memtx: fix 'use after free' of garbage collected MVCC stories #7466
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CuriousGeorgiy
force-pushed
the
gh-7449-tuple-is-dirty-assertion-on-replace
branch
from
fab326e to
f01bf2f
Compare
CuriousGeorgiy
assigned alyapunov, Korablev77 and drewdzzz and unassigned CuriousGeorgiy
drewdzzz
requested changes
Jul 26, 2022
test/box-luatest/gh_7449_tuple_is_dirty_assertion_on_replace_test.lua
Outdated
Show resolved
Hide resolved
CuriousGeorgiy
force-pushed
the
gh-7449-tuple-is-dirty-assertion-on-replace
branch
from
f01bf2f to
45e900f
Compare
|
@drewdzzz fixed commit subject length, opened a corresponding issue (tarantool/checkpatch#29). |
drewdzzz
reviewed
Jul 29, 2022
CuriousGeorgiy
force-pushed
the
gh-7449-tuple-is-dirty-assertion-on-replace
branch
from
45e900f to
9d6d08a
Compare
CuriousGeorgiy
changed the title
CuriousGeorgiy
force-pushed
the
gh-7449-tuple-is-dirty-assertion-on-replace
branch
2 times, most recently
from
9353c18 to
d166e45
Compare
CuriousGeorgiy
force-pushed
the
gh-7449-tuple-is-dirty-assertion-on-replace
branch
from
d166e45 to
4745224
Compare
alyapunov
suggested changes
Sep 12, 2022
src/box/memtx_tx.c
Outdated
| @@ -2992,7 +3003,7 @@ memtx_tx_snapshot_clarify_slow(struct memtx_tx_snapshot_cleaner *cleaner, | |||
| assert(entry->from == tuple); | |||
| tuple = entry->to; | |||
| } | |||
|
|
|||
| memtx_tx_story_gc(); | |||
There was a problem hiding this comment.
Snapshot cleaner must not collect garbage at least because it may be run from different thread.
There was a problem hiding this comment.
Sorry, I didn't bear that in mind, removed it.
I added it just for the sake of more often garbage collection.
CuriousGeorgiy
force-pushed
the
gh-7449-tuple-is-dirty-assertion-on-replace
branch
3 times, most recently
from
36e3e1a to
2e77c99
Compare
drewdzzz
approved these changes
Sep 12, 2022
CuriousGeorgiy
requested review from
alyapunov
and removed request for
Korablev77
alyapunov
suggested changes
Sep 13, 2022
`directly_replaced` stories can potentially get garbage collected in `memtx_tx_handle_gap_write`, which is unexpected and leads to 'use after free': in order to fix this, limit garbage collection points only to external API calls. Wrap all possible garbage collection points with explicit warnings (see c9981a5). Closes tarantool#7449 NO_DOC=bugfix
CuriousGeorgiy
force-pushed
the
gh-7449-tuple-is-dirty-assertion-on-replace
branch
from
2e77c99 to
ba16861
Compare
alyapunov
approved these changes
Sep 15, 2022
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
directly_replacedstories can potentially get garbage collected inmemtx_tx_handle_gap_write, which is unexpected and leads to 'use afterfree': in order to fix this, limit garbage collection points only to
external API calls.
Wrap all possible garbage collection points with explicit warnings (see
c9981a5).
Closes #7449