AddressSanitizer: heap-use-after-free at join_current_vcpu_into_workpool exited #1024

@ivanallen

Description

An access violation occasionally occurred during the unit test.

The reason is that WorkPool::~impl() finishes before WorkPool::impl::main_loop() has completely exited.

==3891==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f82399e5800 at pc 0x000000af7f33 bp 0x7f8236ecd550 sp 0x7f8236ecd540
WRITE of size 1 at 0x7f82399e5800 thread T4 (reactor_1)
    #0 0xaf7f32 in std::__atomic_base<bool>::store(bool, std::memory_order) /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/atomic_base.h:464
    #1 0xaf7f32 in std::atomic<bool>::store(bool, std::memory_order) /opt/rh/gcc-toolset-12/root/usr/include/c++/12/atomic:104
    #2 0x75f2143 in photon::spinlock::unlock() /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/p/photon/0.9.2-rc2/source/photon/include/photon/thread/thread.h:226
    #3 0x75f35fc in photon::locker<photon::spinlock>::~locker() /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/p/photon/0.9.2-rc2/source/photon/include/photon/thread/thread.h:360
    #4 0x75f301b in photon::WorkPool::impl::remove_vcpu() (/root/jenkins/sharedspace/build/linux/x86_64/coverage/test_shard_entity+0x75f301b) (BuildId: b9bc8c5e40429821063c64ce3bbd65c30f3885e4)
    #5 0x75f3280 in photon::WorkPool::impl::main_loop() (/root/jenkins/sharedspace/build/linux/x86_64/coverage/test_shard_entity+0x75f3280) (BuildId: b9bc8c5e40429821063c64ce3bbd65c30f3885e4)
    #6 0x75f340a in photon::WorkPool::impl::join_current_vcpu_into_workpool() (/root/jenkins/sharedspace/build/linux/x86_64/coverage/test_shard_entity+0x75f340a) (BuildId: b9bc8c5e40429821063c64ce3bbd65c30f3885e4)
    #7 0x75f1ef9 in photon::WorkPool::join_current_vcpu_into_workpool() /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/p/photon/0.9.2-rc2/source/photon/thread/workerpool.cpp:215
    #8 0x3e5598c in xbase::photon::WorkerPool::join_current_vcpu_into_workpool(unsigned long) /var/xblock/xmake_globaldir/.xmake/packages/x/xbase/2.3.1/9dce03ed78864f33801c90f84fc022ce/include/xbase/photon/worker_pool.h:32
    #9 0x3e578d0 in bs::shard::init()::{lambda(unsigned long)#1}::operator()(unsigned long) const::{lambda()#1}::operator()() const src/bdev/store/xdfs_sdk_adaptor/xdfs_sdk_module.cc:50
    #10 0x3e96c0c in photon::FunctorWrapper<bs::shard::init()::{lambda(unsigned long)#1}::operator()(unsigned long) const::{lambda()#1}>::operator()() /var/xblock/xmake_globaldir/.xmake/packages/p/photon/0.9.2-rc2/e35baf9b88ba4553bfb3f28553b6d222/include/photon/thread/thread11.h:54
    #11 0x3e9180e in decltype(auto) tuple_assistance::apply_impl<photon::FunctorWrapper<bs::shard::init()::{lambda(unsigned long)#1}::operator()(unsigned long) const::{lambda()#1}>, std::tuple<>>(photon::FunctorWrapper<bs::shard::init()::{lambda(unsigned long)#1}::operator()(unsigned long) const::{lambda()#1}>&&, std::tuple<>&&, std::integer_sequence<unsigned long>) /var/xblock/xmake_globaldir/.xmake/packages/p/photon/0.9.2-rc2/e35baf9b88ba4553bfb3f28553b6d222/include/photon/common/tuple-assistance.h:80
    #12 0x3e918ea in decltype(auto) tuple_assistance::apply<photon::FunctorWrapper<bs::shard::init()::{lambda(unsigned long)#1}::operator()(unsigned long) const::{lambda()#1}>, std::tuple<> >(photon::FunctorWrapper<bs::shard::init()::{lambda(unsigned long)#1}::operator()(unsigned long) const::{lambda()#1}>&&, std::tuple<>&&) /var/xblock/xmake_globaldir/.xmake/packages/p/photon/0.9.2-rc2/e35baf9b88ba4553bfb3f28553b6d222/include/photon/common/tuple-assistance.h:87
    #13 0x3e4f8a1 in __stub11<std::pair<photon::FunctorWrapper<bs::shard::init(bs::shard::init()::_ZN2bs5shard13initEv.Frame*)::<lambda(std::size_t)>::<lambda()> >, std::tuple<> > > /var/xblock/xmake_globaldir/.xmake/packages/p/photon/0.9.2-rc2/e35baf9b88ba4553bfb3f28553b6d222/include/photon/thread/thread11.h:31
    #14 0x7603f41  (/root/jenkins/sharedspace/build/linux/x86_64/coverage/test_shard_entity+0x7603f41) (BuildId: b9bc8c5e40429821063c64ce3bbd65c30f3885e4)

0x7f82399e5800 is located 0 bytes inside of 1573184-byte region [0x7f82399e5800,0x7f8239b65940)
freed by thread T7 here:
    #0 0x7f8250cbcda5 in operator delete(void*, unsigned long, std::align_val_t) (/lib64/libasan.so.8+0xfeda5) (BuildId: 1f796f35bce45eb23165a3b40a2f8a8fd149a0c2)
    #1 0x75f5d05 in std::default_delete<photon::WorkPool::impl>::operator()(photon::WorkPool::impl*) const /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/unique_ptr.h:95
    #2 0x75f44f9 in std::unique_ptr<photon::WorkPool::impl, std::default_delete<photon::WorkPool::impl> >::~unique_ptr() /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/unique_ptr.h:396
    #3 0x75f1d7d in photon::WorkPool::~WorkPool() /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/p/photon/0.9.2-rc2/source/photon/thread/workerpool.cpp:195
    #4 0x75dc86d in std::default_delete<photon::WorkPool>::operator()(photon::WorkPool*) const /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/unique_ptr.h:95
    #5 0x75dc86d in std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >::~unique_ptr() /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/unique_ptr.h:396
    #6 0x75dc86d in void std::destroy_at<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> > >(std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*) /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/stl_construct.h:88
    #7 0x75dc86d in void std::_Destroy<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> > >(std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*) /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/stl_construct.h:149
    #8 0x75dc86d in void std::_Destroy_aux<false>::__destroy<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*>(std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*, std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*) /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/stl_construct.h:163
    #9 0x75dc86d in void std::_Destroy<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*>(std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*, std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*) /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/stl_construct.h:196
    #10 0x75dc86d in void std::_Destroy<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*, std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> > >(std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*, std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >*, std::allocator<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> > >&) /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/alloc_traits.h:850
    #11 0x75dc86d in std::vector<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> >, std::allocator<std::unique_ptr<photon::WorkPool, std::default_delete<photon::WorkPool> > > >::~vector() /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/stl_vector.h:730
    #12 0x75dc86d in xbase::photon::WorkerPool::~WorkerPool() include/xbase/photon/worker_pool.h:12
    #13 0x75dc86d in operator() src/photon/worker_pool.cc:27
    #14 0x75dc86d in __invoke_impl<void, xbase::photon::detail::destroy_work_pool()::<lambda()> > /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/invoke.h:61
    #15 0x75dc86d in __invoke<xbase::photon::detail::destroy_work_pool()::<lambda()> > /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/invoke.h:96
    #16 0x75dc86d in _M_invoke<0> /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/std_thread.h:258
    #17 0x75dc86d in operator() /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/std_thread.h:265
    #18 0x75dc86d in _M_run /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/std_thread.h:210
    #19 0x7f824feb9a13 in execute_native_thread_routine (/lib64/libstdc++.so.6+0xdba13) (BuildId: 6e59e8dc2b85e2825741b184f6784307b8623324)

previously allocated by thread T2 (reactor_0) here:
    #0 0x7f8250cbbac8 in operator new(unsigned long, std::align_val_t) (/lib64/libasan.so.8+0xfdac8) (BuildId: 1f796f35bce45eb23165a3b40a2f8a8fd149a0c2)
    #1 0x75f1d07 in photon::WorkPool::WorkPool(unsigned long, int, int, int) /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/p/photon/0.9.2-rc2/source/photon/thread/workerpool.cpp:193
    #2 0x75e0f00 in xbase::photon::WorkerPool::WorkerPool(unsigned long, int) include/xbase/photon/worker_pool.h:17
    #3 0x75e0f00 in xbase::photon::detail::init_work_pool(unsigned long) src/photon/worker_pool.cc:17
    #4 0x7f824f1fc3a7 in __pthread_once_slow (/lib64/libc.so.6+0x8f3a7) (BuildId: b5fa5a9afce174ac5751cad3fcbfacbc10158cfd)

Thread T4 (reactor_1) created by T2 (reactor_0) here:
    #0 0x7f8250cb21b9 in pthread_create (/lib64/libasan.so.8+0xf41b9) (BuildId: 1f796f35bce45eb23165a3b40a2f8a8fd149a0c2)
    #1 0xacba549 in eal_worker_thread_create ../lib/eal/linux/eal.c:953
    #2 0xacbb5ad in rte_eal_init ../lib/eal/linux/eal.c:1250
    #3 0xab61446 in spdk_env_init /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/s/spdk/11.0.2/source/spdk/lib/env_dpdk/init.c:678
    #4 0xab6dced in app_setup_env /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/s/spdk/11.0.2/source/spdk/lib/event/app.c:422
    #5 0xab76494 in spdk_app_start /var/xblock/xmake_globaldir/.xmake/cache/packages/2510/s/spdk/11.0.2/source/spdk/lib/event/app.c:796
    #6 0x73afd3f in operator() src/test/spdk_runner.cc:124
    #7 0x73b9511 in __invoke_impl<void, SpdkRunner::start()::<lambda()> > /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/invoke.h:61
    #8 0x73b941d in __invoke<SpdkRunner::start()::<lambda()> > /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/invoke.h:96
    #9 0x73b9014 in _M_invoke<0> /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/std_thread.h:258
    #10 0x73b8ce4 in operator() /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/std_thread.h:265
    #11 0x73b8b0e in _M_run /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/std_thread.h:210
    #12 0x7f824feb9a13 in execute_native_thread_routine (/lib64/libstdc++.so.6+0xdba13) (BuildId: 6e59e8dc2b85e2825741b184f6784307b8623324)

Thread T2 (reactor_0) created by T0 here:
    #0 0x7f8250cb21b9 in pthread_create (/lib64/libasan.so.8+0xf41b9) (BuildId: 1f796f35bce45eb23165a3b40a2f8a8fd149a0c2)
    #1 0x7f824feb9ae8 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib64/libstdc++.so.6+0xdbae8) (BuildId: 6e59e8dc2b85e2825741b184f6784307b8623324)
    #2 0x73b0044 in SpdkRunner::start() src/test/spdk_runner.cc:122
    #3 0x73a94fb in main src/test/spdk_testing_main.cc:22
    #4 0x7f824f1965cf in __libc_start_call_main (/lib64/libc.so.6+0x295cf) (BuildId: b5fa5a9afce174ac5751cad3fcbfacbc10158cfd)

Thread T7 created by T2 (reactor_0) here:
    #0 0x7f8250cb21b9 in pthread_create (/lib64/libasan.so.8+0xf41b9) (BuildId: 1f796f35bce45eb23165a3b40a2f8a8fd149a0c2)
    #1 0x7f824feb9ae8 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib64/libstdc++.so.6+0xdbae8) (BuildId: 6e59e8dc2b85e2825741b184f6784307b8623324)
    #2 0x7f824f1fc3a7 in __pthread_once_slow (/lib64/libc.so.6+0x8f3a7) (BuildId: b5fa5a9afce174ac5751cad3fcbfacbc10158cfd)

SUMMARY: AddressSanitizer: heap-use-after-free /opt/rh/gcc-toolset-12/root/usr/include/c++/12/bits/atomic_base.h:464 in std::__atomic_base<bool>::store(bool, std::memory_order)
Shadow bytes around the buggy address:
  0x7f82399e5580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f82399e5600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f82399e5680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f82399e5700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7f82399e5780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x7f82399e5800:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f82399e5880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f82399e5900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f82399e5980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f82399e5a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x7f82399e5a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3891==ABORTING
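The lifetime race in the report, as an added example that is not photon's code: the pool, its member names and the scenario harness below are all illustrative, and the only facts taken from the report are the shape of the bug (a vcpu's main_loop() is still running, and its remove_vcpu() still unlocks a spinlock that lives inside impl, after ~impl has let the object be freed). The example shows the contract that closes it: the joined thread's final access to the pool must be the one the destructor waits on, with no lock held across it and nothing touching the object afterwards. Build with -fsanitize=address to confirm the destructor ordering stays clean.

```cpp
// Added example, not photon's code: a minimal work pool that foreign threads
// "join", plus a destructor that waits for every joined thread's LAST access
// to the pool before the memory goes away. All names here are illustrative.
#include <atomic>
#include <chrono>
#include <cstddef>
#include <memory>
#include <thread>
#include <vector>

struct SpinLock {
    std::atomic<bool> locked{false};
    void lock() {
        while (locked.exchange(true, std::memory_order_acquire))
            std::this_thread::yield();
    }
    // The same kind of one-byte store that ASan flagged above, living inside
    // the pool object: it must never run after the pool may have been freed.
    void unlock() { locked.store(false, std::memory_order_release); }
};

class Pool {
public:
    ~Pool() {
        stop_.store(true, std::memory_order_release);
        // Block until every joined vcpu has performed its final access to *this.
        // Only then may unique_ptr / operator delete release the memory.
        while (active_.load(std::memory_order_acquire) != 0)
            std::this_thread::yield();
    }

    // Number of vcpus currently inside join_current_vcpu_into_workpool().
    std::size_t active() const { return active_.load(std::memory_order_acquire); }

    // Entered on a thread the pool does not own (a DPDK reactor in the report).
    // Returns how many loop iterations this vcpu ran.
    std::size_t join_current_vcpu_into_workpool() {
        active_.fetch_add(1, std::memory_order_acq_rel);
        std::size_t iters = main_loop();
        remove_vcpu();
        // Nothing after remove_vcpu() may touch *this: the owner's destructor
        // may already be running and the object may already be freed.
        return iters;
    }

private:
    std::size_t main_loop() {
        std::size_t iters = 0;
        while (!stop_.load(std::memory_order_acquire)) {
            lock_.lock();
            ++work_done_;      // shared state, protected by the spinlock
            lock_.unlock();    // lock scope ends here, before remove_vcpu()
            ++iters;
            std::this_thread::yield();
        }
        return iters;
    }

    // In the report the write into freed memory was spinlock::unlock() from
    // ~locker at the end of remove_vcpu(): whatever allowed ~impl to proceed
    // happened before that unlock. Here the decrement itself is the final
    // access, and no lock is held across it.
    void remove_vcpu() { active_.fetch_sub(1, std::memory_order_acq_rel); }

    SpinLock lock_;
    std::size_t work_done_ = 0;
    std::atomic<bool> stop_{false};
    std::atomic<std::size_t> active_{0};
};

// Owner side (constructed harness): start n foreign threads, let them all
// join, then tear the pool down while they are still looping. Returns how
// many vcpus returned from the join cleanly.
std::size_t run_scenario(std::size_t n_vcpus) {
    auto pool = std::make_unique<Pool>();
    Pool* raw = pool.get();   // worker threads never touch the unique_ptr itself
    std::atomic<std::size_t> exited{0};
    std::vector<std::thread> reactors;
    for (std::size_t i = 0; i < n_vcpus; ++i) {
        reactors.emplace_back([raw, &exited] {
            raw->join_current_vcpu_into_workpool();
            exited.fetch_add(1, std::memory_order_relaxed);
        });
    }
    // A join that starts after teardown would itself be a use-after-free, so
    // the owner must know every vcpu is inside the pool before destroying it.
    while (raw->active() < n_vcpus)
        std::this_thread::yield();
    std::this_thread::sleep_for(std::chrono::milliseconds(5));
    pool.reset();   // ~Pool waits for active_ == 0, then the memory is freed
    for (auto& t : reactors) t.join();
    return exited.load();
}

int main() { return run_scenario(4) == 4 ? 0 : 1; }
```

The design point is the same one a reference count relies on: the last thing a departing thread does to the object is a single atomic operation, and the destructor synchronizes on exactly that operation. Any member access after it, including an unlock emitted by a RAII guard's destructor, reopens the race.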
