  1. Core Server
  2. SERVER-21416

AsyncResultsMerger's parameters may hold a reference to freed OperationContext

    • Type: Bug
    • Resolution: Done
    • Priority: Critical - P2
    • 3.2.0-rc3
    • Affects Version/s: 3.2.0-rc3
    • Component/s: Sharding
    • Labels:
      None
    • Fully Compatible
    • ALL
    • Sharding C (11/20/15)
    • 0

      The AsyncResultsMerger parameters structure has a pointer to the OperationContext, which was used to create it. However, in getMore scenarios, the getMore comes on a separate call, which has a different OperationContext, and this causes a use-after-free exception:

      [ShardedClusterFixture:job3:mongos] ----- BEGIN BACKTRACE -----
      [ShardedClusterFixture:job3:mongos] {"backtrace":[{"b":"400000","o":"8355E2"},{"b":"400000","o":"8344F9"},{"b":"400000","o":"834878"},{"b":"2AF8CB0FE000","o":"ECA0"},{"b":"400000","o":"2FBFFB"},{"b":"400000","o":"75E6F5"},{"b":"400000","o":"75EFF0"},{"b":"400000","o":"75FDBB"},{"b":"400000","o":"76CB0B"},{"b":"400000","o":"763A32"},{"b":"400000","o":"7651AB"},{"b":"400000","o":"768B44"},{"b":"400000","o":"71AA73"},{"b":"400000","o":"771E89"},{"b":"400000","o":"772ADD"},{"b":"400000","o":"782121"},{"b":"400000","o":"771656"},{"b":"400000","o":"250AA5"},{"b":"400000","o":"7EEC65"},{"b":"2AF8CB0FE000","o":"683D"},{"b":"2AF8CB31B000","o":"D4FDD"}],"processInfo":{ "mongodbVersion" : "3.2.0-rc2-114-g820b117", "gitVersion" : "820b11793691ba0019767e686875444663bd2541", "compiledModules" : [], "uname" : { "sysname" : "Linux", "release" : "2.6.18-194.el5xen", "version" : "#1 SMP Tue Mar 16 22:01:26 EDT 2010", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000" }, { "b" : "2AF8CA55F000", "path" : "/lib64/librt.so.1", "elfType" : 3 }, { "b" : "2AF8CA768000", "path" : "/lib64/libdl.so.2", "elfType" : 3 }, { "b" : "2AF8CA96C000", "path" : "/usr/lib64/libstdc++.so.6", "elfType" : 3 }, { "b" : "2AF8CAC6D000", "path" : "/lib64/libm.so.6", "elfType" : 3 }, { "b" : "2AF8CAEF0000", "path" : "/lib64/libgcc_s.so.1", "elfType" : 3 }, { "b" : "2AF8CB0FE000", "path" : "/lib64/libpthread.so.0", "elfType" : 3 }, { "b" : "2AF8CB31B000", "path" : "/lib64/libc.so.6", "elfType" : 3 }, { "b" : "2AF8CA341000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3 } ] }}
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::printStackTrace(std::ostream&)+0x32) [0xc355e2]
      [ShardedClusterFixture:job3:mongos]  mongos(+0x8344F9) [0xc344f9]
      [ShardedClusterFixture:job3:mongos]  mongos(+0x834878) [0xc34878]
      [ShardedClusterFixture:job3:mongos]  libpthread.so.0(+0xECA0) [0x2af8cb10cca0]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::RemoteCommandTargeter::selectFindHostMaxWaitTime(mongo::OperationContext*)+0xB) [0x6fbffb]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::AsyncResultsMerger::RemoteCursorData::resolveShardIdToHostAndPort(mongo::OperationContext*, mongo::ReadPreferenceSetting const&)+0x95) [0xb5e6f5]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::AsyncResultsMerger::askForNextBatch_inlock(unsigned long)+0x80) [0xb5eff0]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::AsyncResultsMerger::nextEvent()+0x1AB) [0xb5fdbb]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::RouterStageMerge::next()+0x4B) [0xb6cb0b]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::ClusterClientCursorImpl::next()+0x132) [0xb63a32]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::ClusterCursorManager::PinnedCursor::next()+0x1B) [0xb651ab]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::ClusterFind::runGetMore(mongo::OperationContext*, mongo::GetMoreRequest const&)+0x224) [0xb68b44]
      [ShardedClusterFixture:job3:mongos]  mongos(+0x71AA73) [0xb1aa73]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::Command::execCommandClientBasic(mongo::OperationContext*, mongo::Command*, mongo::ClientBasic&, int, char const*, mongo::BSONObj&, mongo::BSONObjBuilder&)+0x559) [0xb71e89]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::Command::runAgainstRegistered(mongo::OperationContext*, char const*, mongo::BSONObj&, mongo::BSONObjBuilder&, int)+0x2ED) [0xb72add]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::Strategy::clientCommandOp(mongo::OperationContext*, mongo::Request&)+0x1B1) [0xb82121]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::Request::process(mongo::OperationContext*, int)+0x866) [0xb71656]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::ShardedMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*)+0x65) [0x650aa5]
      [ShardedClusterFixture:job3:mongos]  mongos(mongo::PortMessageServer::handleIncomingMsg(void*)+0x265) [0xbeec65]
      [ShardedClusterFixture:job3:mongos]  libpthread.so.0(+0x683D) [0x2af8cb10483d]
      [ShardedClusterFixture:job3:mongos]  libc.so.6(clone+0x6D) [0x2af8cb3effdd]
      [ShardedClusterFixture:job3:mongos] -----  END BACKTRACE  -----
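
The lifetime problem described above, as an added C++ example that is not MongoDB's code and not the fix applied for this ticket. `OpCtx`, `StickyCursor` and `BorrowingCursor` are hypothetical names, and a `std::weak_ptr` stands in for the raw pointer so the dangling state can be observed without undefined behaviour.

```cpp
#include <memory>

// Hypothetical stand-in for a per-request context: it lives only as long as
// the request (find or getMore) that created it.
struct OpCtx {
    int requestId;
};

// Pattern from the report: the cursor's parameters remember the context of
// the request that created the cursor. The weak_ptr models the raw pointer.
struct StickyCursor {
    std::weak_ptr<OpCtx> creatorCtx;
    // Returns the request id the cursor acts for, or -1 when the stored
    // context is gone (where a raw pointer would be a use-after-free).
    int nextBatch() const {
        auto ctx = creatorCtx.lock();
        return ctx ? ctx->requestId : -1;
    }
};

// Safer shape: the cursor keeps no context; each call borrows the caller's.
struct BorrowingCursor {
    int nextBatch(const OpCtx& current) const { return current.requestId; }
};

struct Outcome {
    int sticky;
    int borrowing;
};

// Request 1 (find) creates both cursors and ends; request 2 (getMore) then
// asks each cursor for its next batch under a new context.
Outcome runFindThenGetMore() {
    StickyCursor sticky;
    BorrowingCursor borrowing;
    {
        auto findCtx = std::make_shared<OpCtx>(OpCtx{1});
        sticky.creatorCtx = findCtx;
        (void)sticky.nextBatch();             // context still alive here
        (void)borrowing.nextBatch(*findCtx);
    }  // find request ends and its context is destroyed
    auto getMoreCtx = std::make_shared<OpCtx>(OpCtx{2});
    return {sticky.nextBatch(), borrowing.nextBatch(*getMoreCtx)};
}

int main() {
    Outcome o = runFindThenGetMore();
    return (o.sticky == -1 && o.borrowing == 2) ? 0 : 1;
}
```

Building real code of this shape with AddressSanitizer (`-fsanitize=address`) reports the stale dereference at the point of use instead of crashing later inside an unrelated callee.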
      

            Assignee:
            david.storch@mongodb.com David Storch
            Reporter:
            kaloian.manassiev@mongodb.com Kaloian Manassiev
            Votes:
            0
            Watchers:
            3

              Created:
              Updated:
              Resolved: