Description
[ed: original title "'out of memory, printing stack and exiting' during parallel/basic.js on Linux 64-bit DEBUG"]
ProgressMeter is not thread-safe. Because of this, it is possible to crash the server when calling db.currentOp() during a map-reduce or index build.
Threads are permitted to call CurOp::setMessage() on CurOp objects they own. CurOp::setMessage() calls ProgressMeter::setName(), which calls operator= on ProgressMeter::_name, which is a std::string.
db.currentOp() calls CurOp::info() on CurOp objects owned by other threads. CurOp::info() calls ProgressMeter::toString(), which performs a copy on the same string above. Doing so while _name is being modified can result in a string with a corrupt length, which can crash the server (e.g. during allocation of a copy, or while reading unmapped memory).
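The race described above and one way to close it, as an added example that is not taken from the ticket or from the MongoDB code base. UnsafeMeter and LockedMeter are hypothetical stand-ins for ProgressMeter, and the name strings are constructed sample values.

```cpp
#include <cstdio>
#include <mutex>
#include <string>
#include <thread>

// Hypothetical stand-in for the reported pattern. Shown for contrast only and
// never run: concurrent setName()/toString() on it is a data race (undefined behaviour).
struct UnsafeMeter {
    void setName(const std::string& n) { _name = n; }
    std::string toString() const { return _name; }
    std::string _name;
};

// Same interface, with every access to _name serialised by a mutex.
class LockedMeter {
public:
    void setName(const std::string& n) {
        std::lock_guard<std::mutex> lk(_mutex);
        _name = n;
    }
    std::string toString() const {
        std::lock_guard<std::mutex> lk(_mutex);
        return _name;  // the copy is made while the lock is held
    }
private:
    mutable std::mutex _mutex;
    std::string _name;
};

// The owner thread flips between a short and a long name (forcing reallocation)
// while the caller snapshots it; returns how many snapshots matched neither name.
int countTornReads(int iterations) {
    const std::string shortName = "Index Build";  // constructed sample value
    const std::string longName = "m/r: emit phase " + std::string(256, 'x');
    LockedMeter meter;
    meter.setName(shortName);
    std::thread owner([&] {
        for (int i = 0; i < iterations; ++i)
            meter.setName(i % 2 ? shortName : longName);
    });
    int torn = 0;
    for (int i = 0; i < iterations; ++i) {
        std::string snapshot = meter.toString();
        if (snapshot != shortName && snapshot != longName) ++torn;
    }
    owner.join();
    return torn;
}
int main() { std::printf("torn reads: %d\n", countTornReads(200000)); }
```

Building the same harness against UnsafeMeter with ThreadSanitizer (`-fsanitize=thread`) is a way to have the tool report the unsynchronised write and copy of _name.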
Issue Links
- duplicates: SERVER-12555 OpDebug::planSummary std::string may be accessed concurrently by multiple threads (Closed)
- is related to: SERVER-60646 remove ThreadSafeString (Closed)