[SERVER-15581] ASAN heap-use-after-free in unlockAll() Created: 09/Oct/14  Updated: 11/Jul/16  Resolved: 29/Oct/14

Status: Closed
Project: Core Server
Component/s: Concurrency
Affects Version/s: 2.7.7
Fix Version/s: 2.8.0-rc0

Type: Bug Priority: Major - P3
Reporter: Max Hirschhorn Assignee: Kaloian Manassiev
Resolution: Done Votes: 0
Labels: 28qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Tested
Operating System: ALL
Participants:

Description

Output from address sanitizer:

==18019==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000046930 at pc 0x1012aba67 bp 0x7fff5fbfa350 sp 0x7fff5fbfa348
READ of size 8 at 0x603000046930 thread T0
==18019==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x1012aba66 in mongo::newlm::ResourceId::operator== const resource_id.h:81
    #1 0x1012ab5ab in std::equal_to<mongo::newlm::ResourceId>::operator const stl_function.h:200
    #2 0x1012e1cb4 in std::tr1::__detail::_Hash_code_base<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, false>::_M_compare const hashtable_policy.h:805
    #3 0x1012df876 in std::tr1::_Hashtable<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::allocator<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::erase hashtable:1067
    #4 0x1012c3d51 in mongo::newlm::LockerImpl::_unlockAndUpdateRequestsList lock_state.cpp:686
    #5 0x1012c46b5 in mongo::newlm::LockerImpl::unlock lock_state.cpp:540
    #6 0x1012c12e7 in mongo::newlm::LockerImpl::unlockAll lock_state.cpp:397
    #7 0x1012127ec in mongo::Lock::DBLock::unlockDB d_concurrency.cpp:276
    #8 0x10121223f in mongo::Lock::DBLock::~DBLock d_concurrency.cpp:253
    #9 0x101211ff2 in mongo::Lock::DBLock::~DBLock d_concurrency.cpp:252
    #10 0x100cf59a0 in mongo::AutoGetCollectionForRead::~AutoGetCollectionForRead client.cpp:257
    #11 0x100cf5292 in mongo::AutoGetCollectionForRead::~AutoGetCollectionForRead client.cpp:248
    #12 0x1008e3316 in mongo::AuthzManagerExternalStateMongod::findOne authz_manager_external_state_d.cpp:91
    #13 0x1008f2071 in mongo::AuthzManagerExternalStateLocal::getStoredAuthorizationVersion authz_manager_external_state_local.cpp:66
    #14 0x1008323f1 in mongo::AuthorizationManager::getAuthorizationVersion authorization_manager.cpp:271
    #15 0x100829ac7 in mongo::authindex::configureSystemIndexes auth_index_d.cpp:77
    #16 0x1000068e8 in mongo::_initAndListen db.cpp:537
    #17 0x100001b24 in mongo::initAndListen db.cpp:580
    #18 0x100009071 in mongoDbMain db.cpp:816
    #19 0x100007e8d in main db.cpp:629
    #20 0x1000017d3 in start (in mongod) + 51
    #21 0x2 in 0x00000002 (in mongod)
 
0x603000046930 is located 0 bytes inside of 32-byte region [0x603000046930,0x603000046950)
freed by thread T0 here:
    #0 0x10e150563 in wrap_free (in libclang_rt.asan_osx_dynamic.dylib) + 115
    #1 0x1012e2883 in __gnu_cxx::new_allocator<std::tr1::__detail::_Hash_node<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, false> >::deallocate new_allocator.h:97
    #2 0x1012e203a in std::tr1::_Hashtable<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::allocator<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::_M_deallocate_node hashtable:476
    #3 0x1012df9dc in std::tr1::_Hashtable<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::allocator<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::erase hashtable:1071
    #4 0x1012c3d51 in mongo::newlm::LockerImpl::_unlockAndUpdateRequestsList lock_state.cpp:686
    #5 0x1012c46b5 in mongo::newlm::LockerImpl::unlock lock_state.cpp:540
    #6 0x1012c12e7 in mongo::newlm::LockerImpl::unlockAll lock_state.cpp:397
    #7 0x1012127ec in mongo::Lock::DBLock::unlockDB d_concurrency.cpp:276
    #8 0x10121223f in mongo::Lock::DBLock::~DBLock d_concurrency.cpp:253
    #9 0x101211ff2 in mongo::Lock::DBLock::~DBLock d_concurrency.cpp:252
    #10 0x100cf59a0 in mongo::AutoGetCollectionForRead::~AutoGetCollectionForRead client.cpp:257
    #11 0x100cf5292 in mongo::AutoGetCollectionForRead::~AutoGetCollectionForRead client.cpp:248
    #12 0x1008e3316 in mongo::AuthzManagerExternalStateMongod::findOne authz_manager_external_state_d.cpp:91
    #13 0x1008f2071 in mongo::AuthzManagerExternalStateLocal::getStoredAuthorizationVersion authz_manager_external_state_local.cpp:66
    #14 0x1008323f1 in mongo::AuthorizationManager::getAuthorizationVersion authorization_manager.cpp:271
    #15 0x100829ac7 in mongo::authindex::configureSystemIndexes auth_index_d.cpp:77
    #16 0x1000068e8 in mongo::_initAndListen db.cpp:537
    #17 0x100001b24 in mongo::initAndListen db.cpp:580
    #18 0x100009071 in mongoDbMain db.cpp:816
    #19 0x100007e8d in main db.cpp:629
    #20 0x1000017d3 in start (in mongod) + 51
    #21 0x2 in 0x00000002 (in mongod)
 
previously allocated by thread T0 here:
    #0 0x10e150495 in wrap_malloc (in libclang_rt.asan_osx_dynamic.dylib) + 117
    #1 0x7fff8ddde36d in operator new(unsigned long) (in libc++abi.dylib) + 29
    #2 0x1012fe6f0 in __gnu_cxx::new_allocator<std::tr1::__detail::_Hash_node<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, false> >::allocate new_allocator.h:91
    #3 0x1012f98aa in std::tr1::_Hashtable<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::allocator<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::_M_allocate_node hashtable:452
    #4 0x1012f8b12 in std::tr1::_Hashtable<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::allocator<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::_M_insert_bucket hashtable:877
    #5 0x1012f7b77 in std::tr1::_Hashtable<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::allocator<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::_M_insert hashtable:920
    #6 0x1012dbfda in std::tr1::_Hashtable<mongo::newlm::ResourceId, std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*>, std::allocator<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::_Select1st<std::pair<mongo::newlm::ResourceId const, mongo::newlm::LockRequest*> >, std::equal_to<mongo::newlm::ResourceId>, std::tr1::hash<mongo::newlm::ResourceId>, std::tr1::__detail::_Mod_range_hashing, std::tr1::__detail::_Default_ranged_hash, std::tr1::__detail::_Prime_rehash_policy, false, false, true>::insert hashtable:398
    #7 0x1012c2a63 in mongo::newlm::LockerImpl::lock lock_state.cpp:442
    #8 0x100cf3d28 in mongo::AutoGetCollectionForRead::_init client.cpp:232
    #9 0x100cf4e10 in mongo::AutoGetCollectionForRead::AutoGetCollectionForRead client.cpp:217
    #10 0x100cf475b in mongo::AutoGetCollectionForRead::AutoGetCollectionForRead client.cpp:218
    #11 0x1008e2a30 in mongo::AuthzManagerExternalStateMongod::findOne authz_manager_external_state_d.cpp:79
    #12 0x1008f2071 in mongo::AuthzManagerExternalStateLocal::getStoredAuthorizationVersion authz_manager_external_state_local.cpp:66
    #13 0x1008323f1 in mongo::AuthorizationManager::getAuthorizationVersion authorization_manager.cpp:271
    #14 0x100829ac7 in mongo::authindex::configureSystemIndexes auth_index_d.cpp:77
    #15 0x1000068e8 in mongo::_initAndListen db.cpp:537
    #16 0x100001b24 in mongo::initAndListen db.cpp:580
    #17 0x100009071 in mongoDbMain db.cpp:816
    #18 0x100007e8d in main db.cpp:629
    #19 0x1000017d3 in start (in mongod) + 51
    #20 0x2 in 0x00000002 (in mongod)
 
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x1c0600008cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600008ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600008cf0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 fa
  0x1c0600008d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0600008d10: fa fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
=>0x1c0600008d20: 00 00 00 00 fa fa[fd]fd fd fd fa fa fd fd fd fd
  0x1c0600008d30: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa 00 00
  0x1c0600008d40: 00 06 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x1c0600008d50: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x1c0600008d60: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
  0x1c0600008d70: 00 fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==18019==ABORTING

