Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.2.6, 4.4.0-rc0, 4.7.0
Affects Version/s: None
Component/s: Internal Code
Labels:
- servicearch-wfbf-day

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.4, v4.2
Sprint:
Service arch 2020-04-20
Linked BF Score:
23
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

The replica set change notifier makes a copy of _listeners under a lock, but then invokes onConfirmedSet on those listeners outside the lock. During shutdown, those pointers can be dead, which can cause us to use after free and crash.

See replica_set_change_notifier.cpp#L116-L120

    auto listeners = _listeners;
    lk.unlock();

    for (auto listener : listeners) {
        listener->onConfirmedSet(state);
    };

Assignee:: Janna Golden
Reporter:: Mira Carey
Participants:: Githook User, Janna Golden, Mira Carey
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: Jul 26 2019 06:59:30 PM UTC
Updated:: Oct 29 2023 10:18:41 PM UTC
Resolved:: Apr 07 2020 09:48:31 PM UTC
Confidence Status Last Update:: 06/Apr/20 2:28 PM

Details

Description

Attachments

Forms

Activity

People

Dates