Out of bound read in on_replace when inserting into _index with 0 parts.

[gmoshkin]

If an index definition is inserted directly into box.space._index which has an empty parts list, there's an out of bounds read in key_def_contains_sequential_parts.

This line contains a bug

tarantool/src/box/tuple_extract_key.cc

Line 26 in 1315923

for (uint32_t i = 0; i < def->part_count - 1; ++i) {

Because def->part_count is 0 and ((uint32_t)0) - 1 == UINT32_MAX.

This doesn't always result in a segfault, but you can verify in the debugger that in this loop out bounds memory is being read.

[Gumix]

@gmoshkin, could you please provide a reproducer?

tarantool> _ = box.schema.create_space('test')
---
...

tarantool> box.space._index:insert{512,0,'i','tree',{unique=true}}
---
- error: Tuple field 6 (parts) required by space format is missing
...

tarantool> box.space._index:insert{512,0,'i','tree',{unique=true},{}}
---
- error: 'Can''t create or modify index ''i'' in space ''test'': part count must be positive'
...

tarantool> box.space._index:insert{512,0,'i','tree',{unique=true},{{}}}
---
- error: 'Wrong index part 1: expected a non-empty array'
...

[gmoshkin]

@gmoshkin, could you please provide a reproducer?

tarantool> _ = box.schema.create_space('test')
---
...

tarantool> box.space._index:insert{512,0,'i','tree',{unique=true}}
---
- error: Tuple field 6 (parts) required by space format is missing
...

tarantool> box.space._index:insert{512,0,'i','tree',{unique=true},{}}
---
- error: 'Can''t create or modify index ''i'' in space ''test'': part count must be positive'
...

tarantool> box.space._index:insert{512,0,'i','tree',{unique=true},{{}}}
---
- error: 'Wrong index part 1: expected a non-empty array'
...

There you go, you have a reproducer.

As originally stated, it doesn't always segfault, because the memory is often in the readable pages.

Do you want me to explain how you start tarantool with gdb and put a breakpoint on the line I mentioned originally and verify that the loop body is executed multiple times?