Skip to content

Comments

Always untrack initialized safe iterator#3223

Merged
ranshid merged 1 commit intovalkey-io:unstablefrom
ranshid:fix-always-untrack-safe-iterator
Feb 17, 2026
Merged

Always untrack initialized safe iterator#3223
ranshid merged 1 commit intovalkey-io:unstablefrom
ranshid:fix-always-untrack-safe-iterator

Conversation

@ranshid
Copy link
Member

@ranshid ranshid commented Feb 17, 2026

in #2807 we added safe-iterator invalidation when a hashtable is deleted.
When we create a safeIterator we initialize it to it->table=0 and it-index=-1.
HOWEVER say someone creates a safe iterator never progress it and later on just delete the iterator using hashtableReleaseIterator.
the iterator will NOT be untracked since, hashtableCleanupIterator will skip the untrack:

    if (!(iter->index == -1 && iter->table == 0)) {
        if (isSafe(iter)) {
            hashtableResumeRehashing(iter->hashtable);
            untrackSafeIterator(iter);
        } else {
            assert(iter->fingerprint == hashtableFingerprint(iter->hashtable));
        }
    }

and then when the hashtable is freed the iterator will be referenced leading to a use-after-free.

For example:

    it = hashtableCreateIterator(ht, HASHTABLE_ITER_SAFE);
    hashtableReleaseIterator(it);
    hashtableRelease(ht);

This PR fix it by ALWAYS untrack safe iterators which have a valid hashtable when they are being cleaned up.

Signed-off-by: Ran Shidlansik <ranshid@amazon.com>
@ranshid ranshid requested a review from rainsupreme February 17, 2026 12:41
@ranshid ranshid changed the title Always untrack safe iterator Always untrack initialized safe iterator Feb 17, 2026
Copy link
Contributor

@rainsupreme rainsupreme left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ranshid ranshid merged commit b00c936 into valkey-io:unstable Feb 17, 2026
57 of 58 checks passed
@codecov
Copy link

codecov bot commented Feb 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (556180d) to head (3500057).
⚠️ Report is 1 commits behind head on unstable.

Additional details and impacted files
@@       Coverage Diff        @@
##   unstable   #3223   +/-   ##
================================
================================
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@sarthakaggarwal97
Copy link
Contributor

@ranshid does this need to be backported as well to Valkey 9.0?

@ranshid
Copy link
Member Author

ranshid commented Feb 18, 2026

@ranshid does this need to be backported as well to Valkey 9.0?

@sarthakaggarwal97 no. AFAIK we never backported #2807 which is the source of this specific degradation

harrylin98 pushed a commit to harrylin98/valkey_forked that referenced this pull request Feb 19, 2026
in valkey-io#2807 we added safe-iterator invalidation when a hashtable is
deleted.
When we create a safeIterator we initialize it to it->table=0 and
it-index=-1.
HOWEVER say someone creates a safe iterator never progress it and later
on just delete the iterator using `hashtableReleaseIterator`.
the iterator will NOT be untracked since, `hashtableCleanupIterator`
will skip the untrack:

```c
    if (!(iter->index == -1 && iter->table == 0)) {
        if (isSafe(iter)) {
            hashtableResumeRehashing(iter->hashtable);
            untrackSafeIterator(iter);
        } else {
            assert(iter->fingerprint == hashtableFingerprint(iter->hashtable));
        }
    }
```

and then when the hashtable is freed the iterator will be referenced
leading to a use-after-free.

For example:

```c
    it = hashtableCreateIterator(ht, HASHTABLE_ITER_SAFE);
    hashtableReleaseIterator(it);
    hashtableRelease(ht);
```

This PR fix it by ALWAYS untrack safe iterators which have a valid
hashtable when they are being cleaned up.

Signed-off-by: Ran Shidlansik <ranshid@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants