flush_callback_queue(uv_async_s*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/callbackqueue.cpp:12
        #11 0x7f35781bbd01 in uv__async_io src/unix/async.c:118
        #12 0x7f35781ea310 in uv__io_poll src/unix/linux-core.c:400
        #13 0x7f35781bd9d4 in uv_run src/unix/core.c:368
        #14 0x7f35781339e1 in io_thread(void*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/httpuv.cpp:112
        #15 0x7f3583c517fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
        #16 0x7f3584389b5e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x114b5e)

    0x613000070248 is located 72 bytes inside of 360-byte region [0x613000070200,0x613000070368)
    freed by thread T1 here:
        #0 0x7f35852352d0 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12d0)
        #1 0x7f35780e0465 in boost::detail::sp_counted_impl_pd<Socket*, boost::detail::sp_ms_deleter<Socket> >::~sp_counted_impl_pd() (/usr/local/RDsan/lib/R/site-library/httpuv/libs/httpuv.so+0x31d465)
        #2 0x7f35780d1444 in boost::detail::sp_counted_base::destroy() /usr/local/RDsan/lib/R/site-library/BH/include/boost/smart_ptr/detail/sp_counted_base_std_atomic.hpp:89
        #3 0x7f35780d18f7 in boost::detail::sp_counted_base::weak_release() /usr/local/RDsan/lib/R/site-library/BH/include/boost/smart_ptr/detail/sp_counted_base_std_atomic.hpp:124
        #4 0x7f35780d1730 in boost::detail::sp_counted_base::release() /usr/local/RDsan/lib/R/site-library/BH/include/boost/smart_ptr/detail/sp_counted_base_std_atomic.hpp:111
        #5 0x7f35780d1b52 in boost::detail::shared_count::~shared_count() /usr/local/RDsan/lib/R/site-library/BH/include/boost/smart_ptr/detail/shared_count.hpp:426
        #6 0x7f35780d4446 in boost::shared_ptr<Socket>::~shared_ptr() /usr/local/RDsan/lib/R/site-library/BH/include/boost/smart_ptr/shared_ptr.hpp:341
        #7 0x7f35780d014d in createTcpServer(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/http.cpp:117
        #8 0x7f35780d0321 in createTcpServerSync(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/http.cpp:172
        #9 0x7f35781512bd in void boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> >::operator()<void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list0>(boost::_bi::type<void>, void (*&)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list0&, int) /usr/local/RDsan/lib/R/site-library/BH/include/boost/bind/bind.hpp:676
        #10 0x7f357814dc87 in boost::_bi::bind_t<void, void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> > >::operator()() /usr/local/RDsan/lib/R/site-library/BH/include/boost/bind/bind.hpp:1294
        #11 0x7f357814b8d7 in boost::detail::function::void_function_obj_invoker0<boost::_bi::bind_t<void, void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> > >, void>::invoke(boost::detail::function::function_buffer&) /usr/local/RDsan/lib/R/site-library/BH/include/boost/function/function_template.hpp:159
        #12 0x7f35780c1331 in boost::function0<void>::operator()() const /usr/local/RDsan/lib/R/site-library/BH/include/boost/function/function_template.hpp:759
        #13 0x7f35780c4c6b in CallbackQueue::flush() /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/callbackqueue.cpp:47
        #14 0x7f35780c4885 in flush_callback_queue(uv_async_s*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/callbackqueue.cpp:12
        #15 0x7f35781bbd01 in uv__async_io src/unix/async.c:118
        #16 0x7f35781ea310 in uv__io_poll src/unix/linux-core.c:400
        #17 0x7f35781bd9d4 in uv_run src/unix/core.c:368
        #18 0x7f35781339e1 in io_thread(void*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/httpuv.cpp:112
        #19 0x7f3583c517fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)

    previously allocated by thread T1 here:
        #0 0x7f3585234458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
        #1 0x7f35780dc9e4 in boost::detail::shared_count::shared_count<Socket*, boost::detail::sp_ms_deleter<Socket> >(Socket*, boost::detail::sp_inplace_tag<boost::detail::sp_ms_deleter<Socket> >) (/usr/local/RDsan/lib/R/site-library/httpuv/libs/httpuv.so+0x3199e4)
        #2 0x7f35780da9eb in boost::shared_ptr<Socket>::shared_ptr<Socket, boost::detail::sp_inplace_tag<boost::detail::sp_ms_deleter<Socket> > >(Socket*, boost::detail::sp_inplace_tag<boost::detail::sp_ms_deleter<Socket> >) (/usr/local/RDsan/lib/R/site-library/httpuv/libs/httpuv.so+0x3179eb)
        #3 0x7f35780d8dd8 in boost::detail::sp_if_not_array<Socket>::type boost::make_shared<Socket, boost::shared_ptr<WebApplication>&, CallbackQueue*&>(boost::shared_ptr<WebApplication>&, CallbackQueue*&) (/usr/local/RDsan/lib/R/site-library/httpuv/libs/httpuv.so+0x315dd8)
        #4 0x7f35780cf888 in createTcpServer(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/http.cpp:117
        #5 0x7f35780d0321 in createTcpServerSync(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/http.cpp:172
        #6 0x7f35781512bd in void boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> >::operator()<void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list0>(boost::_bi::type<void>, void (*&)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list0&, int) /usr/local/RDsan/lib/R/site-library/BH/include/boost/bind/bind.hpp:676
        #7 0x7f357814dc87 in boost::_bi::bind_t<void, void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> > >::operator()() /usr/local/RDsan/lib/R/site-library/BH/include/boost/bind/bind.hpp:1294
        #8 0x7f357814b8d7 in boost::detail::function::void_function_obj_invoker0<boost::_bi::bind_t<void, void (*)(uv_loop_s*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, boost::shared_ptr<WebApplication>, CallbackQueue*, uv_stream_s**, Barrier*), boost::_bi::list7<boost::_bi::value<uv_loop_s*>, boost::_bi::value<char const*>, boost::_bi::value<int>, boost::_bi::value<boost::shared_ptr<WebApplication> >, boost::_bi::value<CallbackQueue*>, boost::_bi::value<uv_stream_s**>, boost::_bi::value<Barrier*> > >, void>::invoke(boost::detail::function::function_buffer&) /usr/local/RDsan/lib/R/site-library/BH/include/boost/function/function_template.hpp:159
        #9 0x7f35780c1331 in boost::function0<void>::operator()() const /usr/local/RDsan/lib/R/site-library/BH/include/boost/function/function_template.hpp:759
        #10 0x7f35780c4c6b in CallbackQueue::flush() /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/callbackqueue.cpp:47
        #11 0x7f35780c4885 in flush_callback_queue(uv_async_s*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/callbackqueue.cpp:12
        #12 0x7f35781bbd01 in uv__async_io src/unix/async.c:118
        #13 0x7f35781ea310 in uv__io_poll src/unix/linux-core.c:400
        #14 0x7f35781bd9d4 in uv_run src/unix/core.c:368
        #15 0x7f35781339e1 in io_thread(void*) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/httpuv.cpp:112
        #16 0x7f3583c517fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)

    Thread T1 created by T0 here:
        #0 0x7f358518bd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
        #1 0x7f35781dfd76 in uv_thread_create src/unix/thread.c:198
        #2 0x7f3578133d27 in ensure_io_thread() /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/httpuv.cpp:133
        #3 0x7f357813573c in makeTcpServer(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, Rcpp::Function_Impl<Rcpp::PreserveStorage>, Rcpp::Function_Impl<Rcpp::PreserveStorage>, Rcpp::Function_Impl<Rcpp::PreserveStorage>, Rcpp::Function_Impl<Rcpp::PreserveStorage>, Rcpp::Function_Impl<Rcpp::PreserveStorage>, Rcpp::Function_Impl<Rcpp::PreserveStorage>) /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/httpuv.cpp:234
        #4 0x7f35780ad851 in _httpuv_makeTcpServer /tmp/RtmpIOOdMu/R.INSTALL47bf24cd26c2/httpuv/src/RcppExports.cpp:46
        #5 0x7f3584895cc1 in R_doDotCall /tmp/r-source/src/main/dotcode.c:596
        #6 0x7f35848b1a6c in do_dotcall /tmp/r-source/src/main/dotcode.c:1252
        #7 0x7f358495cbd5 in bcEval /tmp/r-source/src/main/eval.c:6771
        #8 0x7f3584930179 in Rf_eval /tmp/r-source/src/main/eval.c:624
        #9 0x7f3584935e5f in R_execClosure /tmp/r-source/src/main/eval.c:1764
        #10 0x7f35849355b7 in Rf_applyClosure /tmp/r-source/src/main/eval.c:1692
        #11 0x7f358495c321 in bcEval /tmp/r-source/src/main/eval.c:6739
        #12 0x7f3584930179 in Rf_eval /tmp/r-source/src/main/eval.c:624
        #13 0x7f3584935e5f in R_execClosure /tmp/r-source/src/main/eval.c:1764
        #14 0x7f35849355b7 in Rf_applyClosure /tmp/r-source/src/main/eval.c:1692
        #15 0x7f3584931442 in Rf_eval /tmp/r-source/src/main/eval.c:747
        #16 0x7f35849d0ad9 in Rf_ReplIteration /tmp/r-source/src/main/main.c:258
        #17 0x7f35849d0ed4 in R_ReplConsole /tmp/r-source/src/main/main.c:308
        #18 0x7f35849d318d in run_Rmainloop /tmp/r-source/src/main/main.c:1082
        #19 0x7f35849d31a3 in Rf_mainloop /tmp/r-source/src/main/main.c:1089
        #20 0x400942 in main /tmp/r-source/src/main/Rmain.c:29
        #21 0x7f35842961c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)

    SUMMARY: AddressSanitizer: heap-use-after-free src/unix/stream.c:76 in uv__stream_init
    Shadow bytes around the buggy address:
      0x0c2680005ff0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
      0x0c2680006000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c2680006010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2680006020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2680006030: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c2680006040: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
      0x0c2680006050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2680006060: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
      0x0c2680006070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c2680006080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2680006090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==32185==ABORTING
Looking at the stack trace (and exploring with gdb), it appears that the shared_ptr that's allocated here is getting deallocated by the time the very next line (120) is executed. I don't understand how that's happening.
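An added example, not part of the original issue or of httpuv's code: a small Python triage helper that splits an AddressSanitizer heap-use-after-free report like the one above into its access, free and allocation stacks and picks, for each, the first frame in the project's own sources. The sample is abridged from the report above; `parse_report`, `triage` and the `httpuv/src/` marker are names chosen for this example.

```python
import re

# Constructed sample: abridged from the report above (frames dropped, argument
# lists and build paths shortened); addresses and line numbers are the page's.
SAMPLE = """\
WRITE of size 8 at 0x613000070248 thread T1
    #0 0x7f35781d4758 in uv__stream_init src/unix/stream.c:76
    #3 0x7f35780cf8ad in createTcpServer(...) httpuv/src/http.cpp:120
0x613000070248 is located 72 bytes inside of 360-byte region [0x613000070200,0x613000070368)
freed by thread T1 here:
    #0 0x7f35852352d0 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12d0)
    #7 0x7f35780d014d in createTcpServer(...) httpuv/src/http.cpp:117
previously allocated by thread T1 here:
    #0 0x7f3585234458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
    #4 0x7f35780cf888 in createTcpServer(...) httpuv/src/http.cpp:117
Thread T1 created by T0 here:
    #2 0x7f3578133d27 in ensure_io_thread() httpuv/src/httpuv.cpp:133
"""

FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+)$")
SECTIONS = {
    "access": re.compile(r"^(?:READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread T\d+"),
    "free": re.compile(r"^freed by thread T\d+ here:"),
    "alloc": re.compile(r"^previously allocated by thread T\d+ here:"),
}
REGION = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")

def parse_report(text):
    """Split a heap-use-after-free report into access/free/alloc stacks."""
    stacks, region, current = {}, None, None
    for line in text.splitlines():
        name = next((n for n, rx in SECTIONS.items() if rx.match(line)), None)
        frame = FRAME.match(line)
        if name:
            current, stacks[name] = name, []
        elif frame and current:
            stacks[current].append((frame[1], frame[2]))
        else:  # any other line (region note, "Thread T1 created...") ends a stack
            current = None
            m = REGION.search(line)
            region = (int(m[1]), int(m[2])) if m else region
    return stacks, region

def triage(text, marker):
    """Per stack, first frame whose location contains `marker` (code under review)."""
    stacks, region = parse_report(text)
    hits = {}
    for name, frames in stacks.items():
        hit = next(((f, loc) for f, loc in frames if marker in loc), None)
        hits[name] = (hit[0].split("(")[0], hit[1].rsplit("/", 1)[-1]) if hit else None
    # One function heading all three stacks: the object died inside its own user.
    same = len(hits) == 3 and all(hits.values()) and len({h[0] for h in hits.values()}) == 1
    return hits, region, same
```

Calling `triage(SAMPLE, "httpuv/src/")` puts the allocation and the free at `http.cpp:117` and the write at `http.cpp:120`, all inside `createTcpServer`, which is the observation the issue text makes from the full trace.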