talloc -- Eureka*

[Sam Liddicott]

* tridge wrote, On 29/07/09 00:19:
> Hi Sam,
> 
> If you can come up with a neat implementation of a new reference
> counting function for talloc and that implementation doesn't make the
> talloc code a lot more difficult to maintain then please do post a
> patch for this. 

Certainly; we'll see how much more difficult it becomes; but I'll guess
nowhere near as difficult as any of the other suggestions.

>  > Let there be a new talloc_safe_reference which marks the reference to 
>  > prevent talloc_free from considering it, and which is NOT counted with 
>  > tridges new test.
> 
> please, don't call it "safe", and especially don't call it
> talloc_safe_reference(). Compilers don't read English, so the compiler
> won't generate safer code. 

I was calling it safe because it will contain safer code, it will
generate references that don't get unpredictably stolen.

> I'm guessing you're calling it "safe" as
> you think it is safer to use. That could well tempt people to replace
> existing uses of talloc_reference() with calls to
> talloc_safe_reference(). As I've shown, this can lead to security
> holes, so it is definately not "safe".

Ah, people /are/ dangerous.
However they /should/ be moving to talloc_safe_reference but a mere
search and replace won't do.

> What you're proposing is a different function with quite different
> semantics, so please give it a different name too.

Perhaps we'll call it talloc_sticky_reference and
#define talloc_slippy_reference _talloc_reference
#define talloc_reference talloc_reference_is_too_dangerous_for_you

We can make quite a feature of talloc_slippy_reference; which can be
used when calling functions that talloc_free before they return.

I'll send the patch shortly.

Sam