[RFC] Making talloc_reference() safer.
Stefan (metze) Metzmacher
metze at samba.org
Wed Oct 26 11:18:04 MDT 2011
Am 26.10.2011 18:37, schrieb Jeremy Allison:
> On Wed, Oct 26, 2011 at 08:45:23PM +1100, Andrew Bartlett wrote:
>> On Mon, 2011-10-24 at 16:41 +1030, Rusty Russell wrote:
>>> Hi all,
>>>
>>> git://git.samba.org/rusty/samba.git #talloc-reference-check-wip
>>>
>>> I had the fun of re-arguing talloc_reference() safety with
>>> Tridge last Thursday. We agree that talloc_reference fills a real need,
>>> but we can make it safer by expanding the checks which differentiate
>>> normal from refcounted objects.
>>>
>>> Firstly, note that talloc_reference() has several real use cases:
>>> anywhere that reference counts would normally be used. The patterns
>>> I've seen are:
>>>
>>> 1) A "cache" of objects, where the cache may evict objects. The cache
>>> wants to hold a reference, as do the callers, and the object is freed
>>> if it's evicted from the cache *and* noone else has referenced it.
>>>
>>> 2) A "dealer" of single objects, such as the tdb_wrap code which will
>>> keeps track of all tdbs and avoids reopening the same tdb by handing
>>> back a referenced tdb.
>>
>> Which of these do the python bindings fit into?
>>
>> All samba talloc objects can be exposed into python, and in particular
>> NDR objects are used in python a lot. The current talloc modal works
>> well here, as we take a talloc reference each time we expose the object
>> into python, and we take a talloc reference each time we hold an
>> python-originated object into a long-term C structure (such as
>> gensec_start needing credentials). This ensures that the object, which
>> in C may be held by implicit rules of 'you would be mad to free *that*
>> before this finishes' isn't taken away by python's garbage collector.
>>
>> The particular challenge is that any object we have a python binding for
>> needs this behaviour, and we expose a *lot* of objects to python (every
>> IDL struct, and many other interfaces besides).
>>
>> I'm concerned that the discussion so far has not addressed this
>> important use case, yet Samba's python bindings have become an integral
>> part of the project, and cannot be ignored.
>
> Is this the pytalloc_reference() call you mean ? I'm trying to
> understand the usage case here.
>
> Other code exposes C data into python without using internal
> reference counts - in fact doesn't python have just this
> method via the Py_INCREF() function (Warning: I am not a python
> programmer, just someone reading the docs :-).
>
> Look at the 1.10.1. Reference Counting in Python
> section here:
>
> http://docs.python.org/extending/extending.html
>
> As most users of pytalloc_reference are in auto generated
> code, can't this be changed to use the "normal" python
> method here ? (Another Warning: I am not a python programmer,
> just someone reading the docs :-).
I'd also prefer if we use python ref counting in the python bindings
instead of talloc_reference().
That might be needed anyway in order to fix this bug:
https://bugzilla.samba.org/show_bug.cgi?id=7902
We didn't get the ref counting right in all cases.
For things like cli_credentials and gensec_setting I'd you a model
like for tdb_wrap.
We would split a cli_credentials_state from cli_credentials.
struct cli_credentials {
struct cli_credentials_state *state;
}
Where struct cli_credentials would be the variable the callers see.
struct cli_credentials_state is private. struct cli_credentials
would have a reference to struct cli_credentials_state
and we would have a
struct cli_credentials *cli_credentials_reference(TALLOC_CTX *mem_ctx,
struct cli_credentials *creds)
{
struct cli_credentials *c;
c = talloc(mem_ctx, struct cli_credentials);
if (c == NULL) {
return NULL;
}
c->state = talloc_reference(c, creds->state);
if (c->state == NULL) {
talloc_free(c);
return NULL;
}
return c;
}
This way the caller can do what every he wants with the returned pointer,
but has no chance to call talloc_free() explicitly on the ref counted state.
metze
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20111026/fa7373c2/attachment.pgp>
More information about the samba-technical
mailing list