2016-08-09 10:20:08 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Threads.Condition: Potential fix for double free.

In some circumstances there can appear mutex keys that lock
mutexes that have already been freed. One potential case
creating such mutex keys is when the mutex has been destructed
while being used in a cond wait.

Throw an error instead of locking the freed mutex in the above case.

2217: Inside #if defined(PICKY_MUTEX)
  #ifdef PICKY_MUTEX    if (!Pike_fp->current_object->prog) {    free_object (o); -  if (!m->num_waiting) +  if (!m->num_waiting) {    co_destroy (&m->condition); -  +  }    Pike_error ("Mutex was destructed while waiting for lock.\n");    }   #endif
2382:    co_broadcast (&m->condition);    }    } -  else +  else {    co_destroy(& m->condition); -  +  }   #endif   }   
2470:    THIS_KEY->mutex_obj = NULL;    if (mut->num_waiting)    co_signal(&mut->condition); -  else if (mutex_obj && !mutex_obj->prog) +  else if (mutex_obj && !mutex_obj->prog) {    co_destroy (&mut->condition); -  +  }    if (mutex_obj)    free_object(mutex_obj);    }
2599:    c->wait_count--;    SWAP_IN_CURRENT_THREAD();    +  if (!mutex_obj->prog) { +  Pike_error("Mutex was destructed while waiting for cond.\n"); +  } +     /* Lock mutex */    mut->num_waiting++;    while(mut->key) {
2612:    OB2KEY(key)->mutex_obj = mutex_obj;    mut->num_waiting--;    - #ifdef PICKY_MUTEX -  if (!mutex_obj->prog) { -  if (!mut->num_waiting) -  co_destroy (&mut->condition); -  Pike_error ("Mutex was destructed while waiting for lock.\n"); -  } - #endif -  +     pop_stack();    return;   }
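Review bot: In hunk 2217 (the PICKY_MUTEX block) `free_object (o);` runs before `m->num_waiting` and `m->condition` are read; if `m` is the storage of `o` and that call dropped the last reference, these reads touch freed memory. The braces added in this hunk do not change that ordering, so please confirm another reference to `o` is still held at this point, or move the `free_object (o);` after the `co_destroy (&m->condition);` branch.

Review bot: In hunk 2599 the new check `if (!mutex_obj->prog)` dereferences `mutex_obj` unconditionally, while the sibling check in hunk 2470 is written `else if (mutex_obj && !mutex_obj->prog)`. If `mutex_obj` can be NULL at the 2470 site, state why it cannot be NULL here (the key was just swapped back in after the wait), or add the same guard so the two sites agree.

Review bot: The PICKY_MUTEX block removed in hunk 2612 also called `co_destroy (&mut->condition);` when the thrower was the last waiter, but the replacement check added in hunk 2599 only raises the error and runs before `mut->num_waiting++`. Confirm that the condition variable of a destructed mutex is still torn down on some other path (the `else if (mutex_obj && !mutex_obj->prog) { co_destroy (&mut->condition); }` branch in hunk 2470 looks like the intended one), otherwise this trades the double free for a leak; a short comment at the 2599 site naming that path would help the next reader.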