Fix UAF: hold child hazard pointer through internal-page value image copy

    • Storage Engines - Transactions
    • 734.34
    • SE Transactions - 2026-06-05
    • 3

      Summary

      In __wti_rec_row_int (and the column-store equivalent __wti_rec_col_int), WTI_CHILD_RELEASE_ERR is called before __wti_rec_image_copy(val). When the reconciled child has an off-page WT_ADDR, val->buf.data is not a copy: it is a direct pointer into the child's WT_ADDR block_cookie allocation, and the hazard pointer on the child is the only thing keeping that allocation alive. Releasing the hazard pointer before the copy allows a concurrent __wt_split_rewrite to call __wt_ref_addr_free, which frees the WT_ADDR and its block_cookie allocation. The subsequent image_copy then reads freed memory.
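
      The ordering rule behind the bug, as an added model that is not WiredTiger code: a reconciling reader holds a hazard pointer on a ref, builds a value item whose data pointer borrows from the ref's off-page address, and a concurrent reclaimer may retire that address only while no hazard pointer covers the ref. The names below (ref_t, addr_t, hazard_acquire, hazard_release, ref_addr_free, rec_image_copy, reconcile_child, image_is_valid) are hypothetical stand-ins for the WT_REF/WT_ADDR structures, the hazard-pointer API, __wt_ref_addr_free and __wti_rec_image_copy. The interleaving is simulated in one thread at the single point where the split can run, and the reclaimer poisons the cookie and records the free instead of calling free(), so the stale read is observable without undefined behaviour (in the real code this is the read ASAN's quarantine reports).

```c
/*
 * Constructed model of the hazard-pointer ordering bug, not WiredTiger code.
 * Every name is a hypothetical stand-in for the real WT_REF/WT_ADDR
 * structures, hazard-pointer calls, __wt_ref_addr_free and __wti_rec_image_copy.
 * Build: cc -std=c11 -Wall hazard_order.c
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_LEN 8

/* Off-page child address (WT_ADDR): owns a separately allocated block cookie. */
typedef struct {
    uint8_t *cookie;
    size_t cookie_len;
    bool freed; /* models ASAN's quarantine: set on free instead of releasing memory */
} addr_t;

/* Child reference (WT_REF). */
typedef struct {
    addr_t *addr;
} ref_t;

/* Single hazard-pointer slot: one reconciling reader, one splitting reclaimer. */
static ref_t *hazard_slot;

static void hazard_acquire(ref_t *ref) { hazard_slot = ref; }
static void hazard_release(ref_t *ref) { assert(hazard_slot == ref); hazard_slot = NULL; }
static bool hazard_covers(const ref_t *ref) { return hazard_slot == ref; }

/*
 * Reclaimer side (the split's __wt_ref_addr_free): may retire the address
 * only when no hazard pointer covers the ref. Returns true if it retired
 * the address, false if it had to back off.
 */
static bool ref_addr_free(ref_t *ref)
{
    if (hazard_covers(ref))
        return false;
    memset(ref->addr->cookie, 0xdd, ref->addr->cookie_len); /* poison, as ASAN would */
    ref->addr->freed = true;
    return true;
}

/* Value item built by the reconciler: data borrows from addr->cookie (val->buf.data). */
typedef struct {
    const uint8_t *data;
    size_t size;
} item_t;

/* Reconciliation state: the page image under construction. */
typedef struct {
    uint8_t image[COOKIE_LEN];
    bool read_freed_memory;
} rec_t;

/* The image copy: reads through the borrowed pointer, recording whether it was stale. */
static void rec_image_copy(rec_t *r, const item_t *val, const addr_t *owner)
{
    r->read_freed_memory = owner->freed;
    memcpy(r->image, val->data, val->size);
}

/*
 * Reconcile one child. release_early == true is the buggy order from the
 * ticket (hazard released before the copy); false is the fixed order.
 * The concurrent split is run at the one point where it can interleave.
 */
static bool reconcile_child(ref_t *ref, bool release_early, rec_t *r)
{
    item_t val;

    hazard_acquire(ref);
    val.data = ref->addr->cookie;      /* direct pointer into the WT_ADDR */
    val.size = ref->addr->cookie_len;
    if (release_early)
        hazard_release(ref);           /* bug: val still borrows from ref->addr */

    bool split_retired_addr = ref_addr_free(ref); /* concurrent __wt_split_rewrite */

    rec_image_copy(r, &val, ref->addr); /* last read through val->buf.data */
    if (!release_early)
        hazard_release(ref);           /* fix: release only after the copy */
    return split_retired_addr;
}

static ref_t *make_ref(void)
{
    addr_t *addr = calloc(1, sizeof *addr);
    ref_t *ref = calloc(1, sizeof *ref);
    addr->cookie = malloc(COOKIE_LEN);
    memcpy(addr->cookie, "BLKADDR1", COOKIE_LEN); /* constructed sample cookie, 8 bytes */
    addr->cookie_len = COOKIE_LEN;
    ref->addr = addr;
    return ref;
}

static void free_ref(ref_t *ref)
{
    free(ref->addr->cookie);
    free(ref->addr);
    free(ref);
}

/* True when the copied image is the live cookie; false when it read retired memory. */
bool image_is_valid(bool release_early)
{
    ref_t *ref = make_ref();
    rec_t r = {0};
    reconcile_child(ref, release_early, &r);
    bool ok = !r.read_freed_memory && memcmp(r.image, "BLKADDR1", COOKIE_LEN) == 0;
    free_ref(ref);
    return ok;
}

int main(void)
{
    /* Buggy order copies poisoned bytes; fixed order forces the split to back off. */
    return (!image_is_valid(true) && image_is_valid(false)) ? 0 : 1;
}
```

      The general rule the model encodes: any pointer derived from a hazard-protected object, including a pointer stored in a caller-visible item, is valid only until the hazard pointer is released, so the release must sit after the last dereference, not after the last use of the ref itself.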

      Impact

      Latent use-after-free (surfaces as an ASAN report), reproducible under concurrent split workloads. Affects develop generally.

      Files

      • src/reconcile/rec_row.c
      • src/reconcile/rec_col.c

      Fix

      Move WTI_CHILD_RELEASE_ERR after both __wti_rec_image_copy calls, so the hazard pointer is held until the last read through val->buf.data:

      // src/reconcile/rec_row.c (same pattern in rec_col.c)
       F_CLR(ref, WT_REF_FLAG_REC_MULTIPLE);
      -WTI_CHILD_RELEASE_ERR(session, cms.hazard, ref);
       __wti_rec_image_copy(session, r, key);
       __wti_rec_image_copy(session, r, val);   /* val->buf.data safe until here */
      +WTI_CHILD_RELEASE_ERR(session, cms.hazard, ref);
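      Review bot: the `/* val->buf.data safe until here */` annotation on the val copy line is shown as unchanged context but documents the ordering constraint this hunk introduces; make it a real comment above the moved WTI_CHILD_RELEASE_ERR (e.g. "val->buf.data may point into the child's WT_ADDR; hold the hazard pointer until the image copy is done") in both rec_row.c and the rec_col.c hunk that is not shown here, so a later refactor does not move the release back above the copies.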
      

      Notes

      Discovered during development on the WT-16973 clean-scrub eviction branch (PR #13605). The fix is independent of that feature and should be applied directly to develop.

            Assignee:
            Haribabu Kommi
            Reporter:
            Alexander Gorrod
            Votes:
            0
            Watchers:
            2