Get rid of use-after-free in async registry by jvolmer · Pull Request #21779 · arangodb/arangodb · GitHub

Get rid of use-after-free in async registry #21779


Merged
merged 1 commit into from
May 20, 2025

Conversation

jvolmer
Contributor
@jvolmer jvolmer commented May 19, 2025

Use-after-free happened in nightly alubsan run.

The mark for deletion of a node after all its references are gone was actually much too complicated: I wanted to make sure that if there is a hierarchy of parents where each parent has only one child and the lowest child is marked for deletion like this:

parent
  child
    child of child
      child of child of child (marked for deletion)

all parents in the hierarchy are directly marked for deletion as well and we don't have to run the garbage collection several times to do that (A node has a shared pointer to its parent: when the shared pointer to the parent is destroyed - normally happening in the garbage collection - the node is marked for deletion). In the old behaviour, we cascaded through the full hierarchy and marked parents for deletion as well. Then at some point the shared pointer to the parent is also destroyed, leading to another try to access the parent node. If a garbage collection ran in between, the node was already deleted, leading to a use-after-free.
The easy solution: get rid of the parent reference when marking the node for deletion. Then the shared pointer to the parent is potentially destroyed earlier, leading to a mark for deletion of the parent automatically. Don't know why I did not think about this earlier...
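The mechanism described above, as an added example that is not ArangoDB's code and not part of the PR: a hypothetical registry (names `Registry`, `Node`, `handle_for`, `run_chain` are invented for illustration) owns its nodes and frees marked ones in `gc()`, while every node holds a `std::shared_ptr` to its parent whose custom deleter only marks the parent for deletion. A flag selects the old hand-rolled cascade (the parent reference survives until `gc()` frees the node, so the deleter fires a second time, possibly against an already freed parent) or the fix (the parent reference is dropped at mark time, so the cascade happens through the deleter before any garbage collection). The `live` set and the `dangling_accesses` counter are model-only bookkeeping so the demo can observe the dangling deleter call without dereferencing freed memory; real code has no such guard, which is exactly where the sanitizer reported the use-after-free.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <set>
#include <vector>

struct Node;

// Hypothetical registry (not ArangoDB's): owns the nodes, frees marked ones in gc().
struct Registry {
  explicit Registry(bool fix) : release_parent_on_mark(fix) {}
  ~Registry();
  Node* add(Node* parent);
  void mark_for_deletion(Node* node);
  std::size_t gc();
  std::size_t marked_count() const;
  bool alive(const Node* n) const { return live.count(n) != 0; }

  bool release_parent_on_mark;        // false = old cascading behaviour, true = the fix
  std::vector<Node*> nodes;           // owning; root-first insertion order
  std::set<const Node*> live;         // model-only bookkeeping to detect a dangling access safely
  std::size_t dangling_accesses = 0;  // each one is a use-after-free in real code
 private:
  std::shared_ptr<Node> handle_for(Node* p);
};

struct Node {
  bool marked = false;
  std::size_t child_count = 0;   // only the old cascading logic needs this
  std::shared_ptr<Node> parent;  // the deleter marks the parent, it never frees it
  std::weak_ptr<Node> handle;    // siblings share one control block for the same parent
};

Registry::~Registry() {
  for (Node* n : nodes) n->parent.reset();  // drop every reference before freeing anything
  for (Node* n : nodes) delete n;
}

std::shared_ptr<Node> Registry::handle_for(Node* p) {
  if (auto h = p->handle.lock()) return h;
  // Runs when the last child reference to p disappears: mark p, do not free it.
  std::shared_ptr<Node> h(p, [this](Node* parent) {
    if (!alive(parent)) { ++dangling_accesses; return; }  // real code would dereference freed memory here
    mark_for_deletion(parent);
  });
  p->handle = h;
  return h;
}

Node* Registry::add(Node* parent) {
  Node* n = new Node;
  if (parent != nullptr) { ++parent->child_count; n->parent = handle_for(parent); }
  nodes.push_back(n);
  live.insert(n);
  return n;
}

void Registry::mark_for_deletion(Node* node) {
  if (node->marked) return;
  node->marked = true;
  if (release_parent_on_mark) {
    // The fix: drop the parent reference now. If it was the last one the deleter
    // fires immediately and marks the parent, which repeats up the chain.
    node->parent.reset();
  } else {
    // Old behaviour: mark single-child ancestors by hand but keep node->parent
    // alive until gc() frees the node, so the deleter fires again later.
    for (Node* p = node->parent.get(); p && p->child_count == 1; p = p->parent.get()) p->marked = true;
  }
}

std::size_t Registry::gc() {
  std::size_t freed = 0;
  for (std::size_t i = 0; i < nodes.size();) {
    Node* n = nodes[i];
    if (!n->marked) { ++i; continue; }
    nodes.erase(nodes.begin() + i);
    live.erase(n);
    delete n;  // destroys n->parent; if that was the last reference the deleter runs now
    ++freed;
  }
  return freed;
}

std::size_t Registry::marked_count() const {
  return static_cast<std::size_t>(
      std::count_if(nodes.begin(), nodes.end(), [](const Node* n) { return n->marked; }));
}

struct Outcome { std::size_t marked_before_gc, freed, dangling_accesses; };

// The hierarchy from the PR description: every parent has exactly one child and
// only the lowest node is marked for deletion, then a single gc() pass runs.
Outcome run_chain(bool fix) {
  Registry reg(fix);
  Node* parent = reg.add(nullptr);
  Node* child = reg.add(parent);
  Node* grandchild = reg.add(child);
  Node* leaf = reg.add(grandchild);
  reg.mark_for_deletion(leaf);
  Outcome o{reg.marked_count(), 0, 0};
  o.freed = reg.gc();
  o.dangling_accesses = reg.dangling_accesses;
  return o;
}

// With the fix, a parent that still has another child stays unmarked until that
// child is marked as well; shared_ptr's reference count does the bookkeeping.
bool siblings_keep_parent_alive() {
  Registry reg(true);
  Node* parent = reg.add(nullptr);
  Node* x = reg.add(parent);
  Node* y = reg.add(parent);
  reg.mark_for_deletion(x);
  bool untouched_after_first = !parent->marked;
  reg.mark_for_deletion(y);
  return untouched_after_first && parent->marked && reg.gc() == 3 && reg.dangling_accesses == 0;
}

int main() {
  for (bool fix : {false, true}) {
    Outcome o = run_chain(fix);
    std::printf("%s: marked before gc=%zu freed=%zu dangling accesses=%zu\n",
                fix ? "fixed" : "old  ", o.marked_before_gc, o.freed, o.dangling_accesses);
  }
  return siblings_keep_parent_alive() ? 0 : 1;
}
```

Both strategies mark all four nodes before the first `gc()`, so neither needs several collection passes; the difference is that the old cascade leaves three parent references alive and `gc()` then runs the deleter against three parents it has already freed (root-first order is the interleaving that exposes this), while the fix has already dropped every parent reference by the time anything is freed. Compile with `-fsanitize=address` if you want to confirm the model itself is clean; the dangling accesses are only counted, never dereferenced.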

@jvolmer jvolmer self-assigned this May 19, 2025
@cla-bot cla-bot bot added the cla-signed label May 19, 2025
@KVS85 KVS85 added this to the devel milestone May 20, 2025
@goedderz goedderz merged commit 3258958 into devel May 20, 2025
9 checks passed
@goedderz goedderz deleted the bug-fix/get-rid-of-use-after-free-in-async-registry branch May 20, 2025 11:27
3 participants