Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-58194

Fix undefined behavior in the destructor for OpMsgFuzzerFixture

    XMLWordPrintable

    Details

    • Operating System:
      ALL
    • Steps To Reproduce:
      Hide

      The test consistently fails on {A,UB}SAN Enterprise Ubuntu 18.04 FUZZER for any commit post SERVER-56351

      Show
      The test consistently fails on { A,UB}SAN Enterprise Ubuntu 18.04 FUZZER for any commit post SERVER-56351 . 
    • Linked BF Score:
      49
    • Story Points:
      4

      Description

      SERVER-56351 introduced a destructor for OpMsgFuzzerFixture that uses ClientStrand to bind the test client to the current thread when executed (here):

      OpMsgFuzzerFixture::~OpMsgFuzzerFixture() {
      		 
          CollectionShardingStateFactory::clear(_serviceContext);
      		 
       
      		 
          {
      		 
              auto clientGuard = _clientStrand->bind();
      		 
              auto opCtx = _serviceContext->makeOperationContext(clientGuard.get());
      		 
              Lock::GlobalLock glk(opCtx.get(), MODE_X);
      		 
              auto databaseHolder = DatabaseHolder::get(opCtx.get());
      		 
              databaseHolder->closeAll(opCtx.get());
      		 
          }
      		 
       
      		 
          shutdownGlobalStorageEngineCleanly(_serviceContext);
      		 
      }

      Binding a client strand internally calls into _setCurrent that in turn calls into ThreadName::set to set the current thread's name:

      void ClientStrand::_setCurrent() noexcept {
      		 
          invariant(_isBound.load());
      		 
          invariant(_client);
      		 
       
      		 
          LOGV2_DEBUG(
      		 
              5127801, kDiagnosticLogLevel, "Setting the Client", "client"_attr = _client->desc());
      		 
       
      		 
          // Set the Client for this thread so calls to Client::getCurrent() works as expected.
      		 
          Client::setCurrent(std::move(_client));
      		 
       
      		 
          // Set up the thread name.
      		 
          _oldThreadName = ThreadName::set(ThreadContext::get(), _threadName);
      		 
          if (_oldThreadName) {
      		 
              LOGV2_DEBUG(5127802, kDiagnosticLogLevel, "Set thread name", "name"_attr = *_threadName);
      		 
          }
      		 
      }

      During termination of the test, however, it appears that dereferencing the thread local to get ThreadContext::get() returns nullptr:

      [cpp_libfuzzer_test:op_msg_fuzzer] SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mongo/util/decorable.h:84:28 in
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer] AddressSanitizer:DEADLYSIGNAL
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer] =================================================================
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer] ==12365==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x55aea54da19e bp 0x7ffca099be90 sp 0x7ffca099be70 T0)
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer] ==12365==The signal is caused by a READ memory access.
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer] ==12365==Hint: address points to the zero page.
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #0 0x55aea54da19d in std::__uniq_ptr_impl<unsigned char, std::default_delete<unsigned char []> >::_M_ptr() const /opt/mongodbtoolchain/revisions/0d5a071f1db663c050a1d7f330c13f46e62d6d4f/stow/gcc-v3.ulc/lib/gcc/x86_64-mongodb-linux/8.5.0/../../../../include/c++/8.5.0/bits/unique_ptr.h:150:42
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #1 0x55aeb36890a3 in std::unique_ptr<unsigned char [], std::default_delete<unsigned char []> >::get() const /opt/mongodbtoolchain/revisions/0d5a071f1db663c050a1d7f330c13f46e62d6d4f/stow/gcc-v3.ulc/lib/gcc/x86_64-mongodb-linux/8.5.0/../../../../include/c++/8.5.0/bits/unique_ptr.h:598:21
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #2 0x55aeb36890a3 in mongo::DecorationContainer<mongo::ThreadContext>::getDecoration(mongo::DecorationContainer<mongo::ThreadContext>::DecorationDescriptor) /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decoration_container.h:168
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #3 0x55aeb367f3e8 in mongo::(anonymous namespace)::ThreadNameSconce& mongo::DecorationContainer<mongo::ThreadContext>::getDecoration<mongo::(anonymous namespace)::ThreadNameSconce>(mongo::DecorationContainer<mongo::ThreadContext>::DecorationDescriptorWithType<mongo::(anonymous namespace)::ThreadNameSconce>) /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decoration_container.h:183:33
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #4 0x55aeb367f3e8 in mongo::Decorable<mongo::ThreadContext>::Decoration<mongo::(anonymous namespace)::ThreadNameSconce>::operator()(mongo::ThreadContext&) const /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decorable.h:80
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #5 0x55aeb367f3e8 in mongo::Decorable<mongo::ThreadContext>::Decoration<mongo::(anonymous namespace)::ThreadNameSconce>::operator()(mongo::ThreadContext*) const /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decorable.h:84
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #6 0x55aeb367e2b8 in mongo::ThreadName::set(boost::intrusive_ptr<mongo::ThreadContext>, boost::intrusive_ptr<mongo::ThreadName>) /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/concurrency/thread_name.cpp:204:20
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #7 0x55aeb2be4801 in mongo::ClientStrand::_setCurrent() /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/db/client_strand.cpp:70:22
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #8 0x55aea5292ef8 in mongo::ClientStrand::bind() /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/db/client_strand.h:151:16
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #9 0x55aea5292ef8 in mongo::OpMsgFuzzerFixture::~OpMsgFuzzerFixture() /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/db/op_msg_fuzzer_fixture.cpp:133
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #10 0x7f90028bc160 in __run_exit_handlers /build/glibc-S9d2JN/glibc-2.27/stdlib/exit.c:108
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #11 0x7f90028bc259 in exit /build/glibc-S9d2JN/glibc-2.27/stdlib/exit.c:139
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #12 0x55aea5129b40 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /data/mci/dfb39050aa31abca2c40371c920c586e/toolchain-builder/tmp/build-llvm.sh-GjU/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:768:5
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #13 0x55aea5152462 in main /data/mci/dfb39050aa31abca2c40371c920c586e/toolchain-builder/tmp/build-llvm.sh-GjU/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #14 0x7f900289abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
      		 
      [cpp_libfuzzer_test:op_msg_fuzzer]     #15 0x55aea5106029 in _start (/data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/build/install/bin/op_msg_fuzzer+0x32538029)

      This ticket should investigate the root cause for this behavior and fix it.

        Attachments

          Activity

            People

            Assignee:
            backlog-server-servicearch Backlog - Service Architecture
            Reporter:
            amirsaman.memaripour Amirsaman Memaripour
            Participants:
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: