fix: Resolve use-after-free crash in DocumentStore::RemoveDocument

Fix segmentation fault during concurrent delete operations caused by
using a dangling reference to the primary key string after erasing
the map entry.

Root cause: The function stored a const reference to pk_it->second,
then erased the entry from doc_id_to_pk_ (invalidating the reference),
and finally used the dangling reference in StructuredLog. This bug
existed since the initial commit but was exposed by Linux CI's memory
allocator during concurrent tests.

Changes:
- Copy primary key string before erasing map entry
- Add stress tests (DocumentStoreStressTest) with SLOW label
- Update release notes and changelog for v1.3.7

Author: libraz

CHANGELOG.md

@@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **Critical: Use-After-Free in RemoveDocument** - Copy primary key string before erasing map entry; add stress tests with SLOW label for regression detection
 - **Critical: SIGSEGV on SET/SHOW VARIABLES** - Transfer VariableHandler ownership to TcpServer to prevent use-after-free crash
 - **Medium: auto-dump/manual dump conflict** - Add mutual exclusion between SnapshotScheduler and manual DUMP SAVE operations
 - **Low: DUMP LOAD GTID restoration** - Restore GTID even when replication was not running, enabling manual REPLICATION START after load

docs/releases/v1.3.7.md

@@ -104,7 +104,31 @@ Thread-safe progress tracking structure for dump operations.
 
 ## Bug Fixes
 
-### 1. Critical: SIGSEGV on SET/SHOW VARIABLES
+### 1. Critical: Use-After-Free in RemoveDocument
+
+**Type:** Critical
+**Severity:** Critical
+
+Fix use-after-free crash in `DocumentStore::RemoveDocument` during concurrent delete operations.
+
+**Root Cause:** The function stored a reference to the primary key string from the map, then erased the map entry (invalidating the reference), and finally used the dangling reference in the log statement. This bug existed since the initial commit but was exposed by Linux CI's memory allocator behavior during concurrent tests.
+
+**Symptom:** Segmentation fault in `DocumentStoreTest.ConcurrentDeletes` test on Linux CI.
+
+**Solution:**
+
+- Copy the primary key string before erasing the map entry
+- Add stress tests (`DocumentStoreStressTest`) with SLOW label for regression detection
+
+**Files Changed:**
+
+- `src/storage/document_store.cpp` - Copy string before erase
+- `tests/storage/document_store_stress_test.cpp` - New stress test file
+- `tests/storage/CMakeLists.txt` - Add stress test with SLOW label
+
+---
+
+### 2. Critical: SIGSEGV on SET/SHOW VARIABLES
 
 **Type:** Critical
 **Severity:** Critical
@@ -126,7 +150,7 @@ Fix segmentation fault when executing SET or SHOW VARIABLES commands.
 
 ---
 
-### 2. Medium: Auto-dump/Manual DUMP SAVE Mutual Exclusion
+### 3. Medium: Auto-dump/Manual DUMP SAVE Mutual Exclusion
 
 **Type:** Bug Fix
 **Severity:** Medium
@@ -157,7 +181,7 @@ Implement proper synchronization between SnapshotScheduler (auto-dump) and manua
 
 ---
 
-### 3. Low: DUMP LOAD GTID Restoration
+### 4. Low: DUMP LOAD GTID Restoration
 
 **Type:** Bug Fix
 **Severity:** Low
@@ -170,7 +194,7 @@ GTID is now restored even when replication was not running before DUMP LOAD, ena
 
 ---
 
-### 4. Low: BinlogReader::IsRunning() Flag Check
+### 5. Low: BinlogReader::IsRunning() Flag Check
 
 **Type:** Bug Fix
 **Severity:** Low
@@ -275,10 +299,12 @@ Added complete documentation for the new command:
 - 5 new DUMP STATUS tests (idle, save in progress, load in progress, replication paused, GTID preservation)
 - GTID restoration test with MockBinlogReader
 - Variable handler ownership test
+- 2 new stress tests for RemoveDocument use-after-free regression (`DocumentStoreStressTest`)
 
 ### Test Infrastructure
 
 - Add `DumpHandlerGtidTest` fixture with MockBinlogReader
+- Add `document_store_stress_test.cpp` with SLOW label for CI exclusion
 - Update 10+ test files with new flag names
 
 ---
@@ -288,13 +314,13 @@ Added complete documentation for the new command:
 | Category | Files |
 |----------|-------|
 | Core Features | dump_handler.cpp/h, server_types.h, query_parser.cpp |
-| Bug Fixes | tcp_server.cpp/h, snapshot_scheduler.cpp/h, binlog_reader.cpp |
+| Bug Fixes | document_store.cpp, tcp_server.cpp/h, snapshot_scheduler.cpp/h, binlog_reader.cpp |
 | Refactoring | 25+ files (StructuredLog migration) |
 | Interface | binlog_reader_interface.h |
 | Documentation | docs/en/protocol.md, docs/ja/protocol.md |
-| Tests | dump_handler_test.cpp, variable_handler_test.cpp, 10+ updated |
+| Tests | document_store_stress_test.cpp, dump_handler_test.cpp, variable_handler_test.cpp, 10+ updated |
 
-**Total: 65 files changed, +2894/-634 lines**
+**Total: 68 files changed**
 
 ---
 

src/storage/document_store.cpp

@@ -231,7 +231,8 @@ bool DocumentStore::RemoveDocument(DocId doc_id) {
     return false;
   }
 
-  const std::string& primary_key = pk_it->second;
+  // Copy the primary key before erasing (avoid use-after-free)
+  std::string primary_key = pk_it->second;
 
   // Remove mappings
   pk_to_doc_id_.erase(primary_key);

tests/storage/CMakeLists.txt

@@ -33,6 +33,27 @@ gtest_discover_tests(document_store_concurrent_test
   PROPERTIES RESOURCE_LOCK storage_io
 )
 
+# DocumentStore stress tests (marked as SLOW for CI)
+add_executable(document_store_stress_test
+  document_store_stress_test.cpp
+)
+
+target_link_libraries(document_store_stress_test
+  mygramdb_storage
+  GTest::gtest_main
+)
+
+# Note: Stress tests are designed to detect concurrency bugs like use-after-free
+# through high memory pressure. They are excluded from regular CI runs.
+gtest_discover_tests(document_store_stress_test
+  DISCOVERY_MODE POST_BUILD
+  DISCOVERY_TIMEOUT 30
+  PROPERTIES
+    LABELS "SLOW"
+    RESOURCE_LOCK storage_io
+    TIMEOUT 60
+)
+
 # DocumentStore serialization tests
 add_executable(document_store_serialization_test
   document_store_serialization_test.cpp

tests/storage/document_store_stress_test.cpp

@@ -0,0 +1,176 @@
+/**
+ * @file document_store_stress_test.cpp
+ * @brief Stress tests for DocumentStore (marked as SLOW for CI)
+ *
+ * These tests are designed to detect concurrency bugs like use-after-free
+ * through high memory pressure and concurrent operations. They are excluded
+ * from regular CI runs due to their longer execution time.
+ */
+
+#include <gtest/gtest.h>
+
+#include <atomic>
+#include <thread>
+#include <vector>
+
+#include "storage/document_store.h"
+
+using namespace mygramdb::storage;
+
+/**
+ * @brief Stress test for RemoveDocument to detect use-after-free bugs
+ *
+ * This test targets the RemoveDocument function with high concurrency and memory
+ * pressure. It was added to prevent regression of the use-after-free bug where
+ * RemoveDocument held a reference to the primary key string after erasing the
+ * map entry (the reference became dangling).
+ *
+ * The bug manifested as:
+ * - const std::string& primary_key = pk_it->second;  // Reference to string
+ * - doc_id_to_pk_.erase(doc_id);                     // Invalidates reference
+ * - StructuredLog()...Field("primary_key", primary_key)  // Use after free!
+ *
+ * The fix was to copy the string before erasing:
+ * - std::string primary_key = pk_it->second;  // Copy the string
+ */
+TEST(DocumentStoreStressTest, RemoveDocumentUseAfterFreeRegression) {
+  constexpr int kIterations = 10;
+  constexpr int kDocsPerIteration = 500;
+  constexpr int kNumThreads = 8;
+
+  for (int iter = 0; iter < kIterations; ++iter) {
+    DocumentStore store;
+
+    // Add documents with long primary keys to increase memory churn
+    std::vector<DocId> doc_ids;
+    doc_ids.reserve(kDocsPerIteration);
+
+    for (int i = 0; i < kDocsPerIteration; ++i) {
+      // Use longer primary keys to increase memory allocation/deallocation
+      std::string pk = "primary_key_with_longer_content_for_memory_pressure_" + std::to_string(iter) + "_" +
+                       std::to_string(i) + "_padding";
+
+      std::unordered_map<std::string, FilterValue> filters;
+      filters["iteration"] = static_cast<int64_t>(iter);
+      filters["index"] = static_cast<int64_t>(i);
+
+      auto result = store.AddDocument(pk, filters);
+      ASSERT_TRUE(result.has_value()) << "Failed to add document " << i;
+      doc_ids.push_back(*result);
+    }
+
+    ASSERT_EQ(store.Size(), kDocsPerIteration);
+
+    // Concurrent deletion from multiple threads
+    std::vector<std::thread> threads;
+    std::atomic<int> delete_count{0};
+    std::atomic<int> docs_per_thread = kDocsPerIteration / kNumThreads;
+
+    for (int t = 0; t < kNumThreads; ++t) {
+      threads.emplace_back([&store, &doc_ids, &delete_count, &docs_per_thread, t]() {
+        int start = t * docs_per_thread;
+        int end = (t == kNumThreads - 1) ? static_cast<int>(doc_ids.size()) : start + docs_per_thread;
+
+        for (int i = start; i < end; ++i) {
+          // RemoveDocument should not crash even with concurrent access
+          // The bug was that primary_key reference became invalid after erase
+          bool removed = store.RemoveDocument(doc_ids[i]);
+          if (removed) {
+            delete_count++;
+          }
+        }
+      });
+    }
+
+    for (auto& thread : threads) {
+      thread.join();
+    }
+
+    // All documents should be deleted
+    EXPECT_EQ(delete_count.load(), kDocsPerIteration) << "Iteration " << iter << " failed";
+    EXPECT_EQ(store.Size(), 0) << "Store not empty after iteration " << iter;
+
+    // Verify all documents are gone
+    for (const auto& doc_id : doc_ids) {
+      auto doc = store.GetDocument(doc_id);
+      EXPECT_FALSE(doc.has_value()) << "Document " << doc_id << " still exists";
+    }
+  }
+}
+
+/**
+ * @brief Test concurrent add and remove operations with memory stress
+ *
+ * This test creates memory pressure by doing rapid add/remove cycles
+ * across multiple threads, which increases the likelihood of detecting
+ * use-after-free bugs due to memory reuse.
+ */
+TEST(DocumentStoreStressTest, ConcurrentAddRemoveMemoryStress) {
+  DocumentStore store;
+
+  constexpr int kNumThreads = 6;
+  constexpr int kOperationsPerThread = 200;
+
+  std::atomic<bool> stop{false};
+  std::atomic<int> add_success{0};
+  std::atomic<int> remove_success{0};
+  std::vector<std::thread> threads;
+
+  // Producer threads - add documents
+  for (int t = 0; t < kNumThreads / 2; ++t) {
+    threads.emplace_back([&store, &stop, &add_success, t]() {
+      int counter = 0;
+      while (!stop && counter < kOperationsPerThread) {
+        std::string pk = "stress_add_thread_" + std::to_string(t) + "_doc_" + std::to_string(counter) +
+                         "_with_extra_padding_for_memory_allocation";
+
+        std::unordered_map<std::string, FilterValue> filters;
+        filters["thread"] = static_cast<int64_t>(t);
+        filters["counter"] = static_cast<int64_t>(counter);
+        filters["description"] = std::string("Document created by thread ") + std::to_string(t);
+
+        auto result = store.AddDocument(pk, filters);
+        if (result.has_value()) {
+          add_success++;
+        }
+        counter++;
+      }
+    });
+  }
+
+  // Consumer threads - remove documents (will remove whatever exists)
+  for (int t = 0; t < kNumThreads / 2; ++t) {
+    threads.emplace_back([&store, &stop, &remove_success]() {
+      while (!stop) {
+        // Get all doc IDs and try to remove some
+        auto all_ids = store.GetAllDocIds();
+        for (const auto& doc_id : all_ids) {
+          if (stop)
+            break;
+          if (store.RemoveDocument(doc_id)) {
+            remove_success++;
+          }
+        }
+        // Small yield to allow other operations
+        std::this_thread::yield();
+      }
+    });
+  }
+
+  // Let it run for a bit
+  std::this_thread::sleep_for(std::chrono::milliseconds(300));
+  stop = true;
+
+  for (auto& thread : threads) {
+    thread.join();
+  }
+
+  // Verify operations completed without crashes
+  EXPECT_GT(add_success.load(), 0) << "No documents were added";
+  // Note: remove_success may be 0 if all adds happened after removes finished
+  // The main verification is that no crashes occurred
+
+  // Final state verification
+  size_t final_size = store.Size();
+  EXPECT_GE(final_size, 0);
+}