|
See QA-10
For #1 right now I think we just touch the beginning of the record not the whole thing in all the cases where touch() gets called, but it is a latent issue. Same may be true for #2.
1) Record::touch can read one byte past the end of a record if data == end, potentially this can cause a seg fault unless we always have some padding in extents which I haven't seen
2) In update.cpp and clientcursor.cpp we use mmmutex to ensure a Record* doesn't get unmapped. However, this does not prevent the memory pointed at by the Record* from being changed. If the memory is changed so that the pointer no longer points to the beginning of a Record, it could interpret an invalid value as lengthWithHeaders and then read an invalid length when calling touch() causing a seg fault.
3) In update.cpp, when we yield for an update by id, the 'nsdt' and 'd' pointers may be invalidated causing a seg fault.
|