Full_Name: Robin Rowe Version: --branch OPENLDAP_REL_ENG_2_4 OS: Windows 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (23.242.20.216)
LMDB becomes unstable if we double-commit the same transaction. Caused by freeing me_txn0 again after 2nd commit had previously free it.
To experience this bug, add a second commit to sample-mdb.c about line 43, deliberately cause a double-commit:
sprintf(sval, "%03x %d foo bar", 32, 3141592); rc = mdb_put(txn, dbi, &key, &data, 0); rc = mdb_txn_commit(txn); #ifndef HIDE_DOUBLE_FREE_BUG rc = mdb_txn_commit(txn);// 2nd commit destabilizes LMDB env #endif if (rc) {
What's different after a double-commit... mdb.c:3470 rc = MDB_BAD_TXN; // Detected double-commit mdb.c:3471 goto fail; // Jumps away into unsafe code path...
...Much later, at end of program: mdb_env_close(env); // Heap crash here, double-free! return 0; }
Double-commit eventually crashes us with double-free in mdb_env_close here:
mdb.c:5076 free(env->me_dirty_list); mdb.c:5076 free(env->me_txn0); // 2nd commit already freed // txn pointed to by me_txn0!
Granted it is a user mistake to commit the same transaction twice. However, because the crash won't happen until much later, when env is freed, any LMDB users who make this mistake will be quite perplexed.
Will anyone fix this?
Robin