tal: don't defer-after-free if a destructor deletes itself.

==10868== at 0x109A96: notify (tal.c:220) ==10868== by 0x109F7E: del_tree (tal.c:397) ==10868== by 0x10A31A: tal_free (tal.c:481) ==10868== by 0x10BE73: main (run-destructor.c:75) ==10868== Address 0x4a60bd8 is 8 bytes inside a block of size 32 free'd ==10868== at 0x483BA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==10868== by 0x109D4F: del_notifier_property (tal.c:340) ==10868== by 0x10A610: tal_del_notifier_ (tal.c:564) ==10868== by 0x10A687: tal_del_destructor_ (tal.c:576) ==10868== by 0x10B653: remove_own_destructor (run-destructor.c:35) ==10868== by 0x109A67: notify (tal.c:235) ==10868== by 0x109F7E: del_tree (tal.c:397) ==10868== by 0x10A31A: tal_free (tal.c:481) ==10868== by 0x10BE73: main (run-destructor.c:75) ==10868== Block was alloc'd at ==10868== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==10868== by 0x109AD5: allocate (tal.c:245) ==10868== by 0x109C3E: add_notifier_property (tal.c:300) ==10868== by 0x10A467: tal_add_destructor_ (tal.c:516) ==10868== by 0x10BDFE: main (run-destructor.c:74) Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

tal: don't defer-after-free if a destructor deletes itself.
==10868== at 0x109A96: notify (tal.c:220) ==10868== by 0x109F7E: del_tree (tal.c:397) ==10868== by 0x10A31A: tal_free (tal.c:481) ==10868== by 0x10BE73: main (run-destructor.c:75) ==10868== Address 0x4a60bd8 is 8 bytes inside a block of size 32 free'd ==10868== at 0x483BA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==10868== by 0x109D4F: del_notifier_property (tal.c:340) ==10868== by 0x10A610: tal_del_notifier_ (tal.c:564) ==10868== by 0x10A687: tal_del_destructor_ (tal.c:576) ==10868== by 0x10B653: remove_own_destructor (run-destructor.c:35) ==10868== by 0x109A67: notify (tal.c:235) ==10868== by 0x109F7E: del_tree (tal.c:397) ==10868== by 0x10A31A: tal_free (tal.c:481) ==10868== by 0x10BE73: main (run-destructor.c:75) ==10868== Block was alloc'd at ==10868== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==10868== by 0x109AD5: allocate (tal.c:245) ==10868== by 0x109C3E: add_notifier_property (tal.c:300) ==10868== by 0x10A467: tal_add_destructor_ (tal.c:516) ==10868== by 0x10BDFE: main (run-destructor.c:74) Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
c910bdce · Rusty Russell · 4f20b75c · c910bdce · c910bdce · c910bdce
Commit c910bdce authored Feb 17, 2020 by Rusty Russell
Showing with 27 additions and 8 deletions

ccan/tal/tal.c ccan/tal/tal.c +9 -4

ccan/tal/tal.h ccan/tal/tal.h +4 -2

ccan/tal/test/run-destructor.c ccan/tal/test/run-destructor.c +13 -1

ccan/timer/timer.c ccan/timer/timer.c +1 -1

No files found.
--- a/ccan/tal/tal.c
+++ b/ccan/tal/tal.c
@@ -53,7 +53,7 @@ struct name {
 struct notifier {
 	struct prop_hdr hdr; /* NOTIFIER */
 	enum tal_notify_type types;
-	union {
+	union notifier_cb {
 		void (*notifyfn)(tal_t *, enum tal_notify_type, void *);
 		void (*destroy)(tal_t *); /* If NOTIFY_IS_DESTRUCTOR set */
 		void (*destroy2)(tal_t *, void *); /* If NOTIFY_EXTRA_ARG */
@@ -228,11 +228,16 @@ static void notify(const struct tal_hdr *ctx,
 		if (n->types & type) {
 			errno = saved_errno;
 			if (n->types & NOTIFY_IS_DESTRUCTOR) {
+				/* Blatt this notifier in case it tries to
+				 * tal_del_destructor() from inside */
+				union notifier_cb cb = n->u;
+				/* It's a union, so this NULLs destroy2 too! */
+				n->u.destroy = NULL;
 				if (n->types & NOTIFY_EXTRA_ARG)
-					n->u.destroy2(from_tal_hdr(ctx),
+					cb.destroy2(from_tal_hdr(ctx),
-						      EXTRA_ARG(n));
+						    EXTRA_ARG(n));
 				else
-					n->u.destroy(from_tal_hdr(ctx));
+					cb.destroy(from_tal_hdr(ctx));
 			} else
 				n->u.notifyfn(from_tal_hdr_or_null(ctx), type,
 					      (void *)info);

--- a/ccan/tal/tal.h
+++ b/ccan/tal/tal.h
@@ -164,7 +164,8 @@ void *tal_free(const tal_t *p);
 * @function: the function to call before it's freed.
 *
 * If @function has not been successfully added as a destructor, this returns
- * false.
+ * false.  Note that if we're inside the destructor call itself, this will
+ * return false.
 */
 #define tal_del_destructor(ptr, function)				      \
 	tal_del_destructor_((ptr), typesafe_cb(void, void *, (function), (ptr)))
@@ -195,7 +196,8 @@ void *tal_free(const tal_t *p);
 * @function: the function to call before it's freed.
 *
 * If @function has not been successfully added as a destructor, this returns
- * false.
+ * false.  Note that if we're inside the destructor call itself, this will
+ * return false.
 */
 #define tal_del_destructor(ptr, function)				      \
 	tal_del_destructor_((ptr), typesafe_cb(void, void *, (function), (ptr)))

--- a/ccan/tal/test/run-destructor.c
+++ b/ccan/tal/test/run-destructor.c
@@ -29,11 +29,17 @@ static void destroy_inc(char *p UNNEEDED)
 	destroy_count++;
 }
+static void remove_own_destructor(char *p)
+{
+	destroy_count++;
+	ok1(!tal_del_destructor(p, remove_own_destructor));
+}
 int main(void)
 {
 	char *child2;
-	plan_tests(18);
+	plan_tests(21);
 	destroy_count = 0;
 	parent = tal(NULL, char);
@@ -63,6 +69,12 @@ int main(void)
 	tal_free(parent);
 	ok1(destroy_count == 4);
+	destroy_count = 0;
+	parent = tal(NULL, char);
+	ok1(tal_add_destructor(parent, remove_own_destructor));
+	tal_free(parent);
+	ok1(destroy_count == 1);
 	tal_cleanup();
 	return exit_status();
 }
--- a/ccan/timer/timer.c
+++ b/ccan/timer/timer.c
@@ -97,7 +97,7 @@ void timer_init(struct timer *t)
 	list_node_init(&t->list);
 }
-static bool list_node_initted(const struct list_node *n)
+static inline bool list_node_initted(const struct list_node *n)
 {
 	return n->prev == n;
 }