Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-5574

Rolling back a prepared transaction with `cursor_copy` results in a use-after-free

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • WT10.0.0, 4.4.0-rc0, 4.7.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • 3
    • Storage Engines 2020-03-23
    • v4.4

      To reproduce (pardon the arbitrary C++ WT wrapper):

                  session.begin();
                  WtCursor cursor = session.openCursor(tableUri);
                  cursor.setKey(1); // Seems to happen with any key type
                  cursor.setValue(1);
                  cursor.save(); // calls cursor->insert
                  session.prepare(10); // calls prepare_transaction with a timestamp of 10
                  session.rollback();
      

      Running that with debug_mode=(cursor_copy=true) and compiled with -fsanitize=address fails for me with the following allocation/free/use stacktraces:
      Allocation (on the insert call):

      previously allocated by thread T0 here:
          #0 0x51baa2 in realloc /data/mci/bc90f05be614b5760ea98b96a5a10212/toolchain-builder/tmp/build-llvm.sh-2ni/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:165:3
          #1 0x7faee7c0213f in __realloc_func /home/dgottlieb/xgen/wiredtiger/src/os_common/os_alloc.c:121
          #2 0x7faee7c02244 in __wt_realloc_noclear /home/dgottlieb/xgen/wiredtiger/src/os_common/os_alloc.c:158
          #3 0x7faee7c70715 in __wt_buf_grow_worker /home/dgottlieb/xgen/wiredtiger/src/support/scratch.c:47
          #4 0x7faee7b2fc02 in __wt_buf_grow /home/dgottlieb/xgen/wiredtiger/./src/include/buf.i:17
          #5 0x7faee7b2fc51 in __wt_buf_set /home/dgottlieb/xgen/wiredtiger/./src/include/buf.i:80
          #6 0x7faee7b30183 in __wt_txn_op_set_key /home/dgottlieb/xgen/wiredtiger/./src/include/txn.i:182
          #7 0x7faee7b33317 in __wt_row_modify /home/dgottlieb/xgen/wiredtiger/src/btree/row_modify.c:197
          #8 0x7faee7acbf86 in __cursor_row_modify /home/dgottlieb/xgen/wiredtiger/src/btree/bt_cursor.c:434
          #9 0x7faee7acd6cf in __wt_btcur_insert /home/dgottlieb/xgen/wiredtiger/src/btree/bt_cursor.c:865
          #10 0x7faee7b7c5f1 in __curfile_insert /home/dgottlieb/xgen/wiredtiger/src/cursor/cur_file.c:265
          #11 0x54ffc2 in WtCursor::save() /home/dgottlieb/xgen/scratch/./include/wt_raii.h:139:16
          #12 0x54e5b2 in main /home/dgottlieb/xgen/scratch/cursor_copy.cpp:29:20
          #13 0x7faee6b8282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
      

      Freed (inside rollback):

      freed by thread T0 here:
          #0 0x51b302 in free /data/mci/bc90f05be614b5760ea98b96a5a10212/toolchain-builder/tmp/build-llvm.sh-2ni/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
          #1 0x7faee7c0279d in __wt_free_int /home/dgottlieb/xgen/wiredtiger/src/os_common/os_alloc.c:301
          #2 0x7faee7c8b3f3 in __wt_buf_free /home/dgottlieb/xgen/wiredtiger/./src/include/buf.i:100
          #3 0x7faee7c8c9cb in __wt_txn_op_free /home/dgottlieb/xgen/wiredtiger/src/txn/txn_log.c:180
          #4 0x7faee7c81434 in __wt_txn_rollback /home/dgottlieb/xgen/wiredtiger/src/txn/txn.c:1371
          #5 0x7faee7c5d4a2 in __session_rollback_transaction /home/dgottlieb/xgen/wiredtiger/src/session/session_api.c:1740
          #6 0x550509 in WtSession::rollback() /home/dgottlieb/xgen/scratch/./include/wt_raii.h:315:16
          #7 0x54e5d9 in main /home/dgottlieb/xgen/scratch/cursor_copy.cpp:31:21
          #8 0x7faee6b8282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
      

      Read/Used (inside rollback):

      READ of size 1 at 0x602000005090 thread T0
          #0 0x48db23 in memcpy /data/mci/bc90f05be614b5760ea98b96a5a10212/toolchain-builder/tmp/build-llvm.sh-2ni/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:792:5
          #1 0x7faee7c70774 in __wt_buf_grow_worker /home/dgottlieb/xgen/wiredtiger/src/support/scratch.c:55
          #2 0x7faee7ba20ab in __wt_buf_grow /home/dgottlieb/xgen/wiredtiger/./src/include/buf.i:17
          #3 0x7faee7ba218e in __wt_buf_set /home/dgottlieb/xgen/wiredtiger/./src/include/buf.i:80
          #4 0x7faee7ba5d06 in __wt_cursor_copy_release_item /home/dgottlieb/xgen/wiredtiger/src/cursor/cur_std.c:249
          #5 0x7faee7b78a60 in __cursor_copy_release /home/dgottlieb/xgen/wiredtiger/./src/include/cursor.i:28
          #6 0x7faee7b7f539 in __curfile_close /home/dgottlieb/xgen/wiredtiger/src/cursor/cur_file.c:485
          #7 0x7faee7c8147e in __wt_txn_rollback /home/dgottlieb/xgen/wiredtiger/src/txn/txn.c:1376
          #8 0x7faee7c5d4a2 in __session_rollback_transaction /home/dgottlieb/xgen/wiredtiger/src/session/session_api.c:1740
          #9 0x550509 in WtSession::rollback() /home/dgottlieb/xgen/scratch/./include/wt_raii.h:315:16
          #10 0x54e5d9 in main /home/dgottlieb/xgen/scratch/cursor_copy.cpp:31:21
          #11 0x7faee6b8282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
          #12 0x473848 in _start (/home/dgottlieb/xgen/scratch/a.out+0x473848)
      

        1. main.c
          3 kB
        2. 5574.diff
          0.7 kB

            Assignee:
            sulabh.mahajan@mongodb.com Sulabh Mahajan
            Reporter:
            daniel.gottlieb@mongodb.com Daniel Gottlieb (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: