Bug #39796 Falcon: Reference count decrement not atomic
Submitted: 2 Oct 2008 1:26 Modified: 8 Jan 11:50
Reporter: Christopher Powers
Status: Closed
Category:Server: Falcon Severity:S1 (Critical)
Version: OS:Any
Assigned to: Christopher Powers Target Version:6.0.8
Tags: F_INDEX
Triage: Triaged: D1 (Critical)

[2 Oct 2008 1:26] Christopher Powers 
Description:
Transaction::release() and DeferredIndex::release() are not atomic, and may result in an
incorrect reference count, memory leak or crash.

How to repeat:
Discovered via debugging. Not explicitly reproducible.

Suggested fix:
The problem is that useCount is checked after the interlocked decrement, allowing the
opportunity for another thread to alter useCount before it is evaluated for 0.

int Transaction::release()
{
    int count = INTERLOCKED_DECREMENT(useCount);

    >>> GAP <<<<

    if (count == 0)
        delete this;

    return count;
}

void DeferredIndex::releaseRef()
{
    ASSERT(useCount > 0);

    INTERLOCKED_DECREMENT(useCount);

    >>> GAP <<<<

    if (useCount == 0)
        delete this;
}

The correct code does not allow for an intermediate context switch, and is consistent
with the other implementations of ::release() within Falcon:

void Transaction::release()
{
    if (INTERLOCKED_DECREMENT(useCount) == 0)
        delete this;
}

void DeferredIndex::releaseRef()
{
    if (INTERLOCKED_DECREMENT(useCount) == 0)
        delete this;
}
[2 Oct 2008 1:27] Christopher Powers 
Verified via debugging other problems.
[2 Oct 2008 2:12] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/54992

2845 Christopher Powers	2008-10-01
      Bug#39711 "Running falcon_bug_34351_C shows increasing memory usage"
      Bug#39795 "Falcon: Online add index does not support index with non-null columns"
      Bug#39796 "Falcon: Reference count decrement not atomic"
[2 Oct 2008 2:13] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/54993

2845 Christopher Powers	2008-10-01
      Bug#39711 "Running falcon_bug_34351_C shows increasing memory usage"
      Bug#39795 "Falcon: Online add index does not support index with non-null columns"
      Bug#39796 "Falcon: Reference count decrement not atomic"
[2 Oct 2008 2:16] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/54994

2845 Christopher Powers	2008-10-01
      Bug#39711 "Running falcon_bug_34351_C shows increasing memory usage"
      Bug#39795 "Falcon: Online add index does not support index with non-null columns"
      Bug#39796 "Falcon: Reference count decrement not atomic"
[3 Oct 2008 1:26] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/55158

2848 Christopher Powers	2008-10-02
      Bug#39796, "Falcon: Reference count decrement not atomic"
      
      The release() method in Transaction and DeferredIndex check useCount after the
interlocked decrement, allowing other threads to alter useCount before it is evaluated
for 0.
[8 Jan 11:50] MC Brown 
Internal only. No documentation needed.