| Title | mps_arena_destroy may crash if some objects aren't destroyed |
| Status | closed |
| Priority | essential |
| Assigned user | Gareth Rees |
| Organization | Ravenbrook |
| Description | If a root is not destroyed first, mps_arena_destroy() can crash (in ArenaFinish -> GlobalsFinish -> GlobalsCheck -> RingCheck). This may also apply to other data structures allocated in the control pool. |
| Analysis | The control pool is finished from ArenaDestroy, and may be unmapped as a result. Then GlobalsFinish calls GlobalsCheck, which calls RingCheck on the rootRing. If there is a root left on the rootRing, this may crash when dereferencing the root structure to test ring->prev->next == ring. This won't always show up, because the arena has some hysteresis in mapping and unmapping memory, so some or all of the control pool memory may not get unmapped, especially in small tests. This was reported by a client [1], who also reports hard crashes if he forgets to destroy an allocation point. There's a similar failure mode for that. We should check that the root ring is empty before destroying the control pool. RHSK 2010-03-02 I think I encountered this too: see changelist 168533 [2], 2009/08/28, mps/branch/2009-03-31/padding/ GDR 2012-10-26: I encountered this too. See point 6 of [3]. GDR 2013-06-04: I fixed most cases in change 182258, but there's still a problem if you don't destroy all pools. The trouble is that ControlFinish is called before ReservoirFinish, which calls PoolCheck, which calls RingCheck, which dereferences a pointer inside the unmapped memory. Can we arrange not to call ControlFinish until inside ArenaFinish? |
| How found | customer |
| Evidence | [1] <http://info.ravenbrook.com/mail/2003/01/09/13-22-45/0/>[2] < https://info.ravenbrook.com/infosys/cgi/perfbrowse.cgi?@describe+168533>[3] < http://info.ravenbrook.com/mail/2012/10/04/17-38-59/0/> |
| Observed in | 1.100.1 |
| Created by | Nick Barnes |
| Created on | 2003-01-09 17:18:03 |
| Last modified by | Gareth Rees |
| Last modified on | 2014-04-14 22:31:34 |
| History | 2003-01-09 NB Created. 2010-03-02 RHSK Encountered again. 2012-10-26 GDR And again! |
| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 185527 | closed | 2014-04-14 22:31:24 | Gareth Rees | Check the poolRing so that there is an assertion failure (not a crash) if the client fails to destroy a pool. |
| 182633 | open | 2013-06-08 16:16:48 | Gareth Rees | Improve the explanation at the start of GlobalsFinish. Put assertion from vmChunkDestroy into the manual. |
| 182258 | open | 2013-05-27 12:58:05 | Gareth Rees | Assert instead of crashing in mps_arena_destroy when the client has failed to destroy some data structures. Also, don't forget to finish the chainRing. |