
Finaliser on weak pointers allows access to an invalid address #5233

Closed
vicuna opened this issue Mar 1, 2011 · 2 comments

@vicuna
commented Mar 1, 2011

Original bug ID: 5233
Reporter: bobot
Assigned to: @damiendoligez
Status: closed (set by @damiendoligez on 2012-06-21T14:31:52Z)
Resolution: fixed
Priority: normal
Severity: crash
Version: 3.13.0+dev
Target version: 4.01.0+dev
Fixed in version: 4.00.0+dev
Category: ~DO NOT USE (was: OCaml general)
Monitored by: mehdi @ygrek "Julien Signoles"

Bug description

In bytecode, if a weak pointer and the value it points to are garbage collected at the same time, a finaliser which dereferences the weak pointer can access invalid memory.

For example, the following code produces a segmentation fault:

```ocaml
open Printf

let target = ref [2;3]

let t = ref (Weak.create 1)

let () =
  Weak.set !t 0 (Some !target);
  Gc.finalise (fun w -> match Weak.get w 0 with
    | None -> printf "Consistent\n"
    | Some [] -> printf "How its possible?\n"
    | Some (i::_) -> printf "Value not garbage collected : %i\n" i) !t

(* Force to grow the heap *)
let b = ref (Array.create 10000000 1)

let () =
  (* release the target and the weak array *)
  target := [2];
  t := (Weak.create 1);
  (* Allow the heap to be reduced in order to point outside the heap *)
  b := Array.create 1 1;
  (* Start a whole Gc phase *)
  Gc.compact ()
```

Additional information

Reproducible with bytecode in 3.11.2

In native code the segmentation fault doesn't appear, but the target seems not to
be garbage collected. The example produces "Value not garbage collected : 2".
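A finalisation pattern that does not depend on dereferencing a weak slot from inside the weak array's own finaliser, added here as an illustration and not code from this issue or from the OCaml testsuite: the finaliser is attached to the target value, and the weak slot is only ever read through Weak.check / Weak.get with the None case handled. The `resource` type, the `registry` array and the `describe` helper are assumptions for the example; it assumes OCaml 4.03 or later for Sys.opaque_identity.

```ocaml
(* Added example, not from the issue: keep finalisers off the weak array and
   treat every weak slot as possibly cleared. *)

type resource = { id : int; payload : int list }   (* hypothetical type *)

(* Registry of resources, held weakly so it never keeps them alive. *)
let registry : resource Weak.t = Weak.create 4

let register i r =
  Weak.set registry i (Some r);
  (* Finaliser on the target itself: it runs when [r] becomes unreachable,
     whether or not the weak slot has already been cleared, so it never
     needs to read the slot. *)
  Gc.finalise (fun r -> Printf.printf "finalising resource %d\n" r.id) r

(* Report the state of one slot without assuming it is still set.
   [Weak.check] and [Weak.get] are both consulted because the GC may clear
   the slot between the two calls; [None] is a normal outcome, not an error. *)
let describe i =
  if not (Weak.check registry i) then
    Printf.sprintf "slot %d: cleared" i
  else
    match Weak.get registry i with
    | None -> Printf.sprintf "slot %d: cleared" i
    | Some r ->
      Printf.sprintf "slot %d: live, id=%d, len=%d" i r.id (List.length r.payload)

let () =
  let keep = { id = 1; payload = [1; 2; 3] } in
  register 0 keep;
  register 1 { id = 2; payload = [4; 5; 6] };   (* no strong reference survives *)
  (* A value whose finaliser has just run may only be reclaimed by a later
     cycle, so force more than one full major collection. *)
  Gc.full_major ();
  Gc.full_major ();
  print_endline (describe 0);   (* still reachable through [keep] *)
  print_endline (describe 1);   (* target unreachable: reported as cleared *)
  ignore (Sys.opaque_identity keep)
```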

@vicuna



commented May 17, 2011

Comment author: @damiendoligez

In fact, you get into trouble as soon as you finalise a weak array.
This is a bit troublesome to fix, so it will not be fixed for 3.12.1.

@vicuna



commented Jun 21, 2012

Comment author: @damiendoligez

As far as I can tell, the "Value not garbage collected" message is consistent with the semantics of weak pointers.

I have added a better test case in testsuite/tests/regression/pr5233

Fixed in 4.00 (commit 12625) and trunk (commit 12627).

@vicuna vicuna closed this Jun 21, 2012

@vicuna vicuna added this to the 4.01.0 milestone Mar 14, 2019

@vicuna vicuna added the bug label Mar 20, 2019
