memtx: fix use-after-free of successor in `tree_iterator_start`
We assumed that the successor tuple's story could not get garbage collected on clarify of result tuple in `tree_iterator_start`, since they coincide in case of regular iterators. But this is not the case for reverse iterators: the result tuple is off-by-one from the successor, which means the successor's story can get garbage collected along with the tuple itself getting deleted, leading to use-after-free of successor: remove garbage collection from `memtx_tx_tuple_clarify` and call it manually.

The crash in #7756 revealed that the `put` in transaction manager's story hash table was performed incorrectly: fix it and add an assertion that nothing was replaced.

Closes #7755
Closes #7756

NO_DOC=bugfix
Showing
- changelogs/unreleased/gh-7755-memtx-rev-iters-repeatable-read-violation.md: 4 additions, 0 deletions
- changelogs/unreleased/gh-7756-memtx-crash-on-series-of-txs.md: 3 additions, 0 deletions
- src/box/memtx_bitset.cc: 2 additions, 1 deletion
- src/box/memtx_hash.cc: 10 additions, 2 deletions
- src/box/memtx_rtree.cc: 4 additions, 2 deletions
- src/box/memtx_tree.cc: 7 additions, 6 deletions
- src/box/memtx_tx.c: 4 additions, 3 deletions
- src/box/memtx_tx.h: 0 additions, 3 deletions
- test/box-luatest/gh_7755_memtx_rev_iters_repeatable_read_violation_test.lua: 61 additions, 0 deletions
- test/box-luatest/gh_7756_memtx_crash_on_series_of_txs_test.lua: 54 additions, 0 deletions