mirror of
https://github.com/MariaDB/server.git
synced 2025-01-29 18:20:07 +01:00
4ebac0fc86
MariaDB server crashes on ARM (weak memory model architecture) while concurrently executing l_find to load node->key and add_to_purgatory to store node->key = NULL. l_find then uses key (which is NULL), to pass it to a comparison function. The specific problem is the out-of-order execution that happens on a weak memory model architecture. Two essential reorderings are possible, which need to be prevented. a) As l_find has no barriers in place between the optimistic read of the key field lf_hash.cc#L117 and the verification of link lf_hash.cc#L124, the processor can reorder the load to happen after the while-loop. In that case, a concurrent thread executing add_to_purgatory on the same node can be scheduled to store NULL at the key field lf_alloc-pin.c#L253 before key is loaded in l_find. b) A node is marked as deleted by a CAS in l_delete lf_hash.cc#L247 and taken off the list with an upfollowing CAS lf_hash.cc#L252. Only if both CAS succeed, the key field is written to by add_to_purgatory. However, due to a missing barrier, the relaxed store of key lf_alloc-pin.c#L253 can be moved ahead of the two CAS operations, which makes the value of the local purgatory list stored by add_to_purgatory visible to all threads operating on the list. As the node is not marked as deleted yet, the same error occurs in l_find. This change three accesses to be atomic. * optimistic read of key in l_find lf_hash.cc#L117 * read of link for verification lf_hash.cc#L124 * write of key in add_to_purgatory lf_alloc-pin.c#L253 Reviewers: Sergei Vojtovich, Sergei Golubchik Fixes: MDEV-23510 / d30c1331a18d875e553f3fcf544997e4f33fb943 |
||
|---|---|---|
| .. | ||
| crc32 | ||
| array.c | ||
| base64.c | ||
| ChangeLog | ||
| charset-def.c | ||
| charset.c | ||
| CMakeLists.txt | ||
| crc32ieee.cc | ||
| errors.c | ||
| file_logger.c | ||
| get_password.c | ||
| guess_malloc_library.c | ||
| hash.c | ||
| lf_alloc-pin.c | ||
| lf_dynarray.c | ||
| lf_hash.cc | ||
| list.c | ||
| ma_dyncol.c | ||
| mf_arr_appstr.c | ||
| mf_cache.c | ||
| mf_dirname.c | ||
| mf_fn_ext.c | ||
| mf_format.c | ||
| mf_getdate.c | ||
| mf_iocache.c | ||
| mf_iocache2.c | ||
| mf_keycache.c | ||
| mf_keycaches.c | ||
| mf_loadpath.c | ||
| mf_pack.c | ||
| mf_path.c | ||
| mf_qsort.c | ||
| mf_qsort2.c | ||
| mf_radix.c | ||
| mf_same.c | ||
| mf_sort.c | ||
| mf_soundex.c | ||
| mf_tempdir.c | ||
| mf_tempfile.c | ||
| mf_unixpath.c | ||
| mf_wcomp.c | ||
| mulalloc.c | ||
| my_access.c | ||
| my_addr_resolve.c | ||
| my_alarm.c | ||
| my_alloc.c | ||
| my_atomic_writes.c | ||
| my_basename.c | ||
| my_bit.c | ||
| my_bitmap.c | ||
| my_chmod.c | ||
| my_chsize.c | ||
| my_compare.c | ||
| my_compress.c | ||
| my_conio.c | ||
| my_context.c | ||
| my_copy.c | ||
| my_cpu.c | ||
| my_create.c | ||
| my_default.c | ||
| my_delete.c | ||
| my_div.c | ||
| my_dlerror.c | ||
| my_error.c | ||
| my_file.c | ||
| my_fopen.c | ||
| my_fstream.c | ||
| my_gethwaddr.c | ||
| my_getncpus.c | ||
| my_getopt.c | ||
| my_getpagesize.c | ||
| my_getsystime.c | ||
| my_getwd.c | ||
| my_init.c | ||
| my_largepage.c | ||
| my_lib.c | ||
| my_libwrap.c | ||
| my_likely.c | ||
| my_lock.c | ||
| my_lockmem.c | ||
| my_malloc.c | ||
| my_memmem.c | ||
| my_mess.c | ||
| my_minidump.cc | ||
| my_mkdir.c | ||
| my_mmap.c | ||
| my_new.cc | ||
| my_once.c | ||
| my_open.c | ||
| my_port.c | ||
| my_pread.c | ||
| my_pthread.c | ||
| my_quick.c | ||
| my_rdtsc.c | ||
| my_read.c | ||
| my_redel.c | ||
| my_rename.c | ||
| my_rnd.c | ||
| my_safehash.c | ||
| my_safehash.h | ||
| my_seek.c | ||
| my_setuser.c | ||
| my_sleep.c | ||
| my_static.c | ||
| my_static.h | ||
| my_symlink.c | ||
| my_symlink2.c | ||
| my_sync.c | ||
| my_thr_init.c | ||
| my_uuid.c | ||
| my_win_popen.cc | ||
| my_wincond.c | ||
| my_winerr.c | ||
| my_winfile.c | ||
| my_winthread.c | ||
| my_wintoken.c | ||
| my_write.c | ||
| mysys_priv.h | ||
| psi_noop.c | ||
| ptr_cmp.c | ||
| queues.c | ||
| safemalloc.c | ||
| stacktrace.c | ||
| string.c | ||
| test_charset.c | ||
| test_dir.c | ||
| test_thr_mutex.c | ||
| test_xml.c | ||
| testhash.c | ||
| thr_alarm.c | ||
| thr_lock.c | ||
| thr_mutex.c | ||
| thr_rwlock.c | ||
| thr_timer.c | ||
| tree.c | ||
| typelib.c | ||
| waiting_threads.c | ||
| wqueue.c | ||