Fix race condition in GC

yawzhang · yawzhang · commit e7df539ede42 · 2026-03-24T11:23:07.000+08:00
When GC resets move_to_chunk via purge_reserved_chunk(), stale repl_reqs may still exist and be cleaned up by background gc_repl_reqs().
This causes two race conditions:
 1. Stale rreq frees blk on NEW allocator after reset (wrong allocator)
 2. Stale rreq frees blk on OLD allocator during reset, accessing destroyed superblock and causing crash
diff --git a/conanfile.py b/conanfile.py
@@ -10,7 +10,7 @@
 
 class HomeObjectConan(ConanFile):
     name = "homeobject"
-    version = "4.1.4"
+    version = "4.1.5"
 
     homepage = "https://github.com/eBay/HomeObject"
     description = "Blob Store built on HomeStore"
diff --git a/src/lib/homestore_backend/gc_manager.cpp b/src/lib/homestore_backend/gc_manager.cpp
@@ -1064,6 +1064,16 @@ bool GCManager::pdev_gc_actor::purge_reserved_chunk(chunk_id_t chunk, const uint
                    "chunk_id={} is a reserved chunk, expected to have a GC state, but actuall state is {} ", chunk,
                    vchunk->m_state);
 
+    // Clear all rreqs on move_to_chunk BEFORE purge_reserved_chunk() resets the allocator.
+    // This prevents race conditions where:
+    // 1. Stale rreq frees blk on NEW allocator after reset (wrong allocator)
+    // 2. Stale rreq frees blk on OLD allocator during reset (accessing destroyed superblock)
+    // NOTE: This introduces potential double-free risk with gc_repl_reqs() background thread.
+    // See https://github.com/eBay/HomeObject/issues/401.
+    GCLOGD(task_id, pg_id, NO_SHARD_ID, "clear all rreqs on chunk={} before resetting it", vchunk->get_chunk_id());
+    auto hs_pg = m_hs_home_object->get_hs_pg(pg_id);
+    hs_pg->repl_dev_->clear_chunk_req(vchunk->get_chunk_id());
+
     GCLOGD(task_id, pg_id, NO_SHARD_ID, "reset chunk={} before using it for gc", vchunk->get_chunk_id());
     vchunk->reset(); // reset the chunk to make sure it is empty
 
diff --git a/src/lib/homestore_backend/heap_chunk_selector.cpp b/src/lib/homestore_backend/heap_chunk_selector.cpp
@@ -130,7 +130,7 @@ csharedChunk HeapChunkSelector::select_specific_chunk(const pg_id_t pg_id, const
 
             if (chunk->m_state == ChunkState::GC) {
                 LOGDEBUGMOD(homeobject, "v_chunk_id={} for pg={} is pchunk_id={}, in GC state, wait and retry!",
-                            chunk->get_chunk_id(), v_chunk_id, pg_id);
+                            v_chunk_id, pg_id, chunk->get_chunk_id());
             } else {
                 if (chunk->m_state == ChunkState::AVAILABLE) {
                     chunk->m_state = ChunkState::INUSE;
