Bug #14268

open

Heap-use-after-free in `http_server_clean_close` test

Added by Aleksei Davydov 20 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
01/20/2026
Due date:
% Done:

0%

Estimated time:

Description

Problem

A heap-use-after-free crash was identified in the test.http executable, specifically in the http_server_clean_close test case, when the test is run repeatedly (the failure is intermittent) on Ubuntu 24.04 with AddressSanitizer (ASan) enabled.

Probable root cause

The crash occurs during server shutdown in http::server::Server::handleStop().

  1. handleStop() calls tcp_listeners_.clear(), which destroys the TcpListener objects.
  2. Each TcpListener owns a new_connection (TcpConnectionPtr), which in turn owns an asio::ip::tcp::socket.
  3. However, an asynchronous async_accept() operation might still be pending on that socket.
  4. When asio attempts to cancel the pending operation (due to the acceptor closing), it accesses the socket object that has already been freed.

ASan Trace Highlights

  • Freed by: http::server::TcpConnection::~TcpConnection() called via tcp_listeners_.clear() in Server::handleStop().
  • Read (UAF): boost::asio::detail::io_object_impl<...>::get_service() within the asio accept completion chain.
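The sequence above is the standard asio lifetime hazard: a pending async_accept holds a reference to the peer socket, and closing the acceptor does not run the handler inline but schedules it with operation_aborted, so the socket's owner must outlive that delivery. The following is an added illustration, not Wt's code and not Boost, that models the rule without a dependency so it runs stand-alone. Io, Acceptor, Socket, Connection and Listener are illustrative stand-ins for io_context, tcp::acceptor, tcp::socket, TcpConnection and TcpListener; the fix shown is the usual asio pattern of having the completion handler co-own the object it will touch.

```cpp
// Added illustration (not Wt's code, no Boost): the object referenced by a
// pending async operation must stay alive until the operation's completion
// handler has run, even when the operation was cancelled by closing the
// acceptor. All type names here are hypothetical stand-ins.
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

enum class Ec { ok, operation_aborted };   // asio: success / operation_aborted

struct Socket {
    static int live;                       // instances alive, to observe lifetimes
    Socket() { ++live; }
    ~Socket() { --live; }
    bool open = false;
};
int Socket::live = 0;

// io_context stand-in: completion handlers are queued and run only from run().
struct Io {
    std::vector<std::function<void()>> ready;
    void run() { auto q = std::move(ready); ready.clear(); for (auto& h : q) h(); }
};

// tcp::acceptor stand-in. async_accept keeps a reference to `peer` for the
// lifetime of the operation; close() does not run the handler inline, it
// schedules it with operation_aborted. That delay is the window in which the
// reported TcpConnection (and its socket) had already been freed.
struct Acceptor {
    explicit Acceptor(Io& io) : io_(io) {}
    void async_accept(Socket& peer, std::function<void(Ec)> h) {
        pending_ = [&peer, h](Ec ec) { if (ec == Ec::ok) peer.open = true; h(ec); };
    }
    void close() {
        if (!pending_) return;
        auto op = std::move(pending_);
        pending_ = nullptr;
        io_.ready.push_back([op] { op(Ec::operation_aborted); });
    }
private:
    Io& io_;
    std::function<void(Ec)> pending_;
};

struct Connection { Socket socket; };      // TcpConnection stand-in: owns the socket
using ConnectionPtr = std::shared_ptr<Connection>;

// Hardened listener: the completion handler co-owns the connection and the
// listener, so neither can be freed while the accept is pending.
// The unsafe variant (the pattern ASan reports) captures `this` only and lets
// `next` die with the listener while the op still references next->socket.
struct Listener : std::enable_shared_from_this<Listener> {
    static int abortedAccepts;
    explicit Listener(Io& io) : acceptor(io) {}
    Acceptor acceptor;
    ConnectionPtr next;                    // counterpart of TcpListener::new_connection

    void startAccept() {
        next = std::make_shared<Connection>();
        // asio form: acceptor_.async_accept(next->socket(),
        //     [self = shared_from_this(), conn = next](const error_code& ec) { ... });
        acceptor.async_accept(next->socket,
            [self = shared_from_this(), conn = next](Ec ec) {
                if (ec == Ec::operation_aborted) { ++abortedAccepts; return; }
                // success path would hand `conn` to the server and re-arm accept
            });
    }
    void stop() { acceptor.close(); }      // cancels the pending accept
};
int Listener::abortedAccepts = 0;

struct ShutdownTrace { int socketsAfterClear; int socketsAfterRun; int aborted; };

// Models Server::handleStop() with one accept pending: stop the listeners,
// clear the list, then let the io loop deliver the aborted completion.
ShutdownTrace simulateHandleStop() {
    Listener::abortedAccepts = 0;
    Io io;
    std::vector<std::shared_ptr<Listener>> listeners{std::make_shared<Listener>(io)};
    listeners.front()->startAccept();
    for (auto& l : listeners) l->stop();
    listeners.clear();
    ShutdownTrace t{};
    t.socketsAfterClear = Socket::live;    // 1: the handler still owns the connection
    io.run();                              // aborted handler runs, releases it
    t.socketsAfterRun = Socket::live;      // 0: freed only after the op completed
    t.aborted = Listener::abortedAccepts;  // 1: cancellation was delivered, not lost
    return t;
}

int main() {
    ShutdownTrace t = simulateHandleStop();
    std::printf("sockets after clear=%d after run=%d aborted=%d\n",
                t.socketsAfterClear, t.socketsAfterRun, t.aborted);
    return 0;
}
```

In the hardened form the socket count is still 1 immediately after the listener list is cleared and drops to 0 only after the io loop has delivered operation_aborted; an implementation that lets the TcpConnection die with the listener reaches the same point with the socket already freed, which is the read ASan flagged in get_service().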

How to Reproduce

  1. Reproduced on current master and on 4.10.3.
  2. Use an environment with Ubuntu 24.04.
  3. Build wt with tests and ASan enabled: cmake -DBUILD_TESTS=ON -DCMAKE_CXX_FLAGS="-fsanitize=address" ... make
  4. Run the specific test case under stress: for i in {1..100}; do ./test.http --run_test=http_server_clean_close || break; done
     The crash usually occurs within 20 iterations.
