Fix crash due to delete entry from compress quicklistNode and wrongly split quicklistNode#11242
Merged
oranagra merged 7 commits intoredis:unstablefrom Sep 19, 2022
Merged
Conversation
sundb
changed the title
sundb
force-pushed
the
fix-quicklist-uncompress
branch
from
43c34cc to
bdf7696
Compare
oranagra
reviewed
Sep 7, 2022
Comment on lines
+912
to
+913
| /* Need positive offset for calculating extent below. */ | ||
| if (offset < 0) offset = node->count + offset; |
Member
There was a problem hiding this comment.
can we specify in the top comment in which conditions this bug will trigger?
i.e. so that users can know if they're affected and must upgrade.
will it always result in a crash or also sometimes in messing up the data?
Collaborator
Author
There was a problem hiding this comment.
Updated the top comment, please see again.
Member
There was a problem hiding this comment.
i meant something that's more useful to end users.
like when a certain argument for a certain command is negative.
some way that users can use to figure out if they're using it this way and if they're at risk.
Member
There was a problem hiding this comment.
ohh, i see you did mention it as the end.
so only LSET with negative index and a big (> 1gb) object?
Collaborator
Author
There was a problem hiding this comment.
Yes, LSET with a bit object is the only way that will trigger this crash.
sundb
force-pushed
the
fix-quicklist-uncompress
branch
2 times, most recently
from
fbb9947 to
bf72d4b
Compare
sundb
force-pushed
the
fix-quicklist-uncompress
branch
from
bf72d4b to
faca95a
Compare
oranagra
approved these changes
Sep 19, 2022
oranagra
added
the
release-notes
Merged
oranagra
pushed a commit
that referenced
this pull request
Sep 21, 2022
… split quicklistNode (#11242) This PR mainly deals with 2 crashes introduced in #9357, and fix the QUICKLIST-PACKED-THRESHOLD mess in external test mode. 1. Fix crash due to deleting an entry from a compress quicklistNode When inserting a large element, we need to create a new quicklistNode first, and then delete its previous element, if the node where the deleted element is located is compressed, it will cause a crash. Now add `dont_compress` to quicklistNode, if we want to use a quicklistNode after some operation, we can use this flag like following: ```c node->dont_compress = 1; /* Prevent to be compressed */ some_operation(node); /* This operation might try to compress this node */ some_other_operation(node); /* We can use this node without decompress it */ node->dont_compress = 0; /* Re-able compression */ quicklistCompressNode(node); ``` Perhaps in the future, we could just disable the current entry from being compressed during the iterator loop, but that would require more work. 2. Fix crash due to wrongly split quicklist before #9357, the offset param of _quicklistSplitNode() will not negative. For now, when offset is negative, the split extent will be wrong. following example: ```c int orig_start = after ? offset + 1 : 0; int orig_extent = after ? -1 : offset; int new_start = after ? 0 : offset; int new_extent = after ? offset + 1 : -1; # offset: -2, after: 1, node->count: 2 # current wrong range: [-1,-1] [0,-1] # correct range: [1,-1] [0, 1] ``` Because only `_quicklistInsert()` splits the quicklistNode and only `quicklistInsertAfter()`, `quicklistInsertBefore()` call _quicklistInsert(), so `quicklistReplaceEntry()` and `listTypeInsert()` might occur this crash. But the iterator of `listTypeInsert()` is alway from head to tail(iter->offset is always positive), so it is not affected. The final conclusion is this crash only occur when we insert a large element with negative index into a list, that affects `LSET` command and `RM_ListSet` module api. 3. In external test mode, we need to restore quicklist packed threshold after when the end of test. 4. Show `node->count` in quicklistRepr(). 5. Add new tcl proc `config_get_set` to support restoring config in tests. (cherry picked from commit 13d25dd)
madolson
pushed a commit
to madolson/redis
that referenced
this pull request
Apr 19, 2023
… split quicklistNode (redis#11242) This PR mainly deals with 2 crashes introduced in redis#9357, and fix the QUICKLIST-PACKED-THRESHOLD mess in external test mode. 1. Fix crash due to deleting an entry from a compress quicklistNode When inserting a large element, we need to create a new quicklistNode first, and then delete its previous element, if the node where the deleted element is located is compressed, it will cause a crash. Now add `dont_compress` to quicklistNode, if we want to use a quicklistNode after some operation, we can use this flag like following: ```c node->dont_compress = 1; /* Prevent to be compressed */ some_operation(node); /* This operation might try to compress this node */ some_other_operation(node); /* We can use this node without decompress it */ node->dont_compress = 0; /* Re-able compression */ quicklistCompressNode(node); ``` Perhaps in the future, we could just disable the current entry from being compressed during the iterator loop, but that would require more work. 2. Fix crash due to wrongly split quicklist before redis#9357, the offset param of _quicklistSplitNode() will not negative. For now, when offset is negative, the split extent will be wrong. following example: ```c int orig_start = after ? offset + 1 : 0; int orig_extent = after ? -1 : offset; int new_start = after ? 0 : offset; int new_extent = after ? offset + 1 : -1; # offset: -2, after: 1, node->count: 2 # current wrong range: [-1,-1] [0,-1] # correct range: [1,-1] [0, 1] ``` Because only `_quicklistInsert()` splits the quicklistNode and only `quicklistInsertAfter()`, `quicklistInsertBefore()` call _quicklistInsert(), so `quicklistReplaceEntry()` and `listTypeInsert()` might occur this crash. But the iterator of `listTypeInsert()` is alway from head to tail(iter->offset is always positive), so it is not affected. The final conclusion is this crash only occur when we insert a large element with negative index into a list, that affects `LSET` command and `RM_ListSet` module api. 3. In external test mode, we need to restore quicklist packed threshold after when the end of test. 4. Show `node->count` in quicklistRepr(). 5. Add new tcl proc `config_get_set` to support restoring config in tests.
patpatbear
added a commit
to ctripcorp/Redis-On-Rocks
that referenced
this pull request
Jun 7, 2023
patpatbear
added a commit
to ctripcorp/Redis-On-Rocks
that referenced
this pull request
Jun 7, 2023
enjoy-binbin
pushed a commit
to enjoy-binbin/redis
that referenced
this pull request
Jul 31, 2023
… split quicklistNode (redis#11242) This PR mainly deals with 2 crashes introduced in redis#9357, and fix the QUICKLIST-PACKED-THRESHOLD mess in external test mode. 1. Fix crash due to deleting an entry from a compress quicklistNode When inserting a large element, we need to create a new quicklistNode first, and then delete its previous element, if the node where the deleted element is located is compressed, it will cause a crash. Now add `dont_compress` to quicklistNode, if we want to use a quicklistNode after some operation, we can use this flag like following: ```c node->dont_compress = 1; /* Prevent to be compressed */ some_operation(node); /* This operation might try to compress this node */ some_other_operation(node); /* We can use this node without decompress it */ node->dont_compress = 0; /* Re-able compression */ quicklistCompressNode(node); ``` Perhaps in the future, we could just disable the current entry from being compressed during the iterator loop, but that would require more work. 2. Fix crash due to wrongly split quicklist before redis#9357, the offset param of _quicklistSplitNode() will not negative. For now, when offset is negative, the split extent will be wrong. following example: ```c int orig_start = after ? offset + 1 : 0; int orig_extent = after ? -1 : offset; int new_start = after ? 0 : offset; int new_extent = after ? offset + 1 : -1; # offset: -2, after: 1, node->count: 2 # current wrong range: [-1,-1] [0,-1] # correct range: [1,-1] [0, 1] ``` Because only `_quicklistInsert()` splits the quicklistNode and only `quicklistInsertAfter()`, `quicklistInsertBefore()` call _quicklistInsert(), so `quicklistReplaceEntry()` and `listTypeInsert()` might occur this crash. But the iterator of `listTypeInsert()` is alway from head to tail(iter->offset is always positive), so it is not affected. The final conclusion is this crash only occur when we insert a large element with negative index into a list, that affects `LSET` command and `RM_ListSet` module api. 3. In external test mode, we need to restore quicklist packed threshold after when the end of test. 4. Show `node->count` in quicklistRepr(). 5. Add new tcl proc `config_get_set` to support restoring config in tests.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR mainly deals with 2 crashes introduced in #9357, and fix the QUICKLIST-PACKED-THRESHOLD mess in extern
test mode.
Fix crash due to deleting an entry from a compress quicklistNode
When inserting a large element, we need to create a new quicklistNode first, and then delete its previous element, if the node where the deleted element is located is compressed, it will cause a crash.
Now add
dont_compressto quicklistNode, if we want to use a quicklistNode after some operation, we can use this flag like following:Perhaps in the future, we could just disable the current entry from being compressed during the iterator loop, but that would require more work.
Fix crash due to wrongly split quicklist
before Add support for list type to store elements larger than 4GB #9357, the offset param of _quicklistSplitNode() will not negative.
For now, when offset is negative, the split extent will be wrong.
following example:
Because only
_quicklistInsert()splits the quicklistNode and onlyquicklistInsertAfter(),quicklistInsertBefore()call _quicklistInsert(),so
quicklistReplaceEntry()andlistTypeInsert()might occur this crash.But the iterator of
listTypeInsert()is alway from head to tail(iter->offset is always positive), so it is not affected.The final conclusion is this crash only occur when we insert a large element with negative index into a list, that affects
LSETcommand andRM_ListSetmodule api.In extern test mode, we need to restore quicklist packed threshold after when the end of test.
Show
node->countin quicklistRepr().Add new tcl proc
config_get_setto support restoring config in tests.