Fix to double free segfault in connection

2024-09-21 03:08:57 +03:00 · 2009-04-19 16:51:31 +02:00 · 2009-04-19 16:51:31 +02:00 · 5db66038fe
commit 5db66038fe
parent 5dab867db4
3 changed files with 66 additions and 0 deletions
--- a/3
+++ b/3
@ -1,5 +1,8 @@
 2009-04-19  Federico Di Gregorio  <fog@initd.org>

+	* psycopg/connection_type.c: patch from Gangadharan to avoid double
+	free of the connection object when calling close() implicitly.
+
 	* psycopg/connection_type.c: patch from Marko Kreen to implement
 	get_parameter_status().

--- a/psycopg/connection_type.c
+++ b/psycopg/connection_type.c
@ -498,6 +498,8 @@ static void
 connection_dealloc(PyObject* obj)
 {
    connectionObject *self = (connectionObject *)obj;
+    
+    PyObject_GC_UnTrack(self);

    if (self->closed == 0) conn_close(self);
    
--- a/sandbox/trigger_double_dealloc.py
+++ b/sandbox/trigger_double_dealloc.py
@ -0,0 +1,61 @@
+import psycopg2, psycopg2.extensions
+import threading
+import gc
+import time
+import sys
+
+# inherit psycopg2 connection class just so that
+# garbage collector enters the tp_clear code path
+# in delete_garbage()
+
+class my_connection(psycopg2.extensions.connection):
+    pass
+
+class db_user(threading.Thread):
+    def run(self):
+        conn2 = psycopg2.connect(sys.argv[1], connection_factory=my_connection)
+        cursor = conn2.cursor()
+        cursor.execute("UPDATE test_psycopg2_dealloc SET a = 3", async=1)
+
+        # the conn2 desctructor will block indefinitely
+        # on the completion of the query
+        # (and it will not be holding the GIL during that time)
+        print >> sys.stderr, "begin conn2 del"
+        del cursor, conn2
+        print >> sys.stderr, "end conn2 del"
+
+def main():
+    # lock out a db row
+    conn1 = psycopg2.connect(sys.argv[1], connection_factory=my_connection)
+    cursor = conn1.cursor()
+    cursor.execute("DROP TABLE IF EXISTS test_psycopg2_dealloc")
+    cursor.execute("CREATE TABLE test_psycopg2_dealloc (a int)")
+    cursor.execute("INSERT INTO test_psycopg2_dealloc VALUES (1)")
+    conn1.commit()
+    cursor.execute("UPDATE test_psycopg2_dealloc SET a = 2", async=1)
+
+    # concurrent thread trying to access the locked row
+    db_user().start()
+
+    # eventually, a gc.collect run will happen
+    # while the conn2 is inside conn_close()
+    # but this second dealloc won't get blocked
+    # as it will avoid conn_close()
+    for i in range(10):
+        if gc.collect():
+            print >> sys.stderr, "garbage collection done"
+            break
+        time.sleep(1)
+
+    # we now unlock the row by invoking
+    # the desctructor of conn1. This will permit the
+    # concurrent thread destructor of conn2 to
+    # continue and it will end up trying to free
+    # self->dsn a second time.
+    print >> sys.stderr, "begin conn1 del"
+    del cursor, conn1
+    print >> sys.stderr, "end conn1 del"
+
+
+if __name__ == '__main__':
+    main()