Fix use-after-free in UDPSimSocket::bind() due to missing addRef by saintstack · Pull Request #13172 · apple/foundationdb

saintstack · 2026-05-07T20:40:01Z

The UDPSimSocket constructor stored a raw this pointer into process->boundUDPSockets via emplace(), which direct-initializes a Reference from the raw pointer. The explicit Reference(P*) constructor does not call addref — it assumes ownership of the initial refcount. But that initial refcount already belongs to the Reference returned by createUDPSocket(). Result: two Reference objects sharing one refcount.

When bind() erased the old map entry, the refcount dropped to 0 and freed the object. The next line then called addRef(this) on freed memory — a heap-use-after-free.

This was a latent bug that only crashed when buggify altered memory allocation patterns enough for the freed memory to be reused between lines 2531 and 2532. Certain buggify seeds triggered it reliably, causing RandomUnitTests and other simulation tests to segfault.

Found by building with AddressSanitizer (-fsanitize=address), which immediately reported the exact free/use sequence in UDPSimSocket::bind().

(Found by claude debugging simulation failures)

The UDPSimSocket constructor stored a raw `this` pointer into process->boundUDPSockets via emplace(), which direct-initializes a Reference<IUDPSocket> from the raw pointer. The explicit Reference(P*) constructor does not call addref — it assumes ownership of the initial refcount. But that initial refcount already belongs to the Reference returned by createUDPSocket(). Result: two Reference objects sharing one refcount. When bind() erased the old map entry, the refcount dropped to 0 and freed the object. The next line then called addRef(this) on freed memory — a heap-use-after-free. This was a latent bug that only crashed when buggify altered memory allocation patterns enough for the freed memory to be reused between lines 2531 and 2532. Certain buggify seeds triggered it reliably, causing RandomUnitTests and other simulation tests to segfault. Found by building with AddressSanitizer (-fsanitize=address), which immediately reported the exact free/use sequence in UDPSimSocket::bind(). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Copilot

Pull request overview

Fixes a simulation-only heap-use-after-free in UDPSimSocket construction by ensuring the simulator’s boundUDPSockets map holds its own reference to the socket object (instead of implicitly “stealing” the initial refcount).

Changes:

Replace emplace(localAddress, this) with an explicit Reference<IUDPSocket>::addRef(this) when inserting into process->boundUDPSockets.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

foundationdb-ci · 2026-05-07T21:09:07Z

Result of foundationdb-pr-clang-ide on Linux RHEL 9

Commit ID: bdf5d81
Duration 0:28:53
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T21:26:05Z

Result of foundationdb-pr-clang-arm on Linux CentOS 7

Commit ID: bdf5d81
Duration 0:45:51
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T21:37:11Z

Result of foundationdb-pr-macos on macOS Ventura 13.x

Commit ID: bdf5d81
Duration 0:57:01
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T21:38:39Z

Result of foundationdb-pr-macos-m1 on macOS Ventura 13.x

Commit ID: bdf5d81
Duration 0:58:30
Result: ❌ FAILED
Error: Error while executing command: ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${HOME}/.ssh_key ec2-user@${MAC_EC2_HOST} /opt/homebrew/bin/bash --login ./build_pr_macos.sh. Reason: exit status 1
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T21:40:19Z

Result of foundationdb-pr on Linux RHEL 9

Commit ID: bdf5d81
Duration 1:00:09
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T21:45:11Z

Result of foundationdb-pr-clang on Linux RHEL 9

Commit ID: bdf5d81
Duration 1:04:58
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T21:46:34Z

Result of foundationdb-pr-cluster-tests on Linux RHEL 9

Commit ID: bdf5d81
Duration 1:06:22
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)
Cluster Test Logs zip file of the test logs (available for 30 days)

saintstack · 2026-05-07T23:12:27Z

Odd one...


CMake Error: CMAKE_CXX_COMPILER not set, after EnableLanguage
CMake Error at /Users/ec2-user/foundationdb_build_output_macos_arm64/googlebenchmark-download/googlebenchmark-src/cmake/CXXFeatureCheck.cmake:51 (try_run):
  Failed to configure test project build system.
Call Stack (most recent call first):
  /Users/ec2-user/foundationdb_build_output_macos_arm64/googlebenchmark-download/googlebenchmark-src/CMakeLists.txt:279 (cxx_feature_check)


-- Configuring incomplete, errors occurred!
See also "/Users/ec2-user/foundationdb_build_output_macos_arm64/CMakeFiles/CMakeError.log".
�[31m################################################################################�(B�[m
�[31m##### 21:38:33 #  ./build_pr_macos.sh FAILED                               #####�(B�[m
�[31m################################################################################�(B�[m

[Container] 2026/05/07 21:38:33.351876 Command did not exit successfully ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${HOME}/.ssh_key ec2-user@${MAC_EC2_HOST} /opt/homebrew/bin/bash --login ./build_pr_macos.sh exit status 1
[Container] 2026/05/07 21:38:33.356313 Running command echo "#====================    POST-BUILD CLEANUP                   ==================#"
#====================    POST-BUILD CLEANUP                   ==================#

[Container] 2026/05/07 21:38:33.365101 Running command ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${HOME}/.ssh_key ec2-user@${MAC_EC2_HOST} touch /tmp/ci.done
Warning: Permanently added 'ip-100-80-0-15.us-west-2.compute.internal,100.80.0.15' (ECDSA) to the list of known hosts.

[Container] 2026/05/07 21:38:33.523295 Running command wait

[Container] 2026/05/07 21:38:33.532445 Running command echo "################################################################################"
################################################################################

[Container] 2026/05/07 21:38:33.542218 Phase complete: BUILD State: FAILED_WITH_ABORT
[Container] 2026/05/07 21:38:33.542366 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${HOME}/.ssh_key ec2-user@${MAC_EC2_HOST} /opt/homebrew/bin/bash --login ./build_pr_macos.sh. Reason: exit status 1

foundationdb-ci · 2026-05-07T23:46:30Z

Result of foundationdb-pr-macos on macOS Ventura 13.x

Commit ID: bdf5d81
Duration 0:33:44
Result: ❌ FAILED
Error: Error while executing command: ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${HOME}/.ssh_key ec2-user@${MAC_EC2_HOST} /usr/local/bin/bash --login ./build_pr_macos.sh. Reason: exit status 1
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T23:49:36Z

Result of foundationdb-pr-clang-ide on Linux RHEL 9

Commit ID: bdf5d81
Duration 0:36:55
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-07T23:58:47Z

Result of foundationdb-pr-clang-arm on Linux CentOS 7

Commit ID: bdf5d81
Duration 0:46:01
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-08T00:24:20Z

Result of foundationdb-pr-cluster-tests on Linux RHEL 9

Commit ID: bdf5d81
Duration 1:11:37
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)
Cluster Test Logs zip file of the test logs (available for 30 days)

foundationdb-ci · 2026-05-08T00:30:56Z

Result of foundationdb-pr-clang on Linux RHEL 9

Commit ID: bdf5d81
Duration 1:18:14
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-08T00:44:24Z

Result of foundationdb-pr on Linux RHEL 9

Commit ID: bdf5d81
Duration 1:31:41
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

foundationdb-ci · 2026-05-08T01:41:48Z

Result of foundationdb-pr-macos-m1 on macOS Ventura 13.x

Commit ID: bdf5d81
Duration 2:29:02
Result: ✅ SUCCEEDED
Error: N/A
Build Log terminal output (available for 30 days)
Build Workspace zip file of the working directory (available for 30 days)

spraza

lgtm, thanks for fixing this

saintstack · 2026-05-08T20:38:12Z

I just ran this for this PR standalone: 20260508-183548-stack_use-4c16dc63f9a906d9 compressed=True data_size=37100763 duration=5244653 ended=100000 fail_fast=10 max_runs=100000 pass=100000 priority=100 remaining=0 runtime=1:14:57 sanity=False started=100000 stopped=20260508-195045 submitted=20260508-183548 timeout=5400 username=stack_use

saintstack requested a review from Copilot May 7, 2026 20:40

Copilot started reviewing on behalf of saintstack May 7, 2026 20:40 View session

Copilot AI reviewed May 7, 2026

View reviewed changes

saintstack requested a review from Copilot May 7, 2026 20:53

Copilot started reviewing on behalf of saintstack May 7, 2026 20:54 View session

Copilot AI reviewed May 7, 2026

View reviewed changes

saintstack closed this May 7, 2026

saintstack reopened this May 7, 2026

saintstack requested a review from spraza May 7, 2026 23:12

saintstack added testing simulation, real cluster, and unit tests. nightlies Issues to address failures in the nighty runs. labels May 7, 2026

spraza approved these changes May 8, 2026

View reviewed changes

saintstack merged commit e53a955 into apple:main May 8, 2026
14 of 15 checks passed

Conversation

saintstack commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-clang-ide on Linux RHEL 9

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-clang-arm on Linux CentOS 7

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-macos on macOS Ventura 13.x

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-macos-m1 on macOS Ventura 13.x

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr on Linux RHEL 9

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-clang on Linux RHEL 9

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-cluster-tests on Linux RHEL 9

Uh oh!

saintstack commented May 7, 2026

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-macos on macOS Ventura 13.x

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-clang-ide on Linux RHEL 9

Uh oh!

foundationdb-ci commented May 7, 2026

Result of foundationdb-pr-clang-arm on Linux CentOS 7

Uh oh!

foundationdb-ci commented May 8, 2026

Result of foundationdb-pr-cluster-tests on Linux RHEL 9

Uh oh!

foundationdb-ci commented May 8, 2026

Result of foundationdb-pr-clang on Linux RHEL 9

Uh oh!

foundationdb-ci commented May 8, 2026

Result of foundationdb-pr on Linux RHEL 9

Uh oh!

foundationdb-ci commented May 8, 2026

Result of foundationdb-pr-macos-m1 on macOS Ventura 13.x

Uh oh!

spraza left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

saintstack commented May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

saintstack commented May 7, 2026 •

edited

Loading