<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:10:20 UTC 2024

-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-695] _mongoc_cluster_node_destroy segfaults in certain scenarios</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-695</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;Program terminated with signal 11, Segmentation fault.&lt;br/&gt;
#0  0x00000000ffffffff in ?? ()&lt;br/&gt;
(gdb) bt&lt;br/&gt;
#0  0x00000000ffffffff in ?? ()&lt;br/&gt;
#1  0x00007fcc757c43e2 in _mongoc_cluster_node_destroy ()&lt;br/&gt;
#2  0x00007fcc757c6f19 in _mongoc_cluster_destroy () &lt;br/&gt;
#3  0x00007fcc757c31a6 in mongoc_client_destroy () &lt;br/&gt;
#4  0x00007fcc757c396e in mongoc_client_pool_push ()&lt;/p&gt;</description>
                <environment></environment>
        <key id="207943">CDRIVER-695</key>
            <summary>_mongoc_cluster_node_destroy segfaults in certain scenarios</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="2" iconUrl="https://jira.mongodb.org/images/icons/priorities/critical.svg">Critical - P2</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="jesse@mongodb.com">A. Jesse Jiryu Davis</assignee>
                                    <reporter username="anil.kumar">Anil Kumar</reporter>
                        <labels>
                    </labels>
                <created>Tue, 2 Jun 2015 20:00:18 +0000</created>
                <updated>Wed, 5 Aug 2015 17:22:19 +0000</updated>
                            <resolved>Sun, 21 Jun 2015 10:09:07 +0000</resolved>
                                    <version>1.1.6</version>
                                    <fixVersion>1.1.8</fixVersion>
                                    <component>libmongoc</component>
                                        <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="997332" author="xgen-internal-githook" created="Wed, 5 Aug 2015 17:22:19 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-721&quot; title=&quot;Crash destroying replset client after connection fails&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-721&quot;&gt;&lt;del&gt;CDRIVER-721&lt;/del&gt;&lt;/a&gt; mongoc_client_destroy crash after connection fails&lt;/p&gt;

&lt;p&gt;Undo two bad changes introduced while fixing &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-695&quot; title=&quot;_mongoc_cluster_node_destroy segfaults in certain scenarios&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-695&quot;&gt;&lt;del&gt;CDRIVER-695&lt;/del&gt;&lt;/a&gt;, and add&lt;br/&gt;
another safety check in _mongoc_cluster_node_destroy.&lt;br/&gt;
Branch: 1.2.0-dev&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/bea221041eb8886f8d851a76b3d80ac9a6443eee&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/bea221041eb8886f8d851a76b3d80ac9a6443eee&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="997330" author="xgen-internal-githook" created="Wed, 5 Aug 2015 17:22:18 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-695&quot; title=&quot;_mongoc_cluster_node_destroy segfaults in certain scenarios&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-695&quot;&gt;&lt;del&gt;CDRIVER-695&lt;/del&gt;&lt;/a&gt; crash destroying node after auth err&lt;/p&gt;

&lt;p&gt;Avoid scenarios like:&lt;/p&gt;

&lt;p&gt;1. Connect to 2-node replica set.&lt;/p&gt;

&lt;p&gt;2. _cluster_reconnect_replica_set enters first loop, calls ismaster on primary&lt;br/&gt;
   and finds two peers.&lt;/p&gt;

&lt;p&gt;3. nodes_len is set to 2 and the nodes list is realloc&apos;ed, but the second node&lt;br/&gt;
   is uninitialized.&lt;/p&gt;

&lt;p&gt;4. _mongoc_cluster_reconnect_replica_set enters second loop.&lt;/p&gt;

&lt;p&gt;5. Auth fails, &quot;goto CLEANUP&quot;.&lt;/p&gt;

&lt;p&gt;6. Now nodes_len is 2 but the second node is still uninitialized.&lt;/p&gt;

&lt;p&gt;7. Later, _mongoc_cluster_node_destroy iterates over both nodes.&lt;/p&gt;

&lt;p&gt;8. Destroying second, uninitialized node calls stream-&amp;gt;close, which is a random&lt;br/&gt;
   location, segfaults.&lt;br/&gt;
Branch: 1.2.0-dev&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/19d2da28257ea3ae24cf3f832d16487b5628314c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/19d2da28257ea3ae24cf3f832d16487b5628314c&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="997326" author="xgen-internal-githook" created="Wed, 5 Aug 2015 17:22:14 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-695&quot; title=&quot;_mongoc_cluster_node_destroy segfaults in certain scenarios&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-695&quot;&gt;&lt;del&gt;CDRIVER-695&lt;/del&gt;&lt;/a&gt; checked errors in cluster logic&lt;/p&gt;

&lt;p&gt;Hope to make a crash in _mongoc_cluster_node_destroy easier to diagnose.&lt;br/&gt;
Branch: 1.2.0-dev&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/c35aea088cfd43b5b62b11dddd8bc050c0ea47d2&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/c35aea088cfd43b5b62b11dddd8bc050c0ea47d2&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="952027" author="xgen-internal-githook" created="Fri, 26 Jun 2015 17:28:43 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-721&quot; title=&quot;Crash destroying replset client after connection fails&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-721&quot;&gt;&lt;del&gt;CDRIVER-721&lt;/del&gt;&lt;/a&gt; mongoc_client_destroy crash after connection fails&lt;/p&gt;

&lt;p&gt;Undo two bad changes introduced while fixing &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-695&quot; title=&quot;_mongoc_cluster_node_destroy segfaults in certain scenarios&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-695&quot;&gt;&lt;del&gt;CDRIVER-695&lt;/del&gt;&lt;/a&gt;, and add&lt;br/&gt;
another safety check in _mongoc_cluster_node_destroy.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/bea221041eb8886f8d851a76b3d80ac9a6443eee&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/bea221041eb8886f8d851a76b3d80ac9a6443eee&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="951461" author="xgen-internal-githook" created="Fri, 26 Jun 2015 01:49:33 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-721&quot; title=&quot;Crash destroying replset client after connection fails&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-721&quot;&gt;&lt;del&gt;CDRIVER-721&lt;/del&gt;&lt;/a&gt; mongoc_client_destroy crash after connection fails&lt;/p&gt;

&lt;p&gt;Undo two bad changes introduced while fixing &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-695&quot; title=&quot;_mongoc_cluster_node_destroy segfaults in certain scenarios&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-695&quot;&gt;&lt;del&gt;CDRIVER-695&lt;/del&gt;&lt;/a&gt;, and add&lt;br/&gt;
another safety check in _mongoc_cluster_node_destroy.&lt;br/&gt;
Branch: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-721&quot; title=&quot;Crash destroying replset client after connection fails&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-721&quot;&gt;&lt;del&gt;CDRIVER-721&lt;/del&gt;&lt;/a&gt;-crash-unavail-rs&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/32cd79d9278dc365fa1cc8746294cd305cb78b29&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/32cd79d9278dc365fa1cc8746294cd305cb78b29&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="946384" author="xgen-internal-githook" created="Sun, 21 Jun 2015 07:55:04 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-695&quot; title=&quot;_mongoc_cluster_node_destroy segfaults in certain scenarios&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-695&quot;&gt;&lt;del&gt;CDRIVER-695&lt;/del&gt;&lt;/a&gt; crash destroying node after auth err&lt;/p&gt;

&lt;p&gt;Avoid scenarios like:&lt;/p&gt;

&lt;p&gt;1. Connect to 2-node replica set.&lt;/p&gt;

&lt;p&gt;2. _cluster_reconnect_replica_set enters first loop, calls ismaster on primary&lt;br/&gt;
   and finds two peers.&lt;/p&gt;

&lt;p&gt;3. nodes_len is set to 2 and the nodes list is realloc&apos;ed, but the second node&lt;br/&gt;
   is uninitialized.&lt;/p&gt;

&lt;p&gt;4. _mongoc_cluster_reconnect_replica_set enters second loop.&lt;/p&gt;

&lt;p&gt;5. Auth fails, &quot;goto CLEANUP&quot;.&lt;/p&gt;

&lt;p&gt;6. Now nodes_len is 2 but the second node is still uninitialized.&lt;/p&gt;

&lt;p&gt;7. Later, _mongoc_cluster_node_destroy iterates over both nodes.&lt;/p&gt;

&lt;p&gt;8. Destroying second, uninitialized node calls stream-&amp;gt;close, which is a random&lt;br/&gt;
   location, segfaults.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/19d2da28257ea3ae24cf3f832d16487b5628314c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/19d2da28257ea3ae24cf3f832d16487b5628314c&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="942538" author="jesse" created="Wed, 17 Jun 2015 02:13:11 +0000"  >&lt;p&gt;The bug is in _cluster_reconnect_replica_set, which has two loops. The first loop tries nodes until it finds a primary. In the second loop, it iterates over the primary&apos;s peer list connecting and authenticating with each peer, including the primary itself.&lt;/p&gt;

&lt;p&gt;The crash comes when we:&lt;/p&gt;

&lt;p&gt;1. Connect to a 2-node replica set.&lt;br/&gt;
2. _cluster_reconnect_replica_set enters its first loop, calls ismaster on primary and finds two peers.&lt;br/&gt;
3. nodes_len is set to 2 and the nodes list is realloc&apos;ed, but the second node struct is uninitialized.&lt;br/&gt;
4. _mongoc_cluster_reconnect_replica_set enters its second loop.&lt;br/&gt;
5. Auth fails on the first node (the primary) so the driver breaks from the loop with &quot;goto CLEANUP&quot;.&lt;br/&gt;
6. Now nodes_len is 2 but the second node is still uninitialized!&lt;br/&gt;
7. Later, _mongoc_cluster_node_destroy iterates the nodes list, destroying them.&lt;br/&gt;
8. Since nodes_len is 2, _mongoc_cluster_node_destroy tries to destroy the second, uninitialized node.&lt;br/&gt;
9. If the second node&apos;s stream happens to be non-NULL, it calls stream-&amp;gt;close on the second node&apos;s stream, and segfaults.&lt;/p&gt;

&lt;p&gt;The fix is to properly manage nodes_len: don&apos;t increment it to N unless N nodes have actually been initialized.&lt;/p&gt;

&lt;p&gt;Additionally, zero-out all nodes right after reallocing the nodes list to ensure all data structures are NULL.&lt;/p&gt;</comment>
                            <comment id="941162" author="jesse" created="Mon, 15 Jun 2015 21:42:34 +0000"  >&lt;p&gt;Repro script using MockupDB:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://gist.github.com/ajdavis/745af939e0eb3e2c8cac&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://gist.github.com/ajdavis/745af939e0eb3e2c8cac&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;MockupDB is here:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://mockupdb.readthedocs.org/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://mockupdb.readthedocs.org/&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="935542" author="xgen-internal-githook" created="Tue, 9 Jun 2015 19:26:26 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-695&quot; title=&quot;_mongoc_cluster_node_destroy segfaults in certain scenarios&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-695&quot;&gt;&lt;del&gt;CDRIVER-695&lt;/del&gt;&lt;/a&gt; checked errors in cluster logic&lt;/p&gt;

&lt;p&gt;Hope to make a crash in _mongoc_cluster_node_destroy easier to diagnose.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/c35aea088cfd43b5b62b11dddd8bc050c0ea47d2&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/c35aea088cfd43b5b62b11dddd8bc050c0ea47d2&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="930419" author="jesse" created="Wed, 3 Jun 2015 14:20:13 +0000"  >&lt;p&gt;Reporter&apos;s URI is something like the form:&lt;/p&gt;
&lt;pre&gt;mongodb://user:pass@host1,host2,host3/admin?replicaSet=rs&amp;amp;maxpoolsize=100&amp;amp;minpoolsize=50&amp;amp;ssl=true&amp;amp;connecttimeoutms=5000&amp;amp;socketTimeoutMS=5000&lt;/pre&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="213117">CDRIVER-721</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsa4c7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="579">C Driver 2015Q2 sprint 3</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>