MonetDB: Jul2021 - fixed use after free and leaks

Niels Nes Tue, 21 Feb 2023 03:51:25 -0800

Changeset: 427583f8b136 for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB/rev/427583f8b136
Modified Files:
        gdk/gdk_logger.c
        sql/include/sql_catalog.h
        sql/storage/bat/bat_storage.c
        sql/storage/objectset.c
        sql/storage/store.c
        testing/suppres.txt
Branch: Jul2021
Log Message:


fixed use after free and leaks
only use early cleanup for objects which do no again have objectsets


diffs (269 lines):

diff --git a/gdk/gdk_logger.c b/gdk/gdk_logger.c
--- a/gdk/gdk_logger.c
+++ b/gdk/gdk_logger.c
@@ -2740,7 +2740,7 @@ new_logfile(logger *lg)
        p = (lng) getfilepos(getFile(lg->output_log));
        if (p == -1)
                return GDK_FAIL;
-       if (lg->drops > 100000 || p > log_large || (lg->end*1024) > log_large) {
+       if (((!lg->pending || !lg->pending->next) && lg->drops > 100000) || p > 
log_large || (lg->end*1024) > log_large) {
                lg->id++;
                logger_close_output(lg);
                return logger_open_output(lg);
diff --git a/sql/include/sql_catalog.h b/sql/include/sql_catalog.h
--- a/sql/include/sql_catalog.h
+++ b/sql/include/sql_catalog.h
@@ -235,7 +235,7 @@ typedef int (*tc_cleanup_fptr) (sql_stor
 typedef void (*destroy_fptr)(sql_store store, sql_base *b);
 typedef int (*validate_fptr)(struct sql_trans *tr, sql_base *b, int delete);
 
-extern struct objectset *os_new(sql_allocator *sa, destroy_fptr destroy, bool 
temporary, bool unique, bool concurrent, sql_store store);
+extern struct objectset *os_new(sql_allocator *sa, destroy_fptr destroy, bool 
temporary, bool unique, bool concurrent, bool nested, sql_store store);
 extern struct objectset *os_dup(struct objectset *os);
 extern void os_destroy(struct objectset *os, sql_store store);
 extern int /*ok, error (name existed) and conflict (added before) */ 
os_add(struct objectset *os, struct sql_trans *tr, const char *name, sql_base 
*b);
diff --git a/sql/storage/bat/bat_storage.c b/sql/storage/bat/bat_storage.c
--- a/sql/storage/bat/bat_storage.c
+++ b/sql/storage/bat/bat_storage.c
@@ -2932,6 +2932,8 @@ commit_destroy_del( sql_trans *tr, sql_c
        (void)change;
        (void)commit_ts;
        (void)oldest;
+       if (commit_ts)
+               change->handled = true;
        return 0;
 }
 
@@ -3336,6 +3338,8 @@ log_update_col( sql_trans *tr, sql_chang
 {
        sql_column *c = (sql_column*)change->obj;
 
+       if (isDeleted(c->t))
+               change->handled = true;
        if (!isDeleted(c->t) && !isTempTable(c->t) && !tr->parent) {/* don't 
write save point commits */
                storage *s = ATOMIC_PTR_GET(&c->t->data);
                return tr_log_delta(tr, c->t, ATOMIC_PTR_GET(&c->data), 
s->segs->h, c->base.id);
@@ -3407,7 +3411,7 @@ commit_update_col( sql_trans *tr, sql_ch
        sql_column *c = (sql_column*)change->obj;
        sql_delta *delta = ATOMIC_PTR_GET(&c->data);
 
-       if (isDeleted(c->t))
+       if (change->handled || isDeleted(c->t))
                return ok;
 
        if (isTempTable(c->t))
@@ -3447,6 +3451,8 @@ log_update_idx( sql_trans *tr, sql_chang
 {
        sql_idx *i = (sql_idx*)change->obj;
 
+       if (isDeleted(i->t))
+               change->handled = true;
        if (!isDeleted(i->t) && !isTempTable(i->t) && !tr->parent) { /* don't 
write save point commits */
                storage *s = ATOMIC_PTR_GET(&i->t->data);
                return tr_log_delta(tr, i->t, ATOMIC_PTR_GET(&i->data), 
s->segs->h, i->base.id);
@@ -3488,7 +3494,7 @@ commit_update_idx( sql_trans *tr, sql_ch
        sql_idx *i = (sql_idx*)change->obj;
        sql_delta *delta = ATOMIC_PTR_GET(&i->data);
 
-       if (isDeleted(i->t))
+       if (change->handled || isDeleted(i->t))
                return ok;
 
        if (isTempTable(i->t))
@@ -3547,6 +3553,8 @@ log_update_del( sql_trans *tr, sql_chang
 {
        sql_table *t = (sql_table*)change->obj;
 
+       if (isDeleted(t))
+               change->handled = true;
        if (!isDeleted(t) && !isTempTable(t) && !tr->parent) /* don't write 
save point commits */
                return log_storage(tr, t, ATOMIC_PTR_GET(&t->data), t->base.id);
        return LOG_OK;
@@ -3575,7 +3583,7 @@ commit_update_del( sql_trans *tr, sql_ch
        sql_table *t = (sql_table*)change->obj;
        storage *dbat = ATOMIC_PTR_GET(&t->data);
 
-       if (isDeleted(t))
+       if (change->handled || isDeleted(t))
                return ok;
 
        if (isTempTable(t)) {
@@ -3657,6 +3665,9 @@ gc_col( sqlstore *store, sql_change *cha
        if (!c) /* cleaned earlier */
                return 1;
 
+       if (change->handled || isDeleted(c->t))
+               return 1;
+
        /* savepoint commit (did it merge ?) */
        if (ATOMIC_PTR_GET(&c->data) != change->data || isTempTable(c->t)) /* 
data is freed by commit */
                return 1;
@@ -3711,6 +3722,9 @@ gc_idx( sqlstore *store, sql_change *cha
        if (!i) /* cleaned earlier */
                return 1;
 
+       if (change->handled || isDeleted(i->t))
+               return 1;
+
        /* savepoint commit (did it merge ?) */
        if (ATOMIC_PTR_GET(&i->data) != change->data || isTempTable(i->t)) /* 
data is freed by commit */
                return 1;
@@ -3763,6 +3777,8 @@ tc_gc_del( sql_store Store, sql_change *
        sqlstore *store = Store;
        sql_table *t = (sql_table*)change->obj;
 
+       if (change->handled || isDeleted(t))
+               return 1;
        (void)store;
        /* savepoint commit (did it merge ?) */
        if (ATOMIC_PTR_GET(&t->data) != change->data || isTempTable(t)) /* data 
is freed by commit */
diff --git a/sql/storage/objectset.c b/sql/storage/objectset.c
--- a/sql/storage/objectset.c
+++ b/sql/storage/objectset.c
@@ -62,7 +62,8 @@ typedef struct objectset {
        bool
                temporary:1,
                unique:1, /* names are unique */
-               concurrent:1;   /* concurrent inserts are allowed */
+               concurrent:1,   /* concurrent inserts are allowed */
+           nested:1;
        sql_store store;
 } objectset;
 
@@ -533,7 +534,8 @@ try_to_mark_deleted_for_destruction(sqls
                }
 
                ov->ts = store_get_timestamp(store)+1;
-               ov_destroy_obj_recursive(store, ov);
+               if (!ov->os->nested)
+                       ov_destroy_obj_recursive(store, ov);
        }
 }
 
@@ -640,7 +642,7 @@ tc_commit_objectversion(sql_trans *tr, s
 }
 
 objectset *
-os_new(sql_allocator *sa, destroy_fptr destroy, bool temporary, bool unique, 
bool concurrent, sql_store store)
+os_new(sql_allocator *sa, destroy_fptr destroy, bool temporary, bool unique, 
bool concurrent, bool nested, sql_store store)
 {
        objectset *os = SA_NEW(sa, objectset);
        *os = (objectset) {
@@ -650,6 +652,7 @@ os_new(sql_allocator *sa, destroy_fptr d
                .temporary = temporary,
                .unique = unique,
                .concurrent = concurrent,
+               .nested = nested,
                .store = store
        };
        os->destroy = destroy;
diff --git a/sql/storage/store.c b/sql/storage/store.c
--- a/sql/storage/store.c
+++ b/sql/storage/store.c
@@ -1060,14 +1060,14 @@ load_schema(sql_trans *tr, res_table *rt
                s->system = 
*(bte*)store->table_api.table_fetch_value(rt_schemas, find_sql_column(ss, 
"system"));
                s->owner = 
*(sqlid*)store->table_api.table_fetch_value(rt_schemas, find_sql_column(ss, 
"owner"));
 
-               s->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, 
false, true, true, store);
-               s->types = os_new(tr->sa, (destroy_fptr) &type_destroy, false, 
true, true, store);
-               s->funcs = os_new(tr->sa, (destroy_fptr) &func_destroy, false, 
false, false, store);
-               s->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, false, 
true, true, store);
-               s->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, false, 
true, true, store);
-               s->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, false, 
true, true, store);
-               s->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, 
false, true, true, store);
-               s->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, false, 
false, true, store);
+               s->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, 
false, true, true, false, store);
+               s->types = os_new(tr->sa, (destroy_fptr) &type_destroy, false, 
true, true, false, store);
+               s->funcs = os_new(tr->sa, (destroy_fptr) &func_destroy, false, 
false, false, false, store);
+               s->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, false, 
true, true, false, store);
+               s->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, false, 
true, true, false, store);
+               s->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, false, 
true, true, false, store);
+               s->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, 
false, true, true, false, store);
+               s->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, false, 
false, true, false, store);
        }
 
        TRC_DEBUG(SQL_STORE, "Load schema: %s %d\n", s->base.name, s->base.id);
@@ -1696,14 +1696,14 @@ bootstrap_create_schema(sql_trans *tr, c
        s->auth_id = auth_id;
        s->owner = owner;
        s->system = TRUE;
-       s->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, false, true, 
true, store);
-       s->types = os_new(tr->sa, (destroy_fptr) &type_destroy, false, true, 
true, store);
-       s->funcs = os_new(tr->sa, (destroy_fptr) &func_destroy, false, false, 
false, store);
-       s->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, false, true, 
true, store);
-       s->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, false, true, 
true, store);
-       s->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, false, true, 
true, store);
-       s->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, false, 
true, true, store);
-       s->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, false, false, 
true, store);
+       s->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, false, true, 
true, false, store);
+       s->types = os_new(tr->sa, (destroy_fptr) &type_destroy, false, true, 
true, false, store);
+       s->funcs = os_new(tr->sa, (destroy_fptr) &func_destroy, false, false, 
false, false, store);
+       s->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, false, true, 
true, false, store);
+       s->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, false, true, 
true, false, store);
+       s->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, false, true, 
true, false, store);
+       s->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, false, 
true, true, false, store);
+       s->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, false, false, 
true, false, store);
        if (os_add(tr->cat->schemas, tr, s->base.name, &s->base)) {
                return NULL;
        }
@@ -3629,8 +3629,8 @@ sql_trans_create_(sqlstore *store, sql_t
        tr->cat = store->cat;
        if (!tr->cat) {
                store->cat = tr->cat = SA_ZNEW(tr->sa, sql_catalog);
-               store->cat->schemas = os_new(tr->sa, (destroy_fptr) 
&schema_destroy, false, true, true, store);
-               store->cat->objects = os_new(tr->sa, (destroy_fptr) 
&key_destroy, false, false, true, store);
+               store->cat->schemas = os_new(tr->sa, (destroy_fptr) 
&schema_destroy, false, true, true, true, store);
+               store->cat->objects = os_new(tr->sa, (destroy_fptr) 
&key_destroy, false, false, true, false, store);
        }
        tr->tmp = store->tmp;
        TRC_DEBUG(SQL_STORE, "New transaction: %p\n", tr);
@@ -3650,12 +3650,12 @@ schema_dup(sql_trans *tr, sql_schema *s,
        ns->system = s->system;
 
        sqlstore *store = tr->store;
-       ns->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, 
isTempSchema(s), true, true, store);
-       ns->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, isTempSchema(s), 
true, true, store);
-       ns->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, isTempSchema(s), 
true, true, store);
-       ns->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, isTempSchema(s), 
true, true, store);
-       ns->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, 
isTempSchema(s), true, true, store);
-       ns->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, 
isTempSchema(s), false, true, store);
+       ns->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, 
isTempSchema(s), true, true, false, store);
+       ns->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, isTempSchema(s), 
true, true, false, store);
+       ns->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, isTempSchema(s), 
true, true, false, store);
+       ns->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, isTempSchema(s), 
true, true, false, store);
+       ns->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, 
isTempSchema(s), true, true, false, store);
+       ns->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, 
isTempSchema(s), false, true, false, store);
 
        /* table_dup will dup keys, idxs, triggers and parts */
        struct os_iter oi;
@@ -4897,14 +4897,14 @@ sql_trans_create_schema(sql_trans *tr, c
        s->auth_id = auth_id;
        s->owner = owner;
        s->system = FALSE;
-       s->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, 
isTempSchema(s), true, true, store);
-       s->types = os_new(tr->sa, (destroy_fptr) &type_destroy, 
isTempSchema(s), true, true, store);
-       s->funcs = os_new(tr->sa, (destroy_fptr) &func_destroy, 
isTempSchema(s), false, false, store);
-       s->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, isTempSchema(s), 
true, true, store);
-       s->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, isTempSchema(s), 
true, true, store);
-       s->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, isTempSchema(s), 
true, true, store);
-       s->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, 
isTempSchema(s), true, true, store);
-       s->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, 
isTempSchema(s), false, true, store);
+       s->tables = os_new(tr->sa, (destroy_fptr) &table_destroy, 
isTempSchema(s), true, true, false, store);
+       s->types = os_new(tr->sa, (destroy_fptr) &type_destroy, 
isTempSchema(s), true, true, false, store);
+       s->funcs = os_new(tr->sa, (destroy_fptr) &func_destroy, 
isTempSchema(s), false, false, false, store);
+       s->seqs = os_new(tr->sa, (destroy_fptr) &seq_destroy, isTempSchema(s), 
true, true, false, store);
+       s->keys = os_new(tr->sa, (destroy_fptr) &key_destroy, isTempSchema(s), 
true, true, false, store);
+       s->idxs = os_new(tr->sa, (destroy_fptr) &idx_destroy, isTempSchema(s), 
true, true, false, store);
+       s->triggers = os_new(tr->sa, (destroy_fptr) &trigger_destroy, 
isTempSchema(s), true, true, false, store);
+       s->parts = os_new(tr->sa, (destroy_fptr) &part_destroy, 
isTempSchema(s), false, true, false, store);
        s->store = tr->store;
 
        if ((res = store->table_api.table_insert(tr, sysschema, &s->base.id, 
&s->base.name, &s->auth_id, &s->owner, &s->system))) {
diff --git a/testing/suppres.txt b/testing/suppres.txt
--- a/testing/suppres.txt
+++ b/testing/suppres.txt
@@ -9,3 +9,4 @@ leak:PyThread_allocate_lock
 leak:*libpython*.so*
 leak:*cpython*.so*
 leak:*libgomp.so*
+leak:*libcrypto.so*
_______________________________________________
checkin-list mailing list -- [email protected]
To unsubscribe send an email to [email protected]

MonetDB: Jul2021 - fixed use after free and leaks

Reply via email to