From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <korablev@tarantool.org>
Received: from smtp52.i.mail.ru (smtp52.i.mail.ru [94.100.177.112])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id B755A4696C4
 for <tarantool-patches@dev.tarantool.org>;
 Mon, 27 Apr 2020 03:52:19 +0300 (MSK)
From: Nikita Pettik <korablev@tarantool.org>
Date: Mon, 27 Apr 2020 03:52:13 +0300
Message-Id: <cover.1587948306.git.korablev@tarantool.org>
Subject: [Tarantool-patches] [PATCH v3 0/3] vinyl: fix uninitialized memory
	accesses
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
To: tarantool-patches@dev.tarantool.org
Cc: v.shpilevoy@tarantool.org

Branch: https://github.com/tarantool/tarantool/commits/np/gh-4864-access-to-uninit-mem
Issue: https://github.com/tarantool/tarantool/issues/4864

Changes in v2:
 - replaced error injection ERRINJ_VY_MAX_TUPLE_SIZE with
ERRINJ_VY_STMT_ALLOC (i.e. now vy_stmt_alloc() fails not due to exceed
max size, but owing to allocation failure);
 - found another one use-after-free bug in case vy_read_view_merge()
fails. Fix is merged into second patch;
 - added ERRINJ_VY_READ_VIEW_MERGE_FAIL to provide test case in
case of vy_read_view_merge() failure;
 - fixed test covering second bug: error injection value accidentally
was set to a wrong value (bad copy-paste).

Changes in v3:
 - instead of nullifing read views (which may lead to tuple leaks), let's
call proper finalizing routine vy_read_view_stmt_destroy();
 - found another one possible crash due to extra tuple format unref
in case of failed compaction; fix to that is introduced in third patch
in series.

@ChangeLog:
* Fixed crash during compaction due to tuples with size exceeding
vinyl_max_tuple_size setting.

Nikita Pettik (3):
  vinyl: init all vars before cleanup in vy_lsm_split_range()
  vinyl: clean-up unprocessed read views in *_build_read_views()
  vinyl: clean-up write iterator if vy_task_write_run() fails

 src/box/vy_lsm.c                              |   4 +-
 src/box/vy_scheduler.c                        |   4 +-
 src/box/vy_stmt.c                             |  10 +
 src/box/vy_write_iterator.c                   |  32 +-
 src/errinj.h                                  |   3 +
 test/box/errinj.result                        |   3 +
 .../gh-4864-stmt-alloc-fail-compact.result    | 333 ++++++++++++++++++
 .../gh-4864-stmt-alloc-fail-compact.test.lua  | 152 ++++++++
 test/vinyl/suite.ini                          |   2 +-
 9 files changed, 536 insertions(+), 7 deletions(-)
 create mode 100644 test/vinyl/gh-4864-stmt-alloc-fail-compact.result
 create mode 100644 test/vinyl/gh-4864-stmt-alloc-fail-compact.test.lua

-- 
2.17.1