WiredTiger / WT-1993

NULL pointer dereference in __block_destroy after allocation failure

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • WT2.7.0
    • Affects Version/s: None
    • Component/s: None

      While simulating out-of-memory conditions in __wt_calloc, I triggered a NULL pointer dereference in __block_destroy.

      Sequence of events:

      1. __wt_block_open calls __wt_calloc_one to initialize a block handle (line 200)
      2. __wt_calloc_one fails with ENOMEM and the err block is jumped to (line 267)
      3. __block_destroy is called with block == NULL, which leads to a NULL pointer dereference (line 133)

      Excerpted code:

      static int
      __block_destroy(WT_SESSION_IMPL *session, WT_BLOCK *block)
      {
      128  	WT_CONNECTION_IMPL *conn;
      129  	WT_DECL_RET;
      130  	uint64_t bucket;
      131
      132  	conn = S2C(session);
      133  	bucket = block->name_hash % WT_HASH_ARRAY_SIZE;
      
      [....snip....]
      
      int
      __wt_block_open(WT_SESSION_IMPL *session,
          const char *filename, const char *cfg[],
          int forced_salvage, int readonly, uint32_t allocsize, WT_BLOCK **blockp)
      {
      	WT_BLOCK *block;
      	WT_CONFIG_ITEM cval;
      	WT_CONNECTION_IMPL *conn;
      	WT_DECL_RET;
      	uint64_t bucket, hash;
      
      [....snip....]
      
      199  	/* Basic structure allocation, initialization. */
      200  	WT_ERR(__wt_calloc_one(session, &block));
      
      [....snip....]
      
      267  err:	  WT_TRET(__block_destroy(session, block));
      

      ASan report:

      ==31572== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000002d64834 sp 0x7fff86097be0 bp 0x7fff86097c20 T0)
      AddressSanitizer can not provide additional info.
      
      #0 0x2d64833 in __block_destroy /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/block/block_open.c:133
      #1 0x2d6585d in __wt_block_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/block/block_open.c:267
      #2 0x2d63aec in __wt_block_manager_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/block/block_mgr.c:427
      #3 0x2d9bb03 in __wt_btree_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/btree/bt_handle.c:70
      #4 0x2e22789 in __wt_conn_btree_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/conn/conn_dhandle.c:331
      #5 0x2f65a28 in __wt_session_get_btree /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/session/session_dhandle.c:456
      #6 0x2f65636 in __wt_session_get_btree /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/session/session_dhandle.c:447
      #7 0x2f33606 in __create_file /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:119
      #8 0x2f372ef in __wt_schema_create /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:631
      #9 0x2f347a9 in __create_colgroup /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:250
      #10 0x2f36bb5 in __create_table /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:556
      #11 0x2f37565 in __wt_schema_create /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:637
      #12 0x2f5772c in __session_create /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/session/session_api.c:441
      #13 0x2054605 in mongo::WiredTigerKVEngine::createRecordStore(mongo::OperationContext*, mongo::StringData, mongo::StringData, mongo::CollectionOptions const&) /home/s/code/mongo/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp:270
      #14 0x1f568a9 in mongo::KVStorageEngine::KVStorageEngine(mongo::KVEngine*, mongo::KVStorageEngineOptions const&) /home/s/code/mongo/mongo/src/mongo/db/storage/kv/kv_storage_engine.cpp:88
      #15 0x2051acd in mongo::(anonymous namespace)::WiredTigerFactory::create(mongo::StorageGlobalParams const&, mongo::StorageEngineLockFile const&) const /home/s/code/mongo/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp:76
      #16 0x1f01dae in mongo::ServiceContextMongoD::initializeGlobalStorageEngine() /home/s/code/mongo/mongo/src/mongo/db/service_context_d.cpp:144
      #17 0x15ae561 in mongo::_initAndListen(int) /home/s/code/mongo/mongo/src/mongo/db/db.cpp:416
      #18 0x15afb33 in mongo::initAndListen(int) /home/s/code/mongo/mongo/src/mongo/db/db.cpp:594
      #19 0x15b1304 in mongoDbMain(int, char**, char**) /home/s/code/mongo/mongo/src/mongo/db/db.cpp:823
      #20 0x15afedd in main /home/s/code/mongo/mongo/src/mongo/db/db.cpp:639
      #21 0x7fe86d94dec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
      #22 0x15ab728 in _start (/home/s/code/mongo/mongo/mongod+0x15ab728)
      

      Version: 6c49d69bbae5d8807fc205dbca12eecf1a60258b
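The failure mode above, as an added illustration that is not WiredTiger code and not part of the original report: a small model of the same open/err/destroy structure, with a fault-injection switch in the allocator that simulates the ENOMEM the reporter produced. The names block_t, calloc_one, block_open, block_destroy and open_under_oom are assumptions for this example; the point it demonstrates is that a destroy routine reached from an error label must tolerate a NULL handle, because the label is jumped to before the allocation has succeeded.

```c
/* Added example (not WiredTiger code): models the allocation-failure path
 * from WT-1993 with a hypothetical block handle.  All names here are
 * assumptions for the illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASH_ARRAY_SIZE 512

typedef struct {
    char *name;
    uint64_t name_hash;
} block_t;

/* Fault-injection switch: when non-zero, calloc_one() fails with ENOMEM,
 * standing in for the simulated out-of-memory condition in the report. */
static int inject_alloc_failure = 0;

static int calloc_one(block_t **blockp)
{
    if (inject_alloc_failure) {
        *blockp = NULL;
        return ENOMEM;
    }
    *blockp = calloc(1, sizeof(**blockp));
    return *blockp == NULL ? ENOMEM : 0;
}

/* Hardened destroy: a NULL handle means "nothing was ever allocated", so
 * the error path of block_open can call this unconditionally.  The
 * excerpt's __block_destroy computes the bucket before any such check,
 * which is the dereference ASan reported at block_open.c:133. */
static int block_destroy(block_t *block)
{
    uint64_t bucket;

    if (block == NULL)
        return 0;
    bucket = block->name_hash % HASH_ARRAY_SIZE;
    (void)bucket;           /* a real implementation would unlink from the bucket */
    free(block->name);
    free(block);
    return 0;
}

/* Open structured like __wt_block_open: allocate, fill in, and on any
 * failure jump to err, which tears down whatever exists so far. */
static int block_open(const char *filename, block_t **blockp)
{
    block_t *block = NULL;
    size_t len;
    int ret;

    *blockp = NULL;
    if ((ret = calloc_one(&block)) != 0)
        goto err;                       /* block is still NULL here */
    len = strlen(filename) + 1;
    if ((block->name = malloc(len)) == NULL) {
        ret = ENOMEM;
        goto err;                       /* block is non-NULL, partially set up */
    }
    memcpy(block->name, filename, len);
    for (const char *p = filename; *p != '\0'; ++p)
        block->name_hash = block->name_hash * 31 + (unsigned char)*p;
    *blockp = block;
    return 0;

err:
    /* Safe for both failure points above because block_destroy accepts NULL. */
    (void)block_destroy(block);
    return ret;
}

/* Runs block_open with allocation failure injected and returns the error the
 * caller sees; returns -1 if the open unexpectedly succeeded or leaked a handle. */
static int open_under_oom(void)
{
    block_t *block = NULL;
    int ret;

    inject_alloc_failure = 1;
    ret = block_open("test.wt", &block);
    inject_alloc_failure = 0;
    if (ret == 0) {
        block_destroy(block);
        return -1;
    }
    return block == NULL ? ret : -1;
}

int main(void)
{
    block_t *block;

    printf("open under injected OOM returns %d (ENOMEM is %d)\n",
           open_under_oom(), ENOMEM);
    if (block_open("test.wt", &block) == 0) {
        printf("normal open ok, name_hash=%llu\n",
               (unsigned long long)block->name_hash);
        block_destroy(block);
    }
    return 0;
}
```

Built with AddressSanitizer, the same model with the NULL check removed from block_destroy reproduces a SEGV at the bucket computation rather than a clean ENOMEM return, which is the quickest way to confirm a fix for this class of bug in a test suite that already injects allocator failures.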

      Assignee: Keith Bostic (keith.bostic@mongodb.com) (Inactive)
      Reporter: Kamran K. (kamran.khan)
      Votes: 0
      Watchers: 3
