talloc -- Eureka*
sam at liddicott.com
Wed Jul 29 00:28:28 MDT 2009
* tridge wrote, On 29/07/09 00:19:
> Hi Sam,
> If you can come up with a neat implementation of a new reference
> counting function for talloc and that implementation doesn't make the
> talloc code a lot more difficult to maintain then please do post a
> patch for this.
Certainly; we'll see how much more difficult it becomes; but I'll guess
nowhere near as difficult as any of the other suggestions.
> > Let there be a new talloc_safe_reference which marks the reference to
> > prevent talloc_free from considering it, and which is NOT counted with
> > tridges new test.
> please, don't call it "safe", and especially don't call it
> talloc_safe_reference(). Compilers don't read English, so the compiler
> won't generate safer code.
I was calling it safe because it will contain safer code; it will
generate references that don't get unpredictably stolen.
> I'm guessing you're calling it "safe" as
> you think it is safer to use. That could well tempt people to replace
> existing uses of talloc_reference() with calls to
> talloc_safe_reference(). As I've shown, this can lead to security
> holes, so it is definitely not "safe".
Ah, people /are/ dangerous.
However, they /should/ be moving to talloc_safe_reference, but a mere
search and replace won't do.
> What you're proposing is a different function with quite different
> semantics, so please give it a different name too.
Perhaps we'll call it talloc_sticky_reference and
#define talloc_slippy_reference _talloc_reference
#define talloc_reference talloc_reference_is_too_dangerous_for_you
We can make quite a feature of talloc_slippy_reference, which can be
used when calling functions that talloc_free before they return.
I'll send the patch shortly.