[SERVER-21568] use after free in bt_split.c Created: 19/Nov/15 Updated: 07/Dec/15 Resolved: 20/Nov/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Storage |
| Affects Version/s: | 3.2.0-rc3 |
| Fix Version/s: | 3.2.0-rc4 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Michael Grundy | Assignee: | Michael Cahill (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Apply the attached patch that contains the election_timing_workload test and associated framework changes. run:
| Description |
|
Running election timing tests with a workload, the Primary will crash, frequently, after oplog truncation. Output from an ASAN build:
db version v3.2.0-rc3-49-ga0771ea mongod has the fix for |
| Comments |
| Comment by Githook User [ 02/Dec/15 ] |
|
Author: Michael Cahill (michaelcahill) <michael.cahill@mongodb.com>
Message: Import wiredtiger-wiredtiger-mongodb-3.0.7-20-g27d0cbd.tar.gz from wiredtiger branch mongodb-3.0 ref: deb2d81..27d0cbd 6feaa28 |
| Comment by Githook User [ 02/Dec/15 ] |
|
Author: Alex Gorrod (agorrod) <alexander.gorrod@mongodb.com>
Message: (cherry picked from commit 2d01a566) Conflicts: |
| Comment by Michael Cahill (Inactive) [ 20/Nov/15 ] |
|
Should be fixed by https://github.com/mongodb/mongo/commit/fb959fb6020ade800db8674b598a04a1ab4c7e67 |
| Comment by Githook User [ 20/Nov/15 ] |
|
Author: Alex Gorrod (agorrod) <alexander.gorrod@mongodb.com>
Message: Merge pull request #2323 from wiredtiger/
|
| Comment by Githook User [ 20/Nov/15 ] |
|
Author: Michael Cahill (michaelcahill) <michael.cahill@mongodb.com>
Message: |
| Comment by Githook User [ 20/Nov/15 ] |
|
Author: Michael Cahill (michaelcahill) <michael.cahill@mongodb.com>
Message: The ref->page_del structure can be freed as soon as it becomes globally visible. Do that when we have the ref locked to avoid unnecessarily spinning on the page state. |
| Comment by Githook User [ 20/Nov/15 ] |
|
Author: Michael Cahill (michaelcahill) <michael.cahill@mongodb.com>
Message: If a page was truncated, then subsequently there were more inserts onto that page so it was reinstantiated and the page ended up splitting, WiredTiger would attempt to free a data structure twice. |
| Comment by Michael Cahill (Inactive) [ 20/Nov/15 ] |
| Comment by Michael Grundy [ 19/Nov/15 ] |
|
Rolling back the majority write that was in flight when the primary was stopped might be related. I wasn't able to reproduce this in a simpler test case that didn't have the primary being stopped. |
| Comment by Daniel Pasette (Inactive) [ 19/Nov/15 ] |