Todd Lipcon has submitted this change and it was merged. Change subject: KUDU-777. Fix potential use-after-free after major delta compaction ......................................................................
KUDU-777. Fix potential use-after-free after major delta compaction This fixes the following race which could cause a crash: - compaction policy is running on T1 - while constructing a RowSetTree, we call RowSet::GetBounds() -- this calls base_data_->GetBounds() and returns Slices which point to storage owned by the CFileSet - T2 completes a major delta compaction on the same rowset, which ends up destroying the original base_data_, thus invalidating the slices - T1 continues and tries to access the slices, causing use-after-free The fix is the most straight-forward one: we change GetBounds() to return std::strings instead of Slices. There might be a small perf difference here, but this call never shows up on hot paths like read or write operations. I looped build/latest/bin/mt-tablet-test --gtest_filter=MultiThreadedTabletTest/1.DeleteAndReinsert 1000 times in an ASAN build. Before the patch, it failed 2/1000 with a use-after-free on the bounds Slice. With the patch, it passed 1000/1000. Change-Id: Ife1adaa3125642fc96364be69f42989800241256 Reviewed-on: http://gerrit.cloudera.org:8080/2731 Reviewed-by: Adar Dembo <[email protected]> Tested-by: Kudu Jenkins --- M src/kudu/tablet/cfile_set.cc M src/kudu/tablet/cfile_set.h M src/kudu/tablet/diskrowset.cc M src/kudu/tablet/diskrowset.h M src/kudu/tablet/memrowset.cc M src/kudu/tablet/memrowset.h M src/kudu/tablet/mock-rowsets.h M src/kudu/tablet/rowset.cc M src/kudu/tablet/rowset.h M src/kudu/tablet/rowset_info.cc M src/kudu/tablet/rowset_info.h M src/kudu/tablet/rowset_tree-test.cc M src/kudu/tablet/rowset_tree.cc 13 files changed, 63 insertions(+), 64 deletions(-) Approvals: Adar Dembo: Looks good to me, approved Kudu Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/2731 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ife1adaa3125642fc96364be69f42989800241256 Gerrit-PatchSet: 3 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Todd Lipcon <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon <[email protected]>
