Re: Self help (3) ...

From: Michael Meeks <michael ximian com>
To: Antonio Beamud Montero <antonio beamud agoratechnologies com>
Cc: <gnome-devel-list gnome org>
Subject: Re: Self help (3) ...
Date: Thu, 23 Aug 2001 18:34:06 -0400 (EDT)

Hi Antonio,

On 23 Aug 2001, Antonio Beamud Montero wrote:
> >       for (l = priv->list; l; l = l->next)
> >               bonobo_object_release_unref (l->data, NULL);
> >       g_slist_free (priv->list);
>
> Why the list can be empty? Can you put an example...

	Let's pretend this list unreffing action is happening in a method
called 'foo' lets construct a stack frame ( and it might seem backwards -
it is in the order gdb would show it to you )

1 foo ()
2 foo_skel ()
3 ... ORBit ...
4 Bonobo_Unknown_unref ()
5 bonobo_object_release_unref ()
6 foo ()
7 foo_skel ()
8 ... ORBit ...

	So frame 1 will quit having freed the list, frame 2 returns to the
ORB, which could continue processing any number of other CORBA requests
until it determines it's time to return to frame 4, then to 5 and we hit
6. ie. Frame 1 re-entered Frame 6's method - with the same priv pointer.

	Frame 6 is still holding pointers into the list that have been
already freed in ( what was frame 1 ), it will continue to iterate over
the list causing untold memory corruption.

	Of course in order for this to happen, a remote process would have
to dispatche a double 'foo' method, which you may think is safe, since
you've guarded the function - once it has completed against re-entering
perhaps thus:

	if (a->priv) {
      		for (l = priv->list; l; l = l->next)
              		bonobo_object_release_unref (l->data, NULL);
       		g_slist_free (priv->list);

		g_free (a->priv);
	} /* else re-entered */

	a->priv = NULL;

	The issue is that it can re-enter before a->priv is set to NULL
and try freeing the list that is already being freed. One solution to this
is:

	MyPriv *priv = a->priv;
	a->priv = NULL;

	if (priv) {
      		for (l = priv->list; l; l = l->next)
              		bonobo_object_release_unref (l->data, NULL);
       		g_slist_free (priv->list);
	}

	This solves the immediate problem - _but_ if other CORBA methods
will be operating on the list at the same time - either traversing or
removing elements - you can get similar but more benign re-enterancy
issues.

	I hope that makes it somewhat clearer.

> Thanks for your lessons.

	My pleasure,

		Michael.

-- 
 mmeeks gnu org  <><, Pseudo Engineer, itinerant idiot

References:
- Re: Self help (3) ...
  - From: Antonio Beamud Montero

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]