From: "Ludovic Courtès" <ludo@gnu.org>
To: Mathieu Othacehe <othacehe@gnu.org>
Cc: 58732@debbugs.gnu.org
Subject: bug#58732: installer: finalizers & device destroy segfault
Date: Mon, 07 Nov 2022 14:29:45 +0100 [thread overview]
Message-ID: <87iljquc3a.fsf@gnu.org> (raw)
In-Reply-To: <87sfiwm297.fsf@gnu.org> (Mathieu Othacehe's message of "Sun, 06 Nov 2022 18:17:08 +0100")
Hi Mathieu,
Mathieu Othacehe <othacehe@gnu.org> skribis:
> I made some progress on that one. I think, this is what's going on:
>
> 1. Two new PedDevice A and B are malloc'ed by the libparted when opening
> the installer partitioning page.
>
> 2. They are added to the %devices weak hash table by pointer->device!
> and their respective finalizers are registered.
>
> 3. The partitioning ends and A goes out of scope. It is eventually
> removed from %devices but it does not mean its finalizer will be run
> immediately.
>
> 4. The partitioning is restarted using the installer menu. B is still in
> the %devices hash table. However, A is now gone and is added again to
> the %devices hash table by the pointer->device! procedure. Another
> finalizer is registered for A.
>
> That's because set-pointer-finalizer! does not *set* a finalizer it
> *adds* one.
Oh, I think I see what you mean. You’re right about
‘set-pointer-finalizer!’ adding a finalizer, but I don’t think that’s
what’s happening here.
Finalizers are set on pointer objects, so they’re invoked when the
pointer object goes out of scope. But:
(eq? (make-pointer 123) (make-pointer 123))
=> #f
So a possible mistake is to add one finalizer on each pointer object and
have several pointer objects aliasing the same C object; that’s how you
can get the same “free” function called several times on the same C
object.
> 5. The partitioning ends and both A and B goes out of scope. They are
> removed from %devices and their finalizers are called. The A finalizer
> is called twice resulting in a double free.
>
> This race condition is created by the fact that there is a time window
> where the device is removed from the %devices hash table but its
> finalizer is not immediately called.
What if we create an extra hashv table that maps pointer values
(integers) to pointer objects?
(define %pointers (make-hash-table))
(define (canonical-pointer ptr)
(or (hashv-ref %pointers (pointer-address ptr))
(begin
(hashv-set! %pointers (pointer-address ptr) ptr)
ptr)))
This is kinda terrible but it would allow us to test the above
hypothesis.
Thanks,
Ludo’.
next prev parent reply other threads:[~2022-11-07 13:30 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-23 9:07 bug#58732: installer: finalizers & device destroy segfault Mathieu Othacehe
2022-11-02 10:55 ` Ludovic Courtès
2022-11-03 11:09 ` Mathieu Othacehe
2022-11-03 11:25 ` Ludovic Courtès
2022-11-06 17:17 ` Mathieu Othacehe
2022-11-07 13:29 ` Ludovic Courtès [this message]
2022-11-07 16:37 ` Mathieu Othacehe
2022-11-09 15:25 ` Mathieu Othacehe
2022-11-10 11:42 ` Ludovic Courtès
2022-11-10 12:29 ` Mathieu Othacehe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87iljquc3a.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=58732@debbugs.gnu.org \
--cc=othacehe@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).