talloc issues

Michael Adam obnox at samba.org
Tue Jul 28 16:48:05 MDT 2009

Hi Tridge,

tridge at samba.org wrote:
>  > 2. With Tridge's changes, all users of talloc_free() need to
>  >    be reviewed. Those that conciously want to free a reference
>  >    need changing, but those callers that use  talloc_free()
>  >    on simply allocated talloc contexts are potentially broken
>  >    too, because they need to know whether there are references,
>  >    so they need changing, too.
>  > 
>  > 3. With the changes proposed by Sam and Metze, the "naive" users
>  >    of talloc/talloc_free are ok as they are. But the users of
>  >    references that want to free the reference need to be changed.
>  > 
>  > Have I misunderstood anything basic here?
> yes, I think you have. The cases 2 and 3 above are reversed :-)

Sorry for being ignorant, but I don't see why:

* If I understood your change correctly, your patch changed talloc_free()
  to fails when called on a pointer with more than one
  parent, i.e. with references.

  This does mean that it breaks the basic use of
  talloc()/talloc_free() when someone takes references inbetween.
  This means that all callers of talloc_free() need to be reviewed
  and possibly changed to something else. Doesn't it?

* On the other hand side, with the change Metze proposed,
  talloc_free() will succeed if called on the original parent, so
  the basic users can be kept as they are. But the callers of
  talloc_free() that call it with a reference, must be changed to
  use talloc_unreference() instead.

This is what I meant above. What is my misconception here?

> The point of my changes was that the review would happen automatically
> and be absolutely accurate as we are catching all the cases where
> there are problems using the logic in the code. The only places where
> semantics change are all caught by the warning I added. So if no
> warning is produced then we know the code is doing something that is
> OK.

This is of course a brilliant technical realization.
But couldn't the same technique be applied to Sam's/Metze's

> For Sam's proposed changes there are no such guarantees. All code
> needs to be manually reviewed, even the ones that seem naive on first
> glance.

When voting in favour of their approach I was not referring to
the complete implementation including aborts and so on, but
the conceptual change to the behaviour of talloc_free() and

> When I added the warning to my changes it took Andrew and me
> quite a while to even find the cause of the warning in some cases, as
> they were spread across multiple files. Some of them looked "obviously
> correct" but they weren't.
> Manual inspection of massive code bases does not work for anything but
> the simplest cases. This is not a simple case.

I agree 100%.

>  > With Tridge's changes, we need to change even more callers than
>  > with the Sam/Metze approach.
> no. I believe we have already identified all the cases we need to
> change for the patches I've put in. There may be some more lurking,
> but if there are we will find them as soon as they trigger.

But this does not seem to be robust to me:
When a user of talloc_free() is safe now, it may fail in the
future, when an implementation of a function called changes
to add references to the context. But IMHO this should not matter.

The discussion of the basic design continues in other mails,
so I stop here now.

Tridge: Sorry for insisting. I am reviving this discussion
again and again now, because I want to understand, and I think
we need to come to a solution that is satisfactory
from the existing and future users point of view as well as
regarding the design of talloc. And therefore, I think we
need to find a solution on this higher level before loosing
ourselves in techincal details.

Cheers - Michael

> With the changes proposed by Sam we have no idea how many there are,
> and we have no way of measuring whether we've found them.
> Sam's changes reverse the sense of talloc_free on a pointer with
> references, with no warning. My changes ban the use of talloc_free on
> references, with a warning.
>  > But the way in which the code reacts to the error is not implied
>  > by the design that the respective approach implements.
>  > We could well change metze's code to thow the same sort of
>  > error messages instead of aborting. Just like yours.
> If that is the proposal then I'll look at it. As it is, the patches
> reverse existing behaviour with no warning. Sam has been pushing this
> as one of the advantages of his patch as he proposes it fixes things
> with no pain. That is not true.
>  > I still think that the benefit of the sam/metze aproach is that
>  > the basic users need no change. And the users of talloc_reference
>  > need to be audited and changed.
> It is a 'basic user' that does the dereference of freed memory in the
> example I posted. The basic user does not know that someone else has
> taken a reference deep in a library routine.
> Cheers, Tridge
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 206 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090729/dc57fee6/attachment.pgp>

More information about the samba-technical mailing list