[QUICK] talloc bugs

Sam Liddicott sam at liddicott.com
Fri Jun 26 08:07:25 MDT 2009


Cc: to specific talloc committers and stakeholders

We've discussed this at length before[1], without conclusion, so I'll be
quick:

The talloc ideal model is broken due to promoting references to parent
inside talloc_free.

The main problem is that if a reference is promoted to owner, it can be
removed accidentally by talloc_steal. This results in risks of dangling
references.

Which particular reference is removed depends on the runtime order of
references taken/released, but the unpredictability of this is dwarfed
by possible subsequent memory trampling which can destroy the talloc
tree. This scenario is quite likely in a program where there are
loadable modules and hooks, and the outcome could be network timing
dependent.

There are/have been other talloc problems, but I'd rather bring them up
later, or you can read about them in [1].

However, to me, the main evidence of the degree of the problem is VL's
preference to implement his own reference counting rather than rely on
talloc. (Apologies to VL for using him to make a point that he himself
may not actually support).

We should either:

   1. get rid of talloc_free and talloc_steal
      (replace with talloc_unref(old_ref) and talloc_change_ref(old_ref,
      new_ref))
      This breaks the API so the sooner we consider it the better.
   2. stop promoting reference to parent after talloc_free
      This doesn't break the API and causes talloc to follow the
      documentation. I've been running choice 2 in Samba4 for some time,
      by means of a submitted patch which introduces the concept of "no
      owner" which is not enough to prevent an object being freed when
      its references all go away, but which can quite safely be stolen
      from with talloc_steal.

[1] http://lists.samba.org/archive/samba-technical/2009-January/062812.html


Sam
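
A toy model, added here and not part of Sam's mail nor of libtalloc itself, of the two talloc_free policies the mail contrasts, so the talloc_steal hazard and the "no owner" alternative can be stepped through. All function and variable names are invented; only the owner/referrer bookkeeping is modelled, not real allocation.

```c
/* Toy model of the talloc_free policies argued over in the mail. NOT libtalloc:
 * a node has one owner plus referrers (our stand-in for talloc_reference()). */
#include <stdbool.h>
#include <stddef.h>
#define MAX_REFS 4

struct node {
    struct node *parent;          /* owning context; NULL means "no owner" */
    struct node *refs[MAX_REFS];  /* contexts holding a reference to us */
    int nrefs;
};

/* like talloc_reference(ctx, obj): ctx now also holds obj */
static void model_reference(struct node *ctx, struct node *obj) {
    if (obj->nrefs < MAX_REFS) obj->refs[obj->nrefs++] = ctx;
}

/* does ctx still hold obj, either as owner or as a referrer? */
static bool model_holds(const struct node *ctx, const struct node *obj) {
    if (obj->parent == ctx) return true;
    for (int i = 0; i < obj->nrefs; i++) if (obj->refs[i] == ctx) return true;
    return false;
}

/* like talloc_free(obj) with references present; returns true if obj survives.
 * promote=true : what the mail criticises, the first referrer becomes the owner
 *                and its reference entry is consumed.
 * promote=false: option 2, "no owner": obj keeps every reference instead. */
static bool model_free(struct node *obj, bool promote) {
    if (obj->nrefs == 0) return false;      /* nobody left: really destroyed */
    if (!promote) { obj->parent = NULL; return true; }
    obj->parent = obj->refs[0];
    for (int i = 1; i < obj->nrefs; i++) obj->refs[i - 1] = obj->refs[i];
    obj->nrefs--;
    return true;
}

/* like talloc_steal(new_ctx, obj): only the owner slot is rewritten */
static void model_steal(struct node *new_ctx, struct node *obj) {
    obj->parent = new_ctx;
}

/* the mail's scenario: A owns X, B references X, X is freed, then C steals X.
 * Does B, which never released anything, still hold X afterwards? */
static bool b_still_holds_x(bool promote) {
    struct node a = {0}, b = {0}, c = {0}, x = { .parent = &a };
    model_reference(&b, &x);
    model_free(&x, promote);
    model_steal(&c, &x);
    return model_holds(&b, &x);   /* false with promotion, true with "no owner" */
}
```

With promotion, B's reference was silently turned into ownership and then taken away by the steal, which is the dangling-reference risk the mail describes; with "no owner" the steal only fills the empty owner slot and B's hold survives.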
