Bug#27675005 NDB::DROPEVENTOPERATION() CAUSED CRASH, - GCC CODE GEN. BUG?

Ole John Aske · Daniel Horecki · commit 9e7da1b94f2a · 2018-03-22T10:56:50.000+01:00
When Ndb::DropEventOperation() decided to clean up any pending event,
it failed to correctly clear the 'tail' pointer to the list of 'Gci_ops'
being deleted and discarded. Thus the 'tail' pointer refers a deleted
Gci_ops object.

Later arriving Gci_ops may then be inserted as 'next' Gci_ops
to this deleted object, causing memory corription and other havoc.

Root cause is that we explicitely called the EventBufData_list d'tor
from NdbEventBuffer::free_list() as a convinient way of releasing any
Gci_op / Gci_ops in the 'list'. This d'tor also updated the head and
tail pointer of the list as each contained element is deleted.

However, with the (new) 'dead storage elimination'-optimization
introduced in gcc 6.0, the updated 'head' and 'tail' in the destructed
'list' is not considered persistent after the destruction, thus
the code is eliminated by the optimizer.

This patch replace the explicit call to the d'tor by calling the
new method ::delete_gci_ops(). This methods essentially does the
same as the d'tor, which now is also changed to call this method.
Not calling the d'tor, disalowes the compiler to do dse-optimization
of the cleared head / tail pointer, which removes the root cause.

Also introduce a Gci_ops d'tor which takes over delete[] of
Gci_op contained within it. This replace part of the
'delete' code from delete_next_gci_ops()

(cherry picked from commit f22bdc5f0be4145f352527c7b4124a6d434a4678)
diff --git a/storage/ndb/src/ndbapi/NdbEventOperationImpl.cpp b/storage/ndb/src/ndbapi/NdbEventOperationImpl.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -3974,7 +3974,7 @@ NdbEventBuffer::free_list(EventBufData_list &list)
     list.m_head = list.m_tail = NULL;
     list.m_count = list.m_sz = 0;
   }
-  list.~EventBufData_list(); // free gci ops
+  list.delete_gci_ops(); // free gci ops
 }
 
 void EventBufData_list::append_list(EventBufData_list *list,
diff --git a/storage/ndb/src/ndbapi/NdbEventOperationImpl.hpp b/storage/ndb/src/ndbapi/NdbEventOperationImpl.hpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -141,6 +141,8 @@ class EventBufData_list
   EventBufData_list();
   ~EventBufData_list();
 
+  // delete all Gci_op[] / Gci_ops[] in this EventBufData_list
+  void delete_gci_ops();
   // remove first and return its size
   void remove_first(Uint32 & full_count, Uint32 & full_sz);
   // for remove+append avoid double call to get_full_size()
@@ -199,7 +201,14 @@ class EventBufData_list
         m_next(NULL),
         m_gci_op_count(0)
       {};
-    ~Gci_ops() {};
+    ~Gci_ops()
+    {
+      if (m_gci_op_list)
+      {
+        DBUG_PRINT_EVENT("info", ("delete m_gci_op_list: %p", m_gci_op_list));
+        delete [] m_gci_op_list;
+      }
+    };
 
     MonotonicEpoch m_gci;
     Uint32 m_error;
@@ -238,7 +247,7 @@ EventBufData_list::EventBufData_list()
     m_count(0),
     m_sz(0),
     m_gci_op_list(NULL),
-    m_gci_ops_list_tail(0),
+    m_gci_ops_list_tail(NULL),
     m_gci_op_alloc(0)
 {
   DBUG_ENTER_EVENT("EventBufData_list::EventBufData_list");
@@ -249,7 +258,13 @@ EventBufData_list::EventBufData_list()
 inline
 EventBufData_list::~EventBufData_list()
 {
-  DBUG_ENTER_EVENT("EventBufData_list::~EventBufData_list");
+  delete_gci_ops();
+}
+
+inline
+void EventBufData_list::delete_gci_ops()
+{
+  DBUG_ENTER_EVENT("EventBufData_list::delete_gci_ops");
   DBUG_PRINT_EVENT("info", ("this: %p  m_is_not_multi_list: %u",
                             this, m_is_not_multi_list));
   if (m_is_not_multi_list)
@@ -342,12 +357,6 @@ EventBufData_list::delete_next_gci_ops()
   assert(!m_is_not_multi_list);
   Gci_ops *first = m_gci_ops_list;
   m_gci_ops_list = first->m_next;
-  if (first->m_gci_op_list)
-  {
-    DBUG_PRINT_EVENT("info", ("this: %p  delete m_gci_op_list: %p",
-                              this, first->m_gci_op_list));
-    delete [] first->m_gci_op_list;
-  }
   delete first;
   if (m_gci_ops_list == 0)
     m_gci_ops_list_tail = 0;

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.`
	`2`	`+ Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.`
`3`	`3`
`4`	`4`	`This program is free software; you can redistribute it and/or modify`
`5`	`5`	`it under the terms of the GNU General Public License as published by`
`@@ -3974,7 +3974,7 @@ NdbEventBuffer::free_list(EventBufData_list &list)`
`3974`	`3974`	`list.m_head = list.m_tail = NULL;`
`3975`	`3975`	`list.m_count = list.m_sz = 0;`
`3976`	`3976`	`}`
`3977`		`- list.~EventBufData_list(); // free gci ops`
	`3977`	`+ list.delete_gci_ops(); // free gci ops`
`3978`	`3978`	`}`
`3979`	`3979`
`3980`	`3980`	`void EventBufData_list::append_list(EventBufData_list *list,`