C++ ASAN reports heap-use-after-free while boost::asio calls plain recv on a socket

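I have about 100 open TCP sockets monitoring some remote devices. It is a pure master-slave communication, where the server is the master (it connects to the devices) and the devices are the slaves.

The master periodically sends a request to all the devices and waits for the responses to arrive. Only after a send operation is considered successful (the handler handle_send has been called) does the socket start async reads, until the message is complete. When the server has received a good message, it stops issuing async_read_some, because it should not receive any more messages.

Randomly, ASAN complains about an unallocated buffer during the recv phase (when the actual system call "recvmsg" is made [see boost 1.66 /usr/include/boost/asio/detail/impl/socket_ops.ipp:784]).

We are on a Linux machine, and the same problem also happens when I use boost 1.53.

Here is the stack trace: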

==7779==ERROR: AddressSanitizer: heap-use-after-free on address 0x611001478a40 at pc 0x503308 bp 0x7ffdea424a70 sp 0x7ffdea424a40
WRITE of size 53 at 0x611001478a40 thread T0
\#0 0x503307 in __interceptor_recvmsg (/usr/tsp/bin/tspinger+0x503307)
\#1 0x8a62c7 in boost::asio::detail::socket_ops::recv(int, iovec*, unsigned long, int, boost::system::error_code&) /usr/include/boost/asio/detail/impl/socket_ops.ipp:784
\#2 0x8a5457 in boost::asio::detail::socket_ops::non_blocking_recv(int, iovec*, unsigned long, int, bool, boost::system::error_code&, unsigned long&) /usr/include/boost/asio/detail/impl/socket_ops.ipp:877
\#3 0x8a4ac3 in boost::asio::detail::reactive_socket_recv_op_base<boost::asio::mutable_buffers_1>::do_perform(boost::asio::detail::reactor_op*) /usr/include/boost/asio/detail/reactive_socket_recv_op.hpp:55
\#4 0x681c4e in boost::asio::detail::reactor_op::perform() /usr/include/boost/asio/detail/reactor_op.hpp:44
\#5 0x6f9a98 in boost::asio::detail::epoll_reactor::descriptor_state::perform_io(unsigned int) /usr/include/boost/asio/detail/impl/epoll_reactor.ipp:743
\#6 0x6f8a30 in boost::asio::detail::epoll_reactor::descriptor_state::do_complete(void*, boost::asio::detail::scheduler_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/impl/epoll_reactor.ipp:774
\#7 0x603207 in boost::asio::detail::scheduler_operation::complete(void*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/scheduler_operation.hpp:40
\#8 0x5fe649 in boost::asio::detail::scheduler::do_run_one(boost::asio::detail::conditionally_enabled_mutex::scoped_lock&, boost::asio::detail::scheduler_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/scheduler.ipp:401
\#9 0x5fc7d1 in boost::asio::detail::scheduler::run(boost::system::error_code&) /usr/include/boost/asio/detail/impl/scheduler.ipp:154
\#10 0x5e5e85 in boost::asio::io_context::run() /usr/include/boost/asio/impl/io_context.ipp:62
0x611001478a40 is located 0 bytes inside of 209-byte region [0x611001478a40,0x611001478b11)
freed by thread T0 here:
==7779==AddressSanitizer CHECK failed: /builddir/build/BUILD/llvm-3.4.2.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_stackdepot.cc:184 "((id & (1u << 31))) == ((0))" (0x80000000, 0x0)
\#0 0x52fe0f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/tsp/bin/tspinger+0x52fe0f)
\#1 0x535671 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/tsp/bin/tspinger+0x535671)
\#2 0x53bb8d in __sanitizer::StackDepotGet(unsigned int, unsigned long*) (/usr/tsp/bin/tspinger+0x53bb8d)
\#3 0x4f0c54 in __asan::AsanChunkView::GetFreeStack(__sanitizer::StackTrace*) (/usr/tsp/bin/tspinger+0x4f0c54)
\#4 0x52d096 in __asan::DescribeHeapAddress(unsigned long, unsigned long) (/usr/tsp/bin/tspinger+0x52d096)
\#5 0x52e211 in __asan_report_error (/usr/tsp/bin/tspinger+0x52e211)
\#6 0x503323 in __interceptor_recvmsg (/usr/tsp/bin/tspinger+0x503323)
\#7 0x8a62c7 in boost::asio::detail::socket_ops::recv(int, iovec*, unsigned long, int, boost::system::error_code&) /usr/include/boost/asio/detail/impl/socket_ops.ipp:784
\#8 0x8a5457 in boost::asio::detail::socket_ops::non_blocking_recv(int, iovec*, unsigned long, int, bool, boost::system::error_code&, unsigned long&) /usr/include/boost/asio/detail/impl/socket_ops.ipp:877
\#9 0x8a4ac3 in boost::asio::detail::reactive_socket_recv_op_base<boost::asio::mutable_buffers_1>::do_perform(boost::asio::detail::reactor_op*) /usr/include/boost/asio/detail/reactive_socket_recv_op.hpp:55
\#10 0x681c4e in boost::asio::detail::reactor_op::perform() /usr/include/boost/asio/detail/reactor_op.hpp:44
\#11 0x6f9a98 in boost::asio::detail::epoll_reactor::descriptor_state::perform_io(unsigned int) /usr/include/boost/asio/detail/impl/epoll_reactor.ipp:743
\#12 0x6f8a30 in boost::asio::detail::epoll_reactor::descriptor_state::do_complete(void*, boost::asio::detail::scheduler_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/impl/epoll_reactor.ipp:774
\#13 0x603207 in boost::asio::detail::scheduler_operation::complete(void*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/scheduler_operation.hpp:40
\#14 0x5fe649 in boost::asio::detail::scheduler::do_run_one(boost::asio::detail::conditionally_enabled_mutex::scoped_lock&, boost::asio::detail::scheduler_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/scheduler.ipp:401
\#15 0x5fc7d1 in boost::asio::detail::scheduler::run(boost::system::error_code&) /usr/include/boost/asio/detail/impl/scheduler.ipp:154
\#16 0x5e5e85 in boost::asio::io_context::run() /usr/include/boost/asio/impl/io_context.ipp:62
Can you try running under export ASAN_OPTIONS=detect_container_overflow=0?

I am using libasan-4.8.5 (because of the CentOS 7 environment). I tried setting that option but got the same result.

"I can't get this: ASAN shows the same points of memory use and free" - ASAN failed to show the point of free because some internal assertion failed (the buffer's header got corrupted, most likely due to memory corruption). It then shows you the stack trace of the assertion instead of the free. Now about the failure, we probably need to see the wider context of the call to socket_.async_read_some. In particular, are you sure that the frame of m_invector is still alive when the async call is executed?

m_invector = vector<byte>(RX_BUFFER_SIZE);
socket_.async_read_some(boost::asio::buffer(m_invector),
                   std::bind(&RemoteObject::handle_read, shared_from_this(),
                      std::placeholders::_1, std::placeholders::_2));

signed_size_type recv(socket_type s, buf* bufs, size_t count,
    int flags, boost::system::error_code& ec)
{
  clear_last_error();
  msghdr msg = msghdr();
  msg.msg_iov = bufs;
  msg.msg_iovlen = static_cast<int>(count);
  signed_size_type result = error_wrapper(::recvmsg(s, &msg, flags), ec); //LINE 784
  if (result >= 0)
    ec = boost::system::error_code();
  return result;
}
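The lifetime question raised in the comments, as an added example that is not part of the original post or of Boost: boost::asio::buffer() yields a non-owning view, so the vector's storage must stay valid until the completion handler has run. The model below uses only the standard library; BufferView, PendingRead and Session are hypothetical stand-ins, the sizes 209 and 53 come from the ASAN report, and it assumes an earlier read is still queued when m_invector is reassigned.

```cpp
#include <cstdint>
#include <cstring>
#include <deque>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

using Buffer = std::vector<unsigned char>;
// Like the result of boost::asio::buffer(): a non-owning (pointer, size) view.
struct BufferView { unsigned char* data; std::size_t size; };
// Hypothetical stand-in for a receive operation queued inside the reactor.
struct PendingRead {
    BufferView view;                           // where the later recvmsg() writes
    std::function<void(std::size_t)> handler;  // completion handler and what it owns
};

// Assumed scenario: the member vector is reassigned while a read is still queued.
// Returns true when that queued read now points at freed storage.
bool reassign_leaves_dangling_view() {
    Buffer m_invector(209);
    PendingRead first{{m_invector.data(), m_invector.size()}, nullptr};
    const auto target = reinterpret_cast<std::uintptr_t>(first.view.data);
    m_invector = Buffer(209);  // frees the old storage; `first` keeps its address
    return target != reinterpret_cast<std::uintptr_t>(m_invector.data());
}

// Hardened: each read owns its buffer through the handler capture, so the
// storage stays valid until that handler has run, however often reads re-arm.
struct Session {
    std::deque<PendingRead> queue;              // stands in for the reactor's queue
    std::vector<std::weak_ptr<Buffer>> issued;  // observers only, for checking
    void start_read() {
        auto buf = std::make_shared<Buffer>(209);
        issued.push_back(buf);
        queue.push_back({{buf->data(), buf->size()},
                         [buf](std::size_t n) { buf->resize(n); }});
    }
    // Simulated completion: copy bytes through the view, run the handler, drop the op.
    std::size_t complete_one(const unsigned char* msg, std::size_t n) {
        PendingRead op = std::move(queue.front());
        queue.pop_front();
        if (n > op.view.size) n = op.view.size;  // never write past the view
        std::memcpy(op.view.data, msg, n);
        op.handler(n);
        return n;
    }
};

int main() { return reassign_leaves_dangling_view() ? 0 : 1; }
```

In real Asio code the same ownership is obtained by capturing a std::shared_ptr to the buffer in the handler passed to async_read_some, or by never reassigning the member while a read is outstanding.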