[WT-2078] Segfault in cur_stat.c after allocation failure - MongoDB

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: WT2.7.0
Component/s: None
Labels:
None

Sprint:
Sharding 9 (09/18/15)

Description

While simulating out-of-memory conditions in __wt_calloc, I triggered a segmentation fault in cur_stat.c.

After a calloc() failure for a statistics cursor in __wt_curstat_open, the function jumps to an error block that calls __curstat_free_config, which attempts to access a field within the NULL cursor.

Backtrace:

 =================================================================

 ==118999== ERROR: AddressSanitizer: SEGV on unknown address 0x0000000005e8 (pc 0x000003a3c0ca sp 0x7f12f97c22d0 bp 0x7f12f97c22f0 T71)

 AddressSanitizer can not provide additional info.

     #0 0x3a3c0c9 in __curstat_free_config /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:48

     #1 0x3a41641 in __wt_curstat_open /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:603

     #2 0x3b31689 in __wt_open_cursor /home/ubuntu/mongo/src/third_party/wiredtiger/src/session/session_api.c:296

     #3 0x3b32301 in __session_open_cursor /home/ubuntu/mongo/src/third_party/wiredtiger/src/session/session_api.c:359

     #4 0x26e1124 in mongo::WiredTigerUtil::getStatisticsValue(__wt_session*, std::string const&, std::string const&, int) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.cpp:267

     #5 0x26c9fa2 in mongo::StatusWith<long> mongo::WiredTigerUtil::getStatisticsValueAs<long>(__wt_session*, std::string const&, std::string const&, int, long) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.h:277

     #6 0x26c8e54 in mongo::StatusWith<long> mongo::WiredTigerUtil::getStatisticsValueAs<long>(__wt_session*, std::string const&, std::string const&, int) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.h:267

     #7 0x26be9dd in mongo::WiredTigerRecordStore::storageSize(mongo::OperationContext*, mongo::BSONObjBuilder*, int) const /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_record_store.cpp:552

     #8 0x25ae375 in mongo::KVDatabaseCatalogEntry::sizeOnDisk(mongo::OperationContext*) const /home/ubuntu/mongo/src/mongo/db/storage/kv/kv_database_catalog_entry.cpp:143

     #9 0x1de9942 in mongo::CmdListDatabases::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/ubuntu/mongo/src/mongo/db/commands/list_databases.cpp:107

     #10 0x1e9a963 in mongo::Command::run(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1353

     #11 0x1e99911 in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1266

     #12 0x1da2957 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/commands.cpp:495

     #13 0x207ad98 in mongo::(anonymous namespace)::receivedRpc(mongo::OperationContext*, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/ubuntu/mongo/src/mongo/db/instance.cpp:290     #14 0x207c3be in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/ubuntu/mongo/src/mongo/db/instance.cpp:508

     #15 0x1b468ea in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/ubuntu/mongo/src/mongo/db/db.cpp:166

     #16 0x29f6d15 in mongo::PortMessageServer::handleIncomingMsg(void*) /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:229

     #17 0x7f1329a81b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x18b97)

     #18 0x7f1328c27181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312

     #19 0x7f132895447c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

 SUMMARY: AddressSanitizer: SEGV /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:48 __curstat_free_config

 Thread T71 created by T0 here:

     #0 0x7f1329a73b5b in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xab5b)

     #1 0x29f6405 in mongo::PortMessageServer::accepted(std::shared_ptr<mongo::Socket>, long long) /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:148

     #2 0x29ec7c4 in mongo::Listener::initAndListen() /home/ubuntu/mongo/src/mongo/util/net/listen.cpp:351

     #3 0x29f6725 in mongo::PortMessageServer::run() /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:176

     #4 0x1b3e368 in mongo::_initAndListen(int) /home/ubuntu/mongo/src/mongo/db/db.cpp:595

     #5 0x1b3e789 in mongo::initAndListen(int) /home/ubuntu/mongo/src/mongo/db/db.cpp:600

     #6 0x1b40139 in mongoDbMain(int, char**, char**) /home/ubuntu/mongo/src/mongo/db/db.cpp:840

     #7 0x1b3eb33 in main /home/ubuntu/mongo/src/mongo/db/db.cpp:645

     #8 0x7f132887bec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

 ==118999== ABORTING

Attachments

Issue Links

is depended on by

SERVER-20060 WiredTiger changes for MongoDB 3.1.8

Closed

links to

pull request

Activity

People

Assignee:: Esha Maharishi

Reporter:: Esha Maharishi

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: Sep 01 2015 07:07:46 PM UTC

Updated:: Oct 12 2017 11:14:17 PM UTC

Resolved:: Sep 10 2015 01:00:48 AM UTC