evbuffer use after free

[kithrup]

We're using libevent in an application, that can end up with thousands of threads (wheeeee). We've gotten a bunch of segfaults in libevent code, so I finally tried using clang's thread and address sanitizers (macOS). The address sanitizer gave me an instance where (as the title says) a buffer is used after free:

==97101==ERROR: AddressSanitizer: heap-use-after-free on address 0x0001499adc48 at pc 0x0001002d9d9c bp 0x000171952c90 sp 0x000171952c88
READ of size 8 at 0x0001499adc48 thread T86
    #0 0x1002d9d98 in bufferevent_trigger bufferevent.c:279

0x0001499adc48 is located 456 bytes inside of 608-byte region [0x0001499ada80,0x0001499adce0)
freed by thread T2519 here:
    #0 0x101cd7380 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x53380)
    #1 0x1002ddbf8 in bufferevent_finalize_cb_ bufferevent.c:788
    #2 0x100302204 in event_process_active_single_queue event.c
    #3 0x1002f80e0 in event_base_loop event.c:2070

(I removed our code from the stacks there, mind you.)

The use is in

void
bufferevent_trigger(struct bufferevent *bufev, short iotype, int options)
{
    bufferevent_incref_and_lock_(bufev);

while the free is

    /* Free the actual allocated memory. */
    mm_free(((char*)bufev) - bufev->be_ops->mem_offset);

I cannot seem to reproduce this trivially.

I'm going to keep poking at this, both from our side and libevent, but I'd be grateful for help. 😄

This is with master from github as of last week.

(The thread sanitizer seemed to give me a bunch of false positives, although I did change some flags to atomic, and got rid of some bitfields to do the same.)

[azat]

This means that the bufferevent had been used after it freed, but of course this should never happen.

You told that you stripped your application code frames from the stacktraces, then I will recommend you to do though your code, precisely look at from which place bufferevent_trigger is called.