From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id 11CB66EC41; Thu, 12 Aug 2021 12:52:22 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 11CB66EC41 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1628761942; bh=iQIXZBVN+COF+pY9OdqT2A8HFGAS5vBIz86jtp/7ELk=; h=To:Cc:Date:In-Reply-To:References:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=If6vP0/zFEu0UbgGDeKtZvVUH6jDO3p/ZaOlT9Lf7VNP6QbGXBhVWa1n0VFZdz9un LllWMI2NIu1ADhjQWJprytTfdrfR/3t/H1YZG/8hEuS7NIDSI0PM7qsADsCAegjzcv 4Va3Y9dsOdzXuP/P7huhUvhfUN/2TnXpnkc4L5RY= Received: from smtp33.i.mail.ru (smtp33.i.mail.ru [94.100.177.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id F30EE6EC44 for ; Thu, 12 Aug 2021 12:50:51 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org F30EE6EC44 Received: by smtp33.i.mail.ru with esmtpa (envelope-from ) id 1mE7MQ-0005NV-Vg; Thu, 12 Aug 2021 12:50:51 +0300 To: tarantool-patches@dev.tarantool.org, vdavydov@tarantool.org, v.shpilevoy@tarantool.org Cc: mechanik20051988 Date: Thu, 12 Aug 2021 12:50:41 +0300 Message-Id: <23539c443b03faac42ba1b072a98269d2d2b6102.1628759886.git.mechanik20051988@tarantool.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-7564579A: 646B95376F6C166E X-77F55803: 4F1203BC0FB41BD92087353F0EC44DD906AB4890CDABF0C5CB76CEE71D3E4007182A05F538085040A65FC83C963A183CDE6C477D3977F0613A6CF6A3C2704EC4C2F54DAF21B64099 X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE76D4A2B7BAC4DEDB8EA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F790063761B0653E4D5FA7998638F802B75D45FF36EB9D2243A4F8B5A6FCA7DBDB1FC311F39EFFDF887939037866D6147AF826D8CDF309850A1CAD7981C4CE5E22065A15117882F4460429724CE54428C33FAD305F5C1EE8F4F765FC1A9C11735BBA05FBA471835C12D1D9774AD6D5ED66289B52BA9C0B312567BB23117882F44604297287769387670735204B6963042765DA4B2CC0D3CB04F14752D2E47CDBA5A96583BA9C0B312567BB2376E601842F6C81A19E625A9149C048EE41BF15D38FB6CB3A6B91AC3BD56FC247D8FC6C240DEA7642DBF02ECDB25306B2B78CF848AE20165D0A6AB1C7CE11FEE3F8BD4E506CFA3D88C0837EA9F3D19764C4224003CC836476EA7A3FFF5B025636E2021AF6380DFAD1A18204E546F3947CB11811A4A51E3B096D1867E19FE1407959CC434672EE6371089D37D7C0E48F6C8AA50765F7900637B7457ED07BBA7E3EEFF80C71ABB335746BA297DBC24807EABDAD6C7F3747799A X-B7AD71C0: AC4F5C86D027EB782CDD5689AFBDA7A213B5FB47DCBC3458834459D11680B505D6C3EEE6BC5FD6D58095CFC97C2E7E04 X-C1DE0DAB: C20DE7B7AB408E4181F030C43753B8186998911F362727C414F749A5E30D975C69415AB31670C86CE56A568ABA9D2A7CFD3D4D60B732400A9C2B6934AE262D3EE7EAB7254005DCED7532B743992DF240BDC6A1CF3F042BAD6DF99611D93F60EFA183FDCE24978B01699F904B3F4130E343918A1A30D5E7FCCB5012B2E24CD356 X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D34C2BE7381A0AD3DF13769D7A9974AF4D0D938DAC3B0DCE1864625C538DE4CC0211A0892093AEB2FE31D7E09C32AA3244CD9F4589913A6B6A14EA2D24843BE4C497C0C08F7987826B9927AC6DF5659F194 X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojKW4rnL99YhIa++Dd5KrTvQ== X-Mailru-Sender: 583F1D7ACE8F49BD29FC049B2A5BF96395EA2367FC8BA7F5805C6E3EAD5851D01135FE713E83A314B79567116EAC6FCF4E830D9205DBEA545646F0D3C63A617F27ACC94E9A535D22112434F685709FCF0DA7A0AF5A3A8387 X-Mras: Ok Subject: [Tarantool-patches] [PATCH v4 4/9] salad: fix segfault in case when mhash table allocation failure X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: mechanik20051988 via Tarantool-patches Reply-To: mechanik20051988 Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" From: mechanik20051988 There was no check for successful memory allocation in `new` and `clear` functions for mhash table. And if the memory was not allocated, a null pointer dereference occured. --- src/lib/salad/mhash.h | 99 +++++++++++++++++++++++++++--------------- test/unit/mhash_body.c | 4 +- 2 files changed, 66 insertions(+), 37 deletions(-) diff --git a/src/lib/salad/mhash.h b/src/lib/salad/mhash.h index b555cad4c..74235eeaa 100644 --- a/src/lib/salad/mhash.h +++ b/src/lib/salad/mhash.h @@ -157,7 +157,7 @@ struct _mh(t) { #define MH_DENSITY 0.7 struct _mh(t) * _mh(new)(); -void _mh(clear)(struct _mh(t) *h); +int _mh(clear)(struct _mh(t) *h); void _mh(delete)(struct _mh(t) *h); void _mh(resize)(struct _mh(t) *h, mh_arg_t arg); int _mh(start_resize)(struct _mh(t) *h, mh_int_t buckets, mh_int_t batch, @@ -399,23 +399,50 @@ _mh(del_resize)(struct _mh(t) *h, mh_int_t x, struct _mh(t) * _mh(new)() { - struct _mh(t) *h = (struct _mh(t) *) calloc(1, sizeof(*h)); - h->shadow = (struct _mh(t) *) calloc(1, sizeof(*h)); + struct _mh(t) *h = (struct _mh(t) *)calloc(1, sizeof(*h)); + if (h == NULL) + return NULL; + h->shadow = (struct _mh(t) *)calloc(1, sizeof(*h)); + if (h->shadow == NULL) + goto fail; h->prime = 0; h->n_buckets = __ac_prime_list[h->prime]; - h->p = (mh_node_t *) calloc(h->n_buckets, sizeof(mh_node_t)); + h->p = (mh_node_t *)calloc(h->n_buckets, sizeof(mh_node_t)); + if (h->p == NULL) + goto fail; #if !mh_bytemap - h->b = (uint32_t *) calloc(h->n_buckets / 16 + 1, sizeof(uint32_t)); + h->b = (uint32_t *)calloc(h->n_buckets / 16 + 1, sizeof(uint32_t)); #else - h->b = (uint8_t *) calloc(h->n_buckets, sizeof(uint8_t)); + h->b = (uint8_t *)calloc(h->n_buckets, sizeof(uint8_t)); #endif + if (h->b == NULL) + goto fail; h->upper_bound = h->n_buckets * MH_DENSITY; return h; + +fail: + free(h->p); + free(h->shadow); + free(h); + return NULL; } -void +int _mh(clear)(struct _mh(t) *h) { + mh_int_t n_buckets = __ac_prime_list[h->prime]; + mh_node_t *p = (mh_node_t *)calloc(n_buckets, sizeof(mh_node_t)); + if (p == NULL) + return -1; +#if !mh_bytemap + uint32_t *b = (uint32_t *)calloc(n_buckets / 16 + 1, sizeof(uint32_t)); +#else + uint8_t *b = (uint8_t *)calloc(n_buckets, sizeof(uint8_t)); +#endif + if (b == NULL) { + free(p); + return -1; + } if (h->shadow->p) { free(h->shadow->p); free(h->shadow->b); @@ -424,15 +451,12 @@ _mh(clear)(struct _mh(t) *h) free(h->p); free(h->b); h->prime = 0; - h->n_buckets = __ac_prime_list[h->prime]; - h->p = (mh_node_t *) calloc(h->n_buckets, sizeof(mh_node_t)); -#if !mh_bytemap - h->b = (uint32_t *) calloc(h->n_buckets / 16 + 1, sizeof(uint32_t)); -#else - h->b = (uint8_t *) calloc(h->n_buckets, sizeof(uint8_t)); -#endif + h->n_buckets = n_buckets; + h->p = p; + h->b = b; h->size = 0; h->upper_bound = h->n_buckets * MH_DENSITY; + return 0; } void @@ -515,42 +539,47 @@ _mh(start_resize)(struct _mh(t) *h, mh_int_t buckets, mh_int_t batch, /* hash size is already greater than requested */ return 0; } - while (h->prime < __ac_HASH_PRIME_SIZE - 1) { - if (__ac_prime_list[h->prime] >= buckets) + mh_int_t new_prime = h->prime; + while (new_prime < __ac_HASH_PRIME_SIZE - 1) { + if (__ac_prime_list[new_prime] >= buckets) break; - h->prime += 1; + new_prime += 1; } - - h->batch = batch > 0 ? batch : h->n_buckets / (256 * 1024); - if (h->batch < 256) { + mh_int_t new_batch = batch > 0 ? batch : h->n_buckets / (256 * 1024); + if (new_batch < 256) { /* * Minimal batch must be greater or equal to * 1 / (1 - f), where f is upper bound percent * = MH_DENSITY */ - h->batch = 256; + new_batch = 256; } - struct _mh(t) *s = h->shadow; - memcpy(s, h, sizeof(*h)); - s->resize_position = 0; - s->n_buckets = __ac_prime_list[h->prime]; - s->upper_bound = s->n_buckets * MH_DENSITY; - s->n_dirty = 0; - s->size = 0; - s->p = (mh_node_t *) malloc(s->n_buckets * sizeof(mh_node_t)); - if (s->p == NULL) + mh_int_t n_buckets = __ac_prime_list[new_prime]; + mh_node_t *p = (mh_node_t *)malloc(n_buckets * sizeof(mh_node_t)); + if (p == NULL) return -1; #if !mh_bytemap - s->b = (uint32_t *) calloc(s->n_buckets / 16 + 1, sizeof(uint32_t)); + uint32_t *b = (uint32_t *)calloc(n_buckets / 16 + 1, sizeof(uint32_t)); #else - s->b = (uint8_t *) calloc(s->n_buckets, sizeof(uint8_t)); + uint8_t *b = (uint8_t *)calloc(n_buckets, sizeof(uint8_t)); #endif - if (s->b == NULL) { - free(s->p); - s->p = NULL; + if (b == NULL) { + free(p); return -1; } + + h->prime = new_prime; + h->batch = new_batch; + struct _mh(t) *s = h->shadow; + memcpy(s, h, sizeof(*h)); + s->resize_position = 0; + s->n_buckets = n_buckets; + s->upper_bound = s->n_buckets * MH_DENSITY; + s->n_dirty = 0; + s->size = 0; + s->p = p; + s->b = b; _mh(resize)(h, arg); return 0; diff --git a/test/unit/mhash_body.c b/test/unit/mhash_body.c index 458817fb1..324c72a43 100644 --- a/test/unit/mhash_body.c +++ b/test/unit/mhash_body.c @@ -23,7 +23,7 @@ h = init(); destroy(h); h = init(); -clear(h); +fail_unless(clear(h) == 0); /* access not yet initialized hash */ clr(9); @@ -59,7 +59,7 @@ tst(7); tst(8); tst(9); -clear(h); +fail_unless(clear(h) == 0); /* after clear no items should exist */ clr(1); -- 2.20.1