  1. WiredTiger
  2. WT-7026

Atomically read and set ref->addr in case of race

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • WT10.0.0, 4.9.0, 4.4.4, 4.2.13, 4.0.24
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • 8
    • v4.4, v4.2, v4.0

      Running the CONFIG in WT-6568 uncovered a memory leak when run with ASAN. The changes in WT-6568 did not cause the leak, I believe. I think that it just fixed the use-after-free bug that we'd hit much, much sooner. This has only reproduced twice for me, running 5 parallel test/format, and it fails after a few hundred iterations (200-300 iterations of 5 processes for about 1300 successful runs before we hit it). I have not been successful reproducing under valgrind yet.

      The error is:

      ==8843==ERROR: LeakSanitizer: detected memory leaks
       
      Direct leak of 72 byte(s) in 1 object(s) allocated from:
          #0 0x4c767a in calloc (/mnt/data0/sue/wt.6568.mjc/build_posix/test/format/t+0x4c767a)
          #1 0x77992a in __wt_calloc /mnt/data0/sue/wt.6568.mjc/build_posix/../src/os_common/os_alloc.c:50:14
          #2 0xb1d4e5 in __split_ref_move /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:247:9
          #3 0xb1bc68 in __split_internal /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:1019:13
          #4 0xb03859 in __split_parent_climb /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:1332:15
          #5 0xafbf53 in __split_multi_lock /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:2163:13
          #6 0xafbce8 in __wt_split_multi /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:2181:5
          #7 0x6d13f7 in __evict_page_dirty_update /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_page.c:394:13
          #8 0x6cb54a in __wt_evict /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_page.c:218:9
          #9 0x6ab399 in __evict_page /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_lru.c:2278:5
          #10 0x6a78b2 in __wt_cache_eviction_worker /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_lru.c:2394:23
          #11 0xa50bf7 in __wt_cache_eviction_check /mnt/data0/sue/wt.6568.mjc/build_posix/../src/include/cache_inline.h:512:13
          #12 0xa50108 in __cursor_enter /mnt/data0/sue/wt.6568.mjc/build_posix/../src/include/cursor_inline.h:164:9
          #13 0xa38a44 in __cursor_func_init /mnt/data0/sue/wt.6568.mjc/build_posix/../src/include/cursor_inline.h:406:13
          #14 0xa36df2 in __wt_btcur_search /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_cursor.c:544:9
          #15 0xa40e71 in __wt_btcur_modify /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_cursor.c:1442:9
          #16 0x63f3ec in __curfile_modify /mnt/data0/sue/wt.6568.mjc/build_posix/../src/cursor/cur_file.c:335:5
          #17 0x521356 in row_modify /mnt/data0/sue/wt.6568.mjc/build_posix/test/format/../../../test/format/ops.c:1476:16
          #18 0x51798e in ops /mnt/data0/sue/wt.6568.mjc/build_posix/test/format/../../../test/format/ops.c:896:23
          #19 0x7fb51bfa36da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
       
      Indirect leak of 10 byte(s) in 1 object(s) allocated from:
          #0 0x4c7483 in __interceptor_malloc (/mnt/data0/sue/wt.6568.mjc/build_posix/test/format/t+0x4c7483)
          #1 0x779c3e in __wt_malloc /mnt/data0/sue/wt.6568.mjc/build_posix/../src/os_common/os_alloc.c:81:14
          #2 0x77b2df in __wt_memdup /mnt/data0/sue/wt.6568.mjc/build_posix/../src/os_common/os_alloc.c:239:5
          #3 0xb1d6b1 in __split_ref_move /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:249:9
          #4 0xb1bc68 in __split_internal /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:1019:13
          #5 0xb03859 in __split_parent_climb /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:1332:15
          #6 0xafbf53 in __split_multi_lock /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:2163:13
          #7 0xafbce8 in __wt_split_multi /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_split.c:2181:5
          #8 0x6d13f7 in __evict_page_dirty_update /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_page.c:394:13
          #9 0x6cb54a in __wt_evict /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_page.c:218:9
          #10 0x6ab399 in __evict_page /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_lru.c:2278:5
          #11 0x6a78b2 in __wt_cache_eviction_worker /mnt/data0/sue/wt.6568.mjc/build_posix/../src/evict/evict_lru.c:2394:23
          #12 0xa50bf7 in __wt_cache_eviction_check /mnt/data0/sue/wt.6568.mjc/build_posix/../src/include/cache_inline.h:512:13
          #13 0xa50108 in __cursor_enter /mnt/data0/sue/wt.6568.mjc/build_posix/../src/include/cursor_inline.h:164:9
          #14 0xa38a44 in __cursor_func_init /mnt/data0/sue/wt.6568.mjc/build_posix/../src/include/cursor_inline.h:406:13
          #15 0xa36df2 in __wt_btcur_search /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_cursor.c:544:9
          #16 0xa40e71 in __wt_btcur_modify /mnt/data0/sue/wt.6568.mjc/build_posix/../src/btree/bt_cursor.c:1442:9
          #17 0x63f3ec in __curfile_modify /mnt/data0/sue/wt.6568.mjc/build_posix/../src/cursor/cur_file.c:335:5
          #18 0x521356 in row_modify /mnt/data0/sue/wt.6568.mjc/build_posix/test/format/../../../test/format/ops.c:1476:16
          #19 0x51798e in ops /mnt/data0/sue/wt.6568.mjc/build_posix/test/format/../../../test/format/ops.c:896:23
          #20 0x7fb51bfa36da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
       
      SUMMARY: AddressSanitizer: 82 byte(s) leaked in 2 allocation(s).
      

            Assignee: Susan LoVerso (sue.loverso@mongodb.com)
            Reporter: Susan LoVerso (sue.loverso@mongodb.com)