Operational Defect Database

BugZero found this defect 54 days ago.

MongoDB | 2623479

seekWTCursorInternal may return early causing use-after-free

Last update date:

3/26/2024

Affected products:

MongoDB Server

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

https://spruce.mongodb.com/task/mongodb_mongo_master_rhel80_debug_aubsan_classic_engine_concurrency_simultaneous_2_linux_8d29ed4e648805c46d8e1b5ae7f7f9f4beddbef1_24_03_23_03_18_06/tests?execution=0&sortBy=STATUS&sortDir=ASC

==25781==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000642db0 at pc 0x563197421867 bp 0x7f400260e9e0 sp 0x7f400260e1a8
READ of size 9 at 0x604000642db0 thread T1612 (conn1505)
#0 0x563197421866 in __asan_memcpy /data/mci/0daf2ee55223f87d23db2ac2806d764d/toolchain-builder/tmp/build-llvm-v4.sh-PAU/llvm-project-llvmorg/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x7f406ea004de in mongo::key_string::BuilderBase::resetFromBuffer(void const*, unsigned long) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/storage/key_string.h:732:9
#2 0x7f4051ed1707 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::copyKey() /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1109:18
#3 0x7f4051ecde45 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::save() /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1031:9
#4 0x7f4073230069 in mongo::RequiresIndexStage::doSaveStateRequiresCollection() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/requires_index_stage.cpp:51:5
#5 0x7f40731fbca6 in mongo::PlanStage::saveState() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.cpp:43:16
#6 0x7f40731fbca6 in mongo::PlanStage::saveState() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.cpp:43:16
#7 0x7f407360cd80 in mongo::PlanExecutorImpl::saveState() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:197:16
#8 0x7f406f08ffbb in mongo::PlanYieldPolicy::yieldOrInterrupt(mongo::OperationContext*, std::function) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_yield_policy.cpp:139:13
#9 0x7f407360eb82 in mongo::PlanExecutorImpl::_getNextImpl(mongo::Snapshotted*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:334:13
#10 0x7f407360df4c in mongo::PlanExecutorImpl::getNextDocument(mongo::Document*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:272:23
#11 0x7f40736115b0 in mongo::PlanExecutorImpl::_executePlan() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:481:23
#12 0x7f4073612585 in mongo::PlanExecutorImpl::executeDelete() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:568:5
#13 0x7f40641b48d1 in mongo::write_ops_exec::performSingleDeleteOp(mongo::OperationContext*, mongo::NamespaceString const&, boost::optional const&, int, mongo::write_ops::DeleteOpEntry const&, mongo::LegacyRuntimeConstants const&, boost::optional const&, mongo::OperationSource) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/ops/write_ops_exec.cpp:1813:27
#14 0x7f40641b19bb in mongo::write_ops_exec::performDeletes(mongo::OperationContext*, mongo::write_ops::DeleteCommandRequest const&, mongo::OperationSource) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/ops/write_ops_exec.cpp:1930:47
#15 0x7f404419db0b in mongo::(anonymous namespace)::CmdDelete::Invocation::typedRun(mongo::OperationContext*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/commands/write_commands.cpp:752:26

0x604000642db0 is located 32 bytes inside of 41-byte region [0x604000642d90,0x604000642db9)
freed by thread T1608 (conn1501) here:
#0 0x563197422252 in free /data/mci/0daf2ee55223f87d23db2ac2806d764d/toolchain-builder/tmp/build-llvm-v4.sh-PAU/llvm-project-llvmorg/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0x7f403f89a7c3 in __free_skip_list /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:492:9
#2 0x7f403f89a9c0 in __free_skip_array /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:470:13
#3 0x7f403f89720a in __free_page_modify /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:224:13
#4 0x7f403f89720a in __wt_page_out /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_discard.c:118:9
#5 0x7f403f91cda7 in __split_multi /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_split.c:2136:5
#6 0x7f403f91cda7 in __split_multi_lock /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_split.c:2169:16
#7 0x7f403f91cda7 in __wt_split_multi /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/btree/bt_split.c:2196:5
#8 0x7f403fc32671 in __evict_page_dirty_update /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/evict/evict_page.c:494:13
#9 0x7f403fc32671 in __wt_evict /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/evict/evict_page.c:313:9
#10 0x7f403fc2e3dd in __wt_page_release_evict /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/evict/evict_page.c:91:11
#11 0x7f403f847495 in __wt_page_release /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/include/btree_inline.h:2074:13
#12 0x7f403f847495 in __cursor_reset /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/include/cursor_inline.h:295:15
#13 0x7f403fae11ef in __curfile_reset /data/mci/0ef40ccf595d55370901569ddd249026/src/src/third_party/wiredtiger/src/cursor/cur_file.c:286:11
#14 0x7f4051ea6ebc in mongo::WiredTigerIndexCursorGeneric::resetCursor() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/storage/wiredtiger/wiredtiger_index_cursor_generic.h:49:13
#15 0x7f4051ed2149 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::seekWTCursor(mongo::key_string::Value const&) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1138:43
#16 0x7f4051ed2149 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::seekForKeyStringInternal(mongo::key_string::Value const&) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:1255:17
#17 0x7f4051ecd7f2 in mongo::(anonymous namespace)::WiredTigerIndexCursorBase::seek(mongo::key_string::Value const&, mongo::SortedDataInterface::Cursor::KeyInclusion) /data/mci/fce336ea8f292b2959cf89e820c79729/src/src/mongo/db/storage/wiredtiger/wiredtiger_index.cpp:996:9
#18 0x7f407317faf2 in mongo::IndexScan::doWork(unsigned long*)::$_1::operator()() const /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/index_scan.cpp:187:40
#19 0x7f407317faf2 in mongo::PlanStage::StageState mongo::handlePlanStageYield(mongo::ExpressionContext*, mongo::StringData, mongo::IndexScan::doWork(unsigned long*)::$_1&&, mongo::IndexScan::doWork(unsigned long*)::$_2&&) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.h:88:16
#20 0x7f407317df80 in mongo::IndexScan::doWork(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/index_scan.cpp:174:22
#21 0x7f4073095caf in mongo::PlanStage::work(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.h:216:26
#22 0x7f407314f706 in mongo::FetchStage::doWork(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/fetch.cpp:82:27
#23 0x7f4073095caf in mongo::PlanStage::work(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.h:216:26
#24 0x7f40730ad232 in mongo::BatchedDeleteStage::_doStaging(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/batched_delete_stage.cpp:461:28
#25 0x7f40730acba0 in mongo::BatchedDeleteStage::doWork(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/batched_delete_stage.cpp:217:26
#26 0x7f4073095caf in mongo::PlanStage::work(unsigned long*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/exec/plan_stage.h:216:26
#27 0x7f407360ec2c in mongo::PlanExecutorImpl::_getNextImpl(mongo::Snapshotted*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:338:45
#28 0x7f407360df4c in mongo::PlanExecutorImpl::getNextDocument(mongo::Document*, mongo::RecordId*) /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:272:23
#29 0x7f40736115b0 in mongo::PlanExecutorImpl::_executePlan() /data/mci/72f2c33b25e0fbb9e955d8b91f88b7c4/src/src/mongo/db/query/plan_executor_impl.cpp:481:23
#30 0x7f4073612585 in mongo::PlanExecutorImpl::executeDelete()


Status

In Code Review
