Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-2015

NULL pointer dereference in __block_destroy after allocation failure in __wt_block_open

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • WT2.7.0
    • Affects Version/s: None
    • Component/s: None
    • Labels:

      While simulating out-of-memory conditions in __wt_calloc, I triggered a NULL pointer dereference in __block_destroy. (Note: This build contains the fix for WT-1993.)

      Sequence of events:

      1. __wt_block_open calls __wt_strdup to set the block handle's name (line 203)
      2. __wt_strdup fails with ENOMEM and the err block is jumped to (line 266)
      3. __block_destroy then dereferences a NULL (conn)- >blocklh->slh_first pointer through a series of macro expansions

      Excerpted code:

      int
__wt_block_open(WT_SESSION_IMPL *session,
    const char *filename, const char *cfg[],
    int forced_salvage, int readonly, uint32_t allocsize, WT_BLOCK **blockp)
{
176    WT_BLOCK *block;

[...snip...]

198    /* Basic structure allocation, initialization. */
199    WT_ERR(__wt_calloc_one(session, &block));
200    block->ref = 1;
201    WT_CONN_BLOCK_INSERT(conn, block, bucket);
202
203    __wt_strdup(session, filename, &block->name);
204    block->name_hash = hash;
205    block->allocsize = allocsize;

[...snip...]

266 err:   if (block != NULL)
267        WT_TRET(__block_destroy(session, block));

      Backtrace:

      Program received signal SIGSEGV, Segmentation fault.
0x00000000036bb1cd in __block_destroy (session=0x7ffff1c92800, block=0x604e0000f080) at src/third_party/wiredtiger/src/block/block_open.c:133
133		WT_CONN_BLOCK_REMOVE(conn, block, bucket);

#0  0x00000000036bb1cd in __block_destroy (session=0x7ffff1c92800, block=0x604e0000f080) at src/third_party/wiredtiger/src/block/block_open.c:133
#1  0x00000000036bb97b in __wt_block_open (session=0x7ffff1c92800, filename=0x6006000b66b5 "WiredTiger.wt", cfg=0x6006000b6620, forced_salvage=0, readonly=0, allocsize=4096, blockp=0x60240001f010)
    at src/third_party/wiredtiger/src/block/block_open.c:267
#2  0x00000000036ba180 in __wt_block_manager_open (session=0x7ffff1c92800, filename=0x6006000b66b5 "WiredTiger.wt", cfg=0x6006000b6620, forced_salvage=0, readonly=0, allocsize=4096, bmp=0x602c0000c6f8)
    at src/third_party/wiredtiger/src/block/block_mgr.c:427
#3  0x00000000036f285d in __wt_btree_open (session=0x7ffff1c92800, op_cfg=0x0) at src/third_party/wiredtiger/src/btree/bt_handle.c:70
#4  0x000000000377b591 in __wt_conn_btree_open (session=0x7ffff1c92800, cfg=0x0, flags=8) at src/third_party/wiredtiger/src/conn/conn_dhandle.c:331
#5  0x00000000038c356e in __wt_session_get_btree (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", checkpoint=0x0, cfg=0x0, flags=8) at src/third_party/wiredtiger/src/session/session_dhandle.c:456
#6  0x00000000038c317c in __wt_session_get_btree (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", checkpoint=0x0, cfg=0x0, flags=8) at src/third_party/wiredtiger/src/session/session_dhandle.c:447
#7  0x0000000003890e67 in __create_file (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", exclusive=0, config=0x0) at src/third_party/wiredtiger/src/schema/schema_create.c:135
#8  0x0000000003894b50 in __wt_schema_create (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", config=0x0) at src/third_party/wiredtiger/src/schema/schema_create.c:647
#9  0x000000000383dcf6 in __metadata_init (session=0x7ffff1c92800) at src/third_party/wiredtiger/src/meta/meta_turtle.c:58
#10 0x000000000383e978 in __wt_turtle_init (session=0x7ffff1c92800) at src/third_party/wiredtiger/src/meta/meta_turtle.c:195
#11 0x0000000003772ce2 in wiredtiger_open (home=0x6008000219a8 "/data/db", event_handler=0x60220001f610, 
    config=0x60260000f518 "create,cache_size=4G,session_max=20000,eviction=(threads_max=4),statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait="..., 
    wt_connp=0x60220001f608) at src/third_party/wiredtiger/src/conn/conn_api.c:2023
#12 0x00000000024a4072 in mongo::WiredTigerKVEngine::WiredTigerKVEngine (this=0x60220001f600, path=..., extraOpenOptions=..., durable=true, repair=false) at src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp:142
#13 0x00000000024a26ea in mongo::(anonymous namespace)::WiredTigerFactory::create (this=0x600400007210, params=..., lockFile=...) at src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp:65
#14 0x000000000234e881 in mongo::ServiceContextMongoD::initializeGlobalStorageEngine (this=0x60240001f1c0) at src/mongo/db/service_context_d.cpp:146
#15 0x00000000019c9845 in mongo::_initAndListen (listenPort=27017) at src/mongo/db/db.cpp:414
#16 0x00000000019cae17 in mongo::initAndListen (listenPort=27017) at src/mongo/db/db.cpp:592
#17 0x00000000019cc5b0 in mongoDbMain (argc=1, argv=0x7fffffffde88, envp=0x7fffffffde98) at src/mongo/db/db.cpp:821
#18 0x00000000019cb1c1 in main (argc=1, argv=0x7fffffffde88, envp=0x7fffffffde98) at src/mongo/db/db.cpp:637

      Version: d4cd3998954c867ca7fdba02c875b9a40415e437 (3.1.7-pre)

            Assignee:
            keith.bostic@mongodb.com Keith Bostic (Inactive)
            Reporter:
            kamran.khan Kamran K.
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: