WiredTiger / WT-2078

Segfault in cur_stat.c after allocation failure

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • WT2.7.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • Sharding 9 (09/18/15)

      While simulating out-of-memory conditions in __wt_calloc, I triggered a segmentation fault in cur_stat.c.

      After a calloc() failure for a statistics cursor in __wt_curstat_open, the function jumps to an error block that calls __curstat_free_config, which attempts to access a field within the NULL cursor.

      Backtrace:

       =================================================================
       ==118999== ERROR: AddressSanitizer: SEGV on unknown address 0x0000000005e8 (pc 0x000003a3c0ca sp 0x7f12f97c22d0 bp 0x7f12f97c22f0 T71)
       AddressSanitizer can not provide additional info.
           #0 0x3a3c0c9 in __curstat_free_config /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:48
           #1 0x3a41641 in __wt_curstat_open /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:603
           #2 0x3b31689 in __wt_open_cursor /home/ubuntu/mongo/src/third_party/wiredtiger/src/session/session_api.c:296
           #3 0x3b32301 in __session_open_cursor /home/ubuntu/mongo/src/third_party/wiredtiger/src/session/session_api.c:359
           #4 0x26e1124 in mongo::WiredTigerUtil::getStatisticsValue(__wt_session*, std::string const&, std::string const&, int) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.cpp:267
           #5 0x26c9fa2 in mongo::StatusWith<long> mongo::WiredTigerUtil::getStatisticsValueAs<long>(__wt_session*, std::string const&, std::string const&, int, long) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.h:277
           #6 0x26c8e54 in mongo::StatusWith<long> mongo::WiredTigerUtil::getStatisticsValueAs<long>(__wt_session*, std::string const&, std::string const&, int) /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_util.h:267
           #7 0x26be9dd in mongo::WiredTigerRecordStore::storageSize(mongo::OperationContext*, mongo::BSONObjBuilder*, int) const /home/ubuntu/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_record_store.cpp:552
           #8 0x25ae375 in mongo::KVDatabaseCatalogEntry::sizeOnDisk(mongo::OperationContext*) const /home/ubuntu/mongo/src/mongo/db/storage/kv/kv_database_catalog_entry.cpp:143
           #9 0x1de9942 in mongo::CmdListDatabases::run(mongo::OperationContext*, std::string const&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder&) /home/ubuntu/mongo/src/mongo/db/commands/list_databases.cpp:107
           #10 0x1e9a963 in mongo::Command::run(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1353
           #11 0x1e99911 in mongo::Command::execCommand(mongo::OperationContext*, mongo::Command*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/dbcommands.cpp:1266
           #12 0x1da2957 in mongo::runCommands(mongo::OperationContext*, mongo::rpc::RequestInterface const&, mongo::rpc::ReplyBuilderInterface*) /home/ubuntu/mongo/src/mongo/db/commands.cpp:495
           #13 0x207ad98 in mongo::(anonymous namespace)::receivedRpc(mongo::OperationContext*, mongo::Client&, mongo::DbResponse&, mongo::Message&) /home/ubuntu/mongo/src/mongo/db/instance.cpp:290
           #14 0x207c3be in mongo::assembleResponse(mongo::OperationContext*, mongo::Message&, mongo::DbResponse&, mongo::HostAndPort const&) /home/ubuntu/mongo/src/mongo/db/instance.cpp:508
           #15 0x1b468ea in mongo::MyMessageHandler::process(mongo::Message&, mongo::AbstractMessagingPort*) /home/ubuntu/mongo/src/mongo/db/db.cpp:166
           #16 0x29f6d15 in mongo::PortMessageServer::handleIncomingMsg(void*) /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:229
           #17 0x7f1329a81b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x18b97)
           #18 0x7f1328c27181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
           #19 0x7f132895447c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
       SUMMARY: AddressSanitizer: SEGV /home/ubuntu/mongo/src/third_party/wiredtiger/src/cursor/cur_stat.c:48 __curstat_free_config
       Thread T71 created by T0 here:
           #0 0x7f1329a73b5b in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xab5b)
           #1 0x29f6405 in mongo::PortMessageServer::accepted(std::shared_ptr<mongo::Socket>, long long) /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:148
           #2 0x29ec7c4 in mongo::Listener::initAndListen() /home/ubuntu/mongo/src/mongo/util/net/listen.cpp:351
           #3 0x29f6725 in mongo::PortMessageServer::run() /home/ubuntu/mongo/src/mongo/util/net/message_server_port.cpp:176
           #4 0x1b3e368 in mongo::_initAndListen(int) /home/ubuntu/mongo/src/mongo/db/db.cpp:595
           #5 0x1b3e789 in mongo::initAndListen(int) /home/ubuntu/mongo/src/mongo/db/db.cpp:600
           #6 0x1b40139 in mongoDbMain(int, char**, char**) /home/ubuntu/mongo/src/mongo/db/db.cpp:840
           #7 0x1b3eb33 in main /home/ubuntu/mongo/src/mongo/db/db.cpp:645
           #8 0x7f132887bec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
       ==118999== ABORTING
      

            Assignee: esha.maharishi@mongodb.com Esha Maharishi (Inactive)
            Reporter: esha.maharishi@mongodb.com Esha Maharishi (Inactive)
            Votes: 0
            Watchers: 3
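
The failure mode in this report, a shared error block that passes a never-allocated cursor to its cleanup helper, can be reproduced and guarded against with allocation fault injection. The following is an added example, not WiredTiger code: `struct stat_cursor`, `faulty_calloc`, `cursor_open`, `cursor_free_config` and `sweep_alloc_failures` are hypothetical names, and the config string is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a statistics cursor (not WiredTiger's type). */
struct stat_cursor { char **cfg; size_t ncfg; };

static int fail_countdown = 0; /* N > 0: fail the Nth allocation from now */

/* Fault-injecting allocator, simulating out-of-memory on demand. */
static void *faulty_calloc(size_t n, size_t size) {
    if (fail_countdown > 0 && --fail_countdown == 0) return NULL;
    return calloc(n, size);
}

/* Cleanup helper shared by the error path. Without the NULL check,
 * a failure of the very first allocation dereferences a NULL cursor,
 * which is the crash pattern described in the report. */
static void cursor_free_config(struct stat_cursor *c) {
    if (c == NULL) return;                 /* cursor was never allocated */
    for (size_t i = 0; c->cfg != NULL && i < c->ncfg; i++) free(c->cfg[i]);
    free(c->cfg);
    c->cfg = NULL;
    c->ncfg = 0;
}

/* Returns 0 on success; -1 with *out == NULL if any allocation fails. */
static int cursor_open(const char *cfg, struct stat_cursor **out) {
    struct stat_cursor *c;
    *out = NULL;
    if ((c = faulty_calloc(1, sizeof(*c))) == NULL) goto err;
    if ((c->cfg = faulty_calloc(1, sizeof(char *))) == NULL) goto err;
    if ((c->cfg[0] = faulty_calloc(strlen(cfg) + 1, 1)) == NULL) goto err;
    strcpy(c->cfg[0], cfg);
    c->ncfg = 1;
    *out = c;
    return 0;
err:
    cursor_free_config(c);                 /* c may be NULL or half-built */
    free(c);
    return -1;
}

/* Fail each of the three allocations in turn; count clean error returns. */
static int sweep_alloc_failures(void) {
    int handled = 0;
    for (int n = 1; n <= 3; n++) {
        struct stat_cursor *c;
        fail_countdown = n;
        if (cursor_open("statistics=(fast)", &c) == -1 && c == NULL) handled++;
    }
    fail_countdown = 0;
    return handled;
}

int main(void) { return sweep_alloc_failures() == 3 ? 0 : 1; }
```

Building this with AddressSanitizer enabled also reports any leak or invalid access on the partially constructed paths.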
