Fix a prof_tctx_t destruction race.
This commit is contained in:
Jason Evans
parent
155bfa7da1
commit
bf40641c5c
50
src/prof.c
50
src/prof.c
@ -609,7 +609,7 @@ prof_tctx_destroy(tsd_t *tsd, prof_tctx_t *tctx)
|
||||
{
|
||||
prof_tdata_t *tdata = tctx->tdata;
|
||||
prof_gctx_t *gctx = tctx->gctx;
|
||||
bool destroy_tdata, destroy_gctx;
|
||||
bool destroy_tdata, destroy_tctx, destroy_gctx;
|
||||
|
||||
assert(tctx->cnts.curobjs == 0);
|
||||
assert(tctx->cnts.curbytes == 0);
|
||||
@ -622,25 +622,38 @@ prof_tctx_destroy(tsd_t *tsd, prof_tctx_t *tctx)
|
||||
malloc_mutex_unlock(tdata->lock);
|
||||
|
||||
malloc_mutex_lock(gctx->lock);
|
||||
tctx_tree_remove(&gctx->tctxs, tctx);
|
||||
if (prof_gctx_should_destroy(gctx)) {
|
||||
if (tctx->state != prof_tctx_state_dumping) {
|
||||
tctx_tree_remove(&gctx->tctxs, tctx);
|
||||
destroy_tctx = true;
|
||||
if (prof_gctx_should_destroy(gctx)) {
|
||||
/*
|
||||
* Increment gctx->nlimbo in order to keep another
|
||||
* thread from winning the race to destroy gctx while
|
||||
* this one has gctx->lock dropped. Without this, it
|
||||
* would be possible for another thread to:
|
||||
*
|
||||
* 1) Sample an allocation associated with gctx.
|
||||
* 2) Deallocate the sampled object.
|
||||
* 3) Successfully prof_gctx_try_destroy(gctx).
|
||||
*
|
||||
* The result would be that gctx no longer exists by the
|
||||
* time this thread accesses it in
|
||||
* prof_gctx_try_destroy().
|
||||
*/
|
||||
gctx->nlimbo++;
|
||||
destroy_gctx = true;
|
||||
} else
|
||||
destroy_gctx = false;
|
||||
} else {
|
||||
/*
|
||||
* Increment gctx->nlimbo in order to keep another thread from
|
||||
* winning the race to destroy gctx while this one has
|
||||
* gctx->lock dropped. Without this, it would be possible for
|
||||
* another thread to:
|
||||
*
|
||||
* 1) Sample an allocation associated with gctx.
|
||||
* 2) Deallocate the sampled object.
|
||||
* 3) Successfully prof_gctx_try_destroy(gctx).
|
||||
*
|
||||
* The result would be that gctx no longer exists by the time
|
||||
* this thread accesses it in prof_gctx_try_destroy().
|
||||
* A dumping thread needs tctx to remain valid until dumping
|
||||
* has finished. Change state such that the dumping thread will
|
||||
* complete destruction during a late dump iteration phase.
|
||||
*/
|
||||
gctx->nlimbo++;
|
||||
destroy_gctx = true;
|
||||
} else
|
||||
tctx->state = prof_tctx_state_purgatory;
|
||||
destroy_tctx = false;
|
||||
destroy_gctx = false;
|
||||
}
|
||||
malloc_mutex_unlock(gctx->lock);
|
||||
if (destroy_gctx)
|
||||
prof_gctx_try_destroy(tsd, gctx, tdata);
|
||||
@ -648,7 +661,8 @@ prof_tctx_destroy(tsd_t *tsd, prof_tctx_t *tctx)
|
||||
if (destroy_tdata)
|
||||
prof_tdata_destroy(tsd, tdata, false);
|
||||
|
||||
idalloc(tsd, tctx);
|
||||
if (destroy_tctx)
|
||||
idalloc(tsd, tctx);
|
||||
}
|
||||
|
||||
static bool
|
||||
|
||||
Loading…
Reference in New Issue
Block a user