serf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Stein <gst...@gmail.com>
Subject Re: svn commit: r1712718 - /serf/trunk/buckets/allocator.c
Date Thu, 05 Nov 2015 13:31:00 GMT
Seems this should be tried straight into the allocator debugging, rather
than separately configurable. Use-after-free is quite bad, so I think it
should always die right away.

Your work on reporting unfreed items is a bit different, as some
applications *may* choose to leave some allocations until the process exits.

On Thu, Nov 5, 2015 at 1:40 AM, <ivan@apache.org> wrote:

> Author: ivan
> Date: Thu Nov  5 07:40:58 2015
> New Revision: 1712718
>
> URL: http://svn.apache.org/viewvc?rev=1712718&view=rev
> Log:
> Add another diagnostic macro SERF__DEBUG_USE_AFTER_FREE to detect usage of
> bucket allocator after it destroyed by pool cleanup.
>
> * buckets/allocator.c
>   (SERF__DEBUG_USE_AFTER_FREE): New. Commented by default.
>   (allocator_cleanup): Set ALLOCATOR->POOL to NULL if
>    SERF__DEBUG_USE_AFTER_FREE is defined.
>   (serf_bucket_mem_alloc, serf_bucket_mem_free): Abort if ALLOCATOR->POOL
>    is NULL and SERF__DEBUG_USE_AFTER_FREE is defined.
>
> Modified:
>     serf/trunk/buckets/allocator.c
>
> Modified: serf/trunk/buckets/allocator.c
> URL:
> http://svn.apache.org/viewvc/serf/trunk/buckets/allocator.c?rev=1712718&r1=1712717&r2=1712718&view=diff
>
> ==============================================================================
> --- serf/trunk/buckets/allocator.c (original)
> +++ serf/trunk/buckets/allocator.c Thu Nov  5 07:40:58 2015
> @@ -35,6 +35,11 @@
>   * unfreed blocks on pool cleanup. */
>  /* #define SERF__DEBUG_UNFREED_MEMORY */
>
> +/* Define SERF__DEBUG_USE_AFTER_FREE if you're interested to prevent
> + * access bucket allocator after free.
> + * TODO: Should we do this by default? */
> +/* #define SERF__DEBUG_USE_AFTER_FREE */
> +
>  typedef struct node_header_t {
>      apr_size_t size;
>      union {
> @@ -151,6 +156,10 @@ static apr_status_t allocator_cleanup(vo
>          apr_allocator_destroy(allocator->allocator);
>      }
>
> +#ifdef SERF__DEBUG_USE_AFTER_FREE
> +    /* Set POOL to NULL to detect allocator usage after destroy. */
> +    allocator->pool = NULL;
> +#endif
>      return APR_SUCCESS;
>  }
>
> @@ -214,6 +223,14 @@ void *serf_bucket_mem_alloc(
>      node_header_t *node;
>      void *block;
>
> +#ifdef SERF__DEBUG_USE_AFTER_FREE
> +    if (allocator->pool == NULL) {
> +        /* Attempt to use bucket allocator after it destroyed by
> +         * pool cleanup. */
> +        abort();
> +    }
> +#endif
> +
>      ++allocator->num_alloc;
>
>      size += SIZEOF_NODE_HEADER_T;
> @@ -297,6 +314,13 @@ void serf_bucket_mem_free(
>  {
>      node_header_t *node;
>
> +#ifdef SERF__DEBUG_USE_AFTER_FREE
> +    if (allocator->pool == NULL) {
> +        /* Attempt to use bucket allocator after it destroyed by
> +         * pool cleanup. */
> +        abort();
> +    }
> +#endif
>      --allocator->num_alloc;
>
>      node = (node_header_t *)((char *)block - SIZEOF_NODE_HEADER_T);
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message