Kouhei Sutou
null+****@clear*****
Sat May 23 11:32:58 JST 2015
Kouhei Sutou 2015-05-23 11:32:58 +0900 (Sat, 23 May 2015)

New Revision: 23debd42e23ac480d9d92115fb718c4b813bd503
https://github.com/groonga/groonga/commit/23debd42e23ac480d9d92115fb718c4b813bd503

Message:
  Fix a crash bug

  It occurs in the following sequence:

    1. thread1: call grn_ii_cursor_open()
    2. thread1: find one entry in ii
    3. thread2: change ii
    4. thread1: detect buffer or chunk change
    5. thread1: call grn_ii_cursor_close() and run the next loop
    6. thread2: delete entry in ii
    7. thread1: find no entry and break loop
    8. thread1: return grn_ii_cursor that is already closed by
       grn_ii_cursor_close() at 5.
    9. thread1: call grn_ii_cursor_close() for the grn_ii_cursor that is
       already closed

  We can replace "thread" with "process" in the above sequence:

Modified files:
  lib/ii.c

Modified: lib/ii.c (+1 -0) =================================================================== --- lib/ii.c 2015-05-22 18:03:12 +0900 (32d1ca3) +++ lib/ii.c 2015-05-23 11:32:58 +0900 (2e0c92c) @@ -4053,6 +4053,7 @@ grn_ii_cursor_open(grn_ctx *ctx, grn_ii *ii, grn_id tid, uint32_t pos, *a; if (!(a = array_at(ctx, ii, tid))) { return NULL; } for (;;) { + c = NULL; if (!(pos = a[0])) { goto exit; } if (!(c = GRN_MALLOC(sizeof(grn_ii_cursor)))) { goto exit; } memset(c, 0, sizeof(grn_ii_cursor));
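Review bot: The added `c = NULL;` at the top of the `for (;;)` body carries no comment, and nothing in the loop itself explains why it is needed. Per the commit message, it is what keeps `goto exit` on `!(pos = a[0])` from returning a cursor that an earlier iteration already passed to grn_ii_cursor_close(). Please add a one-line comment to that effect. Also consider clearing `c` at the point where the retry path closes the cursor, so the pointer is invalidated right next to the free instead of one iteration later. The change touches only lib/ii.c (+1 -0) and adds no test. A regression test that drives the change-then-delete sequence from the message would guard against this use-after-free and double close coming back.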