[SERVER-16654] ParallelConnectionMetadata::cleanup can cause the cursor to access deleted connection
Created: 23/Dec/14  Updated: 06/Dec/22  Resolved: 09/Nov/15

Status: Closed
Project: Core Server
Component/s: Sharding
Affects Version/s: 2.4.12, 2.8.0-rc3
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Randolph Tan
Assignee: [DO NOT USE] Backlog - Sharding Team
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-15056 Sharded connection cleanup on setup e... Closed
Assigned Teams:
Sharding
Operating System: ALL
Sprint: Sharding C (11/20/15)
Participants:

 Description   

ParallelConnectionMetadata::cleanup calls ShardConnection::done, which can potentially delete the underlying connection (https://github.com/mongodb/mongo/blob/r2.8.0-rc3/src/mongo/client/connpool.cpp#L66-73). This is also the same connection pointer stored in the cursor, and when its destructor gets called, it can try to access the pointer (https://github.com/mongodb/mongo/blob/r2.8.0-rc3/src/mongo/client/dbclientcursor.cpp#L364-372).

Sample stacktrace from special local 2.4.12 build with special fail points to make it fail more easily:

 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo17printStackAndExitEi+0x65)[0x965f65]
 m30999| /lib/x86_64-linux-gnu/libc.so.6(+0x370b0)[0x7f3885d7d0b0]
 m30999| /lib/x86_64-linux-gnu/libc.so.6(+0x150fe9)[0x7f3885e96fe9]
 m30999| /home/ren/mongo-copy/mongos(_ZNK5mongo18DBClientReplicaSet11_getMonitorEv+0xa9)[0x6b8269]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo18DBClientReplicaSet11checkMasterEv+0x24)[0x6b8314]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo18DBClientReplicaSet3sayERNS_7MessageEbPSs+0x7e)[0x6bbc6e]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo14DBClientCursorD1Ev+0x578)[0x6c6238]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo14DBClientCursorD0Ev+0x9)[0x6c65e9]
 m30999| /home/ren/mongo-copy/mongos(_ZN5boost6detail12shared_countD2Ev+0x39)[0x6736c9]
 m30999| /home/ren/mongo-copy/mongos(_ZN5boost6detail17sp_counted_impl_pIN5mongo23ParallelConnectionStateEE7disposeEv+0x2a)[0x6f6efa]
 m30999| /home/ren/mongo-copy/mongos(_ZN5boost6detail12shared_countD2Ev+0x39)[0x6736c9]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo26ParallelConnectionMetadata7cleanupEb+0x172)[0x6e47a2]
 m30999| /home/ren/mongo-copy/mongos(_ZNSt8_Rb_treeIN5mongo5ShardESt4pairIKS1_NS0_26ParallelConnectionMetadataEESt10_Select1stIS5_ESt4lessIS1_ESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeIS5_E+0x4b)[0x6f84bb]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo27ParallelSortClusteredCursorD1Ev+0xcd)[0x6e585d]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo27ParallelSortClusteredCursorD0Ev+0x9)[0x6e59e9]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo13ShardStrategy7queryOpERNS_7RequestE+0x11cd)[0x8c434d]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo7Request7processEi+0x18f)[0x8aa74f]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo21ShardedMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE+0x60)[0x679090]
 m30999| /home/ren/mongo-copy/mongos(_ZN5mongo17PortMessageServer17handleIncomingMsgEPv+0x471)[0x951501]
 m30999| /lib/x86_64-linux-gnu/libpthread.so.0(+0x7f8e)[0x7f3886b44f8e]
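
A minimal model of the lifetime ordering described above, added here as an example and not MongoDB code: Conn, Pool, Cursor and the discard flag are hypothetical stand-ins, and the cursor holds a std::weak_ptr rather than the raw pointer from the ticket so the stale access is detected instead of being undefined behaviour. Destroying the cursor before releasing the connection is shown as one general way to avoid the hazard, not as the project's fix.

```cpp
#include <cstdio>
#include <memory>
#include <utility>

// Hypothetical stand-ins for the types named in the ticket; not MongoDB code.
enum Outcome { NotRun, SentOnLiveConn, StaleConnAccess };
struct Conn { int sent = 0; void say() { ++sent; } };

// Models ShardConnection::done(): returning the connection may destroy it.
struct Pool {
    std::shared_ptr<Conn> owned;
    std::weak_ptr<Conn> checkout() { owned = std::make_shared<Conn>(); return owned; }
    void done(bool discard) { if (discard) owned.reset(); }
};

// Models a cursor whose destructor talks to its connection (say() in the trace).
struct Cursor {
    std::weak_ptr<Conn> conn;  // the ticket's cursor holds a raw pointer instead
    Outcome* out;
    Cursor(std::weak_ptr<Conn> c, Outcome* o) : conn(std::move(c)), out(o) {}
    ~Cursor() {
        if (auto c = conn.lock()) { c->say(); *out = SentOnLiveConn; }
        else *out = StaleConnAccess;  // a raw pointer would be dereferenced here
    }
};

// Order from the ticket: connection released first, cursor destroyed afterwards.
Outcome cleanupReleaseFirst() {
    Outcome out = NotRun;
    Pool pool;
    std::unique_ptr<Cursor> cursor(new Cursor(pool.checkout(), &out));
    pool.done(true);  // connection is gone while the cursor still refers to it
    cursor.reset();   // destructor finds a dead connection
    return out;
}

// Safe order: the cursor finishes with the connection before it is released.
Outcome cleanupCursorFirst() {
    Outcome out = NotRun;
    Pool pool;
    std::unique_ptr<Cursor> cursor(new Cursor(pool.checkout(), &out));
    cursor.reset();   // destructor runs while the connection is still alive
    pool.done(true);
    return out;
}

int main() {
    std::printf("%d %d\n", (int)cleanupReleaseFirst(), (int)cleanupCursorFirst());
}
```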



 Comments   
Comment by Randolph Tan [ 04/Nov/15 ]

This no longer affects the current master as ParallelSortClusteredCursor usage is now limited to commands and commands don't store DBClientCursor.
