- Type: Bug
- Resolution: Duplicate
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
The Jenkins job http://build.wiredtiger.com:8080/job/wiredtiger-test-format-stress-sanitizer-old-branches/2533/console failed on a row-store configuration with a stack buffer overflow.
=================================================================
==7036==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f242acee200 at pc 0x00000064af16 bp 0x7f242acecdb0 sp 0x7f242acecda8
WRITE of size 8 at 0x7f242acee200 thread T11
#0 0x64af15 in __wt_struct_unpackv /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/../src/include/packing.i:706:9
#1 0x643836 in __wt_cursor_get_keyv /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/../src/cursor/cur_std.c:400:19
#2 0x641556 in __wt_cursor_get_key /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/../src/cursor/cur_std.c:268:11
#3 0x4fa634 in copy_blocks /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/test/format/../../../test/format/backup.c:274:9
#4 0x4f7f5c in backup /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/test/format/../../../test/format/backup.c:612:21
#5 0x7f243470b6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#6 0x7f243383da3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Address 0x7f242acee200 is located in stack of thread T11 at offset 128 in frame
#0 0x4fa04f in copy_blocks /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/test/format/../../../test/format/backup.c:243
This frame has 6 object(s):
[32, 40) 'incr_cur' (line 244)
[64, 72) 'offset' (line 247)
[96, 104) 'type' (line 247)
[128, 132) 'size' (line 248) <== Memory access at offset 128 partially overflows this variable
[144, 656) 'buf' (line 250)
[720, 1232) 'config' (line 250)
The stack from gdb looks like:
Thread 1 (Thread 0x7f242acef700 (LWP 7064)):
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f243375c8b1 in __GI_abort () at abort.c:79
#2 0x00000000004e53d7 in __sanitizer::Abort() ()
#3 0x00000000004e3da1 in __sanitizer::Die() ()
#4 0x00000000004cbe59 in __asan::ScopedInErrorReport::~ScopedInErrorReport() ()
#5 0x00000000004cd643 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
#6 0x00000000004ce26b in __asan_report_store8 ()
#7 0x000000000064af16 in __wt_struct_unpackv (session=0x7f2434da2cf0,
buffer=0x602000013f90, size=4, fmt=0xd2e740 <.str.1> "qqq",
ap=0x7f242acedf20) at ../src/include/packing.i:706
#8 0x0000000000643837 in __wt_cursor_get_keyv (cursor=0x615000030500,
flags=12800, ap=0x7f242acedf20) at ../src/cursor/cur_std.c:400
#9 0x0000000000641557 in __wt_cursor_get_key (cursor=0x615000030500)
at ../src/cursor/cur_std.c:268
#10 0x00000000004fa635 in copy_blocks (session=0x7f2434da2cf0,
bkup_c=0x615000030280, name=0x602000012dd0 "wt.wt")
at ../../../test/format/backup.c:274
#11 0x00000000004f7f5d in backup (arg=0x0) at ../../../test/format/backup.c:612
#12 0x00007f243470b6db in start_thread (arg=0x7f242acef700)
at pthread_create.c:463
#13 0x00007f243383da3f in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
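Both traces above show the same thing: a "qqq" unpack stores 8 bytes per field, but the third destination, `size`, is a 4-byte stack variable, so the last store runs past it. The following added example (not WiredTiger's code; `unpack_q`, `build_key` and `get_key_fields` are constructed stand-ins, and the hardened caller is one defensive pattern, not necessarily the WT-6160 fix) reproduces the variadic width mismatch in miniature and shows the safe shape: decode into variables of the format's width, then narrow with a range check.

```c
#include <stdarg.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a "qqq" unpack, not WiredTiger's __wt_struct_unpackv:
 * each 'q' decodes one 8-byte field and writes it through an int64_t *. The callee
 * cannot see the caller's variable width, so passing &size where size is a 4-byte
 * variable gets an 8-byte store: the stack-buffer-overflow ASan reported above. */
static int unpack_q(const uint8_t *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    size_t off = 0;
    va_start(ap, fmt);
    for (; *fmt != '\0'; ++fmt) {
        if (*fmt != 'q' || len - off < 8) { /* unknown field or truncated key */
            va_end(ap);
            return -1;
        }
        int64_t *dst = va_arg(ap, int64_t *); /* always an 8-byte write */
        memcpy(dst, buf + off, 8);            /* host byte order, same as build_key */
        off += 8;
    }
    va_end(ap);
    return 0;
}

/* Constructed helper: encodes three fields the way unpack_q reads them. */
static size_t build_key(uint8_t out[24], int64_t offset, int64_t type, int64_t size)
{
    memcpy(out, &offset, 8);
    memcpy(out + 8, &type, 8);
    memcpy(out + 16, &size, 8);
    return 24;
}

/* Hardened caller (one way to avoid this bug class; an assumption, not the WT-6160
 * fix): every destination has the width the format writes, and the 32-bit size the
 * caller wants is narrowed afterwards with a range check. */
static int get_key_fields(const uint8_t *key, size_t len,
                          uint64_t *offset_out, uint64_t *type_out, uint32_t *size_out)
{
    int64_t offset, type, size; /* a uint32_t 'size' here is what ASan flagged */
    if (unpack_q(key, len, "qqq", &offset, &type, &size) != 0)
        return -1;
    if (offset < 0 || type < 0 || size < 0 || size > (int64_t)UINT32_MAX)
        return -1;              /* values the narrower types cannot hold */
    *offset_out = (uint64_t)offset;
    *type_out = (uint64_t)type;
    *size_out = (uint32_t)size;
    return 0;
}
```

Building with `-fsanitize=address` and changing the `size` declaration to `uint32_t` reproduces the same "partially overflows this variable" report on the third store.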
- is duplicated by: WT-6160 Fix format failure caused by stack overwrite (Closed)