c - 为什么 AddressSanitizer 在 nginx 中不显示 heap-use-after-free
问题描述
我有这样的测试代码:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
struct Info {
char *p;
int num;
};
int main()
{
struct Info *pInfo = (struct Info*)malloc(sizeof(struct Info));
free(pInfo);
printf("%d\n", pInfo->num);
return 0;
}
我用cmd编译并执行它:
gcc -O1 -g -fsanitize=address test.c -o t
AddressSanitizer 可以输出错误信息 heap-use-after-free,如:
==15552==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000eff8 at pc 0x47b4a1 bp 0x7fff17684ed0 sp 0x7fff17684ec8
READ of size 4 at 0x60200000eff8 thread T0
#0 0x47b4a0 in main /home/xiabaichuan/test_tmp/test.c:18
#1 0x7f318a01a554 in __libc_start_main (/lib64/libc.so.6+0x22554)
#2 0x47b38c in _start (/home/xiabaichuan/test_tmp/t+0x47b38c)
0x60200000eff8 is located 8 bytes inside of 16-byte region [0x60200000eff0,0x60200000f000)
freed by thread T0 here:
#0 0x465129 in free (/home/xiabaichuan/test_tmp/t+0x465129)
#1 0x47b465 in main /home/xiabaichuan/test_tmp/test.c:17
previously allocated by thread T0 here:
#0 0x4652a9 in __interceptor_malloc (/home/xiabaichuan/test_tmp/t+0x4652a9)
#1 0x47b45a in main /home/xiabaichuan/test_tmp/test.c:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/xiabaichuan/test_tmp/test.c:18 main
Shadow bytes around the buggy address:
但是,当我在 nginx http 模块中复制相同的测试代码,编译并运行时,在发送 http 请求触发代码后,AddressSanitizer 没有输出任何 heap-use-after-free 错误信息,我编译 NGINX cmd 就像:
gcc -o objs/nginx -L/home/xiabaichuan/master/cluster_live/TOOL/openresty-1.15.8.1/build/luajit-root/usr/local/openresty/luajit/lib -L/home/xiabaichuan/master/cluster_live/TOOL/openresty-1.15.8.1/build/luajit-root/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/luajit/lib -fsanitize=address -fno-omit-frame-pointer -fsanitize-recover=address -Wl,-E -Wl,-E -ldl -lcrypt -L/home/xiabaichuan/master/cluster_live/TOOL/openresty-1.15.8.1/build/luajit-root/usr/local/openresty/luajit/lib -lluajit-5.1 -lm -ldl -L/home/xiabaichuan/master/cluster_live/TOOL/openresty-1.15.8.1/build/luajit-root/usr/local/openresty/luajit/lib -lluajit-5.1 -lm -ldl -lpcre -lssl -lcrypto -ldl -lz \
-Wl,-E
当我向 nginx 发送 HTTP 请求时,printf 显示一个随机数,但 AddressSanitizer 没有输出任何错误消息;nginx 打印如下:
[root@osboxes sbin]# ./nginx
788529154 (Tips:this num is a random error num)
nginx测试代码如下:
struct Info
{
int num;
};
static void
ngx_http_flv_live_cleanup(void *data)
{
ngx_rtmp_session_t *s;
s = data;
ngx_log_error(NGX_LOG_INFO, s->connection->log, 0,
"live:\"flv close connection\"");
struct Info *pInfo = (struct Info *)malloc(sizeof(struct Info));
pInfo->num = 2;
free(pInfo);
ngx_http_flv_live_close_session_handler(s);
ngx_log_error(NGX_LOG_INFO, s->connection->log, 0,
"live:\"flv close connection:%d\"", pInfo->num);
printf("%d\n", pInfo->num);
ngx_http_flv_live_close_session_handler(s);
}
当我 curl 一个 flv-http URL 时,可能会执行此代码,但是此代码:“printf("%d\n", pInfo->num);", 不显示 heap-use-after-free,只打印一个随机数。
解决方案
推荐阅读
- docker - 如何将容器上的端口映射到主机?
- r - 如何将非线性目标函数传递到 R 中的 ROI 包中?
- r - 如何将主题标签及其单词保留为单个标记
- spring - Spring security oauth2 ,从 SecurityContext 获取 userdetails 对象
- jenkins - 方法 parameterizedTimerTrigger 方法未找到
- ruby-on-rails - 用户的未定义方法“current_sign_in_ip”(NoMethodError)
- asp.net - 无法使用分配的公共 IP 访问部署在 ACS kubernetes 集群中的 Windows 容器?
- c - 在C中使用字符串作为数组中的索引
- unity3d - 窗口标题栏和统一
- sphinx - Thinking-sphinx FATAL: failed to create binlog.001, error=Too many open files