Details
-
Bug
-
Resolution: Fixed
-
Critical
-
5.5.0
-
Untriaged
-
Unknown
Description
As identified by UndefinedSanitizer; if we attempt to eject an item which is compressed then during the HashTable statistics update we unconditionally dereference the value pointer; which is now null:
void HashTable::Statistics::epilogue(const StoredValue& v) { |
// After performing updates to sv; increase all statistics which sv matches. |
...
|
if (mcbp::datatype::is_snappy(v.getDatatype())) { |
size_t uncompressed_length = cb::compression::get_uncompressed_length( |
cb::compression::Algorithm::Snappy,
|
{v.getValue()->getData(), v.valuelen()});
|
uncompressedMemSize.fetch_add(v.metaDataSize() + uncompressed_length);
|
} else { |
...
|
In the case of UBSan this aborts the program; but I would expect this could lead to a segfault in the full stack.
Attachments
| For Gerrit Dashboard: MB-30190 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 95886,2 | MB-30190: Check if Blob is present before calculating uncompressedLength | vulcan | kv_engine | Status: MERGED | +2 | +1 |
| 95925,2 | Merge branch 'vulcan' into 'master' | master | kv_engine | Status: MERGED | +2 | +1 |