Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 5.1.0-rc3
Affects Version/s: None
Component/s: Internal Code
Labels:
- servicearch-wfbf-day

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:

Hide

The test consistently fails on {A,UB}SAN Enterprise Ubuntu 18.04 FUZZER for any commit post ~~SERVER-56351~~.

Show
The test consistently fails on { A,UB}SAN Enterprise Ubuntu 18.04 FUZZER for any commit post SERVER-56351 .
Sprint:
Service Arch 2021-11-01
Linked BF Score:
50
Story Points:
4
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

~~SERVER-56351~~ introduced a destructor for OpMsgFuzzerFixture that uses ClientStrand to bind the test client to the current thread when executed (here):

OpMsgFuzzerFixture::~OpMsgFuzzerFixture() {
    CollectionShardingStateFactory::clear(_serviceContext);

    {
        auto clientGuard = _clientStrand->bind();
        auto opCtx = _serviceContext->makeOperationContext(clientGuard.get());
        Lock::GlobalLock glk(opCtx.get(), MODE_X);
        auto databaseHolder = DatabaseHolder::get(opCtx.get());
        databaseHolder->closeAll(opCtx.get());
    }

    shutdownGlobalStorageEngineCleanly(_serviceContext);
}

Binding a client strand internally calls into _setCurrent that in turn calls into ThreadName::set to set the current thread's name:

void ClientStrand::_setCurrent() noexcept {
    invariant(_isBound.load());
    invariant(_client);

    LOGV2_DEBUG(
        5127801, kDiagnosticLogLevel, "Setting the Client", "client"_attr = _client->desc());

    // Set the Client for this thread so calls to Client::getCurrent() works as expected.
    Client::setCurrent(std::move(_client));

    // Set up the thread name.
    _oldThreadName = ThreadName::set(ThreadContext::get(), _threadName);
    if (_oldThreadName) {
        LOGV2_DEBUG(5127802, kDiagnosticLogLevel, "Set thread name", "name"_attr = *_threadName);
    }
}

During termination of the test, however, it appears that dereferencing the thread local to get ThreadContext::get() returns nullptr:

[cpp_libfuzzer_test:op_msg_fuzzer] SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mongo/util/decorable.h:84:28 in
[cpp_libfuzzer_test:op_msg_fuzzer] AddressSanitizer:DEADLYSIGNAL
[cpp_libfuzzer_test:op_msg_fuzzer] =================================================================
[cpp_libfuzzer_test:op_msg_fuzzer] ==12365==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x55aea54da19e bp 0x7ffca099be90 sp 0x7ffca099be70 T0)
[cpp_libfuzzer_test:op_msg_fuzzer] ==12365==The signal is caused by a READ memory access.
[cpp_libfuzzer_test:op_msg_fuzzer] ==12365==Hint: address points to the zero page.
[cpp_libfuzzer_test:op_msg_fuzzer]     #0 0x55aea54da19d in std::__uniq_ptr_impl<unsigned char, std::default_delete<unsigned char []> >::_M_ptr() const /opt/mongodbtoolchain/revisions/0d5a071f1db663c050a1d7f330c13f46e62d6d4f/stow/gcc-v3.ulc/lib/gcc/x86_64-mongodb-linux/8.5.0/../../../../include/c++/8.5.0/bits/unique_ptr.h:150:42
[cpp_libfuzzer_test:op_msg_fuzzer]     #1 0x55aeb36890a3 in std::unique_ptr<unsigned char [], std::default_delete<unsigned char []> >::get() const /opt/mongodbtoolchain/revisions/0d5a071f1db663c050a1d7f330c13f46e62d6d4f/stow/gcc-v3.ulc/lib/gcc/x86_64-mongodb-linux/8.5.0/../../../../include/c++/8.5.0/bits/unique_ptr.h:598:21
[cpp_libfuzzer_test:op_msg_fuzzer]     #2 0x55aeb36890a3 in mongo::DecorationContainer<mongo::ThreadContext>::getDecoration(mongo::DecorationContainer<mongo::ThreadContext>::DecorationDescriptor) /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decoration_container.h:168
[cpp_libfuzzer_test:op_msg_fuzzer]     #3 0x55aeb367f3e8 in mongo::(anonymous namespace)::ThreadNameSconce& mongo::DecorationContainer<mongo::ThreadContext>::getDecoration<mongo::(anonymous namespace)::ThreadNameSconce>(mongo::DecorationContainer<mongo::ThreadContext>::DecorationDescriptorWithType<mongo::(anonymous namespace)::ThreadNameSconce>) /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decoration_container.h:183:33
[cpp_libfuzzer_test:op_msg_fuzzer]     #4 0x55aeb367f3e8 in mongo::Decorable<mongo::ThreadContext>::Decoration<mongo::(anonymous namespace)::ThreadNameSconce>::operator()(mongo::ThreadContext&) const /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decorable.h:80
[cpp_libfuzzer_test:op_msg_fuzzer]     #5 0x55aeb367f3e8 in mongo::Decorable<mongo::ThreadContext>::Decoration<mongo::(anonymous namespace)::ThreadNameSconce>::operator()(mongo::ThreadContext*) const /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/decorable.h:84
[cpp_libfuzzer_test:op_msg_fuzzer]     #6 0x55aeb367e2b8 in mongo::ThreadName::set(boost::intrusive_ptr<mongo::ThreadContext>, boost::intrusive_ptr<mongo::ThreadName>) /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/util/concurrency/thread_name.cpp:204:20
[cpp_libfuzzer_test:op_msg_fuzzer]     #7 0x55aeb2be4801 in mongo::ClientStrand::_setCurrent() /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/db/client_strand.cpp:70:22
[cpp_libfuzzer_test:op_msg_fuzzer]     #8 0x55aea5292ef8 in mongo::ClientStrand::bind() /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/db/client_strand.h:151:16
[cpp_libfuzzer_test:op_msg_fuzzer]     #9 0x55aea5292ef8 in mongo::OpMsgFuzzerFixture::~OpMsgFuzzerFixture() /data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/src/mongo/db/op_msg_fuzzer_fixture.cpp:133
[cpp_libfuzzer_test:op_msg_fuzzer]     #10 0x7f90028bc160 in __run_exit_handlers /build/glibc-S9d2JN/glibc-2.27/stdlib/exit.c:108
[cpp_libfuzzer_test:op_msg_fuzzer]     #11 0x7f90028bc259 in exit /build/glibc-S9d2JN/glibc-2.27/stdlib/exit.c:139
[cpp_libfuzzer_test:op_msg_fuzzer]     #12 0x55aea5129b40 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /data/mci/dfb39050aa31abca2c40371c920c586e/toolchain-builder/tmp/build-llvm.sh-GjU/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:768:5
[cpp_libfuzzer_test:op_msg_fuzzer]     #13 0x55aea5152462 in main /data/mci/dfb39050aa31abca2c40371c920c586e/toolchain-builder/tmp/build-llvm.sh-GjU/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
[cpp_libfuzzer_test:op_msg_fuzzer]     #14 0x7f900289abf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
[cpp_libfuzzer_test:op_msg_fuzzer]     #15 0x55aea5106029 in _start (/data/mci/cf4c5d480d66775786e7d4ad6010fa16/src/build/install/bin/op_msg_fuzzer+0x32538029)

This ticket should investigate the root cause for this behavior and fix it.

causes

SERVER-66464 use LLVMFuzzerRunDriver for OpMsgFuzzerFixture

Open

is related to

SERVER-66456 remove ThreadContext

Closed

SERVER-66385 Remove ThreadName's dependence on ThreadContext (& vice versa apparently)

Closed

related to

SERVER-66455 Undo ~OpMsgFuzzerFixture fix

Closed

Assignee:: Amirsaman Memaripour
Reporter:: Amirsaman Memaripour
Participants:: Amirsaman Memaripour, Githook User
Votes:: 0 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: Jul 01 2021 02:02:16 PM UTC
Updated:: Oct 29 2023 09:51:26 PM UTC
Resolved:: Oct 27 2021 09:58:00 PM UTC
Confidence Status Last Update:: 26/Oct/21 3:35 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates