  1. Core Server
  2. SERVER-22791

Invariant failure when creating WT collection with crafted configString

    • Fully Compatible
    • ALL
    • TIG 11 (03/11/16)
    • 0

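      This bug affects 3.2.3 and master. It does not affect 3.0.9. As the trace below shows, the invariant fires while the server is handling a client create command (CmdCreate::run -> WiredTigerUtil::checkApplicationMetadataFormatVersion -> WiredTigerConfigParser), so the crafted configString aborts the mongod process instead of returning an error to the client.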

      Invariant failure nested.type == WT_CONFIG_ITEM::WT_CONFIG_ITEM_STRUCT src/mongo/db/storage/wiredtiger/wiredtiger_util.h 240
      
      * thread #17: tid = 0x6dfe00, 0x00007fff9b69f70e libsystem_kernel.dylib`__write_nocancel + 10
        * frame #0: 0x00007fff9b69f70e libsystem_kernel.dylib`__write_nocancel + 10
          frame #1: 0x00007fff89042202 libsystem_c.dylib`_swrite + 87
          frame #2: 0x00007fff8903a72c libsystem_c.dylib`__sflush + 87
          frame #3: 0x00007fff8903d0c0 libsystem_c.dylib`_fwalk + 58
          frame #4: 0x00007fff8905c69a libsystem_c.dylib`abort + 52
          frame #5: 0x00000001014e65c3 mongod`mongo::invariantFailed(expr="nested.type == WT_CONFIG_ITEM::WT_CONFIG_ITEM_STRUCT", file="src/mongo/db/storage/wiredtiger/wiredtiger_util.h", line=240) + 387 at assert_util.cpp:153
          frame #6: 0x000000010107ae6f mongod`mongo::WiredTigerConfigParser::WiredTigerConfigParser(this=0x0000700000828cd8, nested=0x0000700000828d18) + 79 at wiredtiger_util.h:240
          frame #7: 0x000000010107a3fd mongod`mongo::WiredTigerConfigParser::WiredTigerConfigParser(this=0x0000700000828cd8, nested=0x0000700000828d18) + 29 at wiredtiger_util.h:239
          frame #8: 0x0000000101076990 mongod`mongo::WiredTigerUtil::checkApplicationMetadataFormatVersion(opCtx=0x0000000105401100, uri=(_data = "table:collection-2--4302918691755824297", _size = 39), minimumVersion=1, maximumVersion=1) + 832 at wiredtiger_util.cpp:203
          frame #9: 0x0000000101043aa1 mongod`mongo::WiredTigerRecordStore::WiredTigerRecordStore(this=0x0000000105401b50, ctx=0x0000000105401100, ns=(_data = "test.z", _size = 6), uri=(_data = "table:collection-2--4302918691755824297", _size = 39), engineName="wiredTiger", isCapped=false, isEphemeral=false, cappedMaxSize=-1, cappedMaxDocs=-1, cappedCallback=0x0000000000000000, sizeStorer=0x0000000105007770) + 1697 at wiredtiger_record_store.cpp:812
          frame #10: 0x0000000101044905 mongod`mongo::WiredTigerRecordStore::WiredTigerRecordStore(this=0x0000000105401b50, ctx=0x0000000105401100, ns=(_data = "test.z", _size = 6), uri=(_data = "table:collection-2--4302918691755824297", _size = 39), engineName="wiredTiger", isCapped=false, isEphemeral=false, cappedMaxSize=-1, cappedMaxDocs=-1, cappedCallback=0x0000000000000000, sizeStorer=0x0000000105007770) + 261 at wiredtiger_record_store.cpp:811
          frame #11: 0x0000000101038428 mongod`mongo::WiredTigerKVEngine::getRecordStore(this=0x00000001056105f0, opCtx=0x0000000105401100, ns=(_data = "test.z", _size = 6), ident=(_data = "collection-2--4302918691755824297", _size = 33), options=0x0000700000829f28) + 1112 at wiredtiger_kv_engine.cpp:466
          frame #12: 0x0000000100f024f4 mongod`mongo::KVDatabaseCatalogEntry::createCollection(this=0x0000000105401570, txn=0x0000000105401100, ns=(_data = "test.z", _size = 6), options=0x0000700000829f28, allocateDefaultSpace=true) + 1828 at kv_database_catalog_entry.cpp:217
          frame #13: 0x0000000100320924 mongod`mongo::Database::createCollection(this=0x00000001054015b0, txn=0x0000000105401100, ns=(_data = "test.z", _size = 6), options=0x0000700000829f28, createIdIndex=true) + 1684 at database.cpp:510
          frame #14: 0x00000001003227e6 mongod`mongo::userCreateNS(txn=0x0000000105401100, db=0x00000001054015b0, ns=(_data = "test.z", _size = 6), options=BSONObj @ 0x000070000082a668, createDefaultIndexes=true) + 3366 at database.cpp:635
          frame #15: 0x00000001003035e4 mongod`mongo::createCollection(txn=0x0000000105401100, dbName="test", cmdObj=0x000070000082ae00) + 1876 at create_collection.cpp:82
          frame #16: 0x00000001004da31b mongod`mongo::CmdCreate::run(this=0x00000001029ecb20, txn=0x0000000105401100, dbname="test", cmdObj=0x000070000082ae00, (null)=0, errmsg="", result=0x000070000082b038) + 331 at dbcommands.cpp:544
          frame #17: 0x00000001004d507c mongod`mongo::Command::run(this=0x00000001029ecb20, txn=0x0000000105401100, request=0x000070000082bed0, replyBuilder=0x000070000082c080) + 4540 at dbcommands.cpp:1479
          frame #18: 0x00000001004d3990 mongod`mongo::Command::execCommand(txn=0x0000000105401100, command=0x00000001029ecb20, request=0x000070000082bed0, replyBuilder=0x000070000082c080) + 5264 at dbcommands.cpp:1347
          frame #19: 0x0000000100372f26 mongod`mongo::runCommands(txn=0x0000000105401100, request=0x000070000082bed0, replyBuilder=0x000070000082c080) + 2118 at commands.cpp:498
          frame #20: 0x0000000100769f44 mongod`mongo::(anonymous namespace)::receivedRpc(txn=0x0000000105401100, client=0x0000000105615470, dbResponse=0x000070000082d430, message=0x000070000082db90) + 628 at instance.cpp:304
          frame #21: 0x0000000100766eed mongod`mongo::assembleResponse(txn=0x0000000105401100, m=0x000070000082db90, dbresponse=0x000070000082d430, remote=0x000070000082d1b0) + 2301 at instance.cpp:525
          frame #22: 0x000000010000c64d mongod`mongo::MyMessageHandler::process(this=0x0000000105003630, m=0x000070000082db90, port=0x0000000105613eb0) + 397 at db.cpp:174
          frame #23: 0x000000010153085d mongod`mongo::PortMessageServer::handleIncomingMsg(arg=0x0000000105613eb0) + 1917 at message_server_port.cpp:229
          frame #24: 0x000000010152f1ca mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] decltype(__f=0x0000000105613d70, __args=0x0000000105613d78)(void*)>(fp)(std::__1::forward<mongo::(anonymous namespace)::MessagingPortWithHandler*&>(fp0))) std::__1::__invoke<void* (*&)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*&>(void* (*&&&)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*&&&) + 24 at __functional_base:415
          frame #25: 0x000000010152f1b2 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] std::__1::__bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<>, _is_valid_bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void* (__f=0x0000000105613d70, __bound_args=0x0000000105613d78, (null)=__tuple_indices<0> @ 0x000070000082dea0, __args=0x000070000082de60)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, 0ul, std::__1::tuple<> >(void* (*&)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) + 40 at functional:2060
          frame #26: 0x000000010152f18a mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] std::__1::__bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<>, _is_valid_bind_return<void* (*)(void*), std::__1::tuple<mongo::(anonymous namespace)::MessagingPortWithHandler*>, std::__1::tuple<> >::value>::type std::__1::__bind<void* (this=0x0000000105613d70)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*>::operator()<>() + 38 at functional:2123
          frame #27: 0x000000010152f164 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] decltype(__f=0x0000000105613d70)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >(std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*>&&) + 11 at __functional_base:415
          frame #28: 0x000000010152f159 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(void*) [inlined] void std::__1::__thread_execute<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >(__t=0x0000000105613d70, (null)=__tuple_indices<> @ 0x000070000082de38)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> >&, std::__1::__tuple_indices<>) + 25 at thread:337
          frame #29: 0x000000010152f140 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (*)(void*), mongo::(anonymous namespace)::MessagingPortWithHandler*> > >(__vp=0x0000000105613d70) + 368 at thread:347
          frame #30: 0x00007fff8afb9c13 libsystem_pthread.dylib`_pthread_body + 131
          frame #31: 0x00007fff8afb9b90 libsystem_pthread.dylib`_pthread_start + 168
          frame #32: 0x00007fff8afb7375 libsystem_pthread.dylib`thread_start + 13
      

            Assignee:
            robert.guo@mongodb.com Robert Guo (Inactive)
            Reporter:
            kamran.khan Kamran K.