Fix data race in string fixup during inlining.

Switches to using the fixed size allocator, so we can free the array of strings at a safepoint, thus preventing reads of freed memory.
MoarVM · Jan 11, 2017 · ef4d6a7 · ef4d6a7
1 parent 5389d60
commit ef4d6a7
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 5 deletions.
diff --git a/src/6model/reprs/MVMCompUnit.c b/src/6model/reprs/MVMCompUnit.c
@@ -94,7 +94,10 @@ static void gc_free(MVMThreadContext *tc, MVMObject *obj) {
         MVM_fixed_size_free(tc, tc->instance->fsa,
             body->num_extops * sizeof(MVMExtOpRecord),
             body->extops);
-    MVM_free(body->strings);
+    if (body->strings)
+        MVM_fixed_size_free(tc, tc->instance->fsa,
+            body->num_strings * sizeof(MVMString *),
+            body->strings);
     MVM_free(body->scs);
     MVM_free(body->scs_to_resolve);
     MVM_free(body->sc_handle_idxs);

diff --git a/src/core/bytecode.c b/src/core/bytecode.c
@@ -854,7 +854,8 @@ void MVM_bytecode_unpack(MVMThreadContext *tc, MVMCompUnit *cu) {
     rs = dissect_bytecode(tc, cu);
 
     /* Allocate space for the strings heap; we deserialize it lazily. */
-    cu_body->strings = MVM_calloc(rs->expected_strings, sizeof(MVMString *));
+    cu_body->strings = MVM_fixed_size_alloc_zeroed(tc, tc->instance->fsa,
+        rs->expected_strings * sizeof(MVMString *));
     cu_body->num_strings = rs->expected_strings;
     cu_body->orig_strings = rs->expected_strings;
     cu_body->string_heap_fast_table = MVM_calloc(

diff --git a/src/core/compunit.c b/src/core/compunit.c
@@ -145,10 +145,16 @@ MVMuint32 MVM_cu_string_add(MVMThreadContext *tc, MVMCompUnit *cu, MVMString *st
         }
     if (!found) {
         /* Not known; let's add it. */
+        size_t orig_size = cu->body.num_strings * sizeof(MVMString *);
+        size_t new_size = (cu->body.num_strings + 1) * sizeof(MVMString *);
+        MVMString **new_strings = MVM_fixed_size_alloc(tc, tc->instance->fsa, new_size);
+        memcpy(new_strings, cu->body.strings, orig_size);
         idx = cu->body.num_strings;
-        cu->body.strings = MVM_realloc(cu->body.strings,
-            (idx + 1) * sizeof(MVMString *));
-        cu->body.strings[idx] = str;
+        new_strings[idx] = str;
+        if (cu->body.strings)
+            MVM_fixed_size_free_at_safepoint(tc, tc->instance->fsa, orig_size,
+                cu->body.strings);
+        cu->body.strings = new_strings;
         cu->body.num_strings++;
     }