Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-31262

Storage of _rbidCommandHandle can race with destruction of SyncSourceResolver

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 3.4.11, 3.5.13
    • Affects Version/s: None
    • Component/s: Replication
    • Labels:
    • Fully Compatible
    • ALL
    • v3.4, v3.2
    • Repl 2017-10-02, Repl 2017-10-23
    • 0

      SyncSourceResolver::join waits for the Resolver's _state member to transition to kComplete. This transition is performed by the final '_finishCallback()' step, performed by the last callback scheduled by SyncSourceResolver. One of callback in the chain, _rbidRequestCallback, schedules a callback, takes a mutex on the SyncSourceResolver, and saves the handle into a member. However, nothing prevents the scheduled callback from executing, calling _finishCallback(), and allowing SyncSourceResolver's deconstructor to finish. If the handle is saved after the destructor calls, its own destructor will never be called, which prevents its shared_ptr's reference count from decrementing, causing a leak.

            siyuan.zhou@mongodb.com Siyuan Zhou
            spencer.jackson@mongodb.com Spencer Jackson
            0 Vote for this issue
            8 Start watching this issue