[WT-5756] heap-use-after-free in __wt_row_modify - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: WT10.0.0, 4.4.0-rc0, 4.7.0
Component/s: None
Labels:
- dh-test-critical

Story Points:
5
Sprint:
Storage Engines 2020-03-09

Description

A heap-use-after-free error was captured by the format stress sanitizer smoke job after merging durable history branch into develop. The error occurred while attempting a row modify on a row-store file_type.

Evergreen failed log here

[2020/03/04 12:21:16.769]     ==4896==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080008aab47 at pc 0x0000004c2996 bp 0x7f58dd8206f0 sp 0x7f58dd81fea0

[2020/03/04 12:21:16.769]     READ of size 47 at 0x6080008aab47 thread T22

[2020/03/04 12:21:16.769]         #0 0x4c2995 in __asan_memcpy /data/mci/6d25660c910a6c7a2027a8b66804ae0f/toolchain-builder/tmp/build-llvm.sh-A40/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3

[2020/03/04 12:21:16.769]         #1 0x57d42e in __wt_update_alloc /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/row_modify.c:276:9

[2020/03/04 12:21:16.769]         #2 0x57aa9f in __wt_row_modify /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/row_modify.c:102:13

[2020/03/04 12:21:16.769]         #3 0x9e5fa5 in __cursor_row_modify_v /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_cursor.c:405:13

[2020/03/04 12:21:16.769]         #4 0x9d96af in __btcur_update /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_cursor.c:1305:15

[2020/03/04 12:21:16.769]         #5 0x9da527 in __wt_btcur_reserve /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_cursor.c:1537:11

[2020/03/04 12:21:16.769]         #6 0x61c574 in __curfile_reserve /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/cursor/cur_file.c:446:5

[2020/03/04 12:21:16.769]         #7 0x509fef in row_reserve /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/ops.c:1280:16

[2020/03/04 12:21:16.769]         #8 0x504469 in ops /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/ops.c:713:23

[2020/03/04 12:21:16.769]         #9 0x7f58e34b36da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

[2020/03/04 12:21:16.769]         #10 0x7f58e25e588e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

[2020/03/04 12:21:16.769]     0x6080008aab47 is located 39 bytes inside of 86-byte region [0x6080008aab20,0x6080008aab76)

[2020/03/04 12:21:16.769]     freed by thread T1 here:

[2020/03/04 12:21:16.769]         #0 0x4c3562 in free /data/mci/6d25660c910a6c7a2027a8b66804ae0f/toolchain-builder/tmp/build-llvm.sh-A40/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3

[2020/03/04 12:21:16.769]         #1 0x736f58 in __wt_free_int /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/os_common/os_alloc.c:301:5

[2020/03/04 12:21:16.769]         #2 0x9f950c in __wt_free_update_list /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_discard.c:446:9

[2020/03/04 12:21:16.769]         #3 0x9fa833 in __free_update /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_discard.c:428:13

[2020/03/04 12:21:16.769]         #4 0x9f78ea in __free_page_modify /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_discard.c:202:13

[2020/03/04 12:21:16.769]         #5 0x9f5cc0 in __wt_page_out /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_discard.c:107:9

[2020/03/04 12:21:16.769]         #6 0x9f4fb8 in __wt_ref_out /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_discard.c:41:5

[2020/03/04 12:21:16.769]         #7 0x69420a in __evict_page_dirty_update /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_page.c:396:13

[2020/03/04 12:21:16.769]         #8 0x68f986 in __wt_evict /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_page.c:193:9

[2020/03/04 12:21:16.769]         #9 0x670402 in __evict_page /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_lru.c:2246:5

[2020/03/04 12:21:16.769]         #10 0x669290 in __evict_lru_pages /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_lru.c:1118:20

[2020/03/04 12:21:16.769]         #11 0x673ed1 in __evict_pass /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_lru.c:715:19

[2020/03/04 12:21:16.769]         #12 0x6685ec in __evict_server /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_lru.c:376:5

[2020/03/04 12:21:16.769]         #13 0x667d58 in __wt_evict_thread_run /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_lru.c:288:15

[2020/03/04 12:21:16.769]         #14 0x8aa2c3 in __thread_run /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/support/thread_group.c:31:9

[2020/03/04 12:21:16.769]         #15 0x7f58e34b36da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

[2020/03/04 12:21:16.769]     previously allocated by thread T22 here:

[2020/03/04 12:21:16.769]         #0 0x4c3ada in calloc /data/mci/6d25660c910a6c7a2027a8b66804ae0f/toolchain-builder/tmp/build-llvm.sh-A40/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:155:3

[2020/03/04 12:21:16.769]         #1 0x7356da in __wt_calloc /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/os_common/os_alloc.c:50:14

[2020/03/04 12:21:16.769]         #2 0x57d221 in __wt_update_alloc /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/row_modify.c:273:5

[2020/03/04 12:21:16.769]         #3 0x57aa9f in __wt_row_modify /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/row_modify.c:102:13

[2020/03/04 12:21:16.769]         #4 0x9e5fa5 in __cursor_row_modify_v /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_cursor.c:405:13

[2020/03/04 12:21:16.769]         #5 0x9d8cc7 in __btcur_update /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_cursor.c:1245:42

[2020/03/04 12:21:16.769]         #6 0x9d7edc in __wt_btcur_modify /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/btree/bt_cursor.c:1495:15

[2020/03/04 12:21:16.769]         #7 0x620d40 in __curfile_modify /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/cursor/cur_file.c:333:5

[2020/03/04 12:21:16.769]         #8 0x50bb2d in row_modify /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/ops.c:1350:16

[2020/03/04 12:21:16.769]         #9 0x504a6b in ops /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/ops.c:767:23

[2020/03/04 12:21:16.769]         #10 0x7f58e34b36da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

[2020/03/04 12:21:16.769]     Thread T22 created by T0 here:

[2020/03/04 12:21:16.769]         #0 0x4ac1fd in pthread_create /data/mci/6d25660c910a6c7a2027a8b66804ae0f/toolchain-builder/tmp/build-llvm.sh-A40/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3

[2020/03/04 12:21:16.769]         #1 0x7557b5 in __wt_thread_create /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/os_posix/os_thread.c:28:5

[2020/03/04 12:21:16.769]         #2 0x5013fb in wts_ops /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/ops.c:188:9

[2020/03/04 12:21:16.769]         #3 0x51d7b6 in main /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/t.c:280:13

[2020/03/04 12:21:16.769]         #4 0x7f58e24e5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

[2020/03/04 12:21:16.769]     Thread T1 created by T0 here:

[2020/03/04 12:21:16.769]         #0 0x4ac1fd in pthread_create /data/mci/6d25660c910a6c7a2027a8b66804ae0f/toolchain-builder/tmp/build-llvm.sh-A40/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3

[2020/03/04 12:21:16.769]         #1 0x7557b5 in __wt_thread_create /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/os_posix/os_thread.c:28:5

[2020/03/04 12:21:16.769]         #2 0x8a78ed in __thread_group_resize /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/support/thread_group.c:201:9

[2020/03/04 12:21:16.769]         #3 0x8a8426 in __wt_thread_group_create /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/support/thread_group.c:285:5

[2020/03/04 12:21:16.769]         #4 0x66a89e in __wt_evict_create /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/evict/evict_lru.c:477:5

[2020/03/04 12:21:16.769]         #5 0x5d8161 in __wt_connection_workers /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/conn/conn_open.c:230:5

[2020/03/04 12:21:16.769]         #6 0x5985cc in wiredtiger_open /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/../src/conn/conn_api.c:2679:5

[2020/03/04 12:21:16.769]         #7 0x52961c in wts_open /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/wts.c:272:5

[2020/03/04 12:21:16.769]         #8 0x51d34a in main /data/mci/00c5c3b97f8d738e93e2ecd05541083c/wiredtiger/build_posix/test/format/../../../test/format/t.c:271:9

[2020/03/04 12:21:16.769]         #9 0x7f58e24e5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

[2020/03/04 12:21:16.769]     SUMMARY: AddressSanitizer: heap-use-after-free /data/mci/6d25660c910a6c7a2027a8b66804ae0f/toolchain-builder/tmp/build-llvm.sh-A40/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy

[2020/03/04 12:21:16.769]     Shadow bytes around the buggy address:

[2020/03/04 12:21:16.769]       0x0c108010d510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa

[2020/03/04 12:21:16.769]       0x0c108010d520: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa

[2020/03/04 12:21:16.769]       0x0c108010d530: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa

[2020/03/04 12:21:16.769]       0x0c108010d540: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd

[2020/03/04 12:21:16.769]       0x0c108010d550: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd

[2020/03/04 12:21:16.769]     =>0x0c108010d560: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fa

[2020/03/04 12:21:16.769]       0x0c108010d570: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00

[2020/03/04 12:21:16.769]       0x0c108010d580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa

[2020/03/04 12:21:16.769]       0x0c108010d590: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00

[2020/03/04 12:21:16.769]       0x0c108010d5a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa

[2020/03/04 12:21:16.769]       0x0c108010d5b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd

[2020/03/04 12:21:16.769]     Shadow byte legend (one shadow byte represents 8 application bytes):

[2020/03/04 12:21:16.769]       Addressable:           00

[2020/03/04 12:21:16.769]       Partially addressable: 01 02 03 04 05 06 07

[2020/03/04 12:21:16.769]       Heap left redzone:       fa

[2020/03/04 12:21:16.769]       Freed heap region:       fd

[2020/03/04 12:21:16.769]       Stack left redzone:      f1

[2020/03/04 12:21:16.769]       Stack mid redzone:       f2

[2020/03/04 12:21:16.769]       Stack right redzone:     f3

[2020/03/04 12:21:16.769]       Stack after return:      f5

[2020/03/04 12:21:16.769]       Stack use after scope:   f8

[2020/03/04 12:21:16.769]       Global redzone:          f9

[2020/03/04 12:21:16.769]       Global init order:       f6

[2020/03/04 12:21:16.769]       Poisoned by user:        f7

[2020/03/04 12:21:16.769]       Container overflow:      fc

[2020/03/04 12:21:16.769]       Array cookie:            ac

[2020/03/04 12:21:16.769]       Intra object redzone:    bb

[2020/03/04 12:21:16.769]       ASan internal:           fe

[2020/03/04 12:21:16.769]       Left alloca redzone:     ca

[2020/03/04 12:21:16.769]       Right alloca redzone:    cb

[2020/03/04 12:21:16.769]       Shadow gap:              cc

[2020/03/04 12:21:16.769]     ==4896==ABORTING

Attachments

Issue Links

is related to

WT-5749 Only pass a non-NULL WT_ITEM value when allocating a WT_UPDATE with associated data

Closed

related to

WT-5745 Don't copy a value into tombstones

Closed

Activity

People

Assignee:: Chenhao Qu

Reporter:: Ravi Giri

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: Mar 04 2020 11:10:25 PM UTC

Updated:: Sep 08 2020 11:25:47 PM UTC

Resolved:: Mar 06 2020 01:10:01 AM UTC