  1. WiredTiger
  2. WT-7349

Free memory access when walking through HS during eviction

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • WT10.0.0, 4.4.5, 4.9.0-rc1, 5.0.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • None
    • 5
    • Storage - Ra 2021-04-05

      An assert is hit with:

      WT_ASSERT(session, upd_value->type == WT_UPDATE_STANDARD && !upd_value->skip_buf)

      By looking at the coredump, and the value of upd_value, we see that the upd_value->type is 205, an undefined value.

      (gdb) p/x *cbt->upd_value      
      $5 = {buf = {data = 0x7fa5058219af, size = 0xcdcdcdcd, mem = 0x0, memsize = 0x0, flags = 0x0}, tw = {durable_start_ts = 0xcdcdcdcdcdcdcdcd, start_ts = 0xcdcdcdcdcdcdcdcd, 
          start_txn = 0xcdcdcdcdcdcdcdcd, durable_stop_ts = 0x0, stop_ts = 0xffffffffffffffff, stop_txn = 0xfffffffffffffff5, prepare = 0x0}, type = 0xcd, skip_buf = 0x0}

      The backtrace also shows that we are currently walking through an evict reconciliation, and placing the values into the history store.

      (gdb) bt
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #1  0x00007fa546140921 in __GI_abort () at abort.c:79
      #2  0x000055685bad5533 in __wt_abort (session=<optimized out>) at src/third_party/wiredtiger/src/os_common/os_abort.c:30
      #3  0x000055685b9315ed in __wt_value_return (cbt=<optimized out>, upd_value=<optimized out>) at src/third_party/wiredtiger/src/btree/bt_ret.c:262
      #4  0x000055685b8e2e9b in __wt_btcur_prev (cbt=<optimized out>, truncating=<optimized out>) at src/third_party/wiredtiger/src/btree/bt_curprev.c:552
      #5  0x000055685b9eb293 in __curfile_prev (cursor=0x7fa537ff3020) at src/third_party/wiredtiger/src/cursor/cur_file.c:146
      #6  0x000055685b9fde2f in __curhs_file_cursor_prev (session=0x7fa539a7f3d0, cursor=0x7fa5352f2310) at src/third_party/wiredtiger/src/cursor/cur_hs.c:104
      #7  0x000055685b9fe4b2 in __curhs_prev_visible (session=<optimized out>, hs_cursor=<optimized out>) at src/third_party/wiredtiger/src/cursor/cur_hs.c:361
      #8  0x000055685b9f8400 in __curhs_search_near (cursor=<optimized out>, exactp=<optimized out>) at src/third_party/wiredtiger/src/cursor/cur_hs.c:683
      #9  0x000055685b9f48af in __curhs_search_near_helper (session=0x7fa539a7f3d0, cursor=0x7fa530789220, before=false) at src/third_party/wiredtiger/src/cursor/cur_hs.c:542
      #10 0x000055685ba7ba29 in __hs_insert_record (session=0x7fa539a7f3d0, cursor=0x7fa530789220, btree=<optimized out>, key=0x7fa505769040, type=1 '\001', hs_value=0x7fa538ff3700, tw=0x7fa5352f2d70)
          at src/third_party/wiredtiger/src/history/hs_rec.c:156
      #11 0x000055685ba77df6 in __wt_hs_insert_updates (session=<optimized out>, page=<optimized out>, multi=<optimized out>) at src/third_party/wiredtiger/src/history/hs_rec.c:600
      #12 0x000055685bb226db in __rec_hs_wrapup (session=<optimized out>, r=<optimized out>) at src/third_party/wiredtiger/src/reconcile/rec_write.c:2294
      #13 __rec_write_wrapup (session=0x7fa539a7f3d0, r=<optimized out>, page=0x7fa53e5fffa0) at src/third_party/wiredtiger/src/reconcile/rec_write.c:2120
      #14 0x000055685bb19656 in __reconcile (session=0x7fa539a7f3d0, ref=<optimized out>, salvage=<optimized out>, flags=<optimized out>, page_lockedp=0x7fa5352f36ef)
          at src/third_party/wiredtiger/src/reconcile/rec_write.c:219
      #15 0x000055685bb17ede in __wt_reconcile (session=<optimized out>, ref=<optimized out>, salvage=<optimized out>, flags=688) at src/third_party/wiredtiger/src/reconcile/rec_write.c:99
      #16 0x000055685ba67017 in __evict_review (session=<optimized out>, ref=<optimized out>, evict_flags=0, inmem_splitp=0x7fa5352f383f) at src/third_party/wiredtiger/src/evict/evict_page.c:702
      #17 0x000055685ba62e30 in __wt_evict (session=0x7fa539a7f3d0, ref=<optimized out>, previous_state=<optimized out>, flags=0) at src/third_party/wiredtiger/src/evict/evict_page.c:159
      #18 0x000055685ba556c8 in __evict_page (session=<optimized out>, is_server=false) at src/third_party/wiredtiger/src/evict/evict_lru.c:2311
      #19 0x000055685ba50df8 in __evict_lru_pages (session=0x7fa539a7f3d0, is_server=false) at src/third_party/wiredtiger/src/evict/evict_lru.c:1140
      #20 0x000055685ba4e6e4 in __wt_evict_thread_run (session=0x7fa539a7f3d0, thread=<optimized out>) at src/third_party/wiredtiger/src/evict/evict_lru.c:320
      #21 0x000055685bb9cdb7 in __thread_run (arg=0x7fa53e5f5ca0) at src/third_party/wiredtiger/src/support/thread_group.c:31
      #22 0x00007fa545ce06db in start_thread (arg=0x7fa5352f4700) at pthread_create.c:463
      #23 0x00007fa54622171f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      As part of inserting the history store values, we look for any higher timestamps than hs values, to potentially correct the higher timestamps. However, when looking for higher timestamps we run into a corrupted update. Looking at the timestamps "0xcdcdcdcdcdcdcdcd" and referring to WT-6453, it seems to be accessing freed memory.

            jie.chen@mongodb.com Jie Chen
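
The triage step described in this report, written as a small checker (an added example, not code from the issue or from WiredTiger): it reports which fields of a dumped structure consist entirely of the fill byte. The `upd_view` layout, its field widths and `POISON_BYTE` are assumptions inferred from the gdb output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POISON_BYTE 0xcd /* assumption: fill byte inferred from the dump above */

/* Simplified stand-in for the dumped structure, not WiredTiger's definition. */
struct upd_view {
    uint64_t durable_start_ts, start_ts, start_txn;
    uint64_t durable_stop_ts, stop_ts, stop_txn;
    uint8_t prepare, type, skip_buf;
};

struct field { const char *name; size_t off, len; };
#define F(m) { #m, offsetof(struct upd_view, m), sizeof(((struct upd_view *)0)->m) }
static const struct field FIELDS[] = { F(durable_start_ts), F(start_ts), F(start_txn),
    F(durable_stop_ts), F(stop_ts), F(stop_txn), F(prepare), F(type), F(skip_buf) };
#define NFIELDS (sizeof(FIELDS) / sizeof(FIELDS[0]))

/* Bitmask of fields whose every byte is POISON_BYTE (bit i = FIELDS[i]).
 * Fields shorter than min_len are skipped: a single 0xcd byte can be a
 * coincidence, eight in a row in a timestamp is strong evidence. */
unsigned poison_mask(const struct upd_view *v, size_t min_len) {
    unsigned mask = 0;
    for (size_t i = 0; i < NFIELDS; i++) {
        const uint8_t *p = (const uint8_t *)v + FIELDS[i].off;
        size_t n = 0;
        while (n < FIELDS[i].len && p[n] == POISON_BYTE)
            n++;
        if (n == FIELDS[i].len && n >= min_len)
            mask |= 1u << i;
    }
    return mask;
}

/* Field values copied from the gdb dump on this page. */
struct upd_view sample_from_dump(void) {
    struct upd_view v = { 0xcdcdcdcdcdcdcdcdULL, 0xcdcdcdcdcdcdcdcdULL, 0xcdcdcdcdcdcdcdcdULL,
        0x0, 0xffffffffffffffffULL, 0xfffffffffffffff5ULL, 0x0, 0xcd, 0x0 };
    return v;
}

int main(void) {
    struct upd_view v = sample_from_dump();
    unsigned any = poison_mask(&v, 1), wide = poison_mask(&v, 8);
    for (size_t i = 0; i < NFIELDS; i++)
        printf("%-16s %s\n", FIELDS[i].name,
            (wide >> i) & 1 ? "poisoned" : (any >> i) & 1 ? "poisoned (1 byte, weak)" : "intact");
    return 0;
}
```

On the dumped values, the three start fields are fully poisoned while the stop fields are not, and `type` matches only as a single byte.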