[SERVER-3208] unsafe usage of namespace details transient on yield in update.cpp
Created: 06/Jun/11  Updated: 25/Jan/18  Resolved: 01/Aug/11

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 1.8.1
Fix Version/s: 1.9.2

Type: Bug
Priority: Major - P3
Reporter: Aaron Staple
Assignee: Aaron Staple
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related: related to SERVER-32905 deprecate jstests/core/updatef.js (Closed)
Operating System: ALL
Participants:

 Description   

/* idea with these here is to make them loop invariant for multi updates, and thus be a bit faster for that case */
/* NOTE: when yield() is added herein, these must be refreshed after each call to yield! */
NamespaceDetails *d = nsdetails(ns); // can be null if an upsert...
NamespaceDetailsTransient *nsdt = &NamespaceDetailsTransient::get_w(ns);
/* end note */

If we yield and if, for example, somebody calls NamespaceDetailsTransient::clearForPrefix() on a collection with a name that is a prefix of our collection's name, I think nsdt can point to freed memory even though we recover successfully from the yield.



 Comments   
Comment by auto [ 31/Jul/11 ]

Author: Aaron (astaple) <aaron@10gen.com>

Message: SERVER-3208 refresh cached namespace pointers on update yield
Branch: master
https://github.com/mongodb/mongo/commit/789bd622ae3e5199a5a9f8dde7bd1c2882d3b8e9

Comment by auto [ 31/Jul/11 ]

Author: Aaron (astaple) <aaron@10gen.com>

Message: SERVER-3208 test
Branch: master
https://github.com/mongodb/mongo/commit/a30a6a05fa0b94a89acc994cf2895c227e76f645
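
The hazard from the description and the remedy named in the first commit message ("refresh cached namespace pointers on update yield"), as an added example that is not MongoDB's code. Registry, Transient, multiUpdate and demo are hypothetical names, and a weak handle stands in for the raw pointer so the stale use is counted rather than dereferencing freed memory.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <string>
// Toy stand-in for a per-namespace transient cache (hypothetical, not MongoDB's classes).
struct Transient { int writes = 0; };
struct Registry {
    std::map<std::string, std::shared_ptr<Transient>> byNs;
    // Create-on-demand lookup, modelled on the get_w(ns) call in the description.
    std::shared_ptr<Transient> get_w(const std::string& ns) {
        auto& slot = byNs[ns];
        if (!slot) slot = std::make_shared<Transient>();
        return slot;
    }
    // Frees every entry whose namespace name starts with `prefix`.
    void clearForPrefix(const std::string& prefix) {
        auto it = byNs.lower_bound(prefix);
        while (it != byNs.end() && it->first.compare(0, prefix.size(), prefix) == 0)
            it = byNs.erase(it);
    }
};
struct Result { int staleUses; int liveWrites; };

// Applies `docs` updates, yielding after each. The handle is weak so the loop can
// observe the free; with a raw pointer the stale branch would touch freed memory.
Result multiUpdate(Registry& reg, const std::string& ns, int docs,
                   const std::function<void(int)>& yield, bool refreshAfterYield) {
    std::weak_ptr<Transient> cached = reg.get_w(ns);  // resolved once, before the loop
    Result r{0, 0};
    for (int i = 0; i < docs; ++i) {
        if (auto t = cached.lock()) t->writes++; else r.staleUses++;
        yield(i);
        if (refreshAfterYield) cached = reg.get_w(ns);  // re-resolve after every yield
    }
    r.liveWrites = reg.get_w(ns)->writes;  // writes visible on the current entry
    return r;
}

// Constructed scenario: the first yield clears "db.coll", a prefix of "db.coll.sub".
Result demo(bool refreshAfterYield) {
    Registry reg;
    auto yield = [&reg](int i) { if (i == 0) reg.clearForPrefix("db.coll"); };
    return multiUpdate(reg, "db.coll.sub", 3, yield, refreshAfterYield);
}

int main() {
    std::printf("cached: %d stale uses; refreshed: %d\n", demo(false).staleUses, demo(true).staleUses);
}
```

Without the refresh, every iteration after the clearing yield works on an entry the registry no longer owns, and none of its writes reach the live entry.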
