
An error sometimes occurs when starting the name server #9

@Nobu19800

When the name server starts, an error like the following, in which freed memory is accessed, sometimes occurs.

=================================================================
==914616==ERROR: AddressSanitizer: heap-use-after-free on address 0x504000000e90 at pc 0x7f613783b5b3 bp 0x7fffeaa0b6a0 sp 0x7fffeaa0ae48
READ of size 1 at 0x504000000e90 thread T0
    #0 0x7f613783b5b2 in __interceptor_strcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466
    #1 0x7f6136f09759 in cmp_string /home/nobu/work/RtORB/lib/hashtable.c:52
    #2 0x7f6136f0a400 in getNewKey /home/nobu/work/RtORB/lib/hashtable.c:202
    #3 0x7f6136f0a9fe in registerItem /home/nobu/work/RtORB/lib/hashtable.c:290
    #4 0x7f6136f305e4 in register_PortableServer_Servant /home/nobu/work/RtORB/lib/poa.c:504
    #5 0x7f6136f30cf7 in PortableServer_POA_reinstall_object /home/nobu/work/RtORB/lib/poa.c:581
    #6 0x55893fc7fc13 in main /home/nobu/work/OpenRTM-aist/utils/openrtmNames/openrtmNames.cpp:167
    #7 0x7f6135f06d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f6135f06e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x55893fc80574 in _start (/home/nobu/work/rtorbinstall/bin/openrtmNames+0x21574)

0x504000000e90 is located 0 bytes inside of 37-byte region [0x504000000e90,0x504000000eb5)
freed by thread T0 here:
    #0 0x7f613785d537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7f6136f30c78 in PortableServer_POA_reinstall_object /home/nobu/work/RtORB/lib/poa.c:577
    #2 0x55893fc7fc13 in main /home/nobu/work/OpenRTM-aist/utils/openrtmNames/openrtmNames.cpp:167
    #3 0x7f6135f06d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f613785d887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f6136f0cb63 in new_ObjectID /home/nobu/work/RtORB/lib/util.c:170
    #2 0x7f6136f28581 in new_CORBA_Object /home/nobu/work/RtORB/lib/orb.c:308
    #3 0x7f6136f30839 in RtORB_POA_Object__create /home/nobu/work/RtORB/lib/poa.c:541
    #4 0x7f6136f3e099 in POA_CosNaming_NamingContextExt__init /home/nobu/work/RtORB/build/lib/CosName/CosNaming-skels.c:509
    #5 0x7f6136ed70fd in impl_CosNaming_NamingContextExt__create_servant /home/nobu/work/RtORB/lib/CXX/CosNaming-skelimpl.cc:720
    #6 0x55893fca899b in POA_CosNaming::NamingContextExt::NamingContextExt() /home/nobu/work/rtorbinstall/include/CosName/CosNaming.h:1612
    #7 0x55893fc8c826 in RTM::NamingContext::NamingContext(PortableServer::POA*) /home/nobu/work/OpenRTM-aist/utils/openrtmNames/NamingContext.cpp:49
    #8 0x55893fc7f914 in main /home/nobu/work/OpenRTM-aist/utils/openrtmNames/openrtmNames.cpp:147
    #9 0x7f6135f06d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466 in __interceptor_strcmp
Shadow bytes around the buggy address:
  0x0a087fff8180: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0a087fff8190: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0a087fff81a0: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 00 fa
  0x0a087fff81b0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 05 fa
  0x0a087fff81c0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
=>0x0a087fff81d0: fa fa[fd]fd fd fd fd fa fa fa 00 00 00 00 00 03
  0x0a087fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0a087fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0a087fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0a087fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0a087fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==914616==ABORTING

The problem is probably somewhere around the elfhash function and the getNewKey function, but the cause has not been identified yet.

RtORB/lib/hashtable.c

Lines 40 to 49 in 21e2f7f

```c
uint32_t elfhash(const unsigned char *name) {
    uint32_t h = 0, g;
    while (*name) {
        h = (h << 4) + *name++;
        g = h & 0xF0000000L;
        if (g) h ^= g >> 24;
        h &= ~g;
    }
    return h;
}
```

RtORB/lib/hashtable.c

Lines 193 to 214 in 21e2f7f

```c
/* Declared before use here; in the real file the prototype comes from the header (assumed). */
int32_t hashtableNextKey(hashtable *tbl, int32_t k);

/* Linear-probe search: returns the slot whose stored key equals k, or the first
   empty slot (key == 0), or -1 once every slot has been visited. Each occupied
   slot visited has its stored key pointer dereferenced by cmp_func (cmp_string),
   which is the strcmp read that the AddressSanitizer report above flags. */
int32_t getNewKey(hashtable *tbl, void *k){
    int size;
    int key;
    size = tbl->size;
    key = (*tbl->hash_func)((const unsigned char*)k) % tbl->size;
    while(size){
        if(tbl->items[key].key == 0 || (*tbl->cmp_func)((char*)tbl->items[key].key, (char*)k)) return key;
        else key = hashtableNextKey(tbl, key);
        size--;
    }
    fprintf(stderr, "No space left.....\n");
    return -1;
}

/* Next slot for linear probing, wrapping around at the end of the table. */
int32_t hashtableNextKey(hashtable *tbl, int32_t k){
    int key = (k+1) % tbl->size;
    return key;
}
```
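A reduced model of the ownership pattern the trace shows, added here as an example; it is not RtORB's code and does not claim to be the confirmed root cause. It assumes a fixed-size table, a hypothetical `reinstall` standing in for `PortableServer_POA_reinstall_object`, and that the table copies each key on insert instead of storing the caller's pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example, not RtORB code: same elfhash + linear probe as the snippets
   above, but the table OWNS a copy of each key. In the trace the stored key points
   into an ObjectID that reinstall_object frees, so the next probe's strcmp reads
   freed memory; copying on insert removes that borrowed-pointer hazard. */
#define TBL_SIZE 8
typedef struct { char *key; void *value; } ht_item;
typedef struct { ht_item items[TBL_SIZE]; } hashtable;

static uint32_t elfhash(const unsigned char *name) {
    uint32_t h = 0, g;
    while (*name) {
        h = (h << 4) + *name++;
        g = h & 0xF0000000L;
        if (g) h ^= g >> 24;
        h &= ~g;
    }
    return h;
}
/* Portable strdup substitute (strdup is POSIX, not ISO C). */
static char *dup_key(const char *k) {
    size_t n = strlen(k) + 1; char *p = malloc(n); return p ? memcpy(p, k, n) : NULL;
}
/* Probe: slot holding k, else first empty slot, else -1 when the table is full. */
static int ht_slot(const hashtable *t, const char *k) {
    int key = (int)(elfhash((const unsigned char *)k) % TBL_SIZE);
    for (int left = TBL_SIZE; left; left--) {
        if (t->items[key].key == NULL || strcmp(t->items[key].key, k) == 0) return key;
        key = (key + 1) % TBL_SIZE;
    }
    return -1;
}
/* Stores a private copy of k, never the caller's buffer; returns the slot or -1. */
int ht_register(hashtable *t, const char *k, void *v) {
    int s = ht_slot(t, k);
    if (s < 0) return -1;
    if (t->items[s].key == NULL && (t->items[s].key = dup_key(k)) == NULL) return -1;
    t->items[s].value = v;
    return s;
}
void *ht_lookup(const hashtable *t, const char *k) {
    int s = ht_slot(t, k);
    return (s < 0 || t->items[s].key == NULL) ? NULL : t->items[s].value;
}
/* Models reinstall_object: free the old object id, then register a new one. With a
   borrowed-key table the old slot would still point at the freed buffer and the
   probe in ht_register would strcmp it, which is the read ASan reported. */
int reinstall(hashtable *t, char **oid, const char *new_id, void *v) {
    free(*oid);
    *oid = dup_key(new_id);
    return *oid ? ht_register(t, *oid, v) : -1;
}
```

Building the borrowed-key variant (store `k` instead of `dup_key(k)`) with `-fsanitize=address` reproduces the same heap-use-after-free class on the `strcmp` inside the probe.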
