[
https://issues.apache.org/jira/browse/CASSANDRA-9530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jeff Jirsa updated CASSANDRA-9530:
----------------------------------
Description:
If a sstable is corrupted so that the length of a given value is bogus, we'll
still happily try to allocate a buffer of that bogus size to read the value,
which can easily lead to an OOM.
We should probably protect against this. In practice, a given value can be so
big since it's limited by the protocol frame size in the first place. Maybe we
could add a max_value_size_in_mb setting and we'd considered a sstable
corrupted if it was containing a value bigger than that.
I'll note that this ticket would be a good occasion to improve
{{BlacklistingCompactionsTest}}. Typically, it currently generate empty values
which makes it pretty much impossible to get the problem described here. And as
described in CASSANDRA-9478, it also doesn't test properly for thing like early
opening of compaction results. We could try to randomize as much of the
parameters of this test as possible to make it more likely to catch any type of
corruption that could happen.
was:
If a sstable is corrupted so that the length of a given is bogus, we'll still
happily try to allocate a buffer of that bogus size to read the value, which
can easily lead to an OOM.
We should probably protect against this. In practice, a given value can be so
big since it's limited by the protocol frame size in the first place. Maybe we
could add a max_value_size_in_mb setting and we'd considered a sstable
corrupted if it was containing a value bigger than that.
I'll note that this ticket would be a good occasion to improve
{{BlacklistingCompactionsTest}}. Typically, it currently generate empty values
which makes it pretty much impossible to get the problem described here. And as
described in CASSANDRA-9478, it also doesn't test properly for thing like early
opening of compaction results. We could try to randomize as much of the
parameters of this test as possible to make it more likely to catch any type of
corruption that could happen.
> SSTable corruption can trigger OOM
> ----------------------------------
>
> Key: CASSANDRA-9530
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9530
> Project: Cassandra
> Issue Type: Bug
> Components: Local Write-Read Paths
> Reporter: Sylvain Lebresne
> Assignee: Alex Petrov
> Fix For: 3.0.7, 3.7, 3.8
>
>
> If a sstable is corrupted so that the length of a given value is bogus, we'll
> still happily try to allocate a buffer of that bogus size to read the value,
> which can easily lead to an OOM.
> We should probably protect against this. In practice, a given value can be so
> big since it's limited by the protocol frame size in the first place. Maybe
> we could add a max_value_size_in_mb setting and we'd considered a sstable
> corrupted if it was containing a value bigger than that.
> I'll note that this ticket would be a good occasion to improve
> {{BlacklistingCompactionsTest}}. Typically, it currently generate empty
> values which makes it pretty much impossible to get the problem described
> here. And as described in CASSANDRA-9478, it also doesn't test properly for
> thing like early opening of compaction results. We could try to randomize as
> much of the parameters of this test as possible to make it more likely to
> catch any type of corruption that could happen.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
