Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-5136

Fix reading freed memory due to birthmark after uncommitted updates freed

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • WT10.0.0, 4.2.2, 4.3.2, 4.0.15
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • 8
    • Storage Engines 2019-11-18
    • v4.0

      There was a Jenkins test failure running test/format stress testing.

      The failure signature is:

      =================================================================
==678==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400329aeb5 at pc 0x0000008e705b bp 0x7efe9007cc40 sp 0x7efe9007cc38
READ of size 1 at 0x60400329aeb5 thread T16
    #0 0x8e705a in __wt_txn_upd_visible_type /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/include/txn.i:777:9
    #1 0x8d63e5 in __wt_txn_read /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/include/txn.i:820:27
    #2 0x8d60b6 in __wt_cursor_valid /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_cursor.c:340:13
    #3 0x8d869d in __wt_btcur_search /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_cursor.c:562:13
    #4 0xaa965d in __curfile_search /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/cursor/cur_file.c:195:5
    #5 0x50df8c in read_op /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/format.i:52:23
    #6 0x512ea9 in row_remove /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:1729:16
    #7 0x50aacc in ops /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:809:23
    #8 0x7efe9e4aa6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #9 0x7efe9d5dc88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60400329aeb5 is located 37 bytes inside of 38-byte region [0x60400329ae90,0x60400329aeb6)
freed by thread T22 here:
    #0 0x4c7552 in free (/mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/t+0x4c7552)
    #1 0x696808 in __wt_free_int /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/os_common/os_alloc.c:302:5
    #2 0x9019a4 in __wt_free_update_list /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_discard.c:427:9
    #3 0xa0921b in __wt_update_serial /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/include/serial.i:293:9
    #4 0xa05e48 in __wt_row_modify /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/row_modify.c:123:9
    #5 0x8de7f6 in __cursor_row_modify /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_cursor.c:422:7
    #6 0x8e0982 in __wt_btcur_remove /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_cursor.c:1030:42
    #7 0xab085f in __curfile_remove /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/cursor/cur_file.c:397:5
    #8 0x512eed in row_remove /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:1730:15
    #9 0x50aacc in ops /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:809:23
    #10 0x7efe9e4aa6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

previously allocated by thread T16 here:
    #0 0x4c7aca in calloc (/mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/t+0x4c7aca)
    #1 0x694f9a in __wt_calloc /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/os_common/os_alloc.c:50:14
    #2 0xa07b99 in __wt_update_alloc /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/row_modify.c:271:9
    #3 0x947702 in __las_page_instantiate /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_read.c:178:9
    #4 0x949752 in __page_read_lookaside /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_read.c:404:5
    #5 0x94142d in __page_read /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_read.c:530:9
    #6 0x93e15e in __wt_page_in_func /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_read.c:644:13
    #7 0xa1a23e in __wt_page_swap_func /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/include/btree.i:1637:11
    #8 0xa15ae1 in __wt_row_search /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/row_srch.c:437:20
    #9 0x8d7991 in __cursor_row_search /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_cursor.c:376:5
    #10 0x8e0ac7 in __wt_btcur_remove /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/btree/bt_cursor.c:1053:15
    #11 0xab085f in __curfile_remove /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/cursor/cur_file.c:397:5
    #12 0x512eed in row_remove /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:1730:15
    #13 0x50aacc in ops /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:809:23
    #14 0x7efe9e4aa6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T16 created by T0 here:
    #0 0x4afead in pthread_create (/mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/t+0x4afead)
    #1 0x6b3dd5 in __wt_thread_create /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/os_posix/os_thread.c:28:5
    #2 0x50688c in wts_ops /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:170:9
    #3 0x522305 in main /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/t.c:213:17
    #4 0x7efe9d4dcb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Thread T22 created by T0 here:
    #0 0x4afead in pthread_create (/mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/t+0x4afead)
    #1 0x6b3dd5 in __wt_thread_create /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/../src/os_posix/os_thread.c:28:5
    #2 0x50688c in wts_ops /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/ops.c:170:9
    #3 0x522305 in main /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer/build_posix/test/format/../../../test/format/t.c:213:17
    #4 0x7efe9d4dcb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

      This failure reproduced for me locally after two iterations of the test.

            Assignee:
            chenhao.qu@mongodb.com Chenhao Qu
            Reporter:
            alexander.gorrod@mongodb.com Alexander Gorrod
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: