WiredTiger / WT-5604

heap-use-after-free when updating variable-length column-store

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None

      A heap-use-after-free error was captured by the format stress sanitizer job after merging the durable history branch into develop. The error fired while attempting a cursor modify on a variable-length column-store.

      http://build.wiredtiger.com:8080/job/wiredtiger-test-format-stress-sanitizer-ppc/9258/

      ==12897==ERROR: AddressSanitizer: heap-use-after-free on address 0x0a38000615c7 at pc 0x0000100dd38c bp 0x3fff7a1fb970 sp 0x3fff7a1fb990
      READ of size 34 at 0x0a38000615c7 thread T6
          #0 0x100dd388 in __asan_memcpy /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_interceptors.cc:463
          #1 0x101e9fc4 in __wt_update_alloc /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/row_modify.c:273:9
          #2 0x1084f518 in __wt_col_modify /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/col_modify.c:187:13
          #3 0x10704758 in __cursor_col_modify_v /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:428:13
          #4 0x106f5330 in __btcur_update /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:1341:15
          #5 0x106f6228 in __wt_btcur_reserve /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:1558:11
          #6 0x102a0fb8 in __curfile_reserve /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/cursor/cur_file.c:446:5
          #7 0x10162a04 in col_reserve /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/ops.c:1329:16
          #8 0x1015b084 in ops /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/ops.c:745:23
          #9 0x1010df9c in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_thread.cc:257
          #10 0x1003a778 in asan_thread_start(void*) /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_interceptors.cc:305
          #11 0x3fff7fbb8940 in start_thread (/lib64/power8/libpthread.so.0+0x8940)
          #12 0x3fff7f90763c in __clone (/lib64/power8/libc.so.6+0x11763c)
      
      0x0a38000615c7 is located 39 bytes inside of 73-byte region [0x0a38000615a0,0x0a38000615e9)
      freed by thread T4 here:
          #0 0x100f8f7c in __interceptor_cfree.localalias.1 /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:55
          #1 0x103e6734 in __wt_free_int /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/os_common/os_alloc.c:301:5
          #2 0x1071c050 in __wt_free_update_list /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_discard.c:423:9
          #3 0x1071d25c in __free_skip_list /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_discard.c:383:13
          #4 0x1071d74c in __free_skip_array /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_discard.c:363:13
          #5 0x10719d38 in __free_page_modify /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_discard.c:186:13
          #6 0x10717e38 in __wt_page_out /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_discard.c:107:9
          #7 0x10716f00 in __wt_ref_out /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_discard.c:41:5
          #8 0x10323848 in __evict_page_dirty_update /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_page.c:395:13
          #9 0x1031e0f0 in __wt_evict /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_page.c:192:9
          #10 0x102f8a28 in __evict_page /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:2231:5
          #11 0x102f01f8 in __evict_lru_pages /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:1102:20
          #12 0x102eef64 in __wt_evict_thread_run /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/evict/evict_lru.c:311:9
          #13 0x10584938 in __thread_run /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/support/thread_group.c:31:9
          #14 0x1010df9c in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_thread.cc:257
          #15 0x1003a778 in asan_thread_start(void*) /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_interceptors.cc:305
          #16 0x3fff7fbb8940 in start_thread (/lib64/power8/libpthread.so.0+0x8940)
          #17 0x3fff7f90763c in __clone (/lib64/power8/libc.so.6+0x11763c)
      
      previously allocated by thread T6 here:
          #0 0x100f93bc in calloc /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
          #1 0x103e4954 in __wt_calloc /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/os_common/os_alloc.c:50:14
          #2 0x101e9d74 in __wt_update_alloc /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/row_modify.c:270:5
          #3 0x1084f518 in __wt_col_modify /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/col_modify.c:187:13
          #4 0x10704758 in __cursor_col_modify_v /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:428:13
          #5 0x106f4600 in __btcur_update /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:1266:42
          #6 0x106f3660 in __wt_btcur_modify /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/btree/bt_cursor.c:1516:15
          #7 0x102a5c64 in __curfile_modify /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/../src/cursor/cur_file.c:333:5
          #8 0x10165130 in col_modify /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/ops.c:1405:16
          #9 0x1015b750 in ops /home/jenkins/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-ppc/build_posix/test/format/../../../test/format/ops.c:798:23
          #10 0x1010df9c in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_thread.cc:257
          #11 0x1003a778 in asan_thread_start(void*) /home/dhows/llvm-git/projects/compiler-rt/lib/asan/asan_interceptors.cc:305
          #12 0x3fff7fbb8940 in start_thread (/lib64/power8/libpthread.so.0+0x8940) 

      Format configuration:

      ############################################
      #  RUN PARAMETERS
      ############################################
      abort=0
      alter=0
      assert_commit_timestamp=0
      assert_read_timestamp=0
      auto_throttle=1
      backups=0
      bitcnt=7
      bloom=1
      bloom_bit_count=42
      bloom_hash_count=9
      bloom_oldest=0
      cache=84
      cache_minimum=20
      checkpoints=on
      checkpoint_log_size=29
      checkpoint_wait=17
      checksum=uncompressed
      chunk_size=6
      compaction=0
      compression=lz4
      data_extend=0
      data_source=table
      delete_pct=2
      dictionary=1
      direct_io=0
      encryption=none
      evict_max=4
      file_type=variable-length column-store
      firstfit=0
      huffman_key=0
      huffman_value=0
      independent_thread_rng=1
      in_memory=0
      insert_pct=2
      internal_key_truncation=1
      internal_page_max=9
      isolation=snapshot
      key_gap=7
      key_max=63
      key_min=25
      leaf_page_max=14
      leak_memory=0
      logging=0
      logging_archive=0
      logging_compression=none
      logging_file_max=312351
      logging_prealloc=0
      lsm_worker_threads=4
      major_timeout=0
      memory_page_max=7
      merge_max=4
      mmap=0
      modify_pct=5
      ops=0
      prefix_compression=1
      prefix_compression_min=6
      prepare=0
      quiet=1
      random_cursor=0
      read_pct=69
      rebalance=1
      repeat_data_pct=80
      reverse=0
      rows=1000000
      runs=1
      salvage=1
      split_pct=85
      statistics=0
      statistics_server=0
      threads=6
      timer=4
      timing_stress_aggressive_sweep=0
      timing_stress_checkpoint=0
      timing_stress_hs_sweep=0
      timing_stress_split_1=0
      timing_stress_split_2=0
      timing_stress_split_3=0
      timing_stress_split_4=0
      timing_stress_split_5=0
      timing_stress_split_6=0
      timing_stress_split_7=0
      timing_stress_split_8=0
      transaction_timestamps=1
      transaction-frequency=100
      truncate=1
      value_max=4070
      value_min=6
      verify=1
      wiredtiger_config=
      write_pct=22
      ############################################ 

            Assignee: backlog-server-storage-engines [DO NOT USE] Backlog - Storage Engines Team
            Reporter: luke.chen@mongodb.com Luke Chen
            Votes: 0
            Watchers: 4
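The ASan report above pairs a READ in `__wt_update_alloc` on thread T6 (reached from cursor reserve) with a free in `__wt_free_update_list` on thread T4 (reached from eviction), inside a 73-byte region that T6 itself had allocated for an earlier cursor modify. The ticket was closed as a duplicate and records no root cause, so the following is an added illustration of that class of race rather than an account of the actual defect: it assumes the reserving thread copied from a value living inside an update that eviction had already discarded, which the trace is consistent with but does not prove. The types and functions (`update_t`, `page_evict`, `cursor_modify_borrowing`, `cursor_modify_owning`, and so on) are invented for the example and are not WiredTiger's; the sample value is constructed. The unsafe path keeps a pointer into page-owned memory across eviction; the safe path copies the value into cursor-owned memory first, which is the check a practitioner would want when a cursor can outlive the page it last touched.

```c
/* Added model of the cross-thread pattern in the ASan report; not WiredTiger code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One entry in a page's update chain; the value is stored inline after the header. */
typedef struct update {
    struct update *next;
    size_t size;
    unsigned char data[];
} update_t;

typedef struct {
    update_t *updates;          /* newest first; owned by the page */
} page_t;

typedef struct {
    const unsigned char *borrowed;  /* points into page-owned memory: valid only until eviction */
    size_t borrowed_size;
    unsigned char *owned;           /* cursor-private copy: survives eviction */
    size_t owned_size;
} cursor_t;

/* Allocate an update holding a copy of value and push it on the page's chain. */
static update_t *update_alloc(page_t *page, const void *value, size_t size)
{
    update_t *upd = calloc(1, sizeof(*upd) + size);
    if (upd == NULL)
        abort();
    memcpy(upd->data, value, size);     /* the memcpy that ASan flagged in the trace */
    upd->size = size;
    upd->next = page->updates;
    page->updates = upd;
    return upd;
}

/* Eviction: free the whole update chain (the thread-T4 side of the report). */
static void page_evict(page_t *page)
{
    update_t *upd, *next;
    for (upd = page->updates; upd != NULL; upd = next) {
        next = upd->next;
        free(upd);
    }
    page->updates = NULL;
}

/* Unsafe modify: the cursor remembers a pointer into the update it just created. */
static void cursor_modify_borrowing(cursor_t *c, page_t *page, const void *v, size_t n)
{
    update_t *upd = update_alloc(page, v, n);
    c->borrowed = upd->data;
    c->borrowed_size = n;
}

/* Unsafe reserve: re-reads through the borrowed pointer. If eviction ran in
 * between, the memcpy inside update_alloc reads freed memory. */
static update_t *cursor_reserve_borrowing(cursor_t *c, page_t *page)
{
    return update_alloc(page, c->borrowed, c->borrowed_size);
}

/* Safe modify: keep a cursor-owned copy of the value instead of a page pointer. */
static void cursor_modify_owning(cursor_t *c, page_t *page, const void *v, size_t n)
{
    unsigned char *copy;
    (void)update_alloc(page, v, n);
    copy = realloc(c->owned, n);
    if (copy == NULL)
        abort();
    memcpy(copy, v, n);
    c->owned = copy;
    c->owned_size = n;
}

/* Safe reserve: the source buffer is cursor-owned, so eviction cannot free it. */
static update_t *cursor_reserve_owning(cursor_t *c, page_t *page)
{
    return update_alloc(page, c->owned, c->owned_size);
}

/* Returns 1 when modify, eviction, then reserve (the trace's ordering, serialised
 * onto one thread) still yields the original value without touching freed memory. */
int owned_copy_survives_eviction(void)
{
    static const unsigned char value[] = "constructed value";  /* constructed sample input */
    page_t page = { NULL };
    cursor_t c = { NULL, 0, NULL, 0 };
    update_t *reserved;
    int ok;

    cursor_modify_owning(&c, &page, value, sizeof(value));
    page_evict(&page);                          /* stands in for concurrent eviction */
    reserved = cursor_reserve_owning(&c, &page);
    ok = reserved->size == sizeof(value) &&
        memcmp(reserved->data, value, sizeof(value)) == 0;

    page_evict(&page);
    free(c.owned);
    return ok;
}

int main(void)
{
    page_t page = { NULL };
    cursor_t c = { NULL, 0, NULL, 0 };

    printf("owned copy survives eviction: %d\n", owned_copy_survives_eviction());

    /* Build with -fsanitize=address to get a heap-use-after-free report of the
     * same shape as the ticket: READ in update_alloc, freed by page_evict. */
    cursor_modify_borrowing(&c, &page, "constructed value", 18);
    page_evict(&page);
    (void)cursor_reserve_borrowing(&c, &page);  /* heap-use-after-free */
    page_evict(&page);
    return 0;
}
```

The point of the two paths is ownership, not locking: the owning cursor never needs to know whether eviction has run, because nothing it dereferences during reserve belongs to the page. Compile the block with `-fsanitize=address` and the borrowing path in `main` produces a report whose "freed by" stack ends in the eviction helper and whose "previously allocated by" stack ends in the modify helper, mirroring the two stacks in the ticket.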