Fix heap-use-after-free in test_backup26


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: WT12.0.0
    • Affects Version/s: None
    • Component/s: Checkpoints

      Running -s 7 test_backup26.test_backup26.test_backup26 with ASAN results in the following heap-use-after-free error:

      [pid:194659]: None ... [pid:194659]: test_backup26.test_backup26.test_backup26 -s 7 (ten_percent.target_list): starting
      =================================================================
      ==194659==ERROR: AddressSanitizer: heap-use-after-free on address 0x51b0008e14bc at pc 0x793937972956 bp 0x7ffc9a6e3550 sp 0x7ffc9a6e3548
      READ of size 1 at 0x51b0008e14bc thread T0
          #0 0x793937972955 in __wt_txn_commit /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/txn/txn.c:1596:26
          #1 0x7939371d2fda in __checkpoint_db_internal /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:1729:16
          #2 0x7939371c7512 in __checkpoint_db_wrapper /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:2001:11
          #3 0x7939371c6791 in __wt_checkpoint_db /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:2080:9
          #4 0x793937809cb4 in __session_checkpoint /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/session/session_api.c:2443:11
          #5 0x79393989e07a in _wrap_Session_checkpoint /home/peter.macko/Projects/feature-parallel-checkpoint-2/build-asan/lang/python/CMakeFiles/wiredtiger_python.dir/wiredtigerPYTHON_wrap.c:7772:21
          #6 0x79393bf3cf07 in cfunction_call /data/mci/5f2892723a4181132b0cf82c439e609c/toolchain-builder/tmp/build-python-v4.sh-NiT/build-Python-3.10.4/../src/Python-3.10.4/Objects/methodobject.c:552:18
      
      0x51b0008e14bc is located 60 bytes inside of 1514-byte region [0x51b0008e1480,0x51b0008e1a6a)
      freed by thread T8 here:
          #0 0x79393c305656 in free /data/mci/2fb7e319f52a55913d99ff99d311c455/toolchain-builder/tmp/build-llvm-v5.sh-HPN/llvm-project-llvmorg/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
          #1 0x7939375f9066 in __wt_free_int /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/os_common/os_alloc.c:274:5
          #2 0x793936f7d879 in __wt_free_update_list /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_discard.c:537:9
          #3 0x793936f7f9be in __free_update /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_discard.c:519:13
          #4 0x793936f7bc91 in __free_page_modify /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_discard.c:243:13
          #5 0x793936f79190 in __wt_page_out /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_discard.c:137:9
          #6 0x79393709e175 in __split_multi /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_split.c:2336:5
          #7 0x793937070141 in __split_multi_lock /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_split.c:2369:16
          #8 0x79393706fc4b in __wt_split_multi /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_split.c:2396:5
          #9 0x7939374f03be in __evict_page_dirty_update /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/evict/evict_page.c:661:13
          #10 0x7939374ea889 in __wt_evict /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/evict/evict_page.c:469:9
          #11 0x7939374c289e in __evict_page /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/evict/evict_lru.c:3093:5
          #12 0x7939374c7cf3 in __evict_lru_pages /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/evict/evict_lru.c:1418:20
          #13 0x7939374bacd3 in __evict_thread_run /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/evict/evict_lru.c:355:9
          #14 0x79393794ddcc in __thread_run /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/support/thread_group.c:32:9
          #15 0x79393c3032c6 in asan_thread_start(void*) /data/mci/2fb7e319f52a55913d99ff99d311c455/toolchain-builder/tmp/build-llvm-v5.sh-HPN/llvm-project-llvmorg/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
      
      previously allocated by thread T0 here:
          #0 0x79393c305ab9 in calloc /data/mci/2fb7e319f52a55913d99ff99d311c455/toolchain-builder/tmp/build-llvm-v5.sh-HPN/llvm-project-llvmorg/compiler-rt/lib/asan/asan_malloc_linux.cpp:75:3
          #1 0x7939375f6b94 in __wt_calloc /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/os_common/os_alloc.c:68:14
          #2 0x79393716a19b in __wt_upd_alloc /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/include/txn_inline.h:1436:5
          #3 0x7939371669a0 in __wt_row_modify /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/row_modify.c:142:13
          #4 0x793936f0db03 in __cursor_modify /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_cursor.c:541:13
          #5 0x793936f0ce96 in __wt_btcur_insert /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/btree/bt_cursor.c:1104:9
          #6 0x793937356412 in __curfile_insert /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/cursor/cur_file.c:389:5
          #7 0x7939375d5015 in __wt_metadata_update /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/meta/meta_table.c:250:5
          #8 0x7939375c10a9 in __ckpt_set /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/meta/meta_ckpt.c:332:9
          #9 0x7939375ca2f2 in __wt_meta_ckptlist_set /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/meta/meta_ckpt.c:1392:5
          #10 0x7939371ca46a in __checkpoint_tree /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:2865:5
          #11 0x7939371dc9f6 in __checkpoint_tree_helper /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:2996:11
          #12 0x7939371dc54c in __checkpoint_apply_to_dhandles /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:339:9
          #13 0x7939371cfd42 in __checkpoint_db_internal /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:1589:5
          #14 0x7939371c7512 in __checkpoint_db_wrapper /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:2001:11
          #15 0x7939371c6791 in __wt_checkpoint_db /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/checkpoint/checkpoint_txn.c:2080:9
          #16 0x793937809cb4 in __session_checkpoint /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/session/session_api.c:2443:11
          #17 0x79393989e07a in _wrap_Session_checkpoint /home/peter.macko/Projects/feature-parallel-checkpoint-2/build-asan/lang/python/CMakeFiles/wiredtiger_python.dir/wiredtigerPYTHON_wrap.c:7772:21
          #18 0x79393bf3cf07 in cfunction_call /data/mci/5f2892723a4181132b0cf82c439e609c/toolchain-builder/tmp/build-python-v4.sh-NiT/build-Python-3.10.4/../src/Python-3.10.4/Objects/methodobject.c:552:18
      
      Thread T8 created by T0 here:
          #0 0x79393c2eaf71 in pthread_create /data/mci/2fb7e319f52a55913d99ff99d311c455/toolchain-builder/tmp/build-llvm-v5.sh-HPN/llvm-project-llvmorg/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
          #1 0x79393761eafc in __wt_thread_create /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/os_posix/os_thread.c:71:5
          #2 0x79393794a45e in __thread_group_resize /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/support/thread_group.c:206:9
          #3 0x79393794aff2 in __wt_thread_group_create /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/support/thread_group.c:290:5
          #4 0x7939374ba3d6 in __wt_evict_threads_create /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/evict/evict_lru.c:600:5
          #5 0x7939372ba8c6 in __wti_connection_workers /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/conn/conn_open.c:314:5
          #6 0x79393721d2f8 in wiredtiger_open /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/conn/conn_api.c:3549:5
          #7 0x7939398a6410 in _wrap_wiredtiger_open /home/peter.macko/Projects/feature-parallel-checkpoint-2/build-asan/lang/python/CMakeFiles/wiredtiger_python.dir/wiredtigerPYTHON_wrap.c:9663:21
          #8 0x79393bf3cf07 in cfunction_call /data/mci/5f2892723a4181132b0cf82c439e609c/toolchain-builder/tmp/build-python-v4.sh-NiT/build-Python-3.10.4/../src/Python-3.10.4/Objects/methodobject.c:552:18
      
      SUMMARY: AddressSanitizer: heap-use-after-free /home/peter.macko/Projects/feature-parallel-checkpoint-2/src/txn/txn.c:1596:26 in __wt_txn_commit
      Shadow bytes around the buggy address:
        0x51b0008e1200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x51b0008e1280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x51b0008e1300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
        0x51b0008e1380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x51b0008e1400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x51b0008e1480: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
        0x51b0008e1500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x51b0008e1580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x51b0008e1600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x51b0008e1680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x51b0008e1700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==194659==ABORTING
      

            Assignee:
            Peter Macko
            Reporter:
            Peter Macko