WiredTiger / WT-3370

Heap use after free in txn recover code

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • WT2.9.3, 3.4.11, 3.5.10
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • Storage 2017-06-19
    • v3.4

      The wt_nojournal_toggle.js test uncovered a heap-use-after-free issue:
      noformat
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:54.070+0000 d20512| =================================================================
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:54.070+0000 d20512| ==10028==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000001f94 at pc 0x559de77629be bp 0x7ffdd25dab70 sp 0x7ffdd25dab68
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:54.070+0000 d20512| READ of size 4 at 0x611000001f94 thread T0
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.866+0000 d20512| #0 0x559de77629bd in __wt_txn_recover /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/txn/txn_recover.c:464:7
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.866+0000 d20512| #1 0x559de75a9dec in __wt_connection_workers /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/conn/conn_open.c:240:2
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.867+0000 d20512| #2 0x559de7589585 in wiredtiger_open /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/conn/conn_api.c:2457:2
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.870+0000 d20512| #3 0x559de7515d14 in mongo::WiredTigerKVEngine::WiredTigerKVEngine(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mongo::ClockSource*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, bool, bool, bool, bool) /data/mci/7a731747d22c189f83050f4754db6334/src/src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp:318:15
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.871+0000 d20512| #4 0x559de74e3ff9 in mongo::(anonymous namespace)::WiredTigerFactory::create(mongo::StorageGlobalParams const&, mongo::StorageEngineLockFile const*) const /data/mci/7a731747d22c189f83050f4754db6334/src/src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp:91:17
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.873+0000 d20512| #5 0x559de7941ec7 in mongo::ServiceContextMongoD::initializeGlobalStorageEngine() /data/mci/7a731747d22c189f83050f4754db6334/src/src/mongo/db/service_context_d.cpp:204:31
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.881+0000 d20512| #6 0x559de715ce08 in mongo::(anonymous namespace)::_initAndListen(int) /data/mci/7a731747d22c189f83050f4754db6334/src/src/mongo/db/db.cpp:503:27
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.882+0000 d20512| #7 0x559de715388f in mongo::(anonymous namespace)::initAndListen(int) /data/mci/7a731747d22c189f83050f4754db6334/src/src/mongo/db/db.cpp:736:16
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.883+0000 d20512| #8 0x559de715388f in mongoDbMain(int, char*, char*) /data/mci/7a731747d22c189f83050f4754db6334/src/src/mongo/db/db.cpp:1098
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:57.883+0000 d20512| #9 0x559de715388f in main /data/mci/7a731747d22c189f83050f4754db6334/src/src/mongo/db/db.cpp:779
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.792+0000 d20512| #10 0x7f768515082f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.792+0000 d20512| #11 0x559de70845b8 in _start (/data/mci/56e225ae6057bf30fddd61e434aaee0d/src/mongod+0x12b25b8)
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.793+0000 d20512|
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.793+0000 d20512| 0x611000001f94 is located 20 bytes inside of 240-byte region [0x611000001f80,0x611000002070)
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.793+0000 d20512| freed by thread T0 here:
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.793+0000 d20512| #0 0x559de71231be in __interceptor_realloc /data/mci/be9af688d396a09d5ad1b3be40387f7c/toolchain-builder/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:77:3
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.793+0000 d20512| #1 0x559de761e090 in __realloc_func /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/os_common/os_alloc.c:130:11
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.794+0000 d20512| #2 0x559de7762e01 in __recovery_setup_file /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/txn/txn_recover.c:322:3
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.794+0000 d20512| #3 0x559de7763663 in __recovery_file_scan /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/txn/txn_recover.c:405:3
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.794+0000 d20512| #4 0x559de7761ceb in __wt_txn_recover /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/txn/txn_recover.c:460:3
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.794+0000 d20512| #5 0x559de75a9dec in __wt_connection_workers /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/conn/conn_open.c:240:2
      [js_test:wt_nojournal_toggle] 2017-06-07T03:18:59.795+0000 d20512| #6 0x559de7589585 in wiredtiger_open /data/mci/7a731747d22c189f83050f4754db6334/src/src/third_party/wiredtiger/src/conn/conn_api.c:2457:2
      noformat

            Assignee:
            sue.loverso@mongodb.com Susan LoVerso
            Reporter:
            sue.loverso@mongodb.com Susan LoVerso
            Votes:
            0
            Watchers:
            5