Closed Bug 519283 Opened 15 years ago Closed 15 years ago

FixedMalloc should not return NULL when the requested object is too large

Categories

(Tamarin Graveyard :: Garbage Collection (mmGC), defect)

Product:
Tamarin Graveyard
Component:
Garbage Collection (mmGC)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
flash10.1

People

(Reporter: lhansen, Assigned: lhansen)

References

Details

Attachments

(1 file, 1 obsolete file)

Revised patch
2.98 KB, patch
Details | Diff | Splinter Review 
... unless kCanFail is specified, that is.

Instead, FixedMalloc should call GCHeap::SignalObjectSizeOverflow, which is being introduced as part of the fix in bug #517856.

Must also check the code in GC::Alloc, GCLargeAlloc::Alloc, and maybe others.
So far, excluding the above mentioned bug:

FixedMalloc::Alloc
FixedMalloc::Calloc
GC::Alloc
GC::Calloc
More generally, a number of MMgc APIs return NULL when they should not, when various error conditions occur:

GC::Alloc returns NULL in DEBUG mode if MMGC_GCENTER has not been called.

GC::FindBeginningGuarded returns NULL if the address is not managed.

FixedAlloc::Alloc returns NULL if CreateChunk failed to fill the free list and did not abort.

GCHeap::Alloc returns NULL if AllocBlock failed to expand the heap and did not abort.
Attached patch Patch for all the issues (obsolete) — Splinter Review 

        Attachment #403740 -
        Flags: review?(edwsmith)

    
  

        Attachment #403740 -
        Flags: review?(stejohns)

    
    

    
  
Comment on attachment 403740 [details] [diff] [review]
Patch for all the issues

The patch is straightforward and includes the SignalObjectTooLarge patch from bug #517856.

The main issue is that I've introduced two methods that unceremoniously call VMPI_exit when they are called (after asserting and printing some debug info).  This is an improvement on the old return-NULL behavior, and as an abstraction it's probably OK; the question is whether these methods should be doing something more sophisticated, like calling the GC's Abort() method as that will result in a clean shutdown of the host code (which can be a plugin).  IMO we can land this patch (with your approval...) before settling that issue, but we need to settle it.

    
  

        Attachment #403740 -
        Flags: review?(stejohns) → review+

    
    

    
  
Looping in Rishit for a discussion of what the best thing to do is when we hit an implementation limit.

    
    

    
  
One case I missed before:

GCObject::operator new

    
  

        Attachment #403740 -
        Attachment is obsolete: true

        Attachment #403740 -
        Flags: review?(edwsmith)

    
    

    
  
Comment on attachment 403740 [details] [diff] [review]
Patch for all the issues

Another patch is going to be arriving first and will make this one largely obsolete; will resubmit if necessary.

    
  
Depends on: 519980
No longer depends on: 517856

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Revised patchSplinter Review
      

    


  
This patch is a proper subset of the previous patch; it will land after bug #519980 has closed.

    
    

    
  
redux changeset:   2664:90b3d1f29e29

I made SignalObjectTooLarge and SignalHeapStateInconsistent call GCHeap::Abort instead of VMPI_exit, as that seems most reasonable.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
  
Status: RESOLVED → VERIFIED

    
    

    
  
QE: We can add a couple of simple checks for this into the extensions/ST_mmgc_basic.st
Flags: in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: