Fixed bug #8150 : Process could attach to the deleted instance of shared memory

Patch and additional comments by @AlexPeshkoff

src/common/isc_sync.cpp

@@ -1127,13 +1127,17 @@ void SharedMemoryBase::removeMapFile()
 	if (!sh_mem_header->isDeleted())
 	{
 #ifndef WIN_NT
-		unlinkFile();
+		FileLockHolder initLock(initFile);
+		if (!sh_mem_header->isDeleted())
+		{
+			unlinkFile();
+			sh_mem_header->markAsDeleted();
+		}
 #else
 		fb_assert(!sh_mem_unlink);
 		sh_mem_unlink = true;
-#endif // WIN_NT
-
 		sh_mem_header->markAsDeleted();
+#endif // WIN_NT
 	}
 }
 

src/jrd/tpc.cpp

@@ -385,6 +385,10 @@ TipCache::StatusBlockData::StatusBlockData(thread_db* tdbb, TipCache* tipCache,
 
 	try
 	{
+		// Here SharedMemory constructor is called with skipLock parameter set to true.
+		// Appropriate locking is performed by existenceLock using LM.
+		// This should be in sync with SharedMemoryBase::unlinkFile() call
+		// in TipCache::StatusBlockData::clear().
 		memory = FB_NEW_POOL(*dbb->dbb_permanent) SharedMemory<TransactionStatusBlock>(
 			fileName.c_str(), blockSize,
 			&cache->memBlockInitializer, true);
@@ -462,6 +466,11 @@ void TipCache::StatusBlockData::clear(thread_db* tdbb)
 
 	if (fName.hasData())
 	{
+		// Here file is removed from SharedMemory created with skipLock parameter
+		// set to true. That means internal file lock is turned off.
+		// Appropriate locking is performed by existenceLock using LM.
+		// This should be in sync with SharedMemory constructor called
+		// in TipCache::StatusBlockData constructor.
 		if (LCK_lock(tdbb, &existenceLock, LCK_EX, LCK_NO_WAIT))
 			SharedMemoryBase::unlinkFile(fName.c_str());
 		else