[darwin-framework-tool] heap-use-after-free when calling chip::app::D… #26000

vivien-apple · 2023-04-06T12:53:20Z

…nssdServer::StartServer at startup

Problem

when darwin-framework-tool starts there is a use after-free:

==14751==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000047f10 at pc 0x0001101fe7b6 bp 0x70000b858c90 sp 0x70000b858c88
READ of size 1 at 0x61e000047f10 thread T1
    #0 0x1101fe7b5 in chip::FabricInfo::IsInitialized() const FabricTable.h:111
    #1 0x1101fe5b8 in chip::FabricTable::HasPendingFabricUpdate() const FabricTable.h:1096
    #2 0x1101fe458 in chip::FabricTable::GetShadowPendingFabricEntry() const FabricTable.h:1091
    #3 0x1101fe410 in chip::FabricTable::cbegin() const FabricTable.h:545
    #4 0x1101c4e3b in chip::FabricTable::begin() const FabricTable.h:552
    #5 0x114ab3a1b in chip::app::DnssdServer::AdvertiseOperational() Dnssd.cpp:153
    #6 0x114ab9796 in chip::app::DnssdServer::StartServer(chip::Dnssd::CommissioningMode) Dnssd.cpp:364
    #7 0x114ab8f33 in chip::app::DnssdServer::StartServer() Dnssd.cpp:343
    #8 0x114aba74a in chip::app::(anonymous namespace)::OnPlatformEvent(chip::DeviceLayer::ChipDeviceEvent const*) Dnssd.cpp:56
    #9 0x114ab9df8 in chip::app::(anonymous namespace)::OnPlatformEventWrapper(chip::DeviceLayer::ChipDeviceEvent const*, long) Dnssd.cpp:66
    #10 0x1149191d5 in chip::DeviceLayer::Internal::GenericPlatformManagerImpl<chip::DeviceLayer::PlatformManagerImpl>::DispatchEventToApplication(chip::DeviceLayer::ChipDeviceEvent const*) GenericPlatformManagerImpl.ipp:336
    #11 0x114918c52 in chip::DeviceLayer::Internal::GenericPlatformManagerImpl<chip::DeviceLayer::PlatformManagerImpl>::_DispatchEvent(chip::DeviceLayer::ChipDeviceEvent const*) GenericPlatformManagerImpl.ipp:301
    #12 0x11491ae40 in chip::DeviceLayer::PlatformManager::DispatchEvent(chip::DeviceLayer::ChipDeviceEvent const*) PlatformManager.h:505
    #13 0x11491adff in invocation function for block in chip::DeviceLayer::PlatformManagerImpl::_PostEvent(chip::DeviceLayer::ChipDeviceEvent const*) PlatformManagerImpl.cpp:150
    #14 0x1070201aa in __wrap_dispatch_async_block_invoke+0xca (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4a1aa)
    #15 0x7ff80efd27fa in _dispatch_call_block_and_release+0xb (libdispatch.dylib:x86_64+0x17fa)
    #16 0x7ff80efd3a43 in _dispatch_client_callout+0x7 (libdispatch.dylib:x86_64+0x2a43)
    #17 0x7ff80efd9ac3 in _dispatch_lane_serial_drain+0x2b5 (libdispatch.dylib:x86_64+0x8ac3)
    #18 0x7ff80efda5e6 in _dispatch_lane_invoke+0x1a0 (libdispatch.dylib:x86_64+0x95e6)
    #19 0x7ff80efe4ad6 in _dispatch_workloop_worker_thread+0x2f9 (libdispatch.dylib:x86_64+0x13ad6)
    #20 0x7ff80f14fce2 in _pthread_wqthread+0x145 (libsystem_pthread.dylib:x86_64+0x2ce2)
    #21 0x7ff80f14ec66 in start_wqthread+0xe (libsystem_pthread.dylib:x86_64+0x1c66)

0x61e000047f10 is located 2704 bytes inside of 2920-byte region [0x61e000047480,0x61e000047fe8)
freed by thread T0 here:
    #0 0x1070210b9 in wrap_free+0xa9 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4b0b9)
    #1 0x1145a6459 in chip::Platform::MemoryFree(void*) CHIPMem-Malloc.cpp:111
    #2 0x11444758d in void chip::Platform::Delete<chip::FabricTable>(chip::FabricTable*) CHIPMem.h:169
    #3 0x114446b43 in chip::Controller::DeviceControllerSystemState::Shutdown() CHIPDeviceControllerFactory.cpp:470
    #4 0x1102010c0 in chip::Controller::DeviceControllerSystemState::Release() CHIPDeviceControllerSystemState.h:163
    #5 0x1101cd7b8 in chip::Controller::DeviceControllerFactory::ReleaseSystemState() CHIPDeviceControllerFactory.h:175
    #6 0x1101ccd40 in __59-[MTRDeviceControllerFactory startControllerFactory:error:]_block_invoke MTRDeviceControllerFactory.mm:471
    #7 0x7ff80efd3a43 in _dispatch_client_callout+0x7 (libdispatch.dylib:x86_64+0x2a43)
    #8 0x7ff80efe136a in _dispatch_lane_barrier_sync_invoke_and_complete+0x3b (libdispatch.dylib:x86_64+0x1036a)
    #9 0x1101c5f0e in -[MTRDeviceControllerFactory startControllerFactory:error:] MTRDeviceControllerFactory.mm:301
    #10 0x1031096d9 in CHIPCommandBridge::MaybeSetUpStack() CHIPCommandBridge.mm:130
    #11 0x103107899 in CHIPCommandBridge::Run() CHIPCommandBridge.mm:41
    #12 0x1030b03f5 in Commands::RunCommand(int, char**, bool) Commands.cpp:271
    #13 0x1030adf87 in Commands::Run(int, char**) Commands.cpp:144
    #14 0x1032678a2 in main main.mm:48
    #15 0x7ff80ee2030f  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x107020f70 in wrap_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4af70)
    #1 0x1145a5d20 in chip::Platform::MemoryAlloc(unsigned long) CHIPMem-Malloc.cpp:91
    #2 0x11444b391 in chip::FabricTable* chip::Platform::New<chip::FabricTable>() CHIPMem.h:145
    #3 0x1144432bb in std::__1::unique_ptr<chip::FabricTable, chip::Platform::Deleter<chip::FabricTable> > chip::Platform::MakeUnique<chip::FabricTable>() CHIPMem.h:184
    #4 0x11443f2d6 in chip::Controller::DeviceControllerFactory::InitSystemState(chip::Controller::FactoryInitParams) CHIPDeviceControllerFactory.cpp:180
    #5 0x11443df04 in chip::Controller::DeviceControllerFactory::Init(chip::Controller::FactoryInitParams) CHIPDeviceControllerFactory.cpp:67
    #6 0x1101cc6c0 in __59-[MTRDeviceControllerFactory startControllerFactory:error:]_block_invoke MTRDeviceControllerFactory.mm:447
    #7 0x7ff80efd3a43 in _dispatch_client_callout+0x7 (libdispatch.dylib:x86_64+0x2a43)
    #8 0x7ff80efe136a in _dispatch_lane_barrier_sync_invoke_and_complete+0x3b (libdispatch.dylib:x86_64+0x1036a)
    #9 0x1101c5f0e in -[MTRDeviceControllerFactory startControllerFactory:error:] MTRDeviceControllerFactory.mm:301
    #10 0x1031096d9 in CHIPCommandBridge::MaybeSetUpStack() CHIPCommandBridge.mm:130
    #11 0x103107899 in CHIPCommandBridge::Run() CHIPCommandBridge.mm:41
    #12 0x1030b03f5 in Commands::RunCommand(int, char**, bool) Commands.cpp:271
    #13 0x1030adf87 in Commands::Run(int, char**) Commands.cpp:144
    #14 0x1032678a2 in main main.mm:48
    #15 0x7ff80ee2030f  (<unknown module>)

Thread T1 created by T0 here:
    <empty stack>

github-actions · 2023-04-06T13:03:29Z

PR #26000: Size comparison from 14ffac0 to d4dcdd4

Increases (1 build for cc32xx)

platform	target	config	section	`14ffac0`	`d4dcdd4`	change
cc32xx	lock	CC3235SF_LAUNCHXL	.debug_aranges	87608	87616	8
			.debug_frame	301328	301352	24
			.debug_info	20302987	20303469	482
			.debug_line	`2679748`	`2679881`	133
			.debug_loc	2824679	2824786	107
			.debug_ranges	286200	286208	8
			.debug_str	`3039406`	`3039457`	51
			.symtab	256768	256784	16

Full report (1 build for cc32xx)

platform	target	config	section	`14ffac0`	`d4dcdd4`	change
cc32xx	lock	CC3235SF_LAUNCHXL		0	0	0
			(read only)	642745	642745	0
			(read/write)	203848	203848	0
			.ARM.attributes	44	44	0
			.ARM.exidx	8	8	0
			.bss	197248	197248	0
			.comment	194	194	0
			.data	1480	1480	0
			.debug_abbrev	933099	933099	0
			.debug_aranges	87608	87616	8
			.debug_frame	301328	301352	24
			.debug_info	20302987	20303469	482
			.debug_line	`2679748`	`2679881`	133
			.debug_loc	2824679	2824786	107
			.debug_ranges	286200	286208	8
			.debug_str	`3039406`	`3039457`	51
			.ramVecs	780	780	0
			.resetVecs	64	64	0
			.rodata	104289	104289	0
			.shstrtab	232	232	0
			.stab	204	204	0
			.stabstr	441	441	0
			.stack	2048	2048	0
			.strtab	377422	377422	0
			.symtab	256768	256784	16
			.text	536336	536336	0

src/app/server/Dnssd.cpp

github-actions · 2023-04-07T14:50:59Z

PR #26000: Size comparison from 6eded52 to 8f6b5f3

Increases (1 build for cc32xx)

platform	target	config	section	`6eded52`	`8f6b5f3`	change
cc32xx	lock	CC3235SF_LAUNCHXL	(read only)	642745	642753	8
			.debug_aranges	87608	87624	16
			.debug_frame	301328	301368	40
			.debug_info	20302992	20303740	748
			.debug_line	2679759	2679968	209
			.debug_loc	2824679	2824855	176
			.debug_ranges	286200	286248	48
			.debug_str	`3039406`	`3039508`	102
			.rodata	104289	104297	8
			.strtab	377422	377487	65
			.symtab	256768	256816	48

Full report (1 build for cc32xx)

platform	target	config	section	`6eded52`	`8f6b5f3`	change
cc32xx	lock	CC3235SF_LAUNCHXL		0	0	0
			(read only)	642745	642753	8
			(read/write)	203848	203848	0
			.ARM.attributes	44	44	0
			.ARM.exidx	8	8	0
			.bss	197248	197248	0
			.comment	194	194	0
			.data	1480	1480	0
			.debug_abbrev	933119	933119	0
			.debug_aranges	87608	87624	16
			.debug_frame	301328	301368	40
			.debug_info	20302992	20303740	748
			.debug_line	2679759	2679968	209
			.debug_loc	2824679	2824855	176
			.debug_ranges	286200	286248	48
			.debug_str	`3039406`	`3039508`	102
			.ramVecs	780	780	0
			.resetVecs	64	64	0
			.rodata	104289	104297	8
			.shstrtab	232	232	0
			.stab	204	204	0
			.stabstr	441	441	0
			.stack	2048	2048	0
			.strtab	377422	377487	65
			.symtab	256768	256816	48
			.text	536336	536336	0

…nssdServer::StartServer at startup

github-actions · 2023-04-11T10:30:05Z

PR #26000: Size comparison from ed5ebd2 to c082069

Increases (1 build for cc32xx)

platform	target	config	section	`ed5ebd2`	`c082069`	change	% change
cc32xx	lock	CC3235SF_LAUNCHXL	(read only)	642945	643121	176	0.0
			.debug_aranges	87616	87648	32	0.0
			.debug_frame	301352	301464	112	0.0
			.debug_info	20303341	20304699	1358	0.0
			.debug_line	2679963	2680377	414	0.0
			.debug_loc	2824782	2824921	139	0.0
			.debug_ranges	286208	286240	32	0.0
			.debug_str	`3039557`	3039659	102	0.0
			.rodata	104353	104361	8	0.0
			.strtab	377533	377871	338	0.1
			.symtab	256800	256944	144	0.1
			.text	536472	536640	168	0.0

Full report (1 build for cc32xx)

platform	target	config	section	`ed5ebd2`	`c082069`	change	% change
cc32xx	lock	CC3235SF_LAUNCHXL		0	0	0	0.0
			(read only)	642945	643121	176	0.0
			(read/write)	203848	203848	0	0.0
			.ARM.attributes	44	44	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	197248	197248	0	0.0
			.comment	194	194	0	0.0
			.data	1480	1480	0	0.0
			.debug_abbrev	933129	933129	0	0.0
			.debug_aranges	87616	87648	32	0.0
			.debug_frame	301352	301464	112	0.0
			.debug_info	20303341	20304699	1358	0.0
			.debug_line	2679963	2680377	414	0.0
			.debug_loc	2824782	2824921	139	0.0
			.debug_ranges	286208	286240	32	0.0
			.debug_str	`3039557`	3039659	102	0.0
			.ramVecs	780	780	0	0.0
			.resetVecs	64	64	0	0.0
			.rodata	104353	104361	8	0.0
			.shstrtab	232	232	0	0.0
			.stab	204	204	0	0.0
			.stabstr	441	441	0	0.0
			.stack	2048	2048	0	0.0
			.strtab	377533	377871	338	0.1
			.symtab	256800	256944	144	0.1
			.text	536472	536640	168	0.0

vivien-apple self-assigned this Apr 6, 2023

pullapprove bot requested review from amitnj, andy31415, anush-apple, arkq, bzbarsky-apple, carol-apple, chrisdecenzo and chshu April 6, 2023 12:53

github-actions bot added app controller labels Apr 6, 2023

pullapprove bot requested review from sharadb-amazon, tcarmelveilleux, tecimovic, tehampson, turon, vijs, woody-apple, xylophone21, younghak-hwang and yunhanw-google April 6, 2023 12:53

pullapprove bot added review - pending controller app and removed controller app labels Apr 6, 2023

andy31415 approved these changes Apr 6, 2023

View reviewed changes

bzbarsky-apple approved these changes Apr 6, 2023

View reviewed changes

pullapprove bot added review - approved and removed review - pending labels Apr 6, 2023

bzbarsky-apple reviewed Apr 6, 2023

View reviewed changes

src/app/server/Dnssd.cpp Outdated Show resolved Hide resolved

vivien-apple force-pushed the Darwin_HeapUseAfterFreeWhenCalling_chip_app_DnssdServer_StartServer branch from d4dcdd4 to 8f6b5f3 Compare April 7, 2023 14:35

github-actions bot added the lib label Apr 7, 2023

vivien-apple force-pushed the Darwin_HeapUseAfterFreeWhenCalling_chip_app_DnssdServer_StartServer branch from 8f6b5f3 to 96c01c8 Compare April 11, 2023 10:09

[darwin-framework-tool] heap-use-after-free when calling chip::app::D…

c082069

…nssdServer::StartServer at startup

vivien-apple force-pushed the Darwin_HeapUseAfterFreeWhenCalling_chip_app_DnssdServer_StartServer branch from 96c01c8 to c082069 Compare April 11, 2023 10:16

vivien-apple mentioned this pull request Apr 14, 2023

[darwin-framework-tool] Add is_asan proper supports #26014

Merged

bzbarsky-apple merged commit c5216d1 into project-chip:master Apr 14, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[darwin-framework-tool] heap-use-after-free when calling chip::app::D… #26000

[darwin-framework-tool] heap-use-after-free when calling chip::app::D… #26000

vivien-apple commented Apr 6, 2023

github-actions bot commented Apr 6, 2023

github-actions bot commented Apr 7, 2023

github-actions bot commented Apr 11, 2023

[darwin-framework-tool] heap-use-after-free when calling chip::app::D… #26000

[darwin-framework-tool] heap-use-after-free when calling chip::app::D… #26000

Conversation

vivien-apple commented Apr 6, 2023

Problem

github-actions bot commented Apr 6, 2023

github-actions bot commented Apr 7, 2023

github-actions bot commented Apr 11, 2023