Tarantool development patches archive
From: Nikita Pettik <korablev@tarantool.org>
To: tarantool-patches@freelists.org
Cc: v.shpilevoy@tarantool.org, Nikita Pettik <korablev@tarantool.org>
Subject: [tarantool-patches] [PATCH] sql: update ptr to VDBE after its creation in sql_txn
Date: Tue, 16 Apr 2019 02:25:22 +0300
Message-ID: <20190415232522.10188-1-korablev@tarantool.org>

The VDBE object is used in struct sql_txn to add new autoincrement ids
in sequence_next(). The list of these ids is returned later as a query
execution result. sql_txn is created once an SQL statement is executed
inside a transaction and exists till commit or rollback. After its
creation it contains a pointer to the current VDBE. Each VDBE is freed
after the statement is executed. Hence, after the first SQL statement
within a transaction is executed, sql_txn will point to freed memory
(dangling pointer). This leads to a crash in the next processed
statement. The fix for this bug is simple: we must re-assign the pointer
to VDBE in sql_txn before VDBE execution.

Closes #4157
---
Branch: https://github.com/tarantool/tarantool/tree/np/gh-4157-fix-autoincrement-in-transaction
Issue: https://github.com/tarantool/tarantool/issues/4157

 src/box/sql/vdbeaux.c                     |  1 +
 test/sql/transitive-transactions.result   | 28 ++++++++++++++++++++++++++++
 test/sql/transitive-transactions.test.lua | 15 +++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/src/box/sql/vdbeaux.c b/src/box/sql/vdbeaux.c
index 0cc3c1487..1a9762d5e 100644
--- a/src/box/sql/vdbeaux.c
+++ b/src/box/sql/vdbeaux.c
@@ -110,6 +110,7 @@ sql_vdbe_prepare(struct Vdbe *vdbe)
 			if (txn->psql_txn == NULL)
 				return -1;
 		}
+		txn->psql_txn->vdbe = vdbe;
 	}
 	return 0;
 }
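Review bot: The added `txn->psql_txn->vdbe = vdbe;` refreshes the pointer on every prepare, but nothing in this hunk clears it when the VDBE is freed, so by the commit message's own description psql_txn still holds a dangling pointer in the window between two statements of the same transaction. Consider resetting `psql_txn->vdbe` to NULL at the point where the VDBE is finalized, so that any access outside statement execution fails on a NULL pointer instead of reading freed memory. A short comment above the new line saying that the VDBE is per-statement while psql_txn lives until commit or rollback would also make clear why the assignment sits outside the `psql_txn == NULL` branch.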
diff --git a/test/sql/transitive-transactions.result b/test/sql/transitive-transactions.result
index 883cc00f6..ee9b4218d 100644
--- a/test/sql/transitive-transactions.result
+++ b/test/sql/transitive-transactions.result
@@ -134,3 +134,31 @@ box.execute('DROP TABLE parent;');
 ---
 - row_count: 1
 ...
+-- gh-4157: autoincrement within transaction started in SQL
+-- leads to seagfault.
+--
+box.execute('CREATE TABLE t (id INT PRIMARY KEY AUTOINCREMENT);');
+---
+- row_count: 1
+...
+box.execute('START TRANSACTION')
+box.execute('INSERT INTO t VALUES (null), (null);')
+box.execute('INSERT INTO t VALUES (null), (null);')
+box.execute('SAVEPOINT sp;')
+box.execute('INSERT INTO t VALUES (null);')
+box.execute('ROLLBACK TO sp;')
+box.execute('INSERT INTO t VALUES (null);')
+box.commit();
+---
+...
+box.space.T:select();
+---
+- - [1]
+  - [2]
+  - [3]
+  - [4]
+  - [6]
+...
+box.space.T:drop();
+---
+...
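Review bot: The expected output records nothing for the INSERT statements between `box.execute('START TRANSACTION')` and `box.commit();`; only one empty result block follows the whole group. That leaves the returned autoincrement id lists, which are what the commit message says the stored VDBE pointer is used for, unchecked. The test would still pass if the ids were attached to the wrong statement or dropped, as long as the server does not crash. Consider terminating each statement so that its result is captured in the .result file, or asserting on the id list returned by each INSERT. The comment at the top of the new block also has a typo: "seagfault" should be "segfault".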
diff --git a/test/sql/transitive-transactions.test.lua b/test/sql/transitive-transactions.test.lua
index 97b06e592..54f12739e 100644
--- a/test/sql/transitive-transactions.test.lua
+++ b/test/sql/transitive-transactions.test.lua
@@ -67,3 +67,18 @@ box.execute('PRAGMA defer_foreign_keys = 0;')
 -- Cleanup
 box.execute('DROP TABLE child;');
 box.execute('DROP TABLE parent;');
+
+-- gh-4157: autoincrement within transaction started in SQL
+-- leads to seagfault.
+--
+box.execute('CREATE TABLE t (id INT PRIMARY KEY AUTOINCREMENT);');
+box.execute('START TRANSACTION')
+box.execute('INSERT INTO t VALUES (null), (null);')
+box.execute('INSERT INTO t VALUES (null), (null);')
+box.execute('SAVEPOINT sp;')
+box.execute('INSERT INTO t VALUES (null);')
+box.execute('ROLLBACK TO sp;')
+box.execute('INSERT INTO t VALUES (null);')
+box.commit();
+box.space.T:select();
+box.space.T:drop();
-- 
2.15.1
