Loading...

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 3.6.0-rc7, WT3.0.0, 3.7.1
Affects Version/s: None
Component/s: None
Labels:
None

Sprint:
Storage 2017-11-13, Storage 2017-12-04
Story Points:
None

Seen when running Python tests with gcc -fsanitize=address (requires LD_PRELOAD=/usr/lib64/libasan.so.4 and ASAN_OPTIONS=detect_leaks=0):

ERROR: test_pack.test_pack.test_packing (subunit.RemotedTestCase)
=================================================================
==7890==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000214d9 at pc 0x7efcad2f836e bp 0x7fffca858730 sp 0x7fffca857ed8
READ of size 10 at 0x6020000214d9 thread T0
    #0 0x7efcad2f836d  (/usr/lib64/libasan.so.4+0x5136d)
    #1 0x7efca0a28008 in __pack_write ../src/include/packing.i:345
    #2 0x7efca0a2f970 in __wt_schema_project_merge ../src/schema/schema_project.c:470
    #3 0x7efca08ff2a6 in __wt_apply_single_idx ../src/cursor/cur_table.c:120
    #4 0x7efca08ff61a in __apply_idx ../src/cursor/cur_table.c:154
    #5 0x7efca0904914 in __curtable_insert ../src/cursor/cur_table.c:533
    #6 0x7efca0dc3a5e in _wrap_Cursor_insert /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:4275
    #7 0x7efcacfe2eab in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17feab)
    #8 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #9 0x7efcacfe1432 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17e432)
    #10 0x7efcacfe1d98 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17ed98)
    #11 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #12 0x7efcacf33986  (/lib64/libpython2.7.so.1.0+0xd0986)
    #13 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #14 0x7efcacfdfc42 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17cc42)
    #15 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #16 0x7efcacf337ed  (/lib64/libpython2.7.so.1.0+0xd07ed)
    #17 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #18 0x7efcacf2888d  (/lib64/libpython2.7.so.1.0+0xc588d)
    #19 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #20 0x7efcacfb6a2a  (/lib64/libpython2.7.so.1.0+0x153a2a)
    #21 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #22 0x7efcacfdf453 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17c453)
    #23 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #24 0x7efcacfe1432 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17e432)
    #25 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #26 0x7efcacfe1432 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17e432)
    #27 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #28 0x7efcacf33986  (/lib64/libpython2.7.so.1.0+0xd0986)
    #29 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #30 0x7efcacfdfc42 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17cc42)
    #31 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #32 0x7efcacf337ed  (/lib64/libpython2.7.so.1.0+0xd07ed)
    #33 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #34 0x7efcacf2888d  (/lib64/libpython2.7.so.1.0+0xc588d)
    #35 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #36 0x7efcacfb6a2a  (/lib64/libpython2.7.so.1.0+0x153a2a)
    #37 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
    #38 0x7efcacfdf453 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17c453)
    #39 0x7efcacfe1d98 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17ed98)
    #40 0x7efcacfe1d98 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17ed98)
    #41 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
    #42 0x7efcacfe4608 in PyEval_EvalCode (/lib64/libpython2.7.so.1.0+0x181608)
    #43 0x7efcacfbc81e  (/lib64/libpython2.7.so.1.0+0x15981e)
    #44 0x7efcacfbc8c9 in PyRun_FileExFlags (/lib64/libpython2.7.so.1.0+0x1598c9)
    #45 0x7efcacfbd8cd in PyRun_SimpleFileExFlags (/lib64/libpython2.7.so.1.0+0x15a8cd)
    #46 0x7efcacfb061d in Py_Main (/lib64/libpython2.7.so.1.0+0x14d61d)
    #47 0x7efcac176509 in __libc_start_main (/lib64/libc.so.6+0x20509)
    #48 0x55d4a4b02779 in _start (/usr/bin/python2.7+0x779)

0x6020000214d9 is located 0 bytes to the right of 9-byte region [0x6020000214d0,0x6020000214d9)
allocated by thread T0 here:
    #0 0x7efcad385c40 in realloc (/usr/lib64/libasan.so.4+0xdec40)
    #1 0x7efca09ad016 in __realloc_func ../src/os_common/os_alloc.c:130
    #2 0x7efca09ad154 in __wt_realloc_noclear ../src/os_common/os_alloc.c:171
    #3 0x7efca0a75bfe in __wt_buf_grow_worker ../src/support/scratch.c:48
    #4 0x7efca0a2671e in __wt_buf_grow ../src/include/buf.i:18
    #5 0x7efca0a2e667 in __wt_schema_project_slice ../src/schema/schema_project.c:369
    #6 0x7efca0900ab7 in __wt_curtable_set_value ../src/cursor/cur_table.c:258
    #7 0x7efca0dc6a2c in __wt_cursor__set_value /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3480
    #8 0x7efca0dc6a2c in _wrap_Cursor__set_value /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:4747

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.4+0x5136d)
Shadow bytes around the buggy address:
  0x0c047fffc240: fa fa 07 fa fa fa 03 fa fa fa 04 fa fa fa 00 fa
  0x0c047fffc250: fa fa fd fd fa fa 04 fa fa fa fd fa fa fa fd fa
  0x0c047fffc260: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fffc270: fa fa fd fd fa fa 00 03 fa fa 00 05 fa fa 00 fa
  0x0c047fffc280: fa fa 00 00 fa fa 02 fa fa fa 00 fa fa fa 04 fa
=>0x0c047fffc290: fa fa 01 fa fa fa 00 00 fa fa 00[01]fa fa 00 fa
  0x0c047fffc2a0: fa fa 00 fa fa fa 00 01 fa fa fa fa fa fa 00 00
  0x0c047fffc2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7890==ABORTING

This is surprising because that test has been around forever and nothing in that area has changed recently.

Details

Description

Attachments

Activity

People

Dates