Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-16654

ParallelConnectionMetadata::cleanup can cause the cursor to access deleted connection

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Gone away
    • 2.4.12, 2.8.0-rc3
    • None
    • Sharding
    • None
    • Sharding
    • ALL
    • Sharding C (11/20/15)

    Description

      ParallelConnectionMetadata::cleanup calls ShardConnection::done, which can potentially delete the underlying connection (https://github.com/mongodb/mongo/blob/r2.8.0-rc3/src/mongo/client/connpool.cpp#L66-73). This is also the same connection pointer stored in the cursor and when it's destructor gets called, it can try to access the pointer (https://github.com/mongodb/mongo/blob/r2.8.0-rc3/src/mongo/client/dbclientcursor.cpp#L364-372).

      Sample stacktrace from special local 2.4.12 build with special fail points to make it fail easier:

       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo17printStackAndExitEi+0x65)[0x965f65]
      		 
       m30999| /lib/x86_64-linux-gnu/libc.so.6(+0x370b0)[0x7f3885d7d0b0]
      		 
       m30999| /lib/x86_64-linux-gnu/libc.so.6(+0x150fe9)[0x7f3885e96fe9]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZNK5mongo18DBClientReplicaSet11_getMonitorEv+0xa9)[0x6b8269]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo18DBClientReplicaSet11checkMasterEv+0x24)[0x6b8314]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo18DBClientReplicaSet3sayERNS_7MessageEbPSs+0x7e)[0x6bbc6e]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo14DBClientCursorD1Ev+0x578)[0x6c6238]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo14DBClientCursorD0Ev+0x9)[0x6c65e9]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5boost6detail12shared_countD2Ev+0x39)[0x6736c9]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5boost6detail17sp_counted_impl_pIN5mongo23ParallelConnectionStateEE7disposeEv+0x2a)[0x6f6efa]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5boost6detail12shared_countD2Ev+0x39)[0x6736c9]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo26ParallelConnectionMetadata7cleanupEb+0x172)[0x6e47a2]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZNSt8_Rb_treeIN5mongo5ShardESt4pairIKS1_NS0_26ParallelConnectionMetadataEESt10_Select1stIS5_ESt4lessIS1_ESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeIS5_E+0x4b)[0x6f84bb]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo27ParallelSortClusteredCursorD1Ev+0xcd)[0x6e585d]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo27ParallelSortClusteredCursorD0Ev+0x9)[0x6e59e9]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo13ShardStrategy7queryOpERNS_7RequestE+0x11cd)[0x8c434d]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo7Request7processEi+0x18f)[0x8aa74f]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo21ShardedMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE+0x60)[0x679090]
      		 
       m30999| /home/ren/mongo-copy/mongos(_ZN5mongo17PortMessageServer17handleIncomingMsgEPv+0x471)[0x951501]
      		 
       m30999| /lib/x86_64-linux-gnu/libpthread.so.0(+0x7f8e)[0x7f3886b44f8e]

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. SERVER-15056 Sharded connection cleanup on setup error can crash mongos

          • Major - P3 - Major loss of function.
          • Closed

          Activity

            People

              backlog-server-sharding Backlog - Sharding Team
              randolph@mongodb.com Randolph Tan
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: