-
Type:
Bug
-
Resolution: Done
-
Priority:
Major - P3
-
Affects Version/s: None
-
Component/s: None
-
Labels:None
Clang reports:
60: file, row-store (611 seconds)
=================================================================
==23631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00001fe60 at pc 0x0000006dfe4e bp 0x7f2c67f97d50 sp
0x7f2c67f97d48
READ of size 1 at 0x60c00001fe60 thread T3147
#0 0x6dfe4d in __split_parent /home/ec2-user/work/wiredtiger/src/btree/bt_split.c:880:2
#1 0x6d7d17 in __split_insert /home/ec2-user/work/wiredtiger/src/btree/bt_split.c:1930:13
#2 0x6d7d17 in __wt_split_insert /home/ec2-user/work/wiredtiger/src/btree/bt_split.c:2003
#3 0x546b2d in __evict_review /home/ec2-user/work/wiredtiger/src/evict/evict_page.c:436:12
#4 0x546b2d in __wt_evict /home/ec2-user/work/wiredtiger/src/evict/evict_page.c:81
#5 0x542d60 in __evict_page /home/ec2-user/work/wiredtiger/src/evict/evict_lru.c:1488:2
#6 0x5419ad in __wt_cache_eviction_worker /home/ec2-user/work/wiredtiger/src/evict/evict_lru.c:1567:17
#7 0x7c749c in __wt_cache_eviction_check /home/ec2-user/work/wiredtiger/./src/include/cache.i:245:10
#8 0x7c749c in __cursor_enter /home/ec2-user/work/wiredtiger/./src/include/cursor.i:59
#9 0x7c749c in __curfile_enter /home/ec2-user/work/wiredtiger/./src/include/cursor.i:93
#10 0x7c749c in __cursor_func_init /home/ec2-user/work/wiredtiger/./src/include/cursor.i:266
#11 0x7c56f6 in __wt_btcur_search /home/ec2-user/work/wiredtiger/src/btree/bt_cursor.c:335:3
#12 0x7429bd in __curfile_search /home/ec2-user/work/wiredtiger/src/cursor/cur_file.c:200:2
#13 0x4f064b in row_remove /home/ec2-user/work/wiredtiger/test/format/ops.c:1155:13
#14 0x4f064b in ops /home/ec2-user/work/wiredtiger/test/format/ops.c:437
#15 0x7f2c7dee2dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
#16 0x7f2c7d0c7bdc in __clone (/lib64/libc.so.6+0xf6bdc)
0x60c00001fe60 is located 32 bytes inside of 120-byte region [0x60c00001fe40,0x60c00001feb8)
freed by thread T3150 here:
#0 0x4c6d92 in free (/mnt/fast/bostic/work/wiredtiger/test/format/t+0x4c6d92)
#1 0x6a12cf in __wt_page_out /home/ec2-user/work/wiredtiger/src/btree/bt_discard.c:139:2
#2 0x546174 in __evict_page_dirty_update /home/ec2-user/work/wiredtiger/src/evict/evict_page.c:315:3
#3 0x546174 in __wt_evict /home/ec2-user/work/wiredtiger/src/evict/evict_page.c:124
#4 0x542d60 in __evict_page /home/ec2-user/work/wiredtiger/src/evict/evict_lru.c:1488:2
#5 0x5419ad in __wt_cache_eviction_worker /home/ec2-user/work/wiredtiger/src/evict/evict_lru.c:1567:17
#6 0x7c749c in __wt_cache_eviction_check /home/ec2-user/work/wiredtiger/./src/include/cache.i:245:10
#7 0x7c749c in __cursor_enter /home/ec2-user/work/wiredtiger/./src/include/cursor.i:59
#8 0x7c749c in __curfile_enter /home/ec2-user/work/wiredtiger/./src/include/cursor.i:93
#9 0x7c749c in __cursor_func_init /home/ec2-user/work/wiredtiger/./src/include/cursor.i:266
#10 0x7c7edd in __wt_btcur_search_near /home/ec2-user/work/wiredtiger/src/btree/bt_cursor.c:425:3
#11 0x74320b in __curfile_search_near /home/ec2-user/work/wiredtiger/src/cursor/cur_file.c:222:2
#12 0x4f3d22 in read_row /home/ec2-user/work/wiredtiger/test/format/ops.c:645:9
#13 0x4f04f3 in ops /home/ec2-user/work/wiredtiger/test/format/ops.c:494:8
#14 0x7f2c7dee2dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
previously allocated by thread T3121 here:
#0 0x4c71eb in calloc (/mnt/fast/bostic/work/wiredtiger/test/format/t+0x4c71eb)
#1 0x57a35b in __wt_calloc /home/ec2-user/work/wiredtiger/src/os_posix/os_alloc.c:60:11
#2 0x6b1014 in __wt_page_alloc /home/ec2-user/work/wiredtiger/src/btree/bt_page.c:63:2
#3 0x6b1d55 in __wt_page_inmem /home/ec2-user/work/wiredtiger/src/btree/bt_page.c:194:2
#4 0x6b8711 in __page_read /home/ec2-user/work/wiredtiger/src/btree/bt_read.c:394:2
#5 0x6b8711 in __wt_page_in_func /home/ec2-user/work/wiredtiger/src/btree/bt_read.c:488
#6 0x70055f in __wt_page_swap_func /home/ec2-user/work/wiredtiger/./src/include/btree.i:1310:8
#7 0x70055f in __tree_walk_internal /home/ec2-user/work/wiredtiger/src/btree/bt_walk.c:504
#8 0x7b5378 in __wt_btcur_next /home/ec2-user/work/wiredtiger/src/btree/bt_curnext.c:666:3
#9 0x741dbe in __curfile_next /home/ec2-user/work/wiredtiger/src/cursor/cur_file.c:113:13
#10 0x72224c in __wt_las_sweep /home/ec2-user/work/wiredtiger/src/cache/cache_las.c:334:27
#11 0x5244ad in __sweep_server /home/ec2-user/work/wiredtiger/src/conn/conn_sweep.c:285:4
#12 0x7f2c7dee2dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
The problem is we've swapped the new page-index into place in the parent, after which eviction finds and evicts the page, after which the split code references the page->type field.
- is depended on by
-
SERVER-22388 WiredTiger changes for MongoDB 3.3.2
-
- Closed
-
-
-
- Closed
-
- links to