MB-21738: Fix potential crash due to race deleting VBucket 63/70163/3
authorDave Rigby <daver@couchbase.com>
Mon, 21 Nov 2016 15:09:29 +0000 (15:09 +0000)
committerDave Rigby <daver@couchbase.com>
Mon, 21 Nov 2016 17:49:49 +0000 (17:49 +0000)
commit21ed005e819813aab36c6a629d97d4b7f6cb5474
tree1ab56a07c52e00c281403bf8d4a687651aa89b6f
parent8d564a0c9d1f249a7b9828e3865a759dcf5148ce
MB-21738: Fix potential crash due to race deleting VBucket

There is a potential race condition in
VBucketMap::setPersistenceCheckpointId during VBucket deletion which
can result in dereferencing a deleted pointer, triggering a segfault.

The issue is that setPersistenceCheckpointId can dereference a RCPtr
which has just become null. The issue is on line 177 - we dutifully
check if is valid, but then re-fetch the VBucket - at which point it
may have been set to null by another thread (such as when a VBucket is
deleted).

Fix is to just use the local `vb` to dereference.

Change-Id: I683cb0d0cfe37e710e98ba6bbf1ddd4cf3682a35
Reviewed-on: http://review.couchbase.org/70163
Reviewed-by: David Haikney <david.haikney@couchbase.com>
Tested-by: buildbot <build@couchbase.com>
src/vbucketmap.cc