From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 6924A2D80C for ; Wed, 8 May 2019 08:11:25 -0400 (EDT) Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oOdUb8TIbfHl for ; Wed, 8 May 2019 08:11:25 -0400 (EDT) Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTPS id 19FCD2D7E4 for ; Wed, 8 May 2019 08:11:25 -0400 (EDT) Received: by mail-lf1-f42.google.com with SMTP id n134so12532054lfn.11 for ; Wed, 08 May 2019 05:11:24 -0700 (PDT) Received: from uranus.localdomain ([5.18.103.226]) by smtp.gmail.com with ESMTPSA id y131sm2317450lfc.76.2019.05.08.05.11.22 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 08 May 2019 05:11:22 -0700 (PDT) From: Cyrill Gorcunov Subject: [tarantool-patches] [PATCH 2/2] Fix rechaining of pseudo-resurrected string keys. Date: Wed, 8 May 2019 15:10:21 +0300 Message-Id: <20190508121021.14968-4-gorcunov@gmail.com> In-Reply-To: <20190508121021.14968-1-gorcunov@gmail.com> References: <20190508121021.14968-1-gorcunov@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: tarantool-patches-bounce@freelists.org Errors-to: tarantool-patches-bounce@freelists.org Reply-To: tarantool-patches@freelists.org List-Help: List-Unsubscribe: List-software: Ecartis version 1.0.0 List-Id: tarantool-patches List-Subscribe: List-Owner: List-post: List-Archive: To: tml From: Mike Pall This is a serious bug. But extremely hard to reproduce, so it went undetected for 8 years. One needs two resurrections with different main nodes, which are both in a hash chain which gets relinked on key insertion where the colliding node is in a non-main position. Phew. Thanks to lbeiming. backport 046129dbdda5261c1b17469a2895a113d14c070a --- src/lj_tab.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/lj_tab.c b/src/lj_tab.c index 47c0cfd..c51666d 100644 --- a/src/lj_tab.c +++ b/src/lj_tab.c @@ -491,6 +491,29 @@ TValue *lj_tab_newkey(lua_State *L, GCtab *t, cTValue *key) freenode->next = nn->next; nn->next = n->next; setmref(n->next, nn); + /* + ** Rechaining a resurrected string key creates a new dilemma: + ** Another string key may have originally been resurrected via + ** _any_ of the previous nodes as a chain anchor. Including + ** a node that had to be moved, which makes them unreachable. + ** It's not feasible to check for all previous nodes, so rechain + ** any string key that's currently in a non-main positions. + */ + while ((nn = nextnode(freenode))) { + if (tvisstr(&nn->key) && !tvisnil(&nn->val)) { + Node *mn = hashstr(t, strV(&nn->key)); + if (mn != freenode) { + freenode->next = nn->next; + nn->next = mn->next; + setmref(mn->next, nn); + } else { + freenode = nn; + } + } else { + freenode = nn; + } + } + break; } else { freenode = nn; } -- 2.20.1