[SERVER-12260] batch_upconvert_test fails under address sanitizer Created: 06/Jan/14  Updated: 11/Jul/16  Resolved: 06/Jan/14

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.5

Type: Bug Priority: Major - P3
Reporter: Andrew Morrow (Inactive) Assignee: Mathias Stearn
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-11903 Remove BSONElement::validate() Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

scons --cache --dbg=on --sanitize=address --allocator=system --cc=/usr/bin/clang --cxx=/usr/bin/clang++ && ./build/unittests/batch_upconvert_test 2>&1 | asan_symbolize | c++filt

Using

clang++ --version
Ubuntu clang version 3.4-1~exp1 (trunk) (based on LLVM 3.4)
Target: x86_64-pc-linux-gnu
Thread model: posix

Participants:

Description

When run under address sanitizer, the batch_upconvert_test fails, claiming a heap overflow:

2014-01-06T11:50:45.344-0500 going to run suite: WriteBatchUpconvert
2014-01-06T11:50:45.344-0500 	 going to run test: BasicInsert
=================================================================
==8784==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000dd92 at pc 0x5b0d70 bp 0x7fffbac42090 sp 0x7fffbac42060
READ of size 1 at 0x60600000dd92 thread T0
==8784==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x5b0d6f in __interceptor_strcmp ??:?
    #1 0x6c24b9 in mongo::(anonymous namespace)::validateBSONIterative(mongo::(anonymous namespace)::Buffer*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/bson/bson_validate.cpp:293
    #2 0x6c0781 in mongo::validateBSON(char const*, unsigned long) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/bson/bson_validate.cpp:359
    #3 0x9fac9f in mongo::DbMessage::nextJsObj() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/db/dbmessage.h:213
    #4 0x9f4d88 in mongo::msgToBatchInserts(mongo::Message const&, std::vector<mongo::BatchedCommandRequest*, std::allocator<mongo::BatchedCommandRequest*> >*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/s/write_ops/batch_upconvert.cpp:80
    #5 0x9f40bf in mongo::msgToBatchRequests(mongo::Message const&, std::vector<mongo::BatchedCommandRequest*, std::allocator<mongo::BatchedCommandRequest*> >*) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/s/write_ops/batch_upconvert.cpp:51
    #6 0x5f6bc4 in (anonymous namespace)::UnitTest__WriteBatchUpconvert__BasicInsert::_doTest() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/s/write_ops/batch_upconvert_test.cpp:62
    #7 0xc19dad in mongo::unittest::Test::run() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:125
    #8 0x5f5b35 in void mongo::unittest::Suite::runTestObject<(anonymous namespace)::UnitTest__WriteBatchUpconvert__BasicInsert>() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.h:308
    #9 0x635453 in boost::detail::function::void_function_invoker0<void (*)(), void>::invoke(boost::detail::function::function_buffer&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/boost/boost/function/function_template.hpp:112
    #10 0xc5051e in boost::function0<void>::operator()() const /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/boost/boost/function/function_template.hpp:759
    #11 0xc29330 in mongo::unittest::TestHolder::run() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.h:206
    #12 0xc1dda2 in mongo::unittest::Suite::run(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:182
    #13 0xc217b9 in mongo::unittest::Suite::run(std::vector<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:247
    #14 0xc5256b in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest_main.cpp:28
    #15 0x7f14985b3ea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #16 0x5f504c in _start ??:?
 
0x60600000dd92 is located 0 bytes to the right of 50-byte region [0x60600000dd60,0x60600000dd92)
allocated by thread T0 here:
    #0 0x5e0179 in __interceptor_malloc ??:?
    #1 0x5fb2b1 in mongo::Message::setData(int, char const*, unsigned long) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/util/net/message.h:283
    #2 0x5f6b4a in (anonymous namespace)::UnitTest__WriteBatchUpconvert__BasicInsert::_doTest() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/s/write_ops/batch_upconvert_test.cpp:58
    #3 0xc19dad in mongo::unittest::Test::run() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:125
    #4 0x5f5b35 in void mongo::unittest::Suite::runTestObject<(anonymous namespace)::UnitTest__WriteBatchUpconvert__BasicInsert>() /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.h:308
    #5 0x635453 in boost::detail::function::void_function_invoker0<void (*)(), void>::invoke(boost::detail::function::function_buffer&) /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/boost/boost/function/function_template.hpp:112
    #6 0xc5051e in boost::function0<void>::operator()() const /home/andrew/Documents/10gen/dev/src/mongodb/src/third_party/boost/boost/function/function_template.hpp:759
    #7 0xc29330 in mongo::unittest::TestHolder::run() const /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.h:206
    #8 0xc1dda2 in mongo::unittest::Suite::run(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:182
    #9 0xc217b9 in mongo::unittest::Suite::run(std::vector<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest.cpp:247
    #10 0xc5256b in main /home/andrew/Documents/10gen/dev/src/mongodb/src/mongo/unittest/unittest_main.cpp:28
    #11 0x7f14985b3ea4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
 
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c0c7fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9ba0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fff9bb0: 00 00[02]fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9bc0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9bd0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9be0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9bf0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9c00: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==8784==ABORTING

Comments
Comment by Githook User [ 06/Jan/14 ]

Author:

{u'username': u'RedBeard0531', u'name': u'Mathias Stearn', u'email': u'mathias@10gen.com'}

Message: SERVER-12260 Don't look for _id field name after EOO

Fixes a bug in implementation of SERVER-11903
Branch: master
https://github.com/mongodb/mongo/commit/8bfce9bcce36c2250f17fb51cadbdabb74754e10

Comment by Mathias Stearn [ 06/Jan/14 ]

This can happen for objects without an _id field at the top-level when it tries to get the name of the EOO element even though there isn't one. I'll put up a fix soon.
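
The ASan trace in the description (a 1-byte READ by strcmp, 0 bytes past a 50-byte Message buffer, inside validateBSONIterative) and the comment above describe the same defect: the validator looked for the "_id" field name even for the EOO element, which has no name, so the cstring scan ran off the end of the allocation when the document ended the buffer. The block below is an added example, not MongoDB's bson_validate.cpp: a bounds-checked walk over a BSON document's top-level elements that tests for EOO before touching any name and never reads beyond the declared document length. The sample documents are hand-encoded and constructed for this example; the helper names are assumptions.

```cpp
// Added example (not MongoDB's code): bounds-checked scan of a BSON document's
// top-level elements, reporting validity and whether a top-level "_id" exists.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

enum class ScanStatus { Valid, Invalid };

struct ScanResult {
    ScanStatus status;
    bool hasId;  // true only when a top-level element named "_id" was seen
};

// Reads a little-endian int32 at pos if all four bytes lie inside the buffer.
static bool readInt32(const uint8_t* buf, size_t len, size_t pos, int32_t* out) {
    if (pos > len || len - pos < 4) return false;
    uint32_t v = (uint32_t)buf[pos] | ((uint32_t)buf[pos + 1] << 8) |
                 ((uint32_t)buf[pos + 2] << 16) | ((uint32_t)buf[pos + 3] << 24);
    *out = (int32_t)v;
    return true;
}

// Size of the value for a supported element type, or -1 when the type is
// unsupported or its own length prefix cannot be read inside [pos, len).
static long valueSize(uint8_t type, const uint8_t* buf, size_t len, size_t pos) {
    int32_t n;
    switch (type) {
        case 0x01: return 8;                       // double
        case 0x02:                                 // string: int32 length + bytes incl. NUL
            if (!readInt32(buf, len, pos, &n) || n < 1) return -1;
            return 4 + (long)n;
        case 0x03: case 0x04:                      // embedded document / array
            if (!readInt32(buf, len, pos, &n) || n < 5) return -1;
            return n;
        case 0x07: return 12;                      // ObjectId
        case 0x08: return 1;                       // bool
        case 0x0A: return 0;                       // null
        case 0x10: return 4;                       // int32
        case 0x12: return 8;                       // int64
        default:   return -1;
    }
}

ScanResult scanTopLevel(const uint8_t* buf, size_t len) {
    ScanResult bad = {ScanStatus::Invalid, false};
    int32_t declared;
    if (!readInt32(buf, len, 0, &declared) || declared < 5 || (size_t)declared > len) return bad;
    size_t end = (size_t)declared;
    size_t pos = 4;
    bool hasId = false;
    for (;;) {
        if (pos >= end) return bad;                // ran past the declared size without EOO
        uint8_t type = buf[pos];
        // The SERVER-12260 defect: reading the element name before this check.
        // EOO carries no name, so a strcmp here would walk off the buffer.
        if (type == 0x00) {
            return pos + 1 == end ? ScanResult{ScanStatus::Valid, hasId} : bad;
        }
        pos += 1;
        // Bounded cstring scan: the NUL must fall inside the document, not wherever
        // the heap happens to contain one.
        const void* nul = memchr(buf + pos, 0, end - pos);
        if (nul == nullptr) return bad;
        size_t nameLen = (size_t)((const uint8_t*)nul - (buf + pos));
        if (nameLen == 3 && memcmp(buf + pos, "_id", 3) == 0) hasId = true;
        pos += nameLen + 1;
        long vs = valueSize(type, buf, end, pos);
        if (vs < 0 || (size_t)vs > end - pos) return bad;
        pos += (size_t)vs;
    }
}

ScanResult scan(const std::vector<uint8_t>& d) { return scanTopLevel(d.data(), d.size()); }

// Constructed sample documents (hand-encoded BSON, not taken from the ticket).
std::vector<uint8_t> docWithoutId() {      // {"a": 1}
    return {0x0c,0,0,0, 0x10,'a',0, 1,0,0,0, 0x00};
}
std::vector<uint8_t> docWithId() {         // {"_id": 7, "a": 1}
    return {0x15,0,0,0, 0x10,'_','i','d',0, 7,0,0,0, 0x10,'a',0, 1,0,0,0, 0x00};
}
std::vector<uint8_t> docTruncatedName() {  // declares 12 bytes; name never NUL-terminated
    return {0x0c,0,0,0, 0x10,'a','b','c','d','e','f','g'};
}
std::vector<uint8_t> docOversized() {      // declares 32 bytes but only 5 are present
    return {0x20,0,0,0, 0x00};
}
```

Run the four samples through scan(): the two well-formed documents come back Valid (only the second with hasId set), and the two malformed ones come back Invalid without any read outside the vector, which is the property an ASan build of such a validator should confirm.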

Generated at Thu Feb 08 03:28:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.