From: Nikita Pettik
Date: Mon, 27 Apr 2020 03:52:13 +0300
Subject: [Tarantool-patches] [PATCH v3 0/3] vinyl: fix uninitialized memory accesses
List-Id: Tarantool development patches
To: tarantool-patches@dev.tarantool.org
Cc: v.shpilevoy@tarantool.org

Branch: https://github.com/tarantool/tarantool/commits/np/gh-4864-access-to-uninit-mem
Issue: https://github.com/tarantool/tarantool/issues/4864

Changes in v2:
 - replaced error injection ERRINJ_VY_MAX_TUPLE_SIZE with
   ERRINJ_VY_STMT_ALLOC (i.e. now vy_stmt_alloc() fails not due to
   exceeding max size, but owing to allocation failure);
 - found another use-after-free bug in case vy_read_view_merge()
   fails. Fix is merged into second patch;
 - added ERRINJ_VY_READ_VIEW_MERGE_FAIL to provide test case in case
   of vy_read_view_merge() failure;
 - fixed test covering second bug: error injection value accidentally
   was set to a wrong value (bad copy-paste).

Changes in v3:
 - instead of nullifying read views (which may lead to tuple leaks),
   let's call proper finalizing routine vy_read_view_stmt_destroy();
 - found another possible crash due to extra tuple format unref in
   case of failed compaction; fix to that is introduced in third patch
   in series.

@ChangeLog:
 * Fixed crash during compaction due to tuples with size exceeding
   vinyl_max_tuple_size setting.

Nikita Pettik (3):
  vinyl: init all vars before cleanup in vy_lsm_split_range()
  vinyl: clean-up unprocessed read views in *_build_read_views()
  vinyl: clean-up write iterator if vy_task_write_run() fails

 src/box/vy_lsm.c                              |   4 +-
 src/box/vy_scheduler.c                        |   4 +-
 src/box/vy_stmt.c                             |  10 +
 src/box/vy_write_iterator.c                   |  32 +-
 src/errinj.h                                  |   3 +
 test/box/errinj.result                        |   3 +
 .../gh-4864-stmt-alloc-fail-compact.result    | 333 ++++++++++++++++++
 .../gh-4864-stmt-alloc-fail-compact.test.lua  | 152 ++++++++
 test/vinyl/suite.ini                          |   2 +-
 9 files changed, 536 insertions(+), 7 deletions(-)
 create mode 100644 test/vinyl/gh-4864-stmt-alloc-fail-compact.result
 create mode 100644 test/vinyl/gh-4864-stmt-alloc-fail-compact.test.lua

-- 
2.17.1