[CDRIVER-745] Crash in bson_destroy, called from _mongoc_cluster_disconnect_node
Created: 15/Jul/15  Updated: 05/Aug/15  Resolved: 15/Jul/15

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: 1.1.9
Fix Version/s: 1.1.10

Type: Bug
Priority: Major - P3
Reporter: A. Jesse Jiryu Davis
Assignee: A. Jesse Jiryu Davis
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-755 Leaks in _mongoc_cluster_ismaster Closed

 Description   

Backtrace like:

bson_destroy (bson=0x6dca700) at src/bson/bson.c:2154
_mongoc_cluster_disconnect_node (cluster=0x4982dd8, node=0x6dca600) at src/mongoc/mongoc-cluster.c:441
_mongoc_cluster_try_recv (cluster=0x4982dd8, rpc=0x68ab330, buffer=0x68ab370, hint=1, error=0x68ab130) at src/mongoc/mongoc-cluster.c:3059
_mongoc_client_recv (client=0x4982dc0, rpc=0x68ab330, buffer=0x68ab370, hint=1, error=0x68ab130) at src/mongoc/mongoc-client.c:501
_mongoc_cursor_query (cursor=0x68aaf00) at src/mongoc/mongoc-cursor.c:517
_mongoc_cursor_next (cursor=0x68aaf00, bson=0x8221a30) at src/mongoc/mongoc-cursor.c:831
mongoc_cursor_next (cursor=0x68aaf00, bson=0x8221a30) at src/mongoc/mongoc-cursor.c:759



 Comments   
Comment by Githook User [ 05/Aug/15 ]

Author:

{u'username': u'bjori', u'name': u'Hannes Magnusson', u'email': u'bjori@php.net'}

Message: Merge branch 'master' into 1.2.0-dev

  • master: (38 commits)
    various fixups for memory leaks and races in tests
    Fix memory leak in mongoc_uri_parse_option
    post-release bump
    1.1.10 Release
    CDRIVER-755 leaks in _mongoc_cluster_ismaster
    CDRIVER-745 test cluster node destroy, then disconnect
    CDRIVER-750 don't query recovering RS members
    spell "cyrus" correctly in install guide
    CDRIVER-745 crash in _mongoc_cluster_disconnect_node
    post-release bump
    CDRIVER-731: Do not trace SASL mutex callbacks
    debian changelog fixes for deb pkg
    1.1.9 Release
    redundant include
    CDRIVER-721 test reconnection
    CDRIVER-727 actually enable coverage in libmongoc
    update libbson to 1.1.9-dev
    CDRIVER-721 test rs and mongos, connected and not
    CDRIVER-721 additional tests
    CDRIVER-721 mongoc_client_destroy crash after connection fails
    ...

Conflicts:
CMakeLists.txt
NEWS
README.rst
build/autotools/Versions.m4
build/rpm/mongo-c-driver.spec
debian/changelog
doc/installing.page
doc/mongoc_version.page
src/libbson
src/mongoc/mongoc-cluster-private.h
src/mongoc/mongoc-cluster.c
src/mongoc/mongoc-read-prefs.c
src/mongoc/mongoc-uri.c
src/mongoc/mongoc-write-command.c
tests/mock-server.c
tests/mock-server.h
tests/test-libmongoc.c
tests/test-mongoc-client.c
tests/test-mongoc-cluster.c
tests/test-mongoc-database.c
tests/test-mongoc-read-prefs.c
tests/test-mongoc-uri.c
tests/test-sasl.c
Branch: 1.2.0-dev
https://github.com/mongodb/mongo-c-driver/commit/e62117d12a600f6cf61eb409933af6f92a3d7c22

Comment by Githook User [ 05/Aug/15 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}

Message: CDRIVER-745 test cluster node destroy, then disconnect

Verifies mongoc_cluster_node_t's "tags" document is properly
reinitialized in _mongoc_cluster_node_destroy.
Branch: 1.2.0-dev
https://github.com/mongodb/mongo-c-driver/commit/a967e8ee8d8a0a7d7cd5834155055f7b07c415e7

Comment by Githook User [ 05/Aug/15 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}

Message: CDRIVER-745 crash in _mongoc_cluster_disconnect_node

In _mongoc_cluster_node_destroy, don't NULL the node->tags bson.
Reinitialize it instead, so it can be safely destroyed again if the
node is reused and disconnected.
Branch: 1.2.0-dev
https://github.com/mongodb/mongo-c-driver/commit/a0997439c86276f0dcdb49550636b11f3e407384

Comment by Githook User [ 22/Jul/15 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}

Message: CDRIVER-745 test cluster node destroy, then disconnect

Verifies mongoc_cluster_node_t's "tags" document is properly
reinitialized in _mongoc_cluster_node_destroy.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/a967e8ee8d8a0a7d7cd5834155055f7b07c415e7

Comment by A. Jesse Jiryu Davis [ 15/Jul/15 ]

No need for forward-port, "tags" document is correctly managed in mongoc_server_description_t in 1.2.0.

Comment by Githook User [ 15/Jul/15 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}

Message: CDRIVER-745 crash in _mongoc_cluster_disconnect_node

In _mongoc_cluster_node_destroy, don't NULL the node->tags bson.
Reinitialize it instead, so it can be safely destroyed again if the
node is reused and disconnected.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/a0997439c86276f0dcdb49550636b11f3e407384

Comment by A. Jesse Jiryu Davis [ 15/Jul/15 ]

Not a precise repro, but in the same general vicinity. Install MockupDB and run this Python:

from time import sleep

from mockupdb import MockupDB

# Three mock servers stand in for a replica set: one primary, two secondaries.
primary, secondary0, secondary1 = servers = [
    MockupDB(port) for port in (8000, 8001, 8002)]

secondaries = [secondary0, secondary1]

for server in servers:
    server.verbose = True
    server.run()

# Every member reports the same host list and set name in its isMaster reply.
hosts = [server.address_string for server in servers]
primary.autoresponds(
    'isMaster',
    ismaster=True, setName='rs', hosts=hosts)

for secondary in secondaries:
    secondary.autoresponds(
        'isMaster',
        ismaster=False, secondary=True, setName='rs', hosts=hosts)

# Accept the authentication handshake on all servers.
for server in servers:
    server.autoresponds('getnonce', nonce='abcd')
    server.autoresponds('authenticate')

# Wait for the driver's ping on the primary, then hang up without replying.
primary.receives('ping', timeout=1000).hangup()

# Wait for Ctrl-C.
sleep(1000)

If the server hangs up on the C Driver when it pings, the driver calls "disconnect" on a node that it's previously called "destroy" on. Since "destroy" NULLs node->tags without reinitializing it, "disconnect" crashes calling bson_destroy on the NULLed node->tags.
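A minimal C model of the destroy-then-disconnect sequence described in this ticket, added here as an illustration; it is not libmongoc or libbson code. `doc_t`, `node_t` and every function are hypothetical stand-ins, and "NULLing" the tags is modelled as zeroing the embedded struct, which is an assumption about the original code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for an embedded document type (NOT libbson's layout).
 * A heap-backed doc reaches its buffer through a pointer-to-pointer, so an
 * all-zero struct is not a valid "empty" document. */
#define DOC_INLINE 1u
typedef struct {
    unsigned flags;   /* DOC_INLINE set: no heap buffer to release */
    char **buf;       /* heap docs: address of the owning pointer */
    char *alloc;
} doc_t;

typedef struct { doc_t tags; } node_t;   /* hypothetical cluster node */

static void doc_init(doc_t *d) { memset(d, 0, sizeof *d); d->flags = DOC_INLINE; }
static void doc_grow(doc_t *d) { d->flags = 0; d->alloc = malloc(64); d->buf = &d->alloc; }

/* Returns false at the point where an unchecked destroy would dereference NULL. */
static bool doc_destroy(doc_t *d) {
    if (!(d->flags & DOC_INLINE)) {
        if (d->buf == NULL) return false;   /* zeroed struct: the crash site */
        free(*d->buf);
    }
    return true;
}

/* Before the fix: release, then zero the struct (flags == 0, buf == NULL). */
static void node_destroy_buggy(node_t *n) { doc_destroy(&n->tags); memset(&n->tags, 0, sizeof n->tags); }
/* After the fix: release, then reinitialize so a second destroy is harmless. */
static void node_destroy_fixed(node_t *n) { doc_destroy(&n->tags); doc_init(&n->tags); }
/* Disconnect destroys tags again, whether or not the node was destroyed earlier. */
static bool node_disconnect(node_t *n) { bool ok = doc_destroy(&n->tags); doc_init(&n->tags); return ok; }

/* Destroy a node holding heap-backed tags, then disconnect it, as in the
 * backtrace. Returns true if the second destroy was safe. */
static bool destroy_then_disconnect(void (*destroy)(node_t *)) {
    node_t n;
    doc_init(&n.tags);
    doc_grow(&n.tags);
    destroy(&n);
    return node_disconnect(&n);
}

int main(void) {
    printf("buggy destroy, then disconnect: %s\n", destroy_then_disconnect(node_destroy_buggy) ? "ok" : "would crash");
    printf("fixed destroy, then disconnect: %s\n", destroy_then_disconnect(node_destroy_fixed) ? "ok" : "would crash");
    return 0;
}
```

The general point is that a destroy routine for a reusable object must leave every embedded member in a state its own destructor accepts, and zero is only such a state if the member's type defines it to be.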

Generated at Wed Feb 07 21:10:30 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.