From: agiersch Date: Mon, 15 Nov 2010 17:11:05 +0000 (+0000) Subject: Fix use after free when using SIMIX_network_wait(). X-Git-Tag: v3_5~273 X-Git-Url: http://info.iut-bm.univ-fcomte.fr/pub/gitweb/simgrid.git/commitdiff_plain/cc37ec913eb0e9d729dd3107e3f39e4a1050c921 Fix use after free when using SIMIX_network_wait(). git-svn-id: svn+ssh://scm.gforge.inria.fr/svn/simgrid/simgrid/trunk@8554 48e7efb5-ca39-0410-a469-dd3cf9ba447f
---
diff --git a/src/gras/Msg/sg_msg.c b/src/gras/Msg/sg_msg.c
index f82f99afc9..fc1b66d695 100644
--- a/src/gras/Msg/sg_msg.c
+++ b/src/gras/Msg/sg_msg.c
@@ -97,6 +97,7 @@ gras_msg_t gras_msg_recv_any(void)
 xbt_dynar_get_cpy(comms, got, &(comm));
 msg = SIMIX_communication_get_data(comm);
 VERB1("Got something. Communication %p's over", comm);
+ SIMIX_communication_destroy(comm);
 /* Reinstall a waiting communication on that rdv */
 /* Get the sock again
diff --git a/src/msg/gos.c b/src/msg/gos.c
index 24e98d7f7d..1055d810e7 100644
--- a/src/msg/gos.c
+++ b/src/msg/gos.c
@@ -550,6 +550,7 @@ MSG_error_t MSG_comm_wait(msg_comm_t comm, double timeout)
 task = (m_task_t) SIMIX_communication_get_src_buf(comm);
 task->simdata->refcount--;
 }
+ SIMIX_communication_destroy(comm);
 /* FIXME: these functions are not tracable */
 }
diff --git a/src/msg/msg_mailbox.c b/src/msg/msg_mailbox.c
index f88edeb91e..1f984107d9 100644
--- a/src/msg/msg_mailbox.c
+++ b/src/msg/msg_mailbox.c
@@ -135,8 +135,6 @@ MSG_mailbox_get_task_ext(msg_mailbox_t mailbox, m_task_t * task,
 start_time = MSG_get_clock();
 #endif
- memset(&comm, 0, sizeof(comm));
-
 /* Kept for compatibility with older implementation */
 xbt_assert1(!MSG_mailbox_get_cond(mailbox), "A process is already blocked on this channel %s",
@@ -187,6 +185,7 @@ MSG_mailbox_put_with_timeout(msg_mailbox_t mailbox, m_task_t task,
 {
 xbt_ex_t e;
 MSG_error_t ret = MSG_OK;
+ smx_comm_t comm;
 simdata_task_t t_simdata = NULL;
 m_process_t process = MSG_process_self();
 #ifdef HAVE_TRACING
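Review bot: In `MSG_comm_wait` (src/msg/gos.c) the added `SIMIX_communication_destroy(comm);` is a plain statement, so it runs only when the wait before it returns normally. This commit guards the same pairing in `SIMIX_network_send` and `SIMIX_network_recv` with `TRY_CLEANUP`, which suggests the wait can raise; if it does here, the reference taken by `SIMIX_communication_use()` in `SIMIX_network_wait` would never be dropped. The wait call and any enclosing TRY lie outside the hunk, so this is to be confirmed against the full function; if it holds, put the release in `TRY_CLEANUP { SIMIX_communication_destroy(comm); }`. The destroy added in `gras_msg_recv_any` (src/gras/Msg/sg_msg.c) deserves the same check.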
@@ -220,7 +219,7 @@ MSG_mailbox_put_with_timeout(msg_mailbox_t mailbox, m_task_t task,
 SIMIX_network_send(mailbox->rdv, t_simdata->message_size, t_simdata->rate, timeout, task, sizeof(void *),
- &t_simdata->comm, task);
+ &comm, task);
 }
 CATCH(e) {
diff --git a/src/simix/smx_network.c b/src/simix/smx_network.c
index 29e1bcf118..d4c2bdbf3a 100644
--- a/src/simix/smx_network.c
+++ b/src/simix/smx_network.c
@@ -554,10 +554,19 @@ XBT_INLINE void SIMIX_network_send(smx_rdv_t rdv, double task_size,
 void *src_buff, size_t src_buff_size, smx_comm_t * comm_ref, void *data)
 {
+ xbt_ex_t e;
 *comm_ref = SIMIX_network_isend(rdv, task_size, rate, src_buff, src_buff_size, data);
- SIMIX_network_wait(*comm_ref, timeout);
+ TRY {
+ SIMIX_network_wait(*comm_ref, timeout);
+ }
+ TRY_CLEANUP {
+ SIMIX_communication_destroy(*comm_ref);
+ }
+ CATCH(e) {
+ RETHROW;
+ }
 }
 /**
@@ -577,9 +586,18 @@ XBT_INLINE void SIMIX_network_recv(smx_rdv_t rdv, double timeout,
 void *dst_buff, size_t * dst_buff_size, smx_comm_t * comm_ref)
 {
+ xbt_ex_t e;
 *comm_ref = (smx_comm_t) SIMIX_network_irecv(rdv, dst_buff, dst_buff_size);
- SIMIX_network_wait(*comm_ref, timeout);
+ TRY {
+ SIMIX_network_wait(*comm_ref, timeout);
+ }
+ TRY_CLEANUP {
+ SIMIX_communication_destroy(*comm_ref);
+ }
+ CATCH(e) {
+ RETHROW;
+ }
 }
 /******************************************************************************/
@@ -654,6 +672,7 @@ XBT_INLINE void SIMIX_network_wait(smx_comm_t comm, double timeout)
 if (_surf_do_model_check)
 MC_trans_intercept_wait(comm);
 #endif
+ SIMIX_communication_use(comm);
 /* Wait for communication completion */
 SIMIX_communication_wait_for_completion(comm, timeout);
 }
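Review bot: In `MSG_mailbox_put_with_timeout` the send now writes its handle to the local `comm` instead of `t_simdata->comm`, so the task no longer records the communication it takes part in; any reader of `t_simdata->comm` (none is visible in these hunks) would see whatever was stored there before. The local is declared without an initialiser in the previous hunk (`smx_comm_t comm;`), and once `SIMIX_network_send` returns it names a communication that function has already released. I would declare it as `smx_comm_t comm = NULL;` and add `/* released by SIMIX_network_send(); must not be used after the call */` next to the call. The function body starts and ends outside the hunk.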
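Review bot: `SIMIX_network_send` still publishes the handle through `*comm_ref`, but the new `TRY_CLEANUP` block releases that communication before returning, so the caller receives a pointer whose reference has been dropped and which may already be freed (that depends on the remaining count, which is not visible here). `SIMIX_network_recv` in the next hunk has the same shape. Either clear it in the cleanup block with `*comm_ref = NULL;` after the destroy, or state in the doc comment of both functions that the value written to `comm_ref` must not be dereferenced after return. Both doc comments begin outside the hunks.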
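Review bot: The ownership rule introduced by the added `SIMIX_communication_use(comm);` in `SIMIX_network_wait` is not documented, and the same holds for `SIMIX_communication_use(comm_finished);` in `SIMIX_network_waitany` in the following hunk. Judging by the destroy calls this commit adds to the callers, each wait now leaves one reference that the caller is expected to release; a caller that was not updated would leak it, and a caller that releases twice would bring the use after free back. I would add to both doc comments a line such as `\note The communication is kept alive across the wait; the caller must release it with SIMIX_communication_destroy() after reading the results.` The doc comments lie outside the hunks.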
@@ -708,6 +727,7 @@ unsigned int SIMIX_network_waitany(xbt_dynar_t comms)
 /* let the regular code deal with the communication end (errors checking and cleanup).
 * A bit of useless work will be done, but that's good for source factorization */
 SIMIX_sem_release_forever(comm_finished->sem);
+ SIMIX_communication_use(comm_finished);
 SIMIX_communication_wait_for_completion(comm_finished, -1);
 return found_comm;
 }
diff --git a/src/smpi/smpi_base.c b/src/smpi/smpi_base.c
index b032ec7d4c..acf0aac0df 100644
--- a/src/smpi/smpi_base.c
+++ b/src/smpi/smpi_base.c
@@ -215,6 +215,7 @@ static void finish_wait(MPI_Request * request, MPI_Status * status)
 status->MPI_ERROR = MPI_SUCCESS;
 status->count = SIMIX_communication_get_dst_buf_size((*request)->pair);
 }
+ SIMIX_communication_destroy((*request)->pair);
 print_request("finishing wait", *request);
 if ((*request)->complete == 1) {
 SIMIX_rdv_destroy((*request)->rdv);
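Review bot: After the added `SIMIX_communication_destroy((*request)->pair);` in `finish_wait`, the field `(*request)->pair` still holds the released pointer, and only the `complete == 1` branch that follows tears anything down. On the other path the request outlives this call with a stale `pair`; whether it is read again is not visible here, but `(*request)->pair = NULL;` right after the destroy would make a later misuse fail on a NULL pointer instead of touching freed memory. `print_request` on the next line is handed the request as well, so it is worth confirming that it does not dereference `pair`. The function continues past the end of the hunk.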