author | Carlos Garnacho <carlosg@gnome.org> | 2022-10-24 15:22:18 +0200 |
---|---|---|
committer | Carlos Garnacho <carlosg@gnome.org> | 2022-10-24 15:30:14 +0200 |
commit | 7c66946a6dd4cfaff2dfe7952417f34ed91b3854 (patch) | |
tree | ab76522565703f3ab81950dda3aeda1158a16ce1 /src | |
parent | 1e9f1b5c8ca46a9ea04632eab93a931877237759 (diff) | |
download | tracker-7c66946a6dd4cfaff2dfe7952417f34ed91b3854.tar.gz |
libtracker-sparql/core: Unlink TrackerDBStatement before removing from HT
The hashtable destroy functions may result in the TrackerDBStatement being
freed, so trying to access the MRU head after that will result in invalid
memory access, seen in valgrind as:
==477545== Invalid write of size 8
==477545== at 0x4C71DF9: tracker_db_statement_mru_insert (tracker-db-interface-sqlite.c:2656)
==477545== by 0x4C6AFF8: tracker_data_ensure_update_statement (tracker-data-update.c:1219)
==477545== by 0x4C6AFF8: tracker_data_flush_log (tracker-data-update.c:1242)
==477545== by 0x4C6AFF8: tracker_data_update_buffer_flush (tracker-data-update.c:1550)
==477545== by 0x4C6BA79: tracker_data_update_buffer_might_flush (tracker-data-update.c:1605)
==477545== by 0x4C6BADF: resource_buffer_switch (tracker-data-update.c:2534)
==477545== by 0x4C6BF2C: tracker_data_insert_statement_with_uri (tracker-data-update.c:2857)
==477545== by 0x4C6C497: tracker_data_insert_statement (tracker-data-update.c:2824)
==477545== by 0x4C6D897: update_resource_property (tracker-data-update.c:3489)
==477545== by 0x4C6D4C4: update_resource_single (tracker-data-update.c:3554)
==477545== by 0x4C6D847: update_resource_property (tracker-data-update.c:3442)
==477545== by 0x4C6D673: update_resource_single (tracker-data-update.c:3593)
==477545== by 0x4C6D847: update_resource_property (tracker-data-update.c:3442)
==477545== by 0x4C6D673: update_resource_single (tracker-data-update.c:3593)
==477545== by 0x4C6DA3D: tracker_data_update_resource (tracker-data-update.c:3626)
==477545== by 0x4CA0498: tracker_direct_batch_update (tracker-direct-batch.c:221)
==477545== by 0x4C9F8B4: update_thread_func (tracker-direct.c:286)
==477545== by 0x492F8A1: g_thread_pool_thread_proxy.lto_priv.0 (gthreadpool.c:352)
==477545== by 0x492A771: g_thread_proxy (gthread.c:831)
==477545== by 0x4D975B4: start_thread (pthread_create.c:442)
==477545== by 0x4E17F03: clone (clone.S:100)
==477545== Address 0xb2ccbe0 is 64 bytes inside a block of size 72 free'd
==477545== at 0x48440E4: free (vg_replace_malloc.c:872)
==477545== by 0x490584C: g_free (gmem.c:229)
==477545== by 0x491FE93: g_slice_free1 (gslice.c:1185)
==477545== by 0x4BFF63B: g_type_free_instance (gtype.c:2010)
==477545== by 0x48EC3C6: UnknownInlinedFun (ghash.c:1774)
==477545== by 0x48EC3C6: g_hash_table_remove (ghash.c:1802)
==477545== by 0x4C71DF5: tracker_db_statement_mru_insert (tracker-db-interface-sqlite.c:2655)
==477545== by 0x4C6AFF8: tracker_data_ensure_update_statement (tracker-data-update.c:1219)
==477545== by 0x4C6AFF8: tracker_data_flush_log (tracker-data-update.c:1242)
==477545== by 0x4C6AFF8: tracker_data_update_buffer_flush (tracker-data-update.c:1550)
==477545== by 0x4C6BA79: tracker_data_update_buffer_might_flush (tracker-data-update.c:1605)
==477545== by 0x4C6BADF: resource_buffer_switch (tracker-data-update.c:2534)
==477545== by 0x4C6BF2C: tracker_data_insert_statement_with_uri (tracker-data-update.c:2857)
==477545== by 0x4C6C497: tracker_data_insert_statement (tracker-data-update.c:2824)
==477545== by 0x4C6D897: update_resource_property (tracker-data-update.c:3489)
==477545== by 0x4C6D4C4: update_resource_single (tracker-data-update.c:3554)
==477545== by 0x4C6D847: update_resource_property (tracker-data-update.c:3442)
==477545== by 0x4C6D673: update_resource_single (tracker-data-update.c:3593)
==477545== by 0x4C6D847: update_resource_property (tracker-data-update.c:3442)
==477545== by 0x4C6D673: update_resource_single (tracker-data-update.c:3593)
==477545== by 0x4C6DA3D: tracker_data_update_resource (tracker-data-update.c:3626)
==477545== by 0x4CA0498: tracker_direct_batch_update (tracker-direct-batch.c:221)
==477545== by 0x4C9F8B4: update_thread_func (tracker-direct.c:286)
==477545== by 0x492F8A1: g_thread_pool_thread_proxy.lto_priv.0 (gthreadpool.c:352)
==477545== by 0x492A771: g_thread_proxy (gthread.c:831)
==477545== by 0x4D975B4: start_thread (pthread_create.c:442)
==477545== by 0x4E17F03: clone (clone.S:100)
==477545== Block was alloc'd at
==477545== at 0x484186F: malloc (vg_replace_malloc.c:381)
==477545== by 0x4909008: g_malloc (gmem.c:130)
==477545== by 0x4920865: g_slice_alloc (gslice.c:1074)
==477545== by 0x4920E9C: g_slice_alloc0 (gslice.c:1100)
==477545== by 0x4C0500B: g_type_create_instance (gtype.c:1913)
==477545== by 0x4BEAC4E: g_object_new_internal (gobject.c:2226)
==477545== by 0x4BEC247: g_object_new_with_properties (gobject.c:2387)
==477545== by 0x4BECFF0: g_object_new (gobject.c:2035)
==477545== by 0x4C71F4F: tracker_db_statement_sqlite_new (tracker-db-interface-sqlite.c:2985)
==477545== by 0x4C71F4F: tracker_db_interface_create_statement (tracker-db-interface-sqlite.c:2751)
==477545== by 0x4C72155: tracker_db_interface_create_vstatement (tracker-db-interface-sqlite.c:2784)
==477545== by 0x4C6B232: tracker_data_ensure_update_statement (tracker-data-update.c:1177)
==477545== by 0x4C6B232: tracker_data_flush_log (tracker-data-update.c:1242)
==477545== by 0x4C6B232: tracker_data_update_buffer_flush (tracker-data-update.c:1550)
==477545== by 0x4C6C6A0: tracker_data_update_statement (tracker-data-update.c:2994)
==477545== by 0x4C60363: tracker_data_ontology_process_statement (tracker-data-manager.c:2346)
==477545== by 0x4C60363: import_ontology_file (tracker-data-manager.c:2389)
==477545== by 0x4C6421D: tracker_data_manager_initable_init (tracker-data-manager.c:4398)
==477545== by 0x4C9E724: tracker_direct_connection_initable_init (tracker-direct.c:493)
==477545== by 0x4A656B7: g_initable_new_valist (ginitable.c:250)
==477545== by 0x4A657AC: g_initable_new (ginitable.c:164)
==477545== by 0x4C9F5AB: tracker_direct_connection_new (tracker-direct.c:1562)
==477545== by 0x4C47D20: tracker_sparql_connection_new (tracker-connection.c:1025)
==477545== by 0x40AF7B: setup_connection_and_endpoint (tracker-main.c:823)
==477545== by 0x40AF7B: main (tracker-main.c:1062)
Diffstat (limited to 'src')
-rw-r--r-- | src/libtracker-sparql/core/tracker-db-interface-sqlite.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/libtracker-sparql/core/tracker-db-interface-sqlite.c b/src/libtracker-sparql/core/tracker-db-interface-sqlite.c
index dd3455221..ca1ebb985 100644
--- a/src/libtracker-sparql/core/tracker-db-interface-sqlite.c
+++ b/src/libtracker-sparql/core/tracker-db-interface-sqlite.c
@@ -2652,9 +2652,10 @@ tracker_db_statement_mru_insert (TrackerDBStatementMru *stmt_mru,
 * Then we assign head->next as new head.
 */
 new_head = stmt_mru->head->next;
- g_hash_table_remove (stmt_mru->stmts, (gpointer) stmt_mru->head->mru_key);
- stmt_mru->head->mru_key = NULL;
+ stmt_mru->head->prev->next = new_head;
+ new_head->prev = stmt_mru->head->prev;
 stmt_mru->head->next = stmt_mru->head->prev = NULL;
+ g_hash_table_remove (stmt_mru->stmts, (gpointer) stmt_mru->head->mru_key);
 stmt_mru->size--;
 stmt_mru->head = new_head;
 } |
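Review bot: The evicted head's `mru_key` is no longer cleared, because the old `stmt_mru->head->mru_key = NULL;` (which ran after the remove) is dropped rather than moved ahead of `g_hash_table_remove ()`. If another holder still references the statement when the table releases it, the object survives eviction unlinked from the ring but with a stale `mru_key`; whether anything later reads that field is not visible in this hunk. Consider saving the key first: `gpointer old_key = stmt_mru->head->mru_key;`, `stmt_mru->head->mru_key = NULL;`, `g_hash_table_remove (stmt_mru->stmts, old_key);`. Separately, the new `stmt_mru->head->prev->next` and `new_head->prev` writes assume a closed ring with at least two entries; with a single cached statement `new_head` would presumably be the entry about to be released, so an assertion or comment on the minimum cache size would help. The function body starts and ends outside this hunk.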