Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-5588

Only release cursor memory allocated by the API for cursor copy debug mode

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • WT10.0.0, 4.4.0-rc0, 4.7.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Storage Engines
    • 5
    • Storage Engines 2020-03-23, Storage Engines 2020-04-06
    • v4.4

      Provided as an attachment is a (barely) C++ program which demonstrates a "stack use after scope" address sanitizer failure when using bulk cursors.

      The pseudo-program:

                  WtCursor cursor = session.openCursor(tableUri, "bulk");
                  {
                      std::string value = "value";
                      cursor->set_key(cursor.get(), "key1");
                      cursor->set_value(cursor.get(), value.c_str());
                      cursor.save();
                  }
      
                  {
                      cursor->set_key(cursor.get(), "key2"); // gets into `__wt_cursor_copy_release_item(value)` which attempts to copy out the previous value set. But that variable is now out of scope.
                      cursor->set_value(cursor.get(), "value");
                      cursor.save();
                  }
      

      The output:

      ==13666==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc5e06fe60 at pc 0x000000441504 bp 0x7ffc5e06fa60 sp 0x7ffc5e06f200
      READ of size 6 at 0x7ffc5e06fe60 thread T0
          #0 0x441503 in memcpy /data/mci/bc90f05be614b5760ea98b96a5a10212/toolchain-builder/tmp/build-llvm.sh-2ni/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:792:5
          #1 0x7f081885f774 in __wt_buf_grow_worker /home/dgottlieb/xgen/wiredtiger/src/support/scratch.c:55
          #2 0x7f08187910ab in __wt_buf_grow /home/dgottlieb/xgen/wiredtiger/./src/include/buf.i:17
          #3 0x7f081879118e in __wt_buf_set /home/dgottlieb/xgen/wiredtiger/./src/include/buf.i:80
          #4 0x7f0818794d06 in __wt_cursor_copy_release_item /home/dgottlieb/xgen/wiredtiger/src/cursor/cur_std.c:249
          #5 0x7f0818791447 in __cursor_copy_release /home/dgottlieb/xgen/wiredtiger/./src/include/cursor.i:29
          #6 0x7f081879741f in __wt_cursor_set_valuev /home/dgottlieb/xgen/wiredtiger/src/cursor/cur_std.c:578
          #7 0x7f0818796fa4 in __wt_cursor_set_value /home/dgottlieb/xgen/wiredtiger/src/cursor/cur_std.c:556
          #8 0x501885 in main /home/dgottlieb/xgen/scratch/stack_use_after_scope.cpp:28:5
          #9 0x7f081777182f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
          #10 0x427228 in _start (/home/dgottlieb/xgen/scratch/a.out+0x427228)
      
      Address 0x7ffc5e06fe60 is located in stack of thread T0 at offset 224 in frame
          #0 0x5011df in main /home/dgottlieb/xgen/scratch/stack_use_after_scope.cpp:5
      
        This frame has 7 object(s):
          [32, 40) 'conn' (line 6)
          [64, 72) 'cursor' (line 7)
          [96, 104) 'session' (line 8)
          [128, 160) 'tableUri' (line 11)
          [192, 193) 'ref.tmp' (line 11)
          [208, 240) 'value' (line 22) <== Memory access at offset 224 is inside this variable
          [272, 273) 'ref.tmp15' (line 22)
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-use-after-scope /data/mci/bc90f05be614b5760ea98b96a5a10212/toolchain-builder/tmp/build-llvm.sh-2ni/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:792:5 in memcpy
      Shadow bytes around the buggy address:
        0x10000bc05f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc05f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc05f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc05fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc05fb0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
      =>0x10000bc05fc0: 00 00 00 00 f2 f2 f2 f2 f8 f2 f8 f8[f8]f8 f2 f2
        0x10000bc05fd0: f2 f2 f8 f3 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc05fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc05ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc06000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10000bc06010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==13666==ABORTING
      

        1. stack_use_after_scope.cpp
          0.8 kB
        2. bad_use.cpp
          2 kB

            Assignee:
            donald.anderson@mongodb.com Donald Anderson
            Reporter:
            daniel.gottlieb@mongodb.com Daniel Gottlieb (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: