MB-34435: ActiveStream::setDead: Check for valid vb

daverigby · daverigby · commit 398aa25f832d · 2019-06-03T15:11:47.000Z
Before attempting to remove any queued ACKs, check the vbucket is valid - it may have already been deleted. As detected by ASan: ==30588==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002f8 (pc 0x7fc1c437a4b6 bp 0x7fc1bfb35730 sp 0x7fc1bfb35500 T7) ==30588==The signal is caused by a READ memory access. ==30588==Hint: address points to the zero page. #0 0x7fc1c437a4b5 in std::__atomic_base<unsigned int>::load(std::memory_order) const /usr/local/include/c++/7.3.0/bits/atomic_base.h:396 #1 0x7fc1c437a4b5 in bool folly::SharedMutexImpl<...>::lockSharedImpl<...::WaitForever&) build/tlm/deps/folly.exploded/include/folly/SharedMutex.h:1239 #2 0x7fc1c437a4b5 in folly::SharedMutexImpl<...>::lock_shared() build/tlm/deps/folly.exploded/include/folly/SharedMutex.h:375 #3 0x7fc1c437a4b5 in folly::SharedMutexImpl<...>::ReadHolder() build/tlm/deps/folly.exploded/include/folly/SharedMutex.h:1315 #4 0x7fc1c437a4b5 in ActiveStream::setDead(end_stream_status_t) kv_engine/engines/ep/src/dcp/active_stream.cc:1135 #5 0x7fc1c44a3f3a in operator() kv_engine/engines/ep/src/dcp/producer.cc:1489 #6 0x7fc1c44a3f3a in for_each<...> /local/include/c++/7.3.0/bits/stl_algo.h:3884 #7 0x7fc1c44a3f3a in DcpProducer::setDisconnect() kv_engine/engines/ep/src/dcp/producer.cc:1491 #8 0x7fc1c4428f02 in DcpConnMap::disconnect(void const*) kv_engine/engines/ep/src/dcp/dcpconnmap.cc:316 #9 0x7fc1c45897a0 in EventuallyPersistentEngine::handleDisconnect(void const*) kv_engine/engines/ep/src/ep_engine.cc:5792 #10 0x7fc1c45897a0 in EvpHandleDisconnect kv_engine/engines/ep/src/ep_engine.cc:1682 #11 0x447119 in perform_callbacks(ENGINE_EVENT_TYPE, void const*, void const*) kv_engine/daemon/memcached.cc:301 #12 0x62cb94 in Connection::propagateDisconnect() const kv_engine/daemon/connection.cc:1506 #13 0x62cb94 in Connection::close() kv_engine/daemon/connection.cc:1487 #14 0x784fec in StateMachine::conn_pending_close() kv_engine/daemon/statemachine.cc:577 #15 0x784fec in StateMachine::execute() kv_engine/daemon/statemachine.cc:129 #16 0x63ccff in Connection::runStateMachinery() kv_engine/daemon/connection.cc:1312 #17 0x63cfcb in Connection::runEventLoop(short) kv_engine/daemon/connection.cc:1386 #18 0x681ab8 in run_event_loop(Connection*, short) kv_engine/daemon/connections.cc:147 #19 0x45df77 in event_handler(int, short, void*) kv_engine/daemon/memcached.cc:855 #20 0x7fc1ccc1f086 in event_persist_closure deps/packages/build/libevent/libevent-prefix/src/libevent/event.c:1580 #21 0x7fc1ccc1f086 in event_process_active_single_queue deps/packages/build/libevent/libevent-prefix/src/libevent/event.c:1639 #22 0x7fc1ccc1f5fe in event_process_active deps/packages/build/libevent/libevent-prefix/src/libevent/event.c:1738 #23 0x7fc1ccc1f5fe in event_base_loop deps/packages/build/libevent/libevent-prefix/src/libevent/event.c:1961 #24 0x5aa3df in worker_libevent kv_engine/daemon/thread.cc:218 #25 0x7fc1cd4b8868 in CouchbaseThread::run() platform/src/cb_pthreads.cc:58 #26 0x7fc1cd4b8868 in platform_thread_wrap platform/src/cb_pthreads.cc:71 #27 0x7fc1cb35b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #28 0x7fc1cb09141c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c) Change-Id: Ic806fdfa6aca458a0dc1b82f046bca76dcb75d40 Reviewed-on: http://review.couchbase.org/110054 Reviewed-by: Daniel Owen <owend@couchbase.com> Tested-by: Dave Rigby <daver@couchbase.com>
diff --git a/engines/ep/src/dcp/active_stream.cc b/engines/ep/src/dcp/active_stream.cc
@@ -1130,6 +1130,9 @@ uint32_t ActiveStream::setDead(end_stream_status_t status) {
     // (owned by a backfill) and clear a seqno ack from a new ActiveStream.
     if (supportSyncReplication()) {
         auto vb = engine->getVBucket(vb_);
+        if (!vb) {
+            return 0;
+        }
         // Take the vb state lock so that we don't change the state of
         // this vb
         folly::SharedMutex::ReadHolder vbStateLh(vb->getStateLock());
