fix: throw on OOM shutdown instead of returning nullptr (#14)

rophy · rophy · commit 4505579c10cf · 2026-03-17T03:06:56.000+08:00
getMemoryChunk() returned nullptr during hardShutdown but most callers
never checked, causing null pointer dereferences under tight memory +
heavy LOB redo. Now throws RuntimeException(10018) consistently.

Validated on RAC VM: OLR shuts down gracefully instead of crashing.
diff --git a/UPSTREAM-CHANGES.md b/UPSTREAM-CHANGES.md
@@ -37,6 +37,7 @@ Multi-thread redo log processing for Oracle RAC.
 | 1a2d316b | LOB INSERT preserved from phantom undo in streaming | Transaction.cpp | [#10](https://github.com/rophy/olr/issues/10) |
 | ddf6bc04 | skip truncated URP null bitmap instead of abort | OpCode0504.cpp | — |
 | 7cbd0580 | decode ROWID column type (type# 69) | Builder.cpp, SysCol.h, BuilderJson.* | [#15](https://github.com/rophy/olr/issues/15) |
+| — | OOM null-deref crash: throw instead of returning nullptr | Ctx.cpp, MemoryManager.cpp | [#14](https://github.com/rophy/olr/issues/14) |
 
 **Upstream PR candidates:** All — these are correctness fixes
 
diff --git a/src/common/Ctx.cpp b/src/common/Ctx.cpp
@@ -459,7 +459,7 @@ namespace OpenLogReplicator {
                     outOfMemoryParser = true;
 
                 if (hardShutdown)
-                    return nullptr;
+                    throw RuntimeException(10018, "shutdown during memory allocation for: " + memoryModules[static_cast<uint>(module)]);
 
                 info(0, "OOM: waiting for memory module=" + memoryModules[static_cast<uint>(module)] +
                      " free=" + std::to_string(memoryChunksFree) + " alloc=" + std::to_string(memoryChunksAllocated) +
diff --git a/src/common/MemoryManager.cpp b/src/common/MemoryManager.cpp
@@ -239,8 +239,6 @@ namespace OpenLogReplicator {
 
     bool MemoryManager::unswap(Xid xid, int64_t index) {
         uint8_t* tc = ctx->getMemoryChunk(this, Ctx::MEMORY::TRANSACTIONS, true);
-        if (tc == nullptr)
-            return false;
 
         const std::string fileName = swapPath + "/" + xid.toString() + ".swap";
         struct stat fileStat{};
diff --git a/tests/KNOWN-LIMITATIONS.md b/tests/KNOWN-LIMITATIONS.md
@@ -230,26 +230,25 @@ no output for the scenario.
 
 ---
 
-## L10. OLR Crash on RAC LOB + Log Switch
+## L10. ~~OLR Crash on RAC LOB + Log Switch~~ (FIXED)
 
-OLR crashes with a null pointer dereference in `Reader.cpp:111` when
-processing heavy LOB operations spanning multiple log switches on RAC.
+**Root cause:** `Ctx::getMemoryChunk()` returned `nullptr` during
+`hardShutdown` (OOM condition), but 7 of 9 callers never checked for null.
+Under tight memory + heavy LOB redo, the parser consumed all available chunks,
+the reader's allocation failed silently, and the subsequent dereference
+crashed.
 
-**Evidence — test output (2026-03-16):**
+**Fix:** Changed `getMemoryChunk()` to throw `RuntimeException(10018)` instead
+of returning `nullptr` on hard shutdown. This is consistent with the existing
+throw at line 489-490 (post-allocation shutdown check). Removed the one
+now-unreachable null check in `MemoryManager::unswap()`.
 
-```
-Reader.cpp:111:21: runtime error: load of null pointer of type 'uint8_t'
-```
-
-Occurs when advancing to a new archive log sequence on thread 2 during
-`rac-lob-log-switch` scenario (40 LOB inserts + 10 updates + 10 deletes
-across both nodes).
+**Validated:** Reproduced 10/10 on RAC VM with 32-64MB memory + LOB DML from
+both nodes. After fix, OLR shuts down gracefully with error 10018 instead of
+crashing.
 
 **Tracked:** [rophy/olr#14](https://github.com/rophy/olr/issues/14)
 
-**Test handling:** `rac-lob-log-switch` scenario cannot be used until bug is
-fixed.
-
 ---
 
 ## L11. OLR Does Not Support Invisible Columns
@@ -305,6 +304,6 @@ applies at DB creation, not pre-built).
 |----|------------|-------|---------------|
 | L8 | ROWID column (type# 69) not decoded | [#15](https://github.com/rophy/olr/issues/15) | `rowid-column` |
 | L9 | IOT not discovered in metadata | [#16](https://github.com/rophy/olr/issues/16) | `iot-table` |
-| L10 | RAC LOB + log switch null pointer crash | [#14](https://github.com/rophy/olr/issues/14) | `rac-lob-log-switch` |
+| ~~L10~~ | ~~RAC LOB + log switch null pointer crash~~ (FIXED) | [#14](https://github.com/rophy/olr/issues/14) | — |
 | L11 | Invisible columns not tracked | — | — |
 | L12 | US7ASCII charset corruption | [#2](https://github.com/rophy/olr/issues/2) | `multibyte-passthrough` (@TAG) |
diff --git a/tests/sql/TEST-COVERAGE.md b/tests/sql/TEST-COVERAGE.md
@@ -91,7 +91,7 @@ All limitations reference entries in [`KNOWN-LIMITATIONS.md`](KNOWN-LIMITATIONS.
 | US7ASCII charset | OLR charset bug ([#2](https://github.com/rophy/olr/issues/2)) | L12 |
 | Invisible columns | No property flag in SysCol | L11 |
 | IOT | OLR doesn't discover IOTs in metadata | L9 |
-| RAC LOB + log switch | OLR crash ([#14](https://github.com/rophy/olr/issues/14)) | L10 |
+| ~~RAC LOB + log switch~~ | ~~OLR crash~~ (FIXED — [#14](https://github.com/rophy/olr/issues/14)) | ~~L10~~ |
 
 > **Note:** DDL scenarios (`@DDL` marker) are validated in redo-log regression tests (LogMiner comparison)
 > but **not** in Debezium twin-test. The Debezium OLR adapter does not support mid-stream
