Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-4851

heap-use-after-free when block manager grows buffer during final checkpoint

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Minor - P4 Minor - P4
    • WT3.2.1, 4.3.1, 4.2.0-rc2
    • Affects Version/s: None
    • Component/s: None
    • None
    • 2
    • Storage Engines 2019-06-17
    • v4.2

      http://build.wiredtiger.com:8080/job/wiredtiger-clang-sanitizer/3613/

      ==2367==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000001260 at pc 0x00000096dd8a bp 0x7ffcdf2711f0 sp 0x7ffcdf2711e8
WRITE of size 1 at 0x615000001260 thread T0
    #0 0x96dd89 in __wt_vpack_uint /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/include/intpack.i:212:6
    #1 0x96dd89 in __block_write_off /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_write.c:305
    #2 0x96dd89 in __wt_block_write_off /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_write.c:420
    #3 0x9be4f4 in __wt_block_extlist_write /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_ext.c:1312:2
    #4 0x9af4a0 in __ckpt_update /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_ckpt.c:750:2
    #5 0x9ae886 in __wt_block_checkpoint /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_ckpt.c:677:10
    #6 0x74f407 in __wt_bt_write /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/btree/bt_io.c:384:2
    #7 0x5eb4a8 in __rec_write_wrapup /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:2434:4
    #8 0x5e65aa in __wt_reconcile /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:179:25
    #9 0x5e84a7 in __rec_root_write /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:501:10
    #10 0x5e84a7 in __wt_reconcile /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:250
    #11 0x7b6287 in __wt_sync_file /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/btree/bt_sync.c:337:4
    #12 0x6ecd5e in __checkpoint_tree /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1677:3
    #13 0x6e7dc0 in __checkpoint_tree_helper /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1793:8
    #14 0x6e7dc0 in __checkpoint_apply /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:217
    #15 0x6e7dc0 in __txn_checkpoint /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:908
    #16 0x6e7dc0 in __txn_checkpoint_wrapper /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1106
    #17 0x6e336b in __wt_txn_checkpoint /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1170:3
    #18 0x5289ad in __conn_close /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/conn/conn_api.c:1135:4
    #19 0x519134 in wt_shutdown /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/test/checkpoint/../../../test/checkpoint/test_checkpoint.c:251:8
    #20 0x519134 in main /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/test/checkpoint/../../../test/checkpoint/test_checkpoint.c:175
    #21 0x7fed8430eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #22 0x41ac89 in _start (/mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/test/checkpoint/t+0x41ac89)

0x615000001260 is located 96 bytes inside of 512-byte region [0x615000001200,0x615000001400)
freed by thread T0 here:
    #0 0x4dafc0 in realloc (/mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/test/checkpoint/t+0x4dafc0)
    #1 0x5b8ed2 in __realloc_func /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/os_common/os_alloc.c:130:11
    #2 0x5b91cd in __wt_realloc_aligned /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/os_common/os_alloc.c:249:10
    #3 0x660ca2 in __wt_buf_grow_worker /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/support/scratch.c:46:4
    #4 0x9b0438 in __wt_buf_grow /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/include/buf.i:18:6
    #5 0x9b0438 in __wt_buf_extend /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/include/buf.i:35
    #6 0x9b0438 in __wt_block_checkpoint_final /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_ckpt_scan.c:105
    #7 0x96bfba in __block_write_off /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_write.c:256:3
    #8 0x96bfba in __wt_block_write_off /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_write.c:420
    #9 0x9be4f4 in __wt_block_extlist_write /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_ext.c:1312:2
    #10 0x9af4a0 in __ckpt_update /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_ckpt.c:750:2
    #11 0x9ae886 in __wt_block_checkpoint /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/block/block_ckpt.c:677:10
    #12 0x74f407 in __wt_bt_write /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/btree/bt_io.c:384:2
    #13 0x5eb4a8 in __rec_write_wrapup /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:2434:4
    #14 0x5e65aa in __wt_reconcile /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:179:25
    #15 0x5e84a7 in __rec_root_write /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:501:10
    #16 0x5e84a7 in __wt_reconcile /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/reconcile/rec_write.c:250
    #17 0x7b6287 in __wt_sync_file /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/btree/bt_sync.c:337:4
    #18 0x6ecd5e in __checkpoint_tree /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1677:3
    #19 0x6e7dc0 in __checkpoint_tree_helper /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1793:8
    #20 0x6e7dc0 in __checkpoint_apply /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:217
    #21 0x6e7dc0 in __txn_checkpoint /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:908
    #22 0x6e7dc0 in __txn_checkpoint_wrapper /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1106
    #23 0x6e336b in __wt_txn_checkpoint /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/txn/txn_ckpt.c:1170:3
    #24 0x5289ad in __conn_close /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/../src/conn/conn_api.c:1135:4
    #25 0x519134 in wt_shutdown /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/test/checkpoint/../../../test/checkpoint/test_checkpoint.c:251:8
    #26 0x519134 in main /mnt/data0/jenkins/workspace/wiredtiger-clang-sanitizer/build_posix/test/checkpoint/../../../test/checkpoint/test_checkpoint.c:175
    #27 0x7fed8430eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

            Assignee:
            keith.bostic@mongodb.com Keith Bostic (Inactive)
            Reporter:
            keith.bostic@mongodb.com Keith Bostic (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: