Crash consistency bug in clht_gc_free

[iangneal]

Bug

Exposed by crashing after freeing the hash table in clht_gc_free.

RECIPE/P-CLHT/src/clht_gc.c

Lines 239 to 242 in fc508dd

	PMEMoid table_oid = {pool_uuid, hashtable->table_off};
	pmemobj_free(&table_oid);
	PMEMoid ht_oid = pmemobj_oid((void *)hashtable);
	pmemobj_free(&ht_oid);

• pmemobj_free sets the PMEMoid object to NULL when freeing objects.
• With the current design of storing the offset in hashtable->table_off, the offset is never set to null, and so a crash can cause a double-free to occur.

Steps to reproduce

gdb --args ./example 20 20
> break clht_gc.c:241
> run
> quit
# Then, re-run
./example 20 0

Will output something like:

Simple Example of P-CLHT
operation,n,ops/s
Throughput: load, inf ,ops/us
Throughput: run, inf ,ops/us
<libpmemobj>: <1> [palloc.c:295 palloc_heap_action_exec] assertion failure: 0

[SeKwonLee]

Hi @Dahca ,

Thanks for the report. Let me get back to you after checking and fixing it. However, if you already have a solution, I would appreciate it if you make a pull request for it.

[iangneal]

Hey @SeKwonLee,

I'd be happy to submit a PR for this in the near future, but I will be slightly delayed by an upcoming deadline. I'll ping this issue once I have a solution or if I have any issues in coming up with one.