Loading...

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: None
Affects Version/s: None
Component/s: Build
Labels:
- address-sanitizer

Operating System:
ALL
Steps To Reproduce:

Hide

On ubuntu 14.04:

scons --dbg=on --cc=/usr/bin/clang --cxx=/usr/bin/clang++ --allocator=system --opt=on --sanitize=address ./mongo ./mongod

The start up mongod and run

ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.4 ./mongo jstests/dur/md5.js

One of the mongod instances spawned by the test will fail under ASAN:

m30002| =================================================================
m30002| ==28406==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000a180 at pc 0x1bdc2a5 bp 0x7fff96a6dcd0 sp 0x7fff96a6dcc8
m30002| READ of size 8 at 0x60c00000a180 thread T0
m30002| #0 0x1bdc2a4 in mongo::OperationContextImpl::OperationContextImpl() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/operation_context_impl.cpp:45
m30002| #1 0x1a4da23 in mongo::exitCleanly(mongo::ExitCode) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/instance.cpp:1018
m30002| #2 0xb029ce in mongoDbMain(int, char*, char*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:936
m30002| #3 0xb029ce in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:726
m30002| #4 0x7f4b878cdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
m30002| #5 0xaee1fc in _start (/home/andrew/Documents/10gen/dev/src/mongodb/mongod+0xaee1fc)
m30002|
m30002| 0x60c00000a180 is located 0 bytes inside of 120-byte region [0x60c00000a180,0x60c00000a1f8)
m30002| freed by thread T0 here:
m30002| #0 0xad8a99 in operator delete(void*) (/home/andrew/Documents/10gen/dev/src/mongodb/mongod+0xad8a99)
m30002| #1 0x2a89e01 in mongo::initGlobalStorageEngine() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/storage/storage_engine.cpp:67
m30002| #2 0xaf285f in mongo::_initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:586
m30002| #3 0xaef3ea in mongo::initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:677
m30002| #4 0xb029c7 in mongoDbMain(int, char*, char*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:935
m30002| #5 0xb029c7 in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:726
m30002| #6 0x7f4b878cdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
m30002|
m30002| previously allocated by thread T0 here:
m30002| #0 0xad8799 in operator new(unsigned long) (/home/andrew/Documents/10gen/dev/src/mongodb/mongod+0xad8799)
m30002| #1 0x2a8989d in mongo::initGlobalStorageEngine() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/storage/storage_engine.cpp:56
m30002| #2 0xaf285f in mongo::_initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:586
m30002| #3 0xaef3ea in mongo::initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:677
m30002| #4 0xb029c7 in mongoDbMain(int, char*, char*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:935
m30002| #5 0xb029c7 in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:726
m30002| #6 0x7f4b878cdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
m30002|
m30002| SUMMARY: AddressSanitizer: heap-use-after-free /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/operation_context_impl.cpp:45 mongo::OperationContextImpl::OperationContextImpl()
m30002| Shadow bytes around the buggy address:
m30002| 0x0c187fff93e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
m30002| 0x0c187fff93f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
m30002| 0x0c187fff9400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
m30002| 0x0c187fff9410: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
m30002| 0x0c187fff9420: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
m30002| =>0x0c187fff9430:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
m30002| 0x0c187fff9440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
m30002| 0x0c187fff9450: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
m30002| 0x0c187fff9460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
m30002| 0x0c187fff9470: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
m30002| 0x0c187fff9480: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
m30002| Shadow byte legend (one shadow byte represents 8 application bytes):
m30002| Addressable: 00
m30002| Partially addressable: 01 02 03 04 05 06 07
m30002| Heap left redzone: fa
m30002| Heap right redzone: fb
m30002| Freed heap region: fd
m30002| Stack left redzone: f1
m30002| Stack mid redzone: f2
m30002| Stack right redzone: f3
m30002| Stack partial redzone: f4
m30002| Stack after return: f5
m30002| Stack use after scope: f8
m30002| Global redzone: f9
m30002| Global init order: f6
m30002| Poisoned by user: f7
m30002| ASan internal: fe
m30002| ==28406==ABORTING

Show
On ubuntu 14.04: scons --dbg=on --cc=/usr/bin/clang --cxx=/usr/bin/clang++ --allocator=system --opt=on --sanitize=address ./mongo ./mongod The start up mongod and run ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.4 ./mongo jstests/dur/md5.js One of the mongod instances spawned by the test will fail under ASAN: m30002| ================================================================= m30002| ==28406==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000a180 at pc 0x1bdc2a5 bp 0x7fff96a6dcd0 sp 0x7fff96a6dcc8 m30002| READ of size 8 at 0x60c00000a180 thread T0 m30002| #0 0x1bdc2a4 in mongo::OperationContextImpl::OperationContextImpl() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/operation_context_impl.cpp:45 m30002| #1 0x1a4da23 in mongo::exitCleanly(mongo::ExitCode) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/instance.cpp:1018 m30002| #2 0xb029ce in mongoDbMain(int, char* , char *) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:936 m30002| #3 0xb029ce in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:726 m30002| #4 0x7f4b878cdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) m30002| #5 0xaee1fc in _start (/home/andrew/Documents/10gen/dev/src/mongodb/mongod+0xaee1fc) m30002| m30002| 0x60c00000a180 is located 0 bytes inside of 120-byte region [0x60c00000a180,0x60c00000a1f8) m30002| freed by thread T0 here: m30002| #0 0xad8a99 in operator delete(void*) (/home/andrew/Documents/10gen/dev/src/mongodb/mongod+0xad8a99) m30002| #1 0x2a89e01 in mongo::initGlobalStorageEngine() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/storage/storage_engine.cpp:67 m30002| #2 0xaf285f in mongo::_initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:586 m30002| #3 0xaef3ea in mongo::initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:677 m30002| #4 0xb029c7 in mongoDbMain(int, char* , char *) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:935 m30002| #5 0xb029c7 in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:726 m30002| #6 0x7f4b878cdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) m30002| m30002| previously allocated by thread T0 here: m30002| #0 0xad8799 in operator new(unsigned long) (/home/andrew/Documents/10gen/dev/src/mongodb/mongod+0xad8799) m30002| #1 0x2a8989d in mongo::initGlobalStorageEngine() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/storage/storage_engine.cpp:56 m30002| #2 0xaf285f in mongo::_initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:586 m30002| #3 0xaef3ea in mongo::initAndListen(int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:677 m30002| #4 0xb029c7 in mongoDbMain(int, char* , char *) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:935 m30002| #5 0xb029c7 in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/db.cpp:726 m30002| #6 0x7f4b878cdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) m30002| m30002| SUMMARY: AddressSanitizer: heap-use-after-free /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/operation_context_impl.cpp:45 mongo::OperationContextImpl::OperationContextImpl() m30002| Shadow bytes around the buggy address: m30002| 0x0c187fff93e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd m30002| 0x0c187fff93f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa m30002| 0x0c187fff9400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa m30002| 0x0c187fff9410: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd m30002| 0x0c187fff9420: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa m30002| =>0x0c187fff9430: [fd] fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa m30002| 0x0c187fff9440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd m30002| 0x0c187fff9450: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa m30002| 0x0c187fff9460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd m30002| 0x0c187fff9470: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd m30002| 0x0c187fff9480: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa m30002| Shadow byte legend (one shadow byte represents 8 application bytes): m30002| Addressable: 00 m30002| Partially addressable: 01 02 03 04 05 06 07 m30002| Heap left redzone: fa m30002| Heap right redzone: fb m30002| Freed heap region: fd m30002| Stack left redzone: f1 m30002| Stack mid redzone: f2 m30002| Stack right redzone: f3 m30002| Stack partial redzone: f4 m30002| Stack after return: f5 m30002| Stack use after scope: f8 m30002| Global redzone: f9 m30002| Global init order: f6 m30002| Poisoned by user: f7 m30002| ASan internal: fe m30002| ==28406==ABORTING
Sprint:
Platform D (12/11/15)

ASAN build is seeing a use-after-free in the 'durability' test suite when running the md5.js test:

http://buildlogs.mongodb.org/mci_0.9_ubuntu1404-debug-asan/builds/20237/test/durability_0/md5.js

Details

Description

Attachments

Activity

People

Dates