[Mono-bugs] [Bug 391125] New: invalid reads in jit-info-table code
bugzilla_noreply at novell.com
Thu May 15 21:12:45 EDT 2008
https://bugzilla.novell.com/show_bug.cgi?id=391125
Summary: invalid reads in jit-info-table code
Product: Mono: Runtime
Version: SVN
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: misc
AssignedTo: mprobst at novell.com
ReportedBy: vargaz at gmail.com
QAContact: mono-bugs at lists.ximian.com
Found By: ---
To reproduce:
- apply the following patch to driver.c:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Index: driver.c
===================================================================
--- driver.c (revision 103148)
+++ driver.c (working copy)
@@ -475,6 +475,8 @@
return total;
}
+#define MONO_JIT_INFO_TABLE_TEST
+
#ifdef MONO_JIT_INFO_TABLE_TEST
typedef struct _JitInfoData
{
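Review bot: The unconditional `#define MONO_JIT_INFO_TABLE_TEST` sits directly above `#ifdef MONO_JIT_INFO_TABLE_TEST`, so that guard is now always true and the test-only code is compiled into every build of driver.c. That is fine for a local reproduction, but it should not be committed this way; pass the macro from the build (for example -DMONO_JIT_INFO_TABLE_TEST in CFLAGS) so the default stays off.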
@@ -621,7 +623,7 @@
while (free->next != NULL) {
JitInfoData *next = free->next->next;
- g_free (free->next->ji);
+ //g_free (free->next->ji);
g_free (free->next);
free->next = next;
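Review bot: In the `while (free->next != NULL)` loop, `g_free (free->next->ji)` is disabled with a `//` comment while `g_free (free->next)` stays, so this loop now releases the node without releasing its `ji`; any node that reaches this list with a `ji` nobody else freed leaks it. If ownership of `ji` really moves elsewhere, delete the line instead of commenting it out and state in a comment where `ji` is released; the other comment visible in this patch uses `/* */` style.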
@@ -707,6 +709,9 @@
(*data)->ji->cas_inited = 0; /* marks a free
jit info */
+ g_free ((*data)->ji);
+
free = *data;
*data = (*data)->next;
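Review bot: `g_free ((*data)->ji)` runs right after `(*data)->ji->cas_inited = 0` and before `free = *data`, so the node stays reachable through `free` with a dangling `ji`, and the free marker that was just written lives in memory that has been released. Any later read of `ji->cas_inited` through this node is a use-after-free. Set `(*data)->ji = NULL` after the free, or keep the free marker in the node itself rather than inside `ji`.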
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
- Run mono --test-jit-info-table foo.exe
-> random crash.
I think the problem here is that when the table is replaced in
mono_jit_info_table_add (), the old table is saved somewhere by the hazard
pointer code, then traversed later by jit_info_table_free (). By that time
however, some entries in the table might point to already freed MonoJitInfo
structures, and the code might mistake them for tombstones, freeing them
again. A solution could be adding a separate 'freed' bitmap to each chunk.
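The double free described in the report, next to a per-chunk bitmap that avoids it, as an added example that is not part of the bug report or of Mono's code. All types and names are hypothetical, and the reading of the suggested bitmap (a bit records that the chunk owns that tombstone) is an assumption.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins, not Mono's MonoJitInfo or chunk layout. */
#define SLOTS 4
typedef struct { int cas_inited; } JitInfo;   /* 0 = tombstone, as in the patch */
typedef struct { JitInfo *data[SLOTS]; uint32_t owned; } Chunk;
/* Static pool, not malloc: touching a released object is defined and countable. */
static JitInfo pool[SLOTS];
static int live[SLOTS], stale_reads, double_frees;
static void pool_free(JitInfo *ji) {
    int i = (int)(ji - pool);
    if (!live[i]) { double_frees++; return; }
    live[i] = 0;
    memset(ji, 0, sizeof *ji);                /* released memory can read as 0 */
}

/* Remove slot i through chunk c: tombstone in-band, ownership bit out-of-band. */
static void remove_entry(Chunk *c, int i) {
    c->data[i]->cas_inited = 0;
    c->owned |= 1u << i;
}

/* In-band teardown: decides by dereferencing every entry. */
static void free_inband(Chunk *c) {
    for (int i = 0; i < SLOTS; i++) {
        if (!live[c->data[i] - pool]) stale_reads++;
        if (c->data[i]->cas_inited == 0) pool_free(c->data[i]);
    }
}

/* Bitmap teardown: never dereferences an entry. */
static void free_bitmap(Chunk *c) {
    for (int i = 0; i < SLOTS; i++)
        if (c->owned & (1u << i)) pool_free(c->data[i]);
}

/* `old` is the stale copy kept by hazard pointers, `cur` the live table. */
int run(int use_bitmap) {
    void (*teardown)(Chunk *) = use_bitmap ? free_bitmap : free_inband;
    Chunk old = { {0}, 0 }, cur;
    stale_reads = double_frees = 0;
    for (int i = 0; i < SLOTS; i++) { pool[i].cas_inited = 1; live[i] = 1; old.data[i] = &pool[i]; }
    cur = old;                 /* table replaced: both share the entries */
    remove_entry(&cur, 1);
    teardown(&cur); teardown(&old);  /* live table first, then the delayed free */
    return stale_reads + double_frees;
}

int main(void) { return !(run(0) == 2 && run(1) == 0); }
```

`run(0)` counts one read of a released entry and one double free from the stale copy; `run(1)` counts neither and still releases the removed entry exactly once.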