Fix use after free when using SIMIX_network_wait().

author agiersch <agiersch@48e7efb5-ca39-0410-a469-dd3cf9ba447f>

Mon, 15 Nov 2010 17:11:05 +0000 (17:11 +0000)

committer agiersch <agiersch@48e7efb5-ca39-0410-a469-dd3cf9ba447f>

Mon, 15 Nov 2010 17:11:05 +0000 (17:11 +0000)
author agiersch <agiersch@48e7efb5-ca39-0410-a469-dd3cf9ba447f>
Mon, 15 Nov 2010 17:11:05 +0000 (17:11 +0000)
committer agiersch <agiersch@48e7efb5-ca39-0410-a469-dd3cf9ba447f>
Mon, 15 Nov 2010 17:11:05 +0000 (17:11 +0000)
diff --git a/src/gras/Msg/sg_msg.c b/src/gras/Msg/sg_msg.c

index f82f99a..fc1b66d 100644 (file)
--- a/src/gras/Msg/sg_msg.c
+++ b/src/gras/Msg/sg_msg.c
@@ -97,6 +97,7 @@ gras_msg_t gras_msg_recv_any(void)
    xbt_dynar_get_cpy(comms, got, &(comm));
    msg = SIMIX_communication_get_data(comm);
    VERB1("Got something. Communication %p's over", comm);
    xbt_dynar_get_cpy(comms, got, &(comm));
    msg = SIMIX_communication_get_data(comm);
    VERB1("Got something. Communication %p's over", comm);
+  SIMIX_communication_destroy(comm);
  
    /* Reinstall a waiting communication on that rdv */
    /* Get the sock again
  
    /* Reinstall a waiting communication on that rdv */
    /* Get the sock again
diff --git a/src/msg/gos.c b/src/msg/gos.c

index 24e98d7..1055d81 100644 (file)
--- a/src/msg/gos.c
+++ b/src/msg/gos.c
@@ -550,6 +550,7 @@ MSG_error_t MSG_comm_wait(msg_comm_t comm, double timeout)
        task = (m_task_t) SIMIX_communication_get_src_buf(comm);
        task->simdata->refcount--;
      }
        task = (m_task_t) SIMIX_communication_get_src_buf(comm);
        task->simdata->refcount--;
      }
+    SIMIX_communication_destroy(comm);
  
      /* FIXME: these functions are not tracable */
    }
  
      /* FIXME: these functions are not tracable */
    }
diff --git a/src/msg/msg_mailbox.c b/src/msg/msg_mailbox.c

index f88edeb..1f98410 100644 (file)
--- a/src/msg/msg_mailbox.c
+++ b/src/msg/msg_mailbox.c
@@ -135,8 +135,6 @@ MSG_mailbox_get_task_ext(msg_mailbox_t mailbox, m_task_t * task,
    start_time = MSG_get_clock();
  #endif
  
    start_time = MSG_get_clock();
  #endif
  
-  memset(&comm, 0, sizeof(comm));
-
    /* Kept for compatibility with older implementation */
    xbt_assert1(!MSG_mailbox_get_cond(mailbox),
                "A process is already blocked on this channel %s",
    /* Kept for compatibility with older implementation */
    xbt_assert1(!MSG_mailbox_get_cond(mailbox),
                "A process is already blocked on this channel %s",
@@ -187,6 +185,7 @@ MSG_mailbox_put_with_timeout(msg_mailbox_t mailbox, m_task_t task,
  {
    xbt_ex_t e;
    MSG_error_t ret = MSG_OK;
  {
    xbt_ex_t e;
    MSG_error_t ret = MSG_OK;
+  smx_comm_t comm;
    simdata_task_t t_simdata = NULL;
    m_process_t process = MSG_process_self();
  #ifdef HAVE_TRACING
    simdata_task_t t_simdata = NULL;
    m_process_t process = MSG_process_self();
  #ifdef HAVE_TRACING
@@ -220,7 +219,7 @@ MSG_mailbox_put_with_timeout(msg_mailbox_t mailbox, m_task_t task,
  
      SIMIX_network_send(mailbox->rdv, t_simdata->message_size,
                         t_simdata->rate, timeout, task, sizeof(void *),
  
      SIMIX_network_send(mailbox->rdv, t_simdata->message_size,
                         t_simdata->rate, timeout, task, sizeof(void *),
-                       &t_simdata->comm, task);
+                       &comm, task);
    }
  
    CATCH(e) {
    }
  
    CATCH(e) {
diff --git a/src/simix/smx_network.c b/src/simix/smx_network.c

index 29e1bcf..d4c2bdb 100644 (file)
--- a/src/simix/smx_network.c
+++ b/src/simix/smx_network.c
@@ -554,10 +554,19 @@ XBT_INLINE void SIMIX_network_send(smx_rdv_t rdv, double task_size,
                                     void *src_buff, size_t src_buff_size,
                                     smx_comm_t * comm_ref, void *data)
  {
                                     void *src_buff, size_t src_buff_size,
                                     smx_comm_t * comm_ref, void *data)
  {
+  xbt_ex_t e;
    *comm_ref =
        SIMIX_network_isend(rdv, task_size, rate, src_buff, src_buff_size,
                            data);
    *comm_ref =
        SIMIX_network_isend(rdv, task_size, rate, src_buff, src_buff_size,
                            data);
-  SIMIX_network_wait(*comm_ref, timeout);
+  TRY {
+    SIMIX_network_wait(*comm_ref, timeout);
+  }
+  TRY_CLEANUP {
+    SIMIX_communication_destroy(*comm_ref);
+  }
+  CATCH(e) {
+    RETHROW;
+  }
  }
  
  /**
  }
  
  /**
@@ -577,9 +586,18 @@ XBT_INLINE void SIMIX_network_recv(smx_rdv_t rdv, double timeout,
                                     void *dst_buff, size_t * dst_buff_size,
                                     smx_comm_t * comm_ref)
  {
                                     void *dst_buff, size_t * dst_buff_size,
                                     smx_comm_t * comm_ref)
  {
+  xbt_ex_t e;
    *comm_ref =
        (smx_comm_t) SIMIX_network_irecv(rdv, dst_buff, dst_buff_size);
    *comm_ref =
        (smx_comm_t) SIMIX_network_irecv(rdv, dst_buff, dst_buff_size);
-  SIMIX_network_wait(*comm_ref, timeout);
+  TRY {
+    SIMIX_network_wait(*comm_ref, timeout);
+  }
+  TRY_CLEANUP {
+    SIMIX_communication_destroy(*comm_ref);
+  }
+  CATCH(e) {
+    RETHROW;
+  }
  }
  
  /******************************************************************************/
  }
  
  /******************************************************************************/
@@ -654,6 +672,7 @@ XBT_INLINE void SIMIX_network_wait(smx_comm_t comm, double timeout)
    if (_surf_do_model_check)
      MC_trans_intercept_wait(comm);
  #endif
    if (_surf_do_model_check)
      MC_trans_intercept_wait(comm);
  #endif
+  SIMIX_communication_use(comm);
    /* Wait for communication completion */
    SIMIX_communication_wait_for_completion(comm, timeout);
  }
    /* Wait for communication completion */
    SIMIX_communication_wait_for_completion(comm, timeout);
  }
@@ -708,6 +727,7 @@ unsigned int SIMIX_network_waitany(xbt_dynar_t comms)
    /* let the regular code deal with the communication end (errors checking and cleanup).
     * A bit of useless work will be done, but that's good for source factorization */
    SIMIX_sem_release_forever(comm_finished->sem);
    /* let the regular code deal with the communication end (errors checking and cleanup).
     * A bit of useless work will be done, but that's good for source factorization */
    SIMIX_sem_release_forever(comm_finished->sem);
+  SIMIX_communication_use(comm_finished);
    SIMIX_communication_wait_for_completion(comm_finished, -1);
    return found_comm;
  }
    SIMIX_communication_wait_for_completion(comm_finished, -1);
    return found_comm;
  }
diff --git a/src/smpi/smpi_base.c b/src/smpi/smpi_base.c

index b032ec7..acf0aac 100644 (file)
--- a/src/smpi/smpi_base.c
+++ b/src/smpi/smpi_base.c
@@ -215,6 +215,7 @@ static void finish_wait(MPI_Request * request, MPI_Status * status)
      status->MPI_ERROR = MPI_SUCCESS;
      status->count = SIMIX_communication_get_dst_buf_size((*request)->pair);
    }
      status->MPI_ERROR = MPI_SUCCESS;
      status->count = SIMIX_communication_get_dst_buf_size((*request)->pair);
    }
+  SIMIX_communication_destroy((*request)->pair);
    print_request("finishing wait", *request);
    if ((*request)->complete == 1) {
      SIMIX_rdv_destroy((*request)->rdv);
    print_request("finishing wait", *request);
    if ((*request)->complete == 1) {
      SIMIX_rdv_destroy((*request)->rdv);
author	agiersch <agiersch@48e7efb5-ca39-0410-a469-dd3cf9ba447f>
	Mon, 15 Nov 2010 17:11:05 +0000 (17:11 +0000)
committer	agiersch <agiersch@48e7efb5-ca39-0410-a469-dd3cf9ba447f>
	Mon, 15 Nov 2010 17:11:05 +0000 (17:11 +0000)
src/gras/Msg/sg_msg.c		patch \| blob \| history
src/msg/gos.c		patch \| blob \| history
src/msg/msg_mailbox.c		patch \| blob \| history
src/simix/smx_network.c		patch \| blob \| history
src/smpi/smpi_base.c		patch \| blob \| history