[SERVER-21416] AsyncResultsMerger's parameters may hold a reference to freed OperationContext Created: 11/Nov/15  Updated: 17/Nov/15  Resolved: 12/Nov/15

Status: Closed
Project: Core Server
Component/s: Sharding
Affects Version/s: 3.2.0-rc3
Fix Version/s: 3.2.0-rc3

Type: Bug Priority: Critical - P2
Reporter: Kaloian Manassiev Assignee: David Storch
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Sharding C (11/20/15)
Participants:
Linked BF Score: 0

 Description   

The AsyncResultsMerger parameters structure has a pointer to the OperationContext which was used to create it. However, in getMore scenarios, the getMore comes on a separate call, which has a different OperationContext, and this causes a use-after-free exception:

[ShardedClusterFixture:job3:mongos] ----- BEGIN BACKTRACE -----
[ShardedClusterFixture:job3:mongos] {"backtrace":[{"b":"400000","o":"8355E2"},{"b":"400000","o":"8344F9"},{"b":"400000","o":"834878"},{"b":"2AF8CB0FE000","o":"ECA0"},{"b":"400000","o":"2FBFFB"},{"b":"400000","o":"75E6F5"},{"b":"400000","o":"75EFF0"},{"b":"400000","o":"75FDBB"},{"b":"400000","o":"76CB0B"},{"b":"400000","o":"763A32"},{"b":"400000","o":"7651AB"},{"b":"400000","o":"768B44"},{"b":"400000","o":"71AA73"},{"b":"400000","o":"771E89"},{"b":"400000","o":"772ADD"},{"b":"400000","o":"782121"},{"b":"400000","o":"771656"},{"b":"400000","o":"250AA5"},{"b":"400000","o":"7EEC65"},{"b":"2AF8CB0FE000","o":"683D"},{"b":"2AF8CB31B000","o":"D4FDD"}],"processInfo":{ "mongodbVersion" : "3.2.0-rc2-114-g820b117", "gitVersion" : "820b11793691ba0019767e686875444663bd2541", "compiledModules" : [], "uname" : { "sysname" : "Linux", "release" : "2.6.18-194.el5xen", "version" : "#1 SMP Tue Mar 16 22:01:26 EDT 2010", "machine" : "x86_64" }, "somap" : [ { "elfType" : 2, "b" : "400000" }, { "b" : "2AF8CA55F000", "path" : "/lib64/librt.so.1", "elfType" : 3 }, { "b" : "2AF8CA768000", "path" : "/lib64/libdl.so.2", "elfType" : 3 }, { "b" : "2AF8CA96C000", "path" : "/usr/lib64/libstdc++.so.6", "elfType" : 3 }, { "b" : "2AF8CAC6D000", "path" : "/lib64/libm.so.6", "elfType" : 3 }, { "b" : "2AF8CAEF0000", "path" : "/lib64/libgcc_s.so.1", "elfType" : 3 }, { "b" : "2AF8CB0FE000", "path" : "/lib64/libpthread.so.0", "elfType" : 3 }, { "b" : "2AF8CB31B000", "path" : "/lib64/libc.so.6", "elfType" : 3 }, { "b" : "2AF8CA341000", "path" : "/lib64/ld-linux-x86-64.so.2", "elfType" : 3 } ] }}
[ShardedClusterFixture:job3:mongos]  mongos(mongo::printStackTrace(std::ostream&)+0x32) [0xc355e2]
[ShardedClusterFixture:job3:mongos]  mongos(+0x8344F9) [0xc344f9]
[ShardedClusterFixture:job3:mongos]  mongos(+0x834878) [0xc34878]
[ShardedClusterFixture:job3:mongos]  libpthread.so.0(+0xECA0) [0x2af8cb10cca0]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::RemoteCommandTargeter::selectFindHostMaxWaitTime(mongo::OperationContext*)+0xB) [0x6fbffb]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::AsyncResultsMerger::RemoteCursorData::resolveShardIdToHostAndPort(mongo::OperationContext*, mongo::ReadPreferenceSetting const&)+0x95) [0xb5e6f5]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::AsyncResultsMerger::askForNextBatch_inlock(unsigned long)+0x80) [0xb5eff0]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::AsyncResultsMerger::nextEvent()+0x1AB) [0xb5fdbb]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::RouterStageMerge::next()+0x4B) [0xb6cb0b]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::ClusterClientCursorImpl::next()+0x132) [0xb63a32]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::ClusterCursorManager::PinnedCursor::next()+0x1B) [0xb651ab]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::ClusterFind::runGetMore(mongo::OperationContext*, mongo::GetMoreRequest const&)+0x224) [0xb68b44]
[ShardedClusterFixture:job3:mongos]  mongos(+0x71AA73) [0xb1aa73]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::Command::execCommandClientBasic(mongo::OperationContext*, mongo::Command*, mongo::ClientBasic&, int, char const*, mongo::BSONObj&, mongo::BSONObjBuilder&)+0x559) [0xb71e89]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::Command::runAgainstRegistered(mongo::OperationContext*, char const*, mongo::BSONObj&, mongo::BSONObjBuilder&, int)+0x2ED) [0xb72add]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::Strategy::clientCommandOp(mongo::OperationContext*, mongo::Request&)+0x1B1) [0xb82121]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::Request::process(mongo::OperationContext*, int)+0x866) [0xb71656]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::ShardedMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*)+0x65) [0x650aa5]
[ShardedClusterFixture:job3:mongos]  mongos(mongo::PortMessageServer::handleIncomingMsg(void*)+0x265) [0xbeec65]
[ShardedClusterFixture:job3:mongos]  libpthread.so.0(+0x683D) [0x2af8cb10483d]
[ShardedClusterFixture:job3:mongos]  libc.so.6(clone+0x6D) [0x2af8cb3effdd]
[ShardedClusterFixture:job3:mongos] -----  END BACKTRACE  -----
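The lifetime bug in the description, reduced to a self-contained model (added example; this is not MongoDB's AsyncResultsMerger code, and `ContextQuarantine`, `selectHost`, `MergerBefore` and `MergerAfter` are stand-ins invented for the illustration). The "before" merger captures the find operation's OperationContext* in its parameter block and dereferences it when the getMore, which runs on a different OperationContext, asks for the next batch. The "after" merger stores no pointer and takes the current operation's OperationContext as an explicit argument, which is the shape of the fix committed for this ticket. Retired contexts are kept in a quarantine and only flagged dead (the same idea AddressSanitizer uses) so the stale access is reported deterministically instead of being a genuine use-after-free in the demo:

```cpp
// Added example modelling SERVER-21416; not MongoDB source. All names are stand-ins.
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Stand-in for mongo::OperationContext: one per client operation (find, getMore, ...).
class OperationContext {
public:
    explicit OperationContext(std::string opName) : _opName(std::move(opName)) {}
    const std::string& opName() const { return _opName; }
    bool alive() const { return _alive; }
    void retire() { _alive = false; }   // the operation finished
private:
    std::string _opName;
    bool _alive = true;
};

// Owns every context for the whole run, so a retired context's address is never
// reused; a dangling pointer can then be recognised by reading alive() safely.
class ContextQuarantine {
public:
    OperationContext* begin(const std::string& opName) {
        _all.emplace_back(new OperationContext(opName));
        return _all.back().get();
    }
    void end(OperationContext* txn) { txn->retire(); }
private:
    std::vector<std::unique_ptr<OperationContext>> _all;
};

// Stand-in for the targeter call at the top of the backtrace: it is only valid
// while the OperationContext it is given is still live (the invariant the
// comments below discuss, made explicit here).
std::string selectHost(const OperationContext* txn) {
    if (!txn->alive()) {
        throw std::logic_error("OperationContext for '" + txn->opName() +
                               "' used after its operation ended");
    }
    return "shard0:27018 (for " + txn->opName() + ")";
}

// BEFORE: the parameter block captures the creating operation's context.
struct MergerParamsBefore {
    OperationContext* txn;   // dangles once the find operation ends
};
class MergerBefore {
public:
    explicit MergerBefore(MergerParamsBefore p) : _params(p) {}
    std::string askForNextBatch() { return selectHost(_params.txn); }
private:
    MergerParamsBefore _params;
};

// AFTER: no stored pointer; every call is given the context of the operation
// that is actually running (the find for the first batch, the getMore later).
class MergerAfter {
public:
    std::string askForNextBatch(OperationContext* txn) { return selectHost(txn); }
};

// find creates the cursor and merger, the find's context ends, then a getMore
// on a fresh context drives the same merger: the sequence from the ticket.
std::string findThenGetMoreBefore() {
    ContextQuarantine ops;
    OperationContext* findTxn = ops.begin("find");
    MergerBefore merger(MergerParamsBefore{findTxn});
    merger.askForNextBatch();           // first batch: findTxn still alive, fine
    ops.end(findTxn);                   // find finishes; its context is gone
    OperationContext* getMoreTxn = ops.begin("getMore");
    (void)getMoreTxn;                   // the merger never sees the new context
    try {
        return merger.askForNextBatch();  // dereferences the stale findTxn
    } catch (const std::logic_error& e) {
        return std::string("error: ") + e.what();
    }
}

std::string findThenGetMoreAfter() {
    ContextQuarantine ops;
    OperationContext* findTxn = ops.begin("find");
    MergerAfter merger;
    merger.askForNextBatch(findTxn);    // first batch under the find's context
    ops.end(findTxn);
    OperationContext* getMoreTxn = ops.begin("getMore");
    return merger.askForNextBatch(getMoreTxn);  // getMore passes its own context
}

int main() {
    std::cout << "before: " << findThenGetMoreBefore() << "\n";
    std::cout << "after:  " << findThenGetMoreAfter() << "\n";
    return 0;
}
```

The `alive()` check in `selectHost` plays the role of the explicit invariant proposed in the comments; it turns the crash into a diagnosable failure but still leaves the merger holding a pointer whose validity depends on call ordering. Passing the OperationContext per call, as `MergerAfter` does, removes that dependency entirely, which is why the ticket was resolved by dropping the stored pointer rather than only asserting on it.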
 Comments   
Comment by Githook User [ 12/Nov/15 ]

Author: David Storch (dstorch, david.storch@10gen.com)

Message: SERVER-21416 remove OperationContext pointer from AsyncResultsMerger
Branch: master
https://github.com/mongodb/mongo/commit/3b60c3ea6ab9f351cf48200c809959513b393fb8

Comment by Kaloian Manassiev [ 12/Nov/15 ]

We should certainly add some invariants. However, having a dangling OperationContext pointer in the AsyncResultsMerger is a definite no-no. Having the OperationContext be passed explicitly both makes the code easier to read and removes any ambiguity of what state can be accessed when.

Comment by David Storch [ 11/Nov/15 ]

kaloian.manassiev, as we discussed, I believe there is an implicit invariant that uses of the OperationContext* inside the AsyncResultsMerger must occur while the initial find operation is still active (and hence the OperationContext is still valid). Perhaps we should resolve this ticket by adding some explicit invariants to this effect rather than removing the OperationContext pointer?

Generated at Thu Feb 08 03:57:17 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.