[QUICK] talloc bugs
simo
idra at samba.org
Fri Jun 26 08:17:33 MDT 2009
On Fri, 2009-06-26 at 15:07 +0100, Sam Liddicott wrote:
> Cc: to specific talloc committers and stakeholders
>
> We've discussed this at length before[1], without conclusion, so I'll
> be quick:
>
> The talloc ideal model is broken due to promoting references to parent
> inside talloc_free.
>
> The main problem is that if a reference is promoted to owner, it can
> be removed accidentally by talloc_steal. This results in risks of
> dangling references.
>
> Which particular reference is removed depends on the runtime order of
> references taken/released, but the unpredictability of this is dwarfed
> by possible subsequent memory trampling which can destroy the talloc
> tree. This scenario is quite likely in a program where there are
> loadable modules and hooks, and the outcome could be network timing
> dependent.
>
> There are/have been other talloc problems but I'd rather bring them up
> later or you can read about them in [1].
>
> However, to me, the main evidence of the degree of the problem is VL's
> preference to implement his own reference counting rather than rely on
> talloc. (Apologies to VL for using him to make a point that he himself
> may not actually support).
>
> We should either:
> 1. get rid of talloc_free and talloc_steal
>    (replace with talloc_unref(old_ref) and
>    talloc_change_ref(old_ref, new_ref))
>    This breaks the API so the sooner we consider it the better.
> 2. stop promoting reference to parent after talloc_free
>    This doesn't break the API and causes talloc to follow the
>    documentation. I've been running choice 2 in Samba4 for some
>    time, by means of a submitted patch which introduces the
>    concept of "no owner" which is not enough to prevent an object
>    being freed when its references all go away, but which can
>    quite safely be stolen from with talloc_steal.
> [1]
> http://lists.samba.org/archive/samba-technical/2009-January/062812.html

Simpler method, DON'T mix talloc_steal and talloc_reference usage.

Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
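
The scenario in the quoted message, as a simplified model added here for illustration (it is not talloc's code and not from either poster): the struct, the function names and the `module_a`/`module_b`/`hook_c` labels are all assumptions. It compares promoting a reference to owner on free with the "no owner" behaviour of choice 2.

```c
#include <stdio.h>

/* Toy object for illustration only; this is not libtalloc's chunk layout. */
struct obj {
    const char *owner;     /* NULL means "no owner" */
    const char *refs[4];   /* contexts that hold a reference */
    int nrefs;
    int freed;
};

/* promote != 0: oldest reference is consumed and becomes owner; else the owner is just dropped. */
static void obj_free(struct obj *o, int promote)
{
    o->owner = NULL;
    if (promote && o->nrefs > 0) {
        o->owner = o->refs[0];
        o->nrefs--;
        for (int i = 0; i < o->nrefs; i++) o->refs[i] = o->refs[i + 1];
    }
    o->freed = (o->owner == NULL && o->nrefs == 0);
}

/* Steal replaces the owner and never looks at the reference list. */
static void obj_steal(struct obj *o, const char *new_owner)
{
    o->owner = new_owner;
}

/* The owning context is torn down; the object survives only if references remain. */
static void owner_destroyed(struct obj *o)
{
    o->owner = NULL;
    o->freed = (o->nrefs == 0);
}

/* Returns 1 if module_b's pointer ends up dangling, 0 if its reference kept the object alive. */
static int holder_left_dangling(int promote)
{
    struct obj o = { .owner = "module_a", .refs = { "module_b" }, .nrefs = 1 };
    obj_free(&o, promote);     /* module_a is finished with the object */
    obj_steal(&o, "hook_c");   /* a hook re-parents it, unaware of module_b */
    owner_destroyed(&o);       /* the hook's context goes away */
    return o.freed;            /* module_b still holds its pointer */
}

int main(void)
{
    printf("promote: %d, no-owner: %d\n", holder_left_dangling(1), holder_left_dangling(0));
    return 0;
}
```

In the promoting model the steal silently overwrites the claim `module_b` was relying on, so the object is released while `module_b` still holds a pointer; in the no-owner model the reference list is untouched and the object outlives the hook's context.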