Core Server / SERVER-88591

seekWTCursorInternal may return early causing use-after-free

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 8.0.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Assigned Teams: Storage Execution
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Sprint: Execution Team 2024-04-01
    • 155

      https://spruce.mongodb.com/task/mongodb_mongo_master_rhel80_debug_aubsan_classic_engine_concurrency_simultaneous_2_linux_8d29ed4e648805c46d8e1b5ae7f7f9f4beddbef1_24_03_23_03_18_06/tests?execution=0&sortBy=STATUS&sortDir=ASC

      [j0] ==25781==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000642db0 at pc 0x563197421867 bp 0x7f400260e9e0 sp 0x7f400260e1a8
      [j0] READ of size 9 at 0x604000642db0 thread T1612 (conn1505)
      [j0]     #0 0x563197421866 in __asan_memcpy /data/mci/0daf2ee55223f87d23db2ac2806d764d/toolchain-builder/tmp/build-llvm-v4.sh-PAU/llvm-project-llvmorg/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
      [j0]     #1 0x7f406ea004de in mongo::key_string::BuilderBase<mongo::key_string::Builder>::resetFromBuffer(void const*, unsigned long) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/storage/key_string.h:732:9
      [j0]     #2 0x7f4051ed1707 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::copyKey() /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1109:18
      [j0]     #3 0x7f4051ecde45 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::save() /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1031:9
      [j0]     #4 0x7f4073230069 in mongo::RequiresIndexStage::doSaveStateRequiresCollection() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/requires_index_stage.cpp:51:5
      [j0]     #5 0x7f40731fbca6 in mongo::PlanStage::saveState() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.cpp:43:16
      [j0]     #6 0x7f40731fbca6 in mongo::PlanStage::saveState() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.cpp:43:16
      [j0]     #7 0x7f407360cd80 in mongo::PlanExecutorImpl::saveState() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:197:16
      [j0]     #8 0x7f406f08ffbb in mongo::PlanYieldPolicy::yieldOrInterrupt(mongo::OperationContext*, std::function<void ()>) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_yield_policy.cpp:139:13
      [j0]     #9 0x7f407360eb82 in mongo::PlanExecutorImpl::_getNextImpl(mongo::Snapshotted<mongo::Document>*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:334:13
      [j0]     #10 0x7f407360df4c in mongo::PlanExecutorImpl::getNextDocument(mongo::Document*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:272:23
      [j0]     #11 0x7f40736115b0 in mongo::PlanExecutorImpl::_executePlan() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:481:23
      [j0]     #12 0x7f4073612585 in mongo::PlanExecutorImpl::executeDelete() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:568:5
      [j0]     #13 0x7f40641b48d1 in mongo::write_ops_exec::performSingleDeleteOp(mongo::OperationContext*, mongo::NamespaceString const&, boost::optional<mongo::UUID> const&, int, mongo::write_ops::DeleteOpEntry const&, mongo::LegacyRuntimeConstants const&, boost::optional<mongo::BSONObj> const&, mongo::OperationSource) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/ops/write_ops_exec.cpp:1813:27
      [j0]     #14 0x7f40641b19bb in mongo::write_ops_exec::performDeletes(mongo::OperationContext*, mongo::write_ops::DeleteCommandRequest const&, mongo::OperationSource) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/ops/write_ops_exec.cpp:1930:47
      [j0]     #15 0x7f404419db0b in mongo::(anonymous namespace)::CmdDelete::Invocation::typedRun(mongo::OperationContext*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/commands/write_commands.cpp:752:26
      [j0] 0x604000642db0 is located 32 bytes inside of 41-byte region [0x604000642d90,0x604000642db9)
      [j0] freed by thread T1608 (conn1501) here:
      [j0]     #0 0x563197422252 in free /data/mci/0daf2ee55223f87d23db2ac2806d764d/toolchain-builder/tmp/build-llvm-v4.sh-PAU/llvm-project-llvmorg/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
      [j0]     #1 0x7f403f89a7c3 in __free_skip_list /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:492:9
      [j0]     #2 0x7f403f89a9c0 in __free_skip_array /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:470:13
      [j0]     #3 0x7f403f89720a in __free_page_modify /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:224:13
      [j0]     #4 0x7f403f89720a in __wt_page_out /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:118:9
      [j0]     #5 0x7f403f91cda7 in __split_multi /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_split.c:2136:5
      [j0]     #6 0x7f403f91cda7 in __split_multi_lock /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_split.c:2169:16
      [j0]     #7 0x7f403f91cda7 in __wt_split_multi /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_split.c:2196:5
      [j0]     #8 0x7f403fc32671 in __evict_page_dirty_update /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/evict/evict_page.c:494:13
      [j0]     #9 0x7f403fc32671 in __wt_evict /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/evict/evict_page.c:313:9
      [j0]     #10 0x7f403fc2e3dd in __wt_page_release_evict /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/evict/evict_page.c:91:11
      [j0]     #11 0x7f403f847495 in __wt_page_release /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/include/btree_inline.h:2074:13
      [j0]     #12 0x7f403f847495 in __cursor_reset /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/include/cursor_inline.h:295:15
      [j0]     #13 0x7f403fae11ef in __curfile_reset /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/cursor/cur_file.c:286:11
      [j0]     #14 0x7f4051ea6ebc in mongo::WiredTigerIndexCursorGeneric::resetCursor() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/storage/wiredtiger/wiredtiger_index_cursor_generic.h:49:13
      [j0]     #15 0x7f4051ed2149 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::seekWTCursor(mongo::key_string::Value const&) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1138:43
      [j0]     #16 0x7f4051ed2149 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::seekForKeyStringInternal(mongo::key_string::Value const&) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1255:17
      [j0]     #17 0x7f4051ecd7f2 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::seek(mongo::key_string::Value const&, mongo::SortedDataInterface::Cursor::KeyInclusion) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:996:9
      [j0]     #18 0x7f407317faf2 in mongo::IndexScan::doWork(unsigned long*)::$_1::operator()() const /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/index_scan.cpp:187:40
      [j0]     #19 0x7f407317faf2 in mongo::PlanStage::StageState mongo::handlePlanStageYield<mongo::IndexScan::doWork(unsigned long*)::$_1, mongo::IndexScan::doWork(unsigned long*)::$_2>(mongo::ExpressionContext*, mongo::StringData, mongo::IndexScan::doWork(unsigned long*)::$_1&&, mongo::IndexScan::doWork(unsigned long*)::$_2&&) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.h:88:16
      [j0]     #20 0x7f407317df80 in mongo::IndexScan::doWork(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/index_scan.cpp:174:22
      [j0]     #21 0x7f4073095caf in mongo::PlanStage::work(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.h:216:26
      [j0]     #22 0x7f407314f706 in mongo::FetchStage::doWork(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/fetch.cpp:82:27
      [j0]     #23 0x7f4073095caf in mongo::PlanStage::work(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.h:216:26
      [j0]     #24 0x7f40730ad232 in mongo::BatchedDeleteStage::_doStaging(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/batched_delete_stage.cpp:461:28
      [j0]     #25 0x7f40730acba0 in mongo::BatchedDeleteStage::doWork(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/batched_delete_stage.cpp:217:26
      [j0]     #26 0x7f4073095caf in mongo::PlanStage::work(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.h:216:26
      [j0]     #27 0x7f407360ec2c in mongo::PlanExecutorImpl::_getNextImpl(mongo::Snapshotted<mongo::Document>*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:338:45
      [j0]     #28 0x7f407360df4c in mongo::PlanExecutorImpl::getNextDocument(mongo::Document*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:272:23
      [j0]     #29 0x7f40736115b0 in mongo::PlanExecutorImpl::_executePlan() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:481:23
      [j0]     #30 0x7f4073612585 in mongo::PlanExecutorImpl::executeDelete() 

            Assignee:
            wei.hu@mongodb.com Wei Hu
            Reporter:
            wei.hu@mongodb.com Wei Hu
            Votes:
            0
            Watchers:
            5
