几乎必现的heap-use-after-free #2848
Labels
question
Further information is requested
Comments
|
|
跟踪代码,第一个红款free的内存,第二个红框继续在往里面写数据 |
|
调用的代码是? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
版本:2.8.1版本
场景:使用module api,两次模型A推断的输出,深拷贝后作为模型B的输入。模型B推断几乎必现heap-use-after-free
==75524==ERROR: AddressSanitizer: heap-use-after-free on address 0x00014b466940 at pc 0x00011541f360 bp 0x00016b671c60 sp 0x00016b671420
WRITE of size 3364 at 0x00014b466940 thread T4
#0 0x11541f35c in wrap_memcpy+0x244 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x1b35c) (BuildId: f0a7ac5c49bc3abc851181b6f92b308a32000000200000000100000000000b00)
#1 0x11033d05c in MNN::CPUTensorConverter::convert(MNN::Tensor const*, MNN::Tensor const*, MNN::CoreFunctions const*, int, int) CPUTensorConvert.cpp:303
#2 0x110238488 in MNN::CPUBackend::onCopyBuffer(MNN::Tensor const*, MNN::Tensor const*) const CPUBackend.cpp:502
#3 0x110152b28 in MNN::Tensor::copyFromHostTensor(MNN::Tensor const*) Tensor.cpp:171
#4 0x1104e42e4 in MNN::Express::StaticModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) StaticModule.cpp:396
#5 0x1104d2b44 in MNN::Express::PipelineModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) PipelineModule.cpp:217
#6 0x1104c5530 in MNN::Express::NetModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) Module.cpp:220
0x00014b466940 is located 64 bytes inside of 4168-byte region [0x00014b466900,0x00014b467948)
freed by thread T4 here:
#0 0x115446fa4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x42fa4) (BuildId: f0a7ac5c49bc3abc851181b6f92b308a32000000200000000100000000000b00)
#1 0x11010f960 in MNNMemoryFreeAlign MNNMemoryUtils.cpp:59
#2 0x1100cff3c in MNN::DefaultAllocator::onRelease(MNN::MemChunk) BufferAllocator.cpp:54
#3 0x1100cc550 in MNN::EagerBufferAllocator::Node::~Node() BufferAllocator.cpp:91
#4 0x1100cc628 in MNN::EagerBufferAllocator::Node::~Node() BufferAllocator.cpp:89
#5 0x1100cc654 in MNN::EagerBufferAllocator::Node::~Node() BufferAllocator.cpp:89
#6 0x1100d1d70 in MNN::RefCount::decRef() const AutoStorage.h:158
#7 0x1100d1c70 in MNN::SharedPtrMNN::Tensor::InsideDescribe::NativeInsideDescribe::~SharedPtr() AutoStorage.h:200
#8 0x1100cc5e8 in MNN::SharedPtrMNN::Tensor::InsideDescribe::NativeInsideDescribe::~SharedPtr() AutoStorage.h:200
#9 0x1100d01f0 in std::__1::pair<unsigned long const, MNN::SharedPtrMNN::EagerBufferAllocator::Node>::~pair() pair.h:40
#10 0x1100cd570 in std::__1::pair<unsigned long const, MNN::SharedPtrMNN::EagerBufferAllocator::Node>::~pair() pair.h:40
#11 0x1100d21f8 in void std::__1::allocator_traits<std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, void*>>>::destroy[abi:v15006]<std::__1::pair<unsigned long const, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, void, void>(std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, void*>>&, std::__1::pair<unsigned long const, MNN::SharedPtrMNN::EagerBufferAllocator::Node>) allocator_traits.h:319
#12 0x1100d216c in std::__1::__tree<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, std::__1::__map_value_compare<unsigned long, std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, std::__1::less, true>, std::__1::allocator<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>>>::destroy(std::__1::__tree_node<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, void>) __tree:1800
#13 0x1100d2140 in std::__1::__tree<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, std::__1::__map_value_compare<unsigned long, std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, std::__1::less, true>, std::__1::allocator<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>>>::destroy(std::__1::__tree_node<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, void>) __tree:1798
#14 0x1100d73f4 in std::__1::__tree<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, std::__1::__map_value_compare<unsigned long, std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>, std::__1::less, true>, std::__1::allocator<std::__1::__value_type<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node>>>::clear() __tree:1837
#15 0x1100cdd00 in std::__1::multimap<unsigned long, MNN::SharedPtrMNN::EagerBufferAllocator::Node, std::__1::less, std::__1::allocator<std::__1::pair<unsigned long const, MNN::SharedPtrMNN::EagerBufferAllocator::Node>>>::clearabi:v15006 map:2115
#16 0x1100cdc8c in MNN::EagerBufferAllocator::release(bool) BufferAllocator.cpp:210
#17 0x11023685c in MNN::CPURuntime::onGabageCollect(int) CPUBackend.cpp:175
#18 0x11014c938 in MNN::Session::resize() Session.cpp:211
#19 0x1104e4218 in MNN::Express::StaticModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) StaticModule.cpp:388
#20 0x1104d2b44 in MNN::Express::PipelineModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) PipelineModule.cpp:217
#21 0x1104c5530 in MNN::Express::NetModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) Module.cpp:220
previously allocated by thread T4 here:
#0 0x115446e68 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x42e68) (BuildId: f0a7ac5c49bc3abc851181b6f92b308a32000000200000000100000000000b00)
#1 0x11010f678 in MNNMemoryAllocAlign MNNMemoryUtils.cpp:24
#2 0x1100cfe78 in MNN::DefaultAllocator::onAlloc(unsigned long, unsigned long) BufferAllocator.cpp:50
#3 0x1100cc7f0 in MNN::EagerBufferAllocator::alloc(unsigned long, bool, unsigned long) BufferAllocator.cpp:118
#4 0x110237368 in MNN::CPUBackend::allocBuffer(unsigned long, MNN::Tensor, MNN::Backend::StorageType) CPUBackend.cpp:278
#5 0x1102376c0 in MNN::CPUBackend::onAcquire(MNN::Tensor const*, MNN::Backend::StorageType) CPUBackend.cpp:321
#6 0x1100c8f5c in MNN::Backend::onAcquireBuffer(MNN::Tensor const*, MNN::Backend::StorageType) Backend.cpp:76
#7 0x11011feac in MNN::_allocTensor(MNN::Tensor*, MNN::Backend*, bool) Pipeline.cpp:159
#8 0x11011e4f0 in MNN::Pipeline::allocMemory(bool, bool) Pipeline.cpp:951
#9 0x11014c888 in MNN::Session::resize() Session.cpp:201
#10 0x1104e4218 in MNN::Express::StaticModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) StaticModule.cpp:388
#11 0x1104d2b44 in MNN::Express::PipelineModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) PipelineModule.cpp:217
#12 0x1104c5530 in MNN::Express::NetModule::onForward(std::__1::vector<MNN::Express::VARP, std::__1::allocatorMNN::Express::VARP> const&) Module.cpp:220
SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x1b35c) (BuildId: f0a7ac5c49bc3abc851181b6f92b308a32000000200000000100000000000b00) in wrap_memcpy+0x244
Shadow bytes around the buggy address:
0x0070296accd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0070296acce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0070296accf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0070296acd00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0070296acd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0070296acd20: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0070296acd30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0070296acd40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0070296acd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0070296acd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0070296acd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==75524==ABORTING
The text was updated successfully, but these errors were encountered: