Loading...

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: WT2.7.0
Affects Version/s: None
Component/s: None
Labels:
- 32qa

While simulating out-of-memory conditions in __wt_calloc, I triggered a NULL pointer crash in __metadata_turtle.

Sequence of events:

A create operation is triggered
__wt_metadata_insert calls __wt_meta_track_insert to keep track of the new metadata entry
__wt_meta_track_insert creates a WT_META_TRACK struct with these values:
trk->op = WT_ST_REMOVE
trk->a = NULL (because of a failed __wt_strdup call)
The create operation has failed, so __wt_meta_track_off attempts to unroll the metadata operation
__wt_metadata_remove passes the NULL key to __metadata_turtle, leading to a crash

Crash backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000002edf0ab in __metadata_turtle (key=0x0) at src/third_party/wiredtiger/src/meta/meta_table.c:18
18		switch (key[0]) {
(gdb) p key
$1 = 0x0

(gdb) bt
#0  0x0000000002edf0ab in __metadata_turtle (key=0x0) at src/third_party/wiredtiger/src/meta/meta_table.c:18
#1  0x0000000002edfc40 in __wt_metadata_remove (session=0x7ffff1c35c00, key=0x0) at src/third_party/wiredtiger/src/meta/meta_table.c:160
#2  0x0000000002ee0fc0 in __meta_track_apply (session=0x7ffff1c35c00, trk=0x603e0000a1c0, unroll=1) at src/third_party/wiredtiger/src/meta/meta_track.c:169
#3  0x0000000002ee1657 in __wt_meta_track_off (session=0x7ffff1c35c00, need_sync=1, unroll=1) at src/third_party/wiredtiger/src/meta/meta_track.c:257
#4  0x0000000002f37695 in __wt_schema_create (session=0x7ffff1c35c00, uri=0x600800098668 "table:sizeStorer", config=0x7ffff4a3e3f8 <std::string::_Rep::_S_empty_rep_storage+24> "")
    at src/third_party/wiredtiger/src/schema/schema_create.c:646
#5  0x0000000002f57740 in __session_create (wt_session=0x7ffff1c35c00, uri=0x600800098668 "table:sizeStorer", config=0x7ffff4a3e3f8 <std::string::_Rep::_S_empty_rep_storage+24> "")
    at src/third_party/wiredtiger/src/session/session_api.c:441
#6  0x000000000207300d in mongo::WiredTigerSizeStorer::WiredTigerSizeStorer (this=0x60200000e540, conn=0x60840000a200, storageUri=...) at src/mongo/db/storage/wiredtiger/wiredtiger_size_storer.cpp:64
#7  0x0000000002053191 in mongo::WiredTigerKVEngine::WiredTigerKVEngine (this=0x60220001f4e0, path=..., extraOpenOptions=..., durable=true, repair=false)
    at src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp:140
#8  0x00000000020518a4 in mongo::(anonymous namespace)::WiredTigerFactory::create (this=0x600400006d10, params=..., lockFile=...) at src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp:65
#9  0x0000000001f01daf in mongo::ServiceContextMongoD::initializeGlobalStorageEngine (this=0x60240001f300) at src/mongo/db/service_context_d.cpp:144
#10 0x00000000015ae562 in mongo::_initAndListen (listenPort=27017) at src/mongo/db/db.cpp:416
#11 0x00000000015afb34 in mongo::initAndListen (listenPort=27017) at src/mongo/db/db.cpp:594
#12 0x00000000015b1305 in mongoDbMain (argc=1, argv=0x7fffffffdc98, envp=0x7fffffffdca8) at src/mongo/db/db.cpp:823
#13 0x00000000015afede in main (argc=1, argv=0x7fffffffdc98, envp=0x7fffffffdca8) at src/mongo/db/db.cpp:639

And here's where key gets allocated:

#0  __wt_meta_track_insert (session=0x7ffff1c35c00, key=0x600800098668 "table:sizeStorer") at src/third_party/wiredtiger/src/meta/meta_track.c:354
#1  0x0000000002edf7ff in __wt_metadata_insert (session=0x7ffff1c35c00, key=0x600800098668 "table:sizeStorer", value=0x600e0001b140 "app_metadata=,colgroups=,collator=,columns=,key_format=u,value_format=u")
    at src/third_party/wiredtiger/src/meta/meta_table.c:113
#2  0x0000000002f369b1 in __create_table (session=0x7ffff1c35c00, name=0x600800098668 "table:sizeStorer", exclusive=0, config=0x7ffff4a3e3f8 <std::string::_Rep::_S_empty_rep_storage+24> "")
    at src/third_party/wiredtiger/src/schema/schema_create.c:538
#3  0x0000000002f37579 in __wt_schema_create (session=0x7ffff1c35c00, uri=0x600800098668 "table:sizeStorer", config=0x7ffff4a3e3f8 <std::string::_Rep::_S_empty_rep_storage+24> "")
    at src/third_party/wiredtiger/src/schema/schema_create.c:637
#4  0x0000000002f57740 in __session_create (wt_session=0x7ffff1c35c00, uri=0x600800098668 "table:sizeStorer", config=0x7ffff4a3e3f8 <std::string::_Rep::_S_empty_rep_storage+24> "")
    at src/third_party/wiredtiger/src/session/session_api.c:441
#5  0x000000000207300d in mongo::WiredTigerSizeStorer::WiredTigerSizeStorer (this=0x60200000e540, conn=0x60840000a200, storageUri=...) at src/mongo/db/storage/wiredtiger/wiredtiger_size_storer.cpp:64
#6  0x0000000002053191 in mongo::WiredTigerKVEngine::WiredTigerKVEngine (this=0x60220001f4e0, path=..., extraOpenOptions=..., durable=true, repair=false)
    at src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp:140
#7  0x00000000020518a4 in mongo::(anonymous namespace)::WiredTigerFactory::create (this=0x600400006d10, params=..., lockFile=...) at src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp:65
#8  0x0000000001f01daf in mongo::ServiceContextMongoD::initializeGlobalStorageEngine (this=0x60240001f300) at src/mongo/db/service_context_d.cpp:144
#9  0x00000000015ae562 in mongo::_initAndListen (listenPort=27017) at src/mongo/db/db.cpp:416
#10 0x00000000015afb34 in mongo::initAndListen (listenPort=27017) at src/mongo/db/db.cpp:594
#11 0x00000000015b1305 in mongoDbMain (argc=1, argv=0x7fffffffdc98, envp=0x7fffffffdca8) at src/mongo/db/db.cpp:823
#12 0x00000000015afede in main (argc=1, argv=0x7fffffffdc98, envp=0x7fffffffdca8) at src/mongo/db/db.cpp:639

Version: 6c49d69bbae5d8807fc205dbca12eecf1a60258b

is depended on by

SERVER-19282 WiredTiger changes in MongoDB 3.1.6

Closed

links to

https://github.com/wiredtiger/wiredtiger/pull/2042

Details

Description

Attachments

Issue Links

Activity

People

Dates