Full_Name: Hallvard B Furuseth
Version: mdb.master, 355f64ad07537a4f21dc6fe4cef66324316aa84b
OS: Linux x86_64
URL: ftp://ftp.openldap.org/incoming/Hallvard-Furuseth-151118-2.c
Submission from: (NULL) (129.240.203.186)
Submitted by: hallvard
The test program can crash dereferencing mp==NULL at mdb_cursor_del0() line 8244 "nkeys = NUMKEYS(mp);"
Apparently because mdb_rebalance() pushes cursor 'dummy' to mt_cursors[] without initializing mc_flags. The test also uses pagesize 0x8000.
This prevents the crash. Don't know if it's the right fix:
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c index 6bd025d..8bbc54c 100644 --- a/libraries/liblmdb/mdb.c +++ b/libraries/liblmdb/mdb.c @@ -8174,2 +8174,3 @@ mdb_rebalance(MDB_cursor *mc) MDB_cursor dummy; + dummy.mc_flags = C_INITIALIZED; oldki += NUMKEYS(mn.mc_pg[mn.mc_top]);
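Review bot: setting only dummy.mc_flags leaves every other field of the stack-allocated `MDB_cursor dummy` indeterminate, and the report itself notes that `dummy.mc_flags = 0` still crashes, so the flag value is not the whole story; the dummy should be fully initialised (all fields, not just mc_flags) before mdb_rebalance() makes it visible through mt_cursors[], and the added line deserves a comment explaining why C_INITIALIZED is the correct state for a cursor that has not been positioned, since the hunk gives no rationale. With only two lines of context (`@@ -8174,2 +8174,3 @@`) it is also not visible whether the new statement lands between declarations; worth checking that the insertion point does not introduce a mixed declaration/statement for C89 builds.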
OTOH setting dummy.mc_flags = 0 keeps crashing.
To reproduce:
  gcc -O3 -pthread -I. Hallvard-Furuseth-151118-2.c
  mkdir testdb
  rm -f testdb/*; ./a.out -d -i100 -p32768 -r617974163
May need to repeat last line a few times.
Add option -v to see the Put/Del commands.
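The failure mode described in the report (a stack cursor linked into the transaction's cursor list with its flags left uninitialised, so a later walk that trusts the flag dereferences a NULL page pointer) is reproduced below in a cut-down model. This is an added example and not LMDB code; the names Cursor, Page, Txn, C_INITIALIZED, track_cursor_unchecked, track_cursor_init, cursor_consistent and del0_adjust are hypothetical stand-ins for the mdb_rebalance()/mdb_cursor_del0() pattern, and the "flag only" dummy sets pg to NULL explicitly because reading a truly indeterminate field is undefined behaviour and cannot be demonstrated deterministically.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the cursor-tracking pattern from the report; not LMDB's API. */
#define C_INITIALIZED 0x01u
#define MAX_CURSORS   8

typedef struct Page { unsigned nkeys; } Page;

typedef struct Cursor {
    unsigned flags;   /* C_INITIALIZED once the cursor is positioned */
    Page    *pg;      /* current page, NULL until positioned */
    unsigned ki;      /* key index within pg */
} Cursor;

typedef struct Txn {
    Cursor *cursors[MAX_CURSORS];   /* stand-in for mt_cursors[] */
    int     ncursors;
} Txn;

/* Buggy pattern: link the cursor as-is, trusting the caller to have set every field. */
static int track_cursor_unchecked(Txn *txn, Cursor *mc)
{
    if (txn->ncursors >= MAX_CURSORS) return -1;
    txn->cursors[txn->ncursors++] = mc;
    return 0;
}

/* Hardened pattern: clear the whole struct before it becomes visible to other code. */
static int track_cursor_init(Txn *txn, Cursor *mc, Page *pg)
{
    memset(mc, 0, sizeof *mc);            /* no field left indeterminate */
    mc->pg = pg;
    mc->flags = pg ? C_INITIALIZED : 0;   /* flag is only set when pg is valid */
    return track_cursor_unchecked(txn, mc);
}

/* A cursor may claim C_INITIALIZED only if it really points at a page. */
static int cursor_consistent(const Cursor *mc)
{
    return !(mc->flags & C_INITIALIZED) || mc->pg != NULL;
}

/* Stand-in for the mdb_cursor_del0() walk: key 'deleted' was removed from pg
 * (pg->nkeys already reflects that); shift tracked cursors sitting after it.
 * Returns the number of cursors adjusted, or -1 if a tracked cursor is inconsistent. */
static int del0_adjust(Txn *txn, Page *pg, unsigned deleted)
{
    int adjusted = 0;
    for (int i = 0; i < txn->ncursors; i++) {
        Cursor *mc = txn->cursors[i];
        if (!cursor_consistent(mc)) return -1;         /* would have been the NULL deref */
        if (!(mc->flags & C_INITIALIZED)) continue;    /* unpositioned dummy: skip */
        if (mc->pg != pg) continue;
        unsigned nkeys = mc->pg->nkeys;                /* the read that crashed in the report */
        if (mc->ki > deleted) mc->ki--;
        if (mc->ki >= nkeys) mc->flags &= ~C_INITIALIZED;  /* ran off the end of the page */
        adjusted++;
    }
    return adjusted;
}

/* Mimics the report's patch: only the flag is set on the dummy, pg is not.
 * Expected: -1, the inconsistent dummy is caught instead of dereferenced. */
static int demo_flag_only_dummy(void)
{
    Txn txn = {0};
    Page pg = { 2 };                 /* 3 keys before deleting key 1 */
    Cursor real, dummy;
    track_cursor_init(&txn, &real, &pg);
    real.ki = 2;
    dummy.flags = C_INITIALIZED;     /* flag says "positioned" ... */
    dummy.pg = NULL;                 /* ... but there is no page (constructed stand-in for garbage) */
    dummy.ki = 0;
    track_cursor_unchecked(&txn, &dummy);
    return del0_adjust(&txn, &pg, 1);
}

/* Fully initialised dummy: skipped by the walk, the real cursor shifts from ki=2 to ki=1.
 * Expected: 1 (the real cursor's new key index). */
static int demo_fully_initialised_dummy(void)
{
    Txn txn = {0};
    Page pg = { 2 };
    Cursor real, dummy;
    track_cursor_init(&txn, &real, &pg);
    real.ki = 2;
    track_cursor_init(&txn, &dummy, NULL);   /* flags = 0, pg = NULL: consistent */
    if (del0_adjust(&txn, &pg, 1) != 1) return -1;
    return (int)real.ki;
}

int main(void)
{
    printf("flag-only dummy: %d\n", demo_flag_only_dummy());
    printf("initialised dummy, real.ki: %d\n", demo_fully_initialised_dummy());
    return 0;
}
```

The point of the model is the second pattern: whatever flag value turns out to be right, a cursor that other code can reach through a shared list must have every field set before it is linked in, and the walker should not trust a flag that contradicts the pointer it guards.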