Crash consistency bug in clht_gc_free

iangneal commented 3 years ago

Bug

Exposed by crashing after freeing the hash table in clht_gc_free.

https://github.com/utsaslab/RECIPE/blob/fc508ddfae1ca0d77cf3d3f1b73849e65c223f26/P-CLHT/src/clht_gc.c#L239-L242

pmemobj_free sets the PMEMoid object to NULL when freeing objects.
With the current design of storing the offset in hashtable->table_off, the offset is never set to null, and so a crash can cause a double-free to occur.

Steps to reproduce

gdb --args ./example 20 20
> break clht_gc.c:241
> run
> quit
# Then, re-run
./example 20 0

Will output something like:

Simple Example of P-CLHT
operation,n,ops/s
Throughput: load, inf ,ops/us
Throughput: run, inf ,ops/us
<libpmemobj>: <1> [palloc.c:295 palloc_heap_action_exec] assertion failure: 0

SeKwonLee commented 3 years ago

Hi @Dahca ,

Thanks for the report. Let me get back to you after checking and fixing it. However, if you already have a solution, I would appreciate it if you make a pull request for it.

iangneal commented 3 years ago

Hey @SeKwonLee,

I'd be happy to submit a PR for this in the near future, but I will be slightly delayed by an upcoming deadline. I'll ping this issue once I have a solution or if I have any issues in coming up with one.

utsaslab / RECIPE

Crash consistency bug in clht_gc_free #18

Bug

Steps to reproduce