zcfh commented on PR #2156: URL: https://github.com/apache/brpc/pull/2156#issuecomment-1925685544
I have not yet been able to construct a minimal example.

After applying the changes from this commit, AddressSanitizer reports heap-use-after-free, but it does not show where the memory was freed. With `--usercode_in_pthread`, the error can no longer be reproduced.

```
==31802==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000141808 at pc 0x000002bc12f4 bp 0x7fbc7639f820 sp 0x7fbc7639f818
READ of size 8 at 0x614000141808 thread T26
    #0 0x2bc12f3 in bthread::KeyTable::get_data(bthread_key_t) const /tmp/third_party/brpc-0.9.6/src/bthread/key.cpp:173:41
    #1 0x2bc12f3 in bthread_getspecific /tmp/third_party/brpc-0.9.6/src/bthread/key.cpp:466:20
    #2 0x1e26d74 in rpc::brpc::ContextHolderImpl<infra::kenv::Context>::Get() /tmp/infra/kess_grpc-v1100/src/main/brpc/kess/rpc/brpc/context_holder.h:54:40
    #3 0x1e26ba1 in rpc::brpc::KEnvHolder<infra::kenv::Context>::Get() /tmp/infra/kess_grpc-v1100/src/main/brpc/kess/rpc/brpc/context_holder.h:106:43
    #4 0x3d75afe in infra::kenv::Context::Get0(void*) /tmp/infra/kenv/src/kenv/context.cc:92:37
    ....
    #10 0x28799fc in brpc::policy::ProcessHttpRequest(brpc::InputMessageBase*) /tmp/third_party/brpc-0.9.6/src/brpc/policy/http_rpc_protocol.cpp:1489:21
    #11 0x283b8ba in brpc::ProcessInputMessage(void*) /tmp/third_party/brpc-0.9.6/src/brpc/input_messenger.cpp:136:5
    #12 0x2bd676e in bthread::TaskGroup::task_runner(long) /tmp/third_party/brpc-0.9.6/src/bthread/task_group.cpp:301:29
    #13 0x2b9fd30 in bthread_make_fcontext (/tmp/brpc/brpc-server+0x2b9fd30)

0x614000141808 is located 8 bytes inside of 256-byte region [0x614000141800,0x614000141900)
freed by thread T19 here:
    #0 0x1df750d in operator delete(void*) /llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:160:3

previously allocated by thread T26 here:
    #0 0x1df6ecd in operator new(unsigned long, std::nothrow_t const&) /llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:105:3

Thread T26 created by T0 here:
    #0 0x1db185a in pthread_create /llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x2bd1147 in bthread::TaskControl::add_workers(int) /tmp/third_party/brpc-0.9.6/src/bthread/task_control.cpp:218:24
    #2 0x2b8afeb in bthread_setconcurrency /tmp/third_party/brpc-0.9.6/src/bthread/bthread.cpp:315:16
    #3 0x2aad924 in brpc::Server::StartInternal(in_addr const&, brpc::PortRange const&, brpc::ServerOptions const*) /tmp/third_party/brpc-0.9.6/src/brpc/server.cpp:914:9
    #4 0x2ab4967 in brpc::Server::Start(butil::EndPoint const&, brpc::ServerOptions const*) /tmp/third_party/brpc-0.9.6/src/brpc/server.cpp:1060:12
    #5 0x2ab4f3e in brpc::Server::Start(int, brpc::ServerOptions const*) /tmp/third_party/brpc-0.9.6/src/brpc/server.cpp:1079:12
    ...
    #11 0x1df9a08 in main /tmp/brpc/src/server.cc:46:30
    #12 0x7fbc9b405554 in __libc_start_main (/lib64/libc.so.6+0x22554)

Thread T19 created by T0 here:
    #0 0x1db185a in pthread_create /llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x2bd0a9d in bthread::TaskControl::init(int) /tmp/third_party/brpc-0.9.6/src/bthread/task_control.cpp:184:24
    #2 0x2b8c025 in bthread::get_or_new_task_control() /tmp/third_party/brpc-0.9.6/src/bthread/bthread.cpp:94:12
    #3 0x2b8a7dd in bthread::start_from_non_worker(unsigned long*, bthread_attr_t const*, void* (*)(void*), void*) /tmp/third_party/brpc-0.9.6/src/bthread/bthread.cpp:131:22
    #4 0x2b8a7dd in bthread_start_background /tmp/third_party/brpc-0.9.6/src/bthread/bthread.cpp:198:12
    #5 0x28160a2 in brpc::GlobalInitializeOrDieImpl() /tmp/third_party/brpc-0.9.6/src/brpc/global.cpp:605:27
    #6 0x7fbc9b9cd20a in __pthread_once_slow (/lib64/libpthread.so.0+0x620a)

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/third_party/brpc-0.9.6/src/bthread/key.cpp:173:41 in bthread::KeyTable::get_data(bthread_key_t) const
Shadow bytes around the buggy address:
  0x0c28800202b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28800202c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28800202d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c28800202e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28800202f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x0c2880020300: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880020310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880020320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2880020330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2880020340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2880020350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==31802==ABORTING
```

Are there any ideas on how to troubleshoot this?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@brpc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org