From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: tarantool-patches@freelists.org
Subject: [PATCH 4/5] relay: close xlog cursor in relay thread
Date: Sat, 29 Dec 2018 00:21:50 +0300 [thread overview]
Message-ID: <a11435265bed850e3f39bf5163481608954543aa.1546030880.git.vdavydov.dev@gmail.com> (raw)
In-Reply-To: <cover.1546030880.git.vdavydov.dev@gmail.com>
In-Reply-To: <cover.1546030880.git.vdavydov.dev@gmail.com>
An xlog_cursor created and used by a relay via recovery context is
destroyed by the main thread once the relay thread has exited. This is
incorrect, because xlog_cursor uses cord's slab allocator and therefore
must be destroyed in the same thread it was created by, otherwise we
risk getting a use-after-free bug. So this patch moves recovery_delete()
invocation to the end of the relay thread routine.
No test is added, because our existing tests already cover this case -
crashes don't usually happen, because we are lucky. The next patch will
add some assertions to make the bug 100% reproducible.
Closes #3910
---
src/box/relay.cc | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/box/relay.cc b/src/box/relay.cc
index 988c01d3..8f5355ae 100644
--- a/src/box/relay.cc
+++ b/src/box/relay.cc
@@ -210,6 +210,26 @@ relay_cancel(struct relay *relay)
}
}
+/**
+ * Called by a relay thread right before termination.
+ */
+static void
+relay_exit(struct relay *relay)
+{
+ struct errinj *inj = errinj(ERRINJ_RELAY_EXIT_DELAY, ERRINJ_DOUBLE);
+ if (inj != NULL && inj->dparam > 0)
+ fiber_sleep(inj->dparam);
+
+ /*
+ * Destroy the recovery context. We MUST do it in
+ * the relay thread, because it contains an xlog
+ * cursor, which must be closed in the same thread
+ * that opened it (it uses cord's slab allocator).
+ */
+ recovery_delete(relay->r);
+ relay->r = NULL;
+}
+
static void
relay_stop(struct relay *relay)
{
@@ -277,6 +297,8 @@ int
relay_final_join_f(va_list ap)
{
struct relay *relay = va_arg(ap, struct relay *);
+ auto guard = make_scoped_guard([=] { relay_exit(relay); });
+
coio_enable();
relay_set_cord_name(relay->io.fd);
@@ -601,10 +623,7 @@ relay_subscribe_f(va_list ap)
NULL, NULL, cbus_process);
cbus_endpoint_destroy(&relay->endpoint, cbus_process);
- struct errinj *inj = errinj(ERRINJ_RELAY_EXIT_DELAY, ERRINJ_DOUBLE);
- if (inj != NULL && inj->dparam > 0)
- fiber_sleep(inj->dparam);
-
+ relay_exit(relay);
return -1;
}
--
2.11.0
next prev parent reply other threads:[~2018-12-28 21:21 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-28 21:21 [PATCH 0/5] Fix a couple of replication breakdown issues Vladimir Davydov
2018-12-28 21:21 ` [PATCH 1/5] recovery: stop writing to xstream on system error Vladimir Davydov
2018-12-29 9:09 ` [tarantool-patches] " Konstantin Osipov
2018-12-29 9:50 ` Vladimir Davydov
2018-12-29 10:57 ` Vladimir Davydov
2018-12-29 12:08 ` Konstantin Osipov
2018-12-28 21:21 ` [PATCH 2/5] relay: do not try to scan xlog if exiting Vladimir Davydov
2018-12-29 9:14 ` [tarantool-patches] " Konstantin Osipov
2018-12-29 9:53 ` Vladimir Davydov
2018-12-28 21:21 ` [PATCH 3/5] relay: cleanup error handling Vladimir Davydov
2018-12-28 21:21 ` Vladimir Davydov [this message]
2018-12-28 21:21 ` [PATCH 5/5] xlog: assure xlog is opened and closed in the same thread Vladimir Davydov
2018-12-29 11:40 ` [PATCH 0/5] Fix a couple of replication breakdown issues Vladimir Davydov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a11435265bed850e3f39bf5163481608954543aa.1546030880.git.vdavydov.dev@gmail.com \
--to=vdavydov.dev@gmail.com \
--cc=tarantool-patches@freelists.org \
--subject='Re: [PATCH 4/5] relay: close xlog cursor in relay thread' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox