Uploaded image for project: 'Apache Trafodion (Retired)'
  1. Apache Trafodion (Retired)
  2. TRAFODION-2879

Core dump due to reference to deallocated memory for EstLogProp object

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.0-incubating
    • 2.3
    • sql-cmp
    • None
    • Any

    Description

      This looks like an old bug that was recently found by Eric Owhadi, with a stack trace that looks like this:

      #5  0x00007f23af4264fa in NAHeap::deallocateHeapMemory (this=0x7f237ddd66c0, 
          addr=0x7f236f70fba8) at ../common/NAMemory.cpp:3230
      #6  0x00007f23af42207b in NAMemory::deallocateMemory (this=0x7f237ddd66c0, 
          addr=0x7f236f70fba8) at ../common/NAMemory.cpp:1265
      #7  0x00007f23ada97cdd in NABasicObject::operator delete (p=0x7f236f70fba8)
          at ../export/NABasicObject.cpp:139
      #8  0x00007f23ac37fa24 in EstLogProp::~EstLogProp (this=0x7f236f70fba8, 
          __in_chrg=<value optimized out>) at ../optimizer/EstLogProp.cpp:130
      #9  0x00007f23ac38117e in IntrusiveSharedRefCount<EstLogProp>::destroyObjects (
          this=0x7f236f70fbb8) at ../common/SharedPtr.h:226
      #10 0x00007f23ac1ce7de in SharedRefCountBase<EstLogProp>::decrUseCount (
          this=0x7f236f70fbb8) at ../common/SharedPtr.h:136
      #11 0x00007f23ac1cb845 in SharedPtr<EstLogProp>::~SharedPtr (
      ---Type <return> to continue, or q <return> to quit---
          this=0x7f2382e8e2d0, __in_chrg=<value optimized out>)
          at ../common/SharedPtr.h:280
      #12 0x00007f23ac1c591e in IntrusiveSharedPtr<EstLogProp>::~IntrusiveSharedPtr (
          this=0x7f2382e8e2d0, __in_chrg=<value optimized out>)
          at ../common/SharedPtr.h:376
      #13 0x00007f23ab92d85a in CmpContext::~CmpContext (this=0x7f2382e8e090, 
          __in_chrg=<value optimized out>) at ../arkcmp/CmpContext.cpp:382
      

      I suspect that we are trying to delete the CmpContext::emptyInLogProp_ data member here.

      I think this data member is initialized incorrectly:

      • The CmpContext object lives longer than an individual statement
      • Initially, CmpContext::emptyInLogProp_ is a NULL pointer
      • For every statement (or at least for most statements), we set this data member to an object allocated from the statement heap, see CmpStatement::initQueryAnalysis() in file arkcmp/CmpStatement.cpp.
      • We don’t deallocate this data member explicitly, as far as I can see. It gets automatically deleted when we call the destructor or when we assign a different value to the IntrusiveSharedPtr.

      So, what happens is that when we destroy the statement and its heap, we leave a dangling reference to a deallocated object in the CmpContext. As we can see here, when we later destroy the context, we point to an object in deallocated memory.

      We need to do two things to fix this: First, with these shared pointers, we cannot allocate an object from the statement heap without calling the destructor for the object. Second, we cannot point from the CmpContext to an object that is allocated from the short-lived statement heap - at least not beyond the lifetime of the statement.

      Attachments

        Issue Links

          Activity

            People

              hzeller Hans Zeller
              hzeller Hans Zeller
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: