Tarantool development patches archive
 help / color / mirror / Atom feed
From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
Cc: tarantool-patches@freelists.org, kostja@tarantool.org
Subject: Re: [tarantool-patches] [PATCH 1/1] vinyl: fix crash in vinyl_iterator_secondary_next
Date: Sat, 12 May 2018 03:30:09 +0300	[thread overview]
Message-ID: <20180512003009.7wwgg3ecdsfibzcy@esperanza> (raw)
In-Reply-To: <dff067540ee7081cc4e488f283b7475f72b0c937.1526080999.git.v.shpilevoy@tarantool.org>

On Sat, May 12, 2018 at 02:24:41AM +0300, Vladislav Shpilevoy wrote:
> +
> +--
> +-- gh-3393: vinyl secondary index iterator must take in the hopper
> +-- that a tuple can disappear from the primary index after the
> +-- secondary index lookup.
> +--
> +s = box.schema.create_space('test', {engine = 'vinyl'})
> +pk = s:create_index('pk')
> +sk = s:create_index('sk', {parts = {{2, 'unsigned'}, {1, 'unsigned'}}})
> +s:replace{1, 2}
> +s:replace{3, 4}
> +box.snapshot()
> +ret = nil
> +function iterate(i) ret = i.next() end
> +box.begin()
> +s:replace{5, 6} -- Start a transaction in the engine.
> +iter = create_iterator(sk, {4}, {iterator = 'GE'})
> +errinj.set("ERRINJ_VY_DELAY_PK_LOOKUP", true)
> +f = fiber.create(iterate, iter)
> +s:delete{3}
> +errinj.set("ERRINJ_VY_DELAY_PK_LOOKUP", false)
> +while not ret do fiber.sleep(0.1) end

Here's what happens here:

 1. You create an iterator in a transaction and pass it to a new fiber.
    Let us denote the current fiber as fiber A and the new fiber as
    fiber B.
 2. Fiber B uses the iterator to read the secondary key {4}, then it
    yields right before fetching the tuple {3, 4} from the primary key.
 3. In the mid time fiber A deletes tuple {3, 4} by writing DELETE{3, 4}
    to the transaction write set.
 4. Fiber B continues execution and since it's bound to transaction
    corresponding to fiber A, it finds DELETE{3, 4} in the transaction
    write set and crashes.

I don't think this has anything to do with the original bug you're
pursuing. The use case is quite unnatural obviously. I guess we should
simply prohibit it (i.e. abort read iterator if it is passed to another
fiber). I surmise the crash our customer is experiencing is caused by a
bug in read iterator restore procedure, which was probably brought about
by one of my recent patches.

That said, NAK for this patch.

> +ret
> +iter.iterate_over()
> +box.commit()
> +s:drop()

      parent reply	other threads:[~2018-05-12  0:30 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-11 23:24 Vladislav Shpilevoy
2018-05-11 23:52 ` [tarantool-patches] " Konstantin Osipov
2018-05-12  0:30 ` Vladimir Davydov [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180512003009.7wwgg3ecdsfibzcy@esperanza \
    --to=vdavydov.dev@gmail.com \
    --cc=kostja@tarantool.org \
    --cc=tarantool-patches@freelists.org \
    --cc=v.shpilevoy@tarantool.org \
    --subject='Re: [tarantool-patches] [PATCH 1/1] vinyl: fix crash in vinyl_iterator_secondary_next' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox