Issue 8722 - MDB_LAST_DUP/FIRST_DUP return item beyond last item
Summary: MDB_LAST_DUP/FIRST_DUP return item beyond last item
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All
OS: All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-05 06:46 UTC by Hallvard Furuseth
Modified: 2018-03-22 19:26 UTC (History)

See Also:


Description Hallvard Furuseth 2017-09-05 06:46:13 UTC
Full_Name: Hallvard B Furuseth
Version: LMDB_0.9.21, mdb.master, master2
OS: Linux x86_64
URL: ftp://ftp.openldap.org/incoming/Hallvard-Furuseth-170905.c
Submission from: (NULL) (81.191.45.31)
Submitted by: hallvard


mdb_cursor_get(MDB_LAST_DUP/MDB_FIRST_DUP) can return a deleted item
when mc_ki[] == NUMKEYS(), i.e. an "ack!" cursor in mdb_cursor_chk().

Happens with the test program without arguments.  When run with
arguments so it uses a sub-page, it returns some other garbage.

$ ./a.out
mc {flags 0x4b, ki-numkeys 0}; mx {flags 0x4, ki 0}
cursor_get() = Successful return: 0
node: dsize 0x68686c6c, flags 0x6161, ksize 0x7a7a key "kkkkkkkkk...", data
"<garbage>".
Segmentation fault (core dumped)

It should return MDB_NOTFOUND or last key:data item, not sure which.
It should return the same when run with and without an argument.
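An added example (not the ITS test program and not LMDB's code): a small C model of a leaf page and its cursor showing why a cursor left at mc_ki == NUMKEYS() after deleting the last item hands MDB_LAST_DUP a deleted node, and the NUMKEYS() check that makes it return MDB_NOTFOUND instead. The Page/Node/Cursor types, cursor_del() and last_dup() are simplified stand-ins, and choosing MDB_NOTFOUND over the last key:data item is this example's assumption.

```c
#include <stdio.h>
#include <string.h>

#define MDB_SUCCESS   0
#define MDB_NOTFOUND  (-30798)          /* LMDB's real return code */
#define MAXKEYS       8

/* Simplified stand-ins for an LMDB leaf page, its nodes and a cursor. */
typedef struct { const char *key; int ndups; const char *dups[4]; } Node;
typedef struct { int numkeys; Node nodes[MAXKEYS]; } Page;
typedef struct { Page *mp; int ki; } Cursor;   /* mc_pg[mc_top], mc_ki[mc_top] */
#define NUMKEYS(p) ((p)->numkeys)

/* Delete the node under the cursor. As in LMDB, the cursor index is left where
 * it was; deleting the last node therefore leaves ki == NUMKEYS(), and the slot
 * just past the end still holds the deleted node's bytes. */
static void cursor_del(Cursor *mc)
{
    Page *mp = mc->mp;
    int tail = NUMKEYS(mp) - mc->ki - 1;
    memmove(&mp->nodes[mc->ki], &mp->nodes[mc->ki + 1], tail * sizeof(Node));
    mp->numkeys--;
}

/* MDB_LAST_DUP model: fetch the node under the cursor, then its last dup.
 * guarded == 0 reproduces the ITS#8722 behaviour (no index check);
 * guarded == 1 applies the NUMKEYS() check and returns MDB_NOTFOUND (assumed). */
static int last_dup(Cursor *mc, const char **out, int guarded)
{
    Page *mp = mc->mp;
    if (guarded && mc->ki >= NUMKEYS(mp)) {
        mc->ki = NUMKEYS(mp);           /* stay at "end of page" */
        return MDB_NOTFOUND;
    }
    Node *leaf = &mp->nodes[mc->ki];    /* NODEPTR(mp, ki) with no bounds check */
    *out = leaf->dups[leaf->ndups - 1];
    return MDB_SUCCESS;
}

/* Constructed scenario: keys "a" and "b", cursor on "b", delete it, LAST_DUP. */
static int run_scenario(int guarded, const char **out)
{
    Page pg = { 2, { { "a", 2, { "a1", "a2" } }, { "b", 2, { "b1", "b2" } } } };
    Cursor mc = { &pg, 1 };
    cursor_del(&mc);                    /* now NUMKEYS()==1, mc.ki==1: "ack!" */
    return last_dup(&mc, out, guarded);
}
```

Unguarded, run_scenario(0, ...) reports success and returns "b2", the dup of the key that was just deleted; guarded, it returns MDB_NOTFOUND.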
Comment 1 Hallvard Furuseth 2017-09-05 07:18:16 UTC
On 05/09/17 08:46, h.b.furuseth@usit.uio.no wrote:
> Happens with the test program without arguments.  When run with
> arguments so it uses a sub-page, it returns some other garbage.
>
Er, happens with the test program, period.  With arguments it
runs some other garbage than the program's "designed" garbage.

Commit 8498c6cba2d78de420e626245a49db4705e5a6f6 "ITS#7913
mdb_cursor_get(*_DUP) cleanup" changed how the test program breaks:
Before that, it said EINVAL when run without args (no sub-page).


Comment 2 Howard Chu 2017-09-06 20:18:11 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Hallvard Furuseth 2017-09-08 20:56:03 UTC
mdb_cursor_del()'s NUMKEYS() check in your fix
(f34b61f9471d1c03fe0517b9d817c50c920e378a) looks like a general
cursor tracking issue, so XCURSOR_REFRESH() should check it too.
Unless we've got some ugliness where mp_lower is temporarily
too small, but I haven't spotted anything like that.

The mdb_cursor_del() is still wrong: The mn_flags check doesn't skip
non-DUPDATA nodes.  Using XCURSOR_REFRESH() fixes it.  And it should
use XCURSOR_INITED() like other XCURSOR_REFRESH() callers.

Suggested fixes - branch "xcursor-its8722" @ symas.


Comment 4 Quanah Gibson-Mount 2018-02-11 21:00:28 UTC
changed notes
changed state Test to Release
Comment 5 OpenLDAP project 2018-03-22 19:26:18 UTC
fixed in mdb.master/master2
fixed in RE0.9 (0.9.22)
Comment 6 Quanah Gibson-Mount 2018-03-22 19:26:18 UTC
changed notes
changed state Release to Closed