stack-buffer-overflow PaLite

    • Storage Engines, Storage Engines - Persistence

      As reproduced in a patch build, the test test_layered34, running under ASan, detects a stack-buffer-overflow:

       [2025/10/15 13:04:56.598] [pid:15896]: test_layered34.test_layered34.test_layered34 -s 0 (palite.shared): starting
       [2025/10/15 13:04:56.731] =================================================================
       [2025/10/15 13:04:56.731] ==15896==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fc6d192cc60 at pc 0x7fc6ce325503 bp 0x7ffebe2c7bd0 sp 0x7ffebe2c7bc8
       [2025/10/15 13:04:56.732] WRITE of size 8 at 0x7fc6d192cc60 thread T0
       [2025/10/15 13:04:57.626]     #0 0x7fc6ce325502 in Palite::get_last_lsn(unsigned long*) /data/mci/69afa71c43b4ae4581ccfcd0c2886653/wiredtiger/ext/page_log/palite/palite.cpp:1588:14
       [2025/10/15 13:04:57.626]     #1 0x7fc6ce325841 in int std::__invoke_impl<int, int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&>(std::__invoke_memfun_deref, int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&) /opt/mongodbtoolchain/revisions/8695910c32ef0ee5eecaae4c9ca515b4b6436a40/stow/gcc-v5.bbK/lib/gcc/x86_64-mongodb-linux/14.2.0/../../../../include/c++/14.2.0/bits/invoke.h:74:14
       [2025/10/15 13:04:57.626]     #2 0x7fc6ce325744 in std::__invoke_result<int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&>::type std::__invoke<int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&>(int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&) /opt/mongodbtoolchain/revisions/8695910c32ef0ee5eecaae4c9ca515b4b6436a40/stow/gcc-v5.bbK/lib/gcc/x86_64-mongodb-linux/14.2.0/../../../../include/c++/14.2.0/bits/invoke.h:96:14
       [2025/10/15 13:04:57.627]     #3 0x7fc6ce325714 in std::invoke_result<int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&>::type std::invoke<int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&>(int (Palite::*&)(unsigned long*), Palite*&, unsigned long*&) /opt/mongodbtoolchain/revisions/8695910c32ef0ee5eecaae4c9ca515b4b6436a40/stow/gcc-v5.bbK/lib/gcc/x86_64-mongodb-linux/14.2.0/../../../../include/c++/14.2.0/functional:120:14
       [2025/10/15 13:04:57.627]     #4 0x7fc6ce2a51c1 in int safe_call<Palite, __wt_page_log, int (Palite::*)(unsigned long*), unsigned long*&>(__wt_session*, __wt_page_log*, int (Palite::*)(unsigned long*), unsigned long*&) /data/mci/69afa71c43b4ae4581ccfcd0c2886653/wiredtiger/ext/page_log/palite/palite.cpp:349:16
       [2025/10/15 13:04:57.627]     #5 0x7fc6ce299108 in palite_get_last_lsn(__wt_page_log*, __wt_session*, unsigned long*) /data/mci/69afa71c43b4ae4581ccfcd0c2886653/wiredtiger/ext/page_log/palite/palite.cpp:1671:12
       [2025/10/15 13:04:57.627]     #6 0x7fc6d1187aba in __wt_page_log__pl_get_last_lsn /data/mci/69afa71c43b4ae4581ccfcd0c2886653/wiredtiger/cmake_build/lang/python/CMakeFiles/wiredtiger_python.dir/wiredtigerPYTHON_wrap.c:3518:17
       [2025/10/15 13:04:57.627]     #7 0x7fc6d1178521 in _wrap_PageLog_pl_get_last_lsn /data/mci/69afa71c43b4ae4581ccfcd0c2886653/wiredtiger/cmake_build/lang/python/CMakeFiles/wiredtiger_python.dir/wiredtigerPYTHON_wrap.c:12136:21
       [2025/10/15 13:04:57.627]     #8 0x7fc6d4459a57 in cfunction_call /data/mci/1b391b9780c023d7257c454d049e7285/toolchain-builder/tmp/build-python-v4.sh-7l8/build-Python-3.10.4/../src/Python-3.10.4/Objects/methodobject.c:552:18
       [2025/10/15 13:04:57.628] Address 0x7fc6d192cc60 is located in stack of thread T0 at offset 96 in frame
       [2025/10/15 13:04:57.628]     #0 0x7fc6d117825f in _wrap_PageLog_pl_get_last_lsn /data/mci/69afa71c43b4ae4581ccfcd0c2886653/wiredtiger/cmake_build/lang/python/CMakeFiles/wiredtiger_python.dir/wiredtigerPYTHON_wrap.c:12107
       [2025/10/15 13:04:57.628]   This frame has 4 object(s):
       [2025/10/15 13:04:57.628]     [32, 40) 'argp1' (line 12112)
       [2025/10/15 13:04:57.628]     [64, 72) 'argp2' (line 12114)
       [2025/10/15 13:04:57.628]     [96, 100) 'temp3' (line 12116) <== Memory access at offset 96 partially overflows this variable
       [2025/10/15 13:04:57.628]     [112, 128) 'swig_obj' (line 12118)
       [2025/10/15 13:04:57.628] HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
       [2025/10/15 13:04:57.628]       (longjmp and C++ exceptions *are* supported)
       [2025/10/15 13:04:57.628] SUMMARY: AddressSanitizer: stack-buffer-overflow /data/mci/69afa71c43b4ae4581ccfcd0c2886653/wiredtiger/ext/page_log/palite/palite.cpp:1588:14 in Palite::get_last_lsn(unsigned long*)
       [2025/10/15 13:04:57.628] Shadow bytes around the buggy address:
       [2025/10/15 13:04:57.629]   0x7fc6d192c980: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629]   0x7fc6d192ca00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629]   0x7fc6d192ca80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629]   0x7fc6d192cb00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629]   0x7fc6d192cb80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629] =>0x7fc6d192cc00: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2[04]f2 00 00
       [2025/10/15 13:04:57.629]   0x7fc6d192cc80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
       [2025/10/15 13:04:57.629]   0x7fc6d192cd00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629]   0x7fc6d192cd80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629]   0x7fc6d192ce00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629]   0x7fc6d192ce80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
       [2025/10/15 13:04:57.629] Shadow byte legend (one shadow byte represents 8 application bytes):
       [2025/10/15 13:04:57.629]   Addressable:           00
       [2025/10/15 13:04:57.629]   Partially addressable: 01 02 03 04 05 06 07
       [2025/10/15 13:04:57.629]   Heap left redzone:       fa
       [2025/10/15 13:04:57.629]   Freed heap region:       fd
       [2025/10/15 13:04:57.629]   Stack left redzone:      f1
       [2025/10/15 13:04:57.629]   Stack mid redzone:       f2
       [2025/10/15 13:04:57.629]   Stack right redzone:     f3
       [2025/10/15 13:04:57.629]   Stack after return:      f5
       [2025/10/15 13:04:57.629]   Stack use after scope:   f8
       [2025/10/15 13:04:57.629]   Global redzone:          f9
       [2025/10/15 13:04:57.629]   Global init order:       f6
       [2025/10/15 13:04:57.629]   Poisoned by user:        f7
       [2025/10/15 13:04:57.629]   Container overflow:      fc
       [2025/10/15 13:04:57.629]   Array cookie:            ac
       [2025/10/15 13:04:57.629]   Intra object redzone:    bb
       [2025/10/15 13:04:57.629]   ASan internal:           fe
       [2025/10/15 13:04:57.629]   Left alloca redzone:     ca
       [2025/10/15 13:04:57.629]   Right alloca redzone:    cb
       [2025/10/15 13:04:57.629] ==15896==ABORTING

      We should fix this asap as it will block the merge of WT-15513.
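The trace says an 8-byte write from Palite::get_last_lsn(unsigned long*) landed on the 4-byte wrapper local 'temp3' at [96, 100), so it "partially overflows" that variable by 4 bytes. The example below is added here and is not WiredTiger or SWIG code: it assumes the usual shape of such a report, a wrapper temporary narrower than the callee's out-parameter, shows the overrunning and the fixed wrapper side by side, and decodes the frame numbers from the report. get_last_lsn, the two wrap_ functions and overflow_bytes are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for Palite::get_last_lsn(unsigned long*): the callee
 * writes a full 8-byte LSN through its out-parameter (unsigned long is 8
 * bytes on the LP64 build in the trace), matching "WRITE of size 8". */
int get_last_lsn(uint64_t *lsn_out)
{
    *lsn_out = 0x0000000100000042ULL;  /* constructed sample LSN */
    return 0;
}

/* Shape of the defect (assumption: the wrapper's temporary is narrower than
 * the callee's out-parameter). An 8-byte write through a pointer to a 4-byte
 * local overruns it by 4 bytes, which ASan reports as a stack-buffer-overflow
 * that "partially overflows" the variable. Undefined behaviour: never call it;
 * it is kept only for contrast with the fixed wrapper below. */
int wrap_get_last_lsn_buggy(uint32_t *result)
{
    uint32_t temp3 = 0;                         /* 4 bytes, like [96, 100) */
    int rc = get_last_lsn((uint64_t *)&temp3);  /* 8-byte write into 4 bytes */
    *result = temp3;
    return rc;
}

/* Fixed wrapper: the temporary has exactly the callee's width, so the write
 * stays inside the object and no bits of the LSN are lost. */
int wrap_get_last_lsn_fixed(uint64_t *result)
{
    uint64_t temp3 = 0;                         /* 8 bytes, like the callee */
    int rc = get_last_lsn(&temp3);
    if (rc == 0)
        *result = temp3;
    return rc;
}

/* Reads the numbers straight off the ASan frame report: an access covering
 * [off, off + size) against an object occupying [lo, hi). Returns how many
 * bytes of the access land outside the object (0 means in bounds). */
size_t overflow_bytes(size_t lo, size_t hi, size_t off, size_t size)
{
    size_t end = off + size, over = 0;
    if (off < lo)
        over += lo - off;
    if (end > hi)
        over += end - hi;
    return over;
}
```

With the trace's own numbers, overflow_bytes(96, 100, 96, 8) returns 4, the bytes that spill into the mid redzone between 'temp3' and 'swig_obj'.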

            Assignee:
            Luke Pearson
            Reporter:
            Luke Pearson
