cassandra-rs icon indicating copy to clipboard operation
cassandra-rs copied to clipboard

Published 20 hours ago verified publisher icon Metaswitch

UB on ResultIterator drop

Open rukai opened this issue 2 years ago • 1 comments

If a ResultIterator is dropped while a Row it returned is still alive then we hit undefined behavior. I have seen this exposed as garbage data and segfaults. Specifically cass_iterator_free is the underlying API call, its documentation does not say not to call it while children are alive, so not sure if its our bug or an upstream bug.

Specifically the driver version that exposed this issue to us was 0.16.2, the problem did not occur in 0.16.1. Its likely caused by one of these performance PRs:

  • https://github.com/datastax/cpp-driver/pull/505
  • https://github.com/datastax/cpp-driver/pull/510

rukai avatar Nov 07 '22 03:11 rukai

That's annoying. I suspect #101 would have fixed this if it was ever completed, but it doesn't look like that's happening. Thank you very much for diagnosing! From the comments, it looks like CassResult is supposed to last at least as long as ResultIterator, and also at least as long as Row. We didn't expect the iterator being freed to do anything to the row, as long as the CassResult was still held. Some tweaking of phantom fields is probably required.

kw217 avatar Nov 07 '22 11:11 kw217