[WT-2015] NULL pointer dereference in __block_destroy after allocation failure in __wt_block_open - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: WT2.7.0
Component/s: None
Labels:
- 32qa

Description

While simulating out-of-memory conditions in __wt_calloc, I triggered a NULL pointer dereference in __block_destroy. (Note: This build contains the fix for ~~WT-1993~~.)

Sequence of events:

__wt_block_open calls __wt_strdup to set the block handle's name (line 203)
__wt_strdup fails with ENOMEM and the err block is jumped to (line 266)
__block_destroy then dereferences a NULL (conn)- >blocklh->slh_first pointer through a series of macro expansions

Excerpted code:

int

__wt_block_open(WT_SESSION_IMPL *session,

    const char *filename, const char *cfg[],

    int forced_salvage, int readonly, uint32_t allocsize, WT_BLOCK **blockp)

176    WT_BLOCK *block;

[...snip...]

198    /* Basic structure allocation, initialization. */

199    WT_ERR(__wt_calloc_one(session, &block));

200    block->ref = 1;

201    WT_CONN_BLOCK_INSERT(conn, block, bucket);

203    __wt_strdup(session, filename, &block->name);

204    block->name_hash = hash;

205    block->allocsize = allocsize;

[...snip...]

266 err:   if (block != NULL)

267        WT_TRET(__block_destroy(session, block));

Backtrace:

Program received signal SIGSEGV, Segmentation fault.

0x00000000036bb1cd in __block_destroy (session=0x7ffff1c92800, block=0x604e0000f080) at src/third_party/wiredtiger/src/block/block_open.c:133

133		WT_CONN_BLOCK_REMOVE(conn, block, bucket);

#0  0x00000000036bb1cd in __block_destroy (session=0x7ffff1c92800, block=0x604e0000f080) at src/third_party/wiredtiger/src/block/block_open.c:133

#1  0x00000000036bb97b in __wt_block_open (session=0x7ffff1c92800, filename=0x6006000b66b5 "WiredTiger.wt", cfg=0x6006000b6620, forced_salvage=0, readonly=0, allocsize=4096, blockp=0x60240001f010)

    at src/third_party/wiredtiger/src/block/block_open.c:267

#2  0x00000000036ba180 in __wt_block_manager_open (session=0x7ffff1c92800, filename=0x6006000b66b5 "WiredTiger.wt", cfg=0x6006000b6620, forced_salvage=0, readonly=0, allocsize=4096, bmp=0x602c0000c6f8)

    at src/third_party/wiredtiger/src/block/block_mgr.c:427

#3  0x00000000036f285d in __wt_btree_open (session=0x7ffff1c92800, op_cfg=0x0) at src/third_party/wiredtiger/src/btree/bt_handle.c:70

#4  0x000000000377b591 in __wt_conn_btree_open (session=0x7ffff1c92800, cfg=0x0, flags=8) at src/third_party/wiredtiger/src/conn/conn_dhandle.c:331

#5  0x00000000038c356e in __wt_session_get_btree (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", checkpoint=0x0, cfg=0x0, flags=8) at src/third_party/wiredtiger/src/session/session_dhandle.c:456

#6  0x00000000038c317c in __wt_session_get_btree (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", checkpoint=0x0, cfg=0x0, flags=8) at src/third_party/wiredtiger/src/session/session_dhandle.c:447

#7  0x0000000003890e67 in __create_file (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", exclusive=0, config=0x0) at src/third_party/wiredtiger/src/schema/schema_create.c:135

#8  0x0000000003894b50 in __wt_schema_create (session=0x7ffff1c92800, uri=0x44efc20 "file:WiredTiger.wt", config=0x0) at src/third_party/wiredtiger/src/schema/schema_create.c:647

#9  0x000000000383dcf6 in __metadata_init (session=0x7ffff1c92800) at src/third_party/wiredtiger/src/meta/meta_turtle.c:58

#10 0x000000000383e978 in __wt_turtle_init (session=0x7ffff1c92800) at src/third_party/wiredtiger/src/meta/meta_turtle.c:195

#11 0x0000000003772ce2 in wiredtiger_open (home=0x6008000219a8 "/data/db", event_handler=0x60220001f610,

    config=0x60260000f518 "create,cache_size=4G,session_max=20000,eviction=(threads_max=4),statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait="...,

    wt_connp=0x60220001f608) at src/third_party/wiredtiger/src/conn/conn_api.c:2023

#12 0x00000000024a4072 in mongo::WiredTigerKVEngine::WiredTigerKVEngine (this=0x60220001f600, path=..., extraOpenOptions=..., durable=true, repair=false) at src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp:142

#13 0x00000000024a26ea in mongo::(anonymous namespace)::WiredTigerFactory::create (this=0x600400007210, params=..., lockFile=...) at src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp:65

#14 0x000000000234e881 in mongo::ServiceContextMongoD::initializeGlobalStorageEngine (this=0x60240001f1c0) at src/mongo/db/service_context_d.cpp:146

#15 0x00000000019c9845 in mongo::_initAndListen (listenPort=27017) at src/mongo/db/db.cpp:414

#16 0x00000000019cae17 in mongo::initAndListen (listenPort=27017) at src/mongo/db/db.cpp:592

#17 0x00000000019cc5b0 in mongoDbMain (argc=1, argv=0x7fffffffde88, envp=0x7fffffffde98) at src/mongo/db/db.cpp:821

#18 0x00000000019cb1c1 in main (argc=1, argv=0x7fffffffde88, envp=0x7fffffffde98) at src/mongo/db/db.cpp:637

Version: d4cd3998954c867ca7fdba02c875b9a40415e437 (3.1.7-pre)

Attachments

Issue Links

is depended on by

SERVER-19532 WiredTiger changes for MongoDB 3.1.7

Closed

SERVER-19744 WiredTiger changes for MongoDB 3.0.6

Closed

links to

https://github.com/wiredtiger/wiredtiger/pull/2085

Activity

People

Assignee:: Keith Bostic (Inactive)

Reporter:: Kamran K.

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Jul 22 2015 01:29:37 AM UTC

Updated:: Oct 12 2017 11:19:24 PM UTC

Resolved:: Jul 29 2015 05:50:30 PM UTC