Segfault in cur_stat.c after allocation failure

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • WT2.7.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Sharding 9 (09/18/15)
    • None

      While simulating out-of-memory conditions in __wt_calloc, I triggered a segmentation fault in cur_stat.c.

      After a calloc() failure for a statistics cursor in __wt_curstat_open, the function jumps to an error block that calls __curstat_free_config, which attempts to access a field within the NULL cursor.

      Backtrace:

       =================================================================
 ==118999== ERROR: AddressSanitizer: SEGV on unknown address 0x0000000005e8 (pc 0x000003a3c0ca sp 0x7f12f97c22d0 bp 0x7f12f97c22f0 T71)
 AddressSanitizer can not provide additional info.
     #0 0x3a3c0c9 in __curstat_free_config /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:48
     #1 0x3a41641 in __wt_curstat_open /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:603
     #2 0x3b31689 in __wt_open_cursor /home/ubuntu/mongo/src/third_party/wiredtiger/src/session/session_api.c:296
     #3 0x3b32301 in __session_open_cursor /home/ubuntu/mongo/src/third_party/wiredtiger/src/session/session_api.c:359
     #4 0x26e1124 in mongo::WiredTigerUtil::getStatisticsValue(__wt_session*, std::string const&, std::string const&, int) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.cpp:267
     #5 0x26c9fa2 in mongo::StatusWith<long> mongo::WiredTigerUtil::getStatisticsValueAs<long>(__wt_session*, std::string const&, std::string const&, int, long) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.h:277
     #6 0x26c8e54 in mongo::StatusWith<long> mongo::WiredTigerUtil::getStatisticsValueAs<long>(__wt_session*, std::string const&, std::string const&, int) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.h:267
     #7 0x26be9dd in mongo::WiredTigerRecordStore::storageSize(mongo::OperationContext*, mongo::BSONObjBuilder*, int) const /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_record_store.cpp:552
     #8 0x25ae375 in mongo::KVDatabaseCatalogEntry::sizeOnDisk(mongo::OperationContext*) const /home/ubuntu/mongo/src/mongo/db/storage/kv/kv_database_catalog_entry.cpp:143
     #9 0x1de9942 in mongo::CmdListDatabases::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/ubuntu/mongo/src/mongo/db/commands/list_databases.cpp:107
     #10 0x1e9a963 in mongo::Command::run(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1353
     #11 0x1e99911 in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1266
     #12 0x1da2957 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/commands.cpp:495
     #13 0x207ad98 in mongo::(anonymous namespace)::receivedRpc(mongo::OperationContext*, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/ubuntu/mongo/src/mongo/db/instance.cpp:290     #14 0x207c3be in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/ubuntu/mongo/src/mongo/db/instance.cpp:508
     #15 0x1b468ea in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/ubuntu/mongo/src/mongo/db/db.cpp:166
     #16 0x29f6d15 in mongo::PortMessageServer::handleIncomingMsg(void*) /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:229
     #17 0x7f1329a81b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x18b97)
     #18 0x7f1328c27181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
     #19 0x7f132895447c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
 SUMMARY: AddressSanitizer: SEGV /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:48 __curstat_free_config
 Thread T71 created by T0 here:
     #0 0x7f1329a73b5b in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xab5b)
     #1 0x29f6405 in mongo::PortMessageServer::accepted(std::shared_ptr<mongo::Socket>, long long) /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:148
     #2 0x29ec7c4 in mongo::Listener::initAndListen() /home/ubuntu/mongo/src/mongo/util/net/listen.cpp:351
     #3 0x29f6725 in mongo::PortMessageServer::run() /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:176
     #4 0x1b3e368 in mongo::_initAndListen(int) /home/ubuntu/mongo/src/mongo/db/db.cpp:595
     #5 0x1b3e789 in mongo::initAndListen(int) /home/ubuntu/mongo/src/mongo/db/db.cpp:600
     #6 0x1b40139 in mongoDbMain(int, char**, char**) /home/ubuntu/mongo/src/mongo/db/db.cpp:840
     #7 0x1b3eb33 in main /home/ubuntu/mongo/src/mongo/db/db.cpp:645
     #8 0x7f132887bec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
 ==118999== ABORTING

              Assignee:
              Esha Maharishi (Inactive)
              Reporter:
              Esha Maharishi (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: