MB-21738: Fix potential crash due to race deleting VBucket 63/70163/3
author Dave Rigby <daver@couchbase.com>
Mon, 21 Nov 2016 15:09:29 +0000 (15:09 +0000)
committer Dave Rigby <daver@couchbase.com>
Mon, 21 Nov 2016 17:49:49 +0000 (17:49 +0000)

There is a potential race condition in
VBucketMap::setPersistenceCheckpointId during VBucket deletion which
can result in dereferencing a deleted pointer, triggering a segfault.

The issue is that setPersistenceCheckpointId can dereference an RCPtr
which has just become null. The issue is on line 177 - we dutifully
check if it is valid, but then re-fetch the VBucket - at which point it
may have been set to null by another thread (such as when a VBucket is
deleted).

Fix is to just use the local `vb` to dereference.

Change-Id: I683cb0d0cfe37e710e98ba6bbf1ddd4cf3682a35
Reviewed-on: http://review.couchbase.org/70163
Reviewed-by: David Haikney <david.haikney@couchbase.com>
Tested-by: buildbot <build@couchbase.com>
src/vbucketmap.cc

index cff9d3a..f388481 100644 (file)
@@ -168,7 +168,7 @@ void VBucketMap::setPersistenceCheckpointId(id_type id,
     if (id < size) {
         auto vb = getBucket(id);
         if (vb) {
-            getBucket(id)->setPersistenceCheckpointId(checkpointId);
+            vb->setPersistenceCheckpointId(checkpointId);
         }
     }
 }
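
Review bot: the `vb->setPersistenceCheckpointId(checkpointId);` call inside `if (vb)` is now the only thing standing between this function and the race, but nothing in the code says why the local must be used, so a later cleanup could reintroduce the second `getBucket(id)`. Please add a one-line comment above the call stating that `vb` is checked and dereferenced as the same local copy because the map entry can be reset by another thread between two fetches. The fix also relies on `auto vb` holding its own reference to the VBucket for the duration of the call; that holds if `getBucket` returns the RCPtr described in the commit message, and it is worth confirming it never returns a raw pointer. The visible change carries no test that deletes a VBucket concurrently with this call, so a regression here would only show up as an intermittent crash.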