We have discovered an instance where we might be using a WorkingSetMember's underlying document after it has been freed. We should investigate if there are other locations where this might happen.
The sequence of events is:
- WorkingSetCommon::fetch returns a RecordData with unowned buffer pointing to a WT_CURSOR's returned WT_ITEM data.
- We reset the WorkingSetMember document to the above, using RecordData::releaseToBson(), which also returns a BSONObj with unowned pointer. (See assignment)
- ensureStillMatches will make an owned copy of the document only if the document still matches.
- In BatchedDeleteStage::_commitBatch, there's a usage of the underlying member document without checking if (docStillMatches = ensureStillMatches(...)) is true, meaning we might not have ensured the member has an owned copy.
- This combines with the fact that the (cached) cursor is freed immediately due to the config fuzzer setting wiredTigerCursorCacheSize: 0
- Freeing the cursor or performing other operations on it invalidates the memory owned by the WT_CURSOR
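
A minimal model of the sequence above, as an added example that is not MongoDB's code: ToyCursor, ToyDoc, toyEnsureStillMatches and toyCommitOne are hypothetical stand-ins, and the point at which the cursor is released is an assumption. The borrowed buffer is tracked with a weak_ptr so the dangling access is reported rather than performed.

```cpp
#include <functional>
#include <memory>
#include <string>

// Toy stand-in for a WT_CURSOR: owns the bytes of the record it points at.
struct ToyCursor {
    std::shared_ptr<std::string> item;
    void position(const std::string& b) { item = std::make_shared<std::string>(b); }
    void release() { item.reset(); }  // models the cursor being freed, not cached
};

// Toy stand-in for a BSONObj: borrows the cursor's bytes until made owned.
// The borrow is a weak_ptr so a dangling read is reported, not performed.
struct ToyDoc {
    std::weak_ptr<std::string> borrowed;
    std::shared_ptr<std::string> owned;  // private copy, set by makeOwned()
    void makeOwned() {
        auto p = borrowed.lock();
        if (p && !owned) owned = std::make_shared<std::string>(*p);
    }
    // Returns null at the point where real code would read freed memory.
    std::shared_ptr<std::string> read() const { return owned ? owned : borrowed.lock(); }
};

using Pred = std::function<bool(const std::string&)>;
// Mirrors the contract described above: an owned copy is made only on a match.
bool toyEnsureStillMatches(ToyDoc& doc, const Pred& pred) {
    auto cur = doc.read();
    if (!cur || !pred(*cur)) return false;
    doc.makeOwned();
    return true;
}

enum class Outcome { Used, Skipped, DanglingRead };
// checkResult=false models the reported call site; true models a guarded one.
Outcome toyCommitOne(const std::string& stored, const Pred& pred, bool checkResult) {
    ToyCursor cursor;
    cursor.position(stored);  // constructed sample record
    ToyDoc doc{cursor.item, nullptr};
    bool matches = toyEnsureStillMatches(doc, pred);
    cursor.release();  // assumed ordering: cursor freed before the document is used
    if (checkResult && !matches) return Outcome::Skipped;
    return doc.read() ? Outcome::Used : Outcome::DanglingRead;
}

int main() {
    Pred isA = [](const std::string& s) { return s == "a"; };
    return toyCommitOne("b", isA, false) == Outcome::DanglingRead ? 0 : 1;
}
```

Only the non-matching document with the result unchecked reaches DanglingRead; a matching document was already copied, and the guarded path never touches the borrowed bytes.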
- is related to SERVER-73018 Refactor write stages to share "_preWriteFilter" machinery (Closed)