From: Nikita Pettik
Subject: [tarantool-patches] [PATCH] sql: update ptr to VDBE after its creation in sql_txn
Date: Tue, 16 Apr 2019 02:25:22 +0300
Message-Id: <20190415232522.10188-1-korablev@tarantool.org>
Reply-To: tarantool-patches@freelists.org
To: tarantool-patches@freelists.org
Cc: v.shpilevoy@tarantool.org, Nikita Pettik

The VDBE object is used in struct sql_txn to add new autoincrement ids in
sequence_next(). The list of these ids is returned later as a query
execution result. sql_txn is created once an SQL statement is executed
inside a transaction and exists till commit or rollback. After its
creation it contains a pointer to the current VDBE. Each VDBE is freed
after its statement is executed. Hence, after the first SQL statement
within a transaction is executed, sql_txn will point to freed memory
(dangling pointer). This leads to a crash in the next processed statement.
The fix for this bug is simple: we must re-assign the pointer to the VDBE
in sql_txn before VDBE execution.

Closes #4157
---
Branch: https://github.com/tarantool/tarantool/tree/np/gh-4157-fix-autoincrement-in-transaction
Issue: https://github.com/tarantool/tarantool/issues/4157

 src/box/sql/vdbeaux.c | 1 +
 test/sql/transitive-transactions.result | 28 ++++++++++++++++++++++++++++
 test/sql/transitive-transactions.test.lua | 15 +++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/src/box/sql/vdbeaux.c b/src/box/sql/vdbeaux.c index 0cc3c1487..1a9762d5e 100644 --- a/src/box/sql/vdbeaux.c +++ b/src/box/sql/vdbeaux.c @@ -110,6 +110,7 @@ sql_vdbe_prepare(struct Vdbe *vdbe) if (txn->psql_txn == NULL) return -1; } + txn->psql_txn->vdbe = vdbe; } return 0; } diff --git a/test/sql/transitive-transactions.result b/test/sql/transitive-transactions.result index 883cc00f6..ee9b4218d 100644 
--- a/test/sql/transitive-transactions.result +++ b/test/sql/transitive-transactions.result @@ -134,3 +134,31 @@ box.execute('DROP TABLE parent;'); --- - row_count: 1 ... +-- gh-4157: autoincrement within transaction started in SQL +-- leads to seagfault. +-- +box.execute('CREATE TABLE t (id INT PRIMARY KEY AUTOINCREMENT);'); +--- +- row_count: 1 +... +box.execute('START TRANSACTION') +box.execute('INSERT INTO t VALUES (null), (null);') +box.execute('INSERT INTO t VALUES (null), (null);') +box.execute('SAVEPOINT sp;') +box.execute('INSERT INTO t VALUES (null);') +box.execute('ROLLBACK TO sp;') +box.execute('INSERT INTO t VALUES (null);') +box.commit(); +--- +... +box.space.T:select(); +--- +- - [1] + - [2] + - [3] + - [4] + - [6] +... +box.space.T:drop(); +--- +... diff --git a/test/sql/transitive-transactions.test.lua b/test/sql/transitive-transactions.test.lua index 97b06e592..54f12739e 100644 --- a/test/sql/transitive-transactions.test.lua +++ b/test/sql/transitive-transactions.test.lua @@ -67,3 +67,18 @@ box.execute('PRAGMA defer_foreign_keys = 0;') -- Cleanup box.execute('DROP TABLE child;'); box.execute('DROP TABLE parent;'); + +-- gh-4157: autoincrement within transaction started in SQL +-- leads to seagfault. +-- +box.execute('CREATE TABLE t (id INT PRIMARY KEY AUTOINCREMENT);'); +box.execute('START TRANSACTION') +box.execute('INSERT INTO t VALUES (null), (null);') +box.execute('INSERT INTO t VALUES (null), (null);') +box.execute('SAVEPOINT sp;') +box.execute('INSERT INTO t VALUES (null);') +box.execute('ROLLBACK TO sp;') +box.execute('INSERT INTO t VALUES (null);') +box.commit(); +box.space.T:select(); +box.space.T:drop(); -- 2.15.1
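
Review bot: In src/box/sql/vdbeaux.c, the new `txn->psql_txn->vdbe = vdbe;` in sql_vdbe_prepare() refreshes the pointer before each execution, but nothing visible in this patch resets it when the VDBE is freed, so psql_txn->vdbe still refers to freed memory between statements of the same transaction. Consider setting it to NULL where the VDBE is released, so that any use outside an executing statement hits a NULL check instead of reading freed memory, and add a one-line comment above the assignment saying why it is repeated for every statement.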
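
Review bot: In test/sql/transitive-transactions.result, the expected output records nothing for the four INSERT statements inside the transaction (there is only one empty result after `box.commit();`), so the list of generated autoincrement ids, which the commit message names as the reason sql_txn holds the VDBE pointer, is never checked. Consider capturing the result of at least the second INSERT so the test fails on wrong ids and not only on a crash. The expected rows [1] [2] [3] [4] [6] also rely on id 5 staying consumed after `ROLLBACK TO sp;`, and a short comment saying the gap is intended would help the next reader.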
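
Review bot: In test/sql/transitive-transactions.test.lua, the comment above the new test reads "leads to seagfault", which should be "segfault" (the same typo is mirrored in the .result file). The test also ends the transaction only with `box.commit();`. Since the commit message says sql_txn lives until commit or rollback, a second case that runs several INSERTs and then ends with a full rollback would cover the other exit path.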