-
Notifications
You must be signed in to change notification settings - Fork 379
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
memtx: fix use-after-free of successor in
tree_iterator_start
We assumed that the successor tuple's story could not get garbage collected on clarify of result tuple in `tree_iterator_start`, since they coincide in case of regular iterators. But this is not the case for reverse iterators: the result tuple is of-by-one from the successor, which means the successor's story can get garbage collected along with the tuple itself getting deleted, leading to use-after-free of successor: remove garbage collection from `memtx_tx_tuple_clarify` and call it manually. The crash in #7756 revealed that the `put` in transaction manager's story hash table was performed incorrectly: fix it and add an assertion that nothing was replaced. Closes #7755 Closes #7756 NO_DOC=bugfix
- Loading branch information
1 parent
8dcefeb
commit 1344779
Showing
10 changed files
with
150 additions
and
18 deletions.
There are no files selected for viewing
4 changes: 4 additions & 0 deletions
4
changelogs/unreleased/gh-7755-memtx-rev-iters-repeatable-read-violation.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
## bugfix/memtx | ||
|
||
* Fixed possibility of repeatable read violation with reverse iterators | ||
(gh-7755). |
3 changes: 3 additions & 0 deletions
3
changelogs/unreleased/gh-7756-memtx-crash-on-series-of-txs.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
## bugfix/memtx | ||
|
||
* Fixed crash on series of transactions in memtx (gh-7756). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
61 changes: 61 additions & 0 deletions
61
test/box-luatest/gh_7755_memtx_rev_iters_repeatable_read_violation_test.lua
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
local server = require('test.luatest_helpers.server') | ||
local t = require('luatest') | ||
|
||
local g = t.group(nil, t.helpers.matrix{iter = {'LT', 'LE'}}) | ||
|
||
g.before_all(function(cg) | ||
cg.server = server:new { | ||
alias = 'dflt', | ||
box_cfg = {memtx_use_mvcc_engine = true} | ||
} | ||
cg.server:start() | ||
end) | ||
|
||
g.after_all(function(cg) | ||
cg.server:drop() | ||
end) | ||
|
||
g.before_each(function(cg) | ||
cg.server:exec(function() | ||
local s = box.schema.create_space('s') | ||
s:create_index('pk') | ||
box.internal.memtx_tx_gc(1) | ||
end) | ||
end) | ||
|
||
g.after_each(function(cg) | ||
cg.server:exec(function() | ||
box.space.s:drop() | ||
end) | ||
end) | ||
|
||
--[[ | ||
Checks that repeatable read violation with reverse iterators is not possible. | ||
]] | ||
g.test_repeatable_read_violation_with_rev_iter = function(cg) | ||
cg.server:exec(function(iter) | ||
local t = require('luatest') | ||
local txn_proxy = require('test.box.lua.txn_proxy') | ||
|
||
local tx1 = txn_proxy:new() | ||
local tx2 = txn_proxy:new() | ||
local tx3 = txn_proxy:new() | ||
|
||
tx1('box.begin()') | ||
tx2('box.begin()') | ||
tx3('box.begin()') | ||
|
||
tx1('box.space.s:insert{3}') | ||
tx1('box.rollback()') | ||
|
||
tx2('box.space.s:insert{0}') | ||
local read_operation = 'box.space.s:select({2}, {iterator = "%s"})' | ||
read_operation = read_operation:format(iter) | ||
tx3(read_operation) | ||
box.space.s:insert{1} | ||
|
||
t.assert_equals(tx3(read_operation), {{}}) | ||
t.assert_equals(tx3('box.space.s:insert{3}'), | ||
{{error = 'Transaction has been aborted by conflict'}}) | ||
end, {cg.params.iter}) | ||
end |
54 changes: 54 additions & 0 deletions
54
test/box-luatest/gh_7756_memtx_crash_on_series_of_txs_test.lua
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
local server = require('test.luatest_helpers.server') | ||
local t = require('luatest') | ||
|
||
local g = t.group(nil, t.helpers.matrix{iter = {'LT', 'LE'}}) | ||
|
||
g.before_all(function(cg) | ||
cg.server = server:new { | ||
alias = 'dflt', | ||
box_cfg = {memtx_use_mvcc_engine = true} | ||
} | ||
cg.server:start() | ||
end) | ||
|
||
g.after_all(function(cg) | ||
cg.server:drop() | ||
end) | ||
|
||
g.before_each(function(cg) | ||
cg.server:exec(function() | ||
local s = box.schema.create_space('s') | ||
s:create_index('pk') | ||
box.internal.memtx_tx_gc(1) | ||
end) | ||
end) | ||
|
||
g.after_each(function(cg) | ||
cg.server:exec(function() | ||
box.space.s:drop() | ||
end) | ||
end) | ||
|
||
--[[ | ||
Checks that server does not crash on series of transactions from gh-7756. | ||
]] | ||
g.test_server_crash_on_series_of_txs = function(cg) | ||
local stream1 = cg.server.net_box:new_stream() | ||
local stream2 = cg.server.net_box:new_stream() | ||
local stream3 = cg.server.net_box:new_stream() | ||
|
||
stream1:begin() | ||
stream2:begin() | ||
stream3:begin() | ||
|
||
stream1.space.s:insert{3} | ||
stream1:rollback() | ||
|
||
stream2.space.s:insert{0} | ||
|
||
stream3.space.s:select({2}, {iterator = cg.params.iter}) | ||
|
||
cg.server:exec(function() | ||
box.space.s:insert{1} | ||
end) | ||
end |