MB-32465: Fix heap-use-after-free on Configuration during bucket destroy

As reported by ASan (see below). Fix by changing the order of
construction/destruction of Configuration.

    =================================================================
    ==25686==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070004182f8 at pc 0x7fc48fe80bfe bp 0x7fc4865d3050 sp 0x7fc4865d3048
    READ of size 8 at 0x6070004182f8 thread T34 (mc:bucket_del)
        #0 0x7fc48fe80bfd in std::_Rb_tree<...>::find() const /usr/local/include/c++/7.3.0/bits/stl_tree.h:2533
        #1 0x7fc48fe81ce6 in std::map<...>::find() const /usr/local/include/c++/7.3.0/bits/stl_map.h:1189
        #2 0x7fc48fe81ce6 in unsigned long Configuration::getParameter<unsigned long>(...) const kv_engine/engines/ep/src/configuration.cc:171
        #3 0x7fc48fead5f9 in Configuration::getDcpConnBufferSize() const build/kv_engine/engines/ep/src/generated_configuration.cc:591
        #4 0x7fc48fa9d249 in DcpFlowControlManager::setBufSizeWithinBounds(DcpConsumer*, unsigned long&) kv_engine/engines/ep/src/dcp/flow-control-manager.cc:49
        #5 0x7fc48fa9ef2d in DcpFlowControlManagerAggressive::handleDisconnect(DcpConsumer*) kv_engine/engines/ep/src/dcp/flow-control-manager.cc:202
        #6 0x7fc48fa59cf2 in DcpConsumer::~DcpConsumer() kv_engine/engines/ep/src/dcp/consumer.cc:187
    <cut shared_ptr details...>
        #19 0x7fc48f9c1cb7 in AtomicQueue<std::shared_ptr<ConnHandler> >::~AtomicQueue() kv_engine/engines/ep/src/atomicqueue.h:39
        #20 0x7fc48f9c1cb7 in ConnMap::~ConnMap() kv_engine/engines/ep/src/connmap.cc:106
        #21 0x7fc48fa8c4b7 in DcpConnMap::~DcpConnMap() kv_engine/engines/ep/src/dcp/dcpconnmap.cc:63
        #22 0x7fc48fa8c4b7 in DcpConnMap::~DcpConnMap() kv_engine/engines/ep/src/dcp/dcpconnmap.cc:65
        #23 0x7fc48fb9d41c in std::default_delete<DcpConnMap>::operator()(DcpConnMap*) const /usr/local/include/c++/7.3.0/bits/unique_ptr.h:78
        #24 0x7fc48fb9d41c in std::unique_ptr<DcpConnMap, std::default_delete<DcpConnMap> >::~unique_ptr() /usr/local/include/c++/7.3.0/bits/unique_ptr.h:268
        #25 0x7fc48fb9d41c in EventuallyPersistentEngine::~EventuallyPersistentEngine() kv_engine/engines/ep/src/ep_engine.cc:5772
        #26 0x7fc48fb9da8e in EventuallyPersistentEngine::~EventuallyPersistentEngine() kv_engine/engines/ep/src/ep_engine.cc:5780
        #27 0x7fc48fb9da8e in EventuallyPersistentEngine::destroy(bool) kv_engine/engines/ep/src/ep_engine.cc:154
        #28 0x44299e in DestroyBucketThread::destroy() kv_engine/daemon/memcached.cc:1980

    0x6070004182f8 is located 40 bytes inside of 80-byte region [0x6070004182d0,0x607000418320)
    freed by thread T34 (mc:bucket_del) here:
        #0 0x7fc49a5c16b0 in operator delete(void*) (install/bin/../lib/libasan.so.4+0xdb6b0)
    <cut shared_ptr details...>
        #8 0x7fc48fe77232 in Configuration::~Configuration() kv_engine/engines/ep/src/configuration.h:178
        #9 0x7fc48fb9d38b in EventuallyPersistentEngine::~EventuallyPersistentEngine() kv_engine/engines/ep/src/ep_engine.cc:5772
        #10 0x7fc48fb9da8e in EventuallyPersistentEngine::~EventuallyPersistentEngine() kv_engine/engines/ep/src/ep_engine.cc:5780
        #11 0x7fc48fb9da8e in EventuallyPersistentEngine::destroy(bool) kv_engine/engines/ep/src/ep_engine.cc:154
        #12 0x44299e in DestroyBucketThread::destroy() kv_engine/daemon/memcached.cc:1980
        #13 0x4439ee in DestroyBucketThread::run() kv_engine/daemon/memcached.cc:2012
        #14 0x7fc498801ff0 in Couchbase::Thread::thread_entry() platform/src/thread.cc:45
        #15 0x7fc4987d57d8 in CouchbaseThread::run() platform/src/cb_pthreads.cc:59
        #16 0x7fc4987d57d8 in platform_thread_wrap platform/src/cb_pthreads.cc:72
        #17 0x7fc496bd06b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Change-Id: I5c4efec7a58ded4c29cca6cee73886b0a0e51172
Reviewed-on: http://review.couchbase.org/103584
Tested-by: Build Bot <[email protected]>
Reviewed-by: Trond Norbye <[email protected]>

Author: daverigby

engines/ep/src/ep_engine.h

@@ -1031,6 +1031,12 @@ class EventuallyPersistentEngine : public EngineIface, public DcpIface {
     // Engine statistics. First concrete member as a number of other members
     // refer to it so needs to be constructed first (and destructed last).
     EPStats stats;
+    /**
+     * Engine configuration. Referred to by various other members
+     * (e.g. dcpConnMap_) so needs to be constructed before (and destructed
+     * after) them.
+     */
+    Configuration configuration;
     std::unique_ptr<KVBucket> kvBucket;
     WorkLoadPolicy *workload;
     bucket_priority_t workloadPriority;
@@ -1049,7 +1055,6 @@ class EventuallyPersistentEngine : public EngineIface, public DcpIface {
     size_t getlDefaultTimeout;
     size_t getlMaxTimeout;
     size_t maxFailoverEntries;
-    Configuration configuration;
     std::atomic<bool> trafficEnabled;
 
     // a unique system generated token initialized at each time