Fix a prof_tctx_t destruction race.
This commit is contained in:
Jason Evans
parent
155bfa7da1
commit
bf40641c5c
50
src/prof.c
50
src/prof.c
@ -609,7 +609,7 @@ prof_tctx_destroy(tsd_t *tsd, prof_tctx_t *tctx)
|
|||||||
{
|
{
|
||||||
prof_tdata_t *tdata = tctx->tdata;
|
prof_tdata_t *tdata = tctx->tdata;
|
||||||
prof_gctx_t *gctx = tctx->gctx;
|
prof_gctx_t *gctx = tctx->gctx;
|
||||||
bool destroy_tdata, destroy_gctx;
|
bool destroy_tdata, destroy_tctx, destroy_gctx;
|
||||||
|
|
||||||
assert(tctx->cnts.curobjs == 0);
|
assert(tctx->cnts.curobjs == 0);
|
||||||
assert(tctx->cnts.curbytes == 0);
|
assert(tctx->cnts.curbytes == 0);
|
||||||
@ -622,25 +622,38 @@ prof_tctx_destroy(tsd_t *tsd, prof_tctx_t *tctx)
|
|||||||
malloc_mutex_unlock(tdata->lock);
|
malloc_mutex_unlock(tdata->lock);
|
||||||
|
|
||||||
malloc_mutex_lock(gctx->lock);
|
malloc_mutex_lock(gctx->lock);
|
||||||
tctx_tree_remove(&gctx->tctxs, tctx);
|
if (tctx->state != prof_tctx_state_dumping) {
|
||||||
if (prof_gctx_should_destroy(gctx)) {
|
tctx_tree_remove(&gctx->tctxs, tctx);
|
||||||
|
destroy_tctx = true;
|
||||||
|
if (prof_gctx_should_destroy(gctx)) {
|
||||||
|
/*
|
||||||
|
* Increment gctx->nlimbo in order to keep another
|
||||||
|
* thread from winning the race to destroy gctx while
|
||||||
|
* this one has gctx->lock dropped. Without this, it
|
||||||
|
* would be possible for another thread to:
|
||||||
|
*
|
||||||
|
* 1) Sample an allocation associated with gctx.
|
||||||
|
* 2) Deallocate the sampled object.
|
||||||
|
* 3) Successfully prof_gctx_try_destroy(gctx).
|
||||||
|
*
|
||||||
|
* The result would be that gctx no longer exists by the
|
||||||
|
* time this thread accesses it in
|
||||||
|
* prof_gctx_try_destroy().
|
||||||
|
*/
|
||||||
|
gctx->nlimbo++;
|
||||||
|
destroy_gctx = true;
|
||||||
|
} else
|
||||||
|
destroy_gctx = false;
|
||||||
|
} else {
|
||||||
/*
|
/*
|
||||||
* Increment gctx->nlimbo in order to keep another thread from
|
* A dumping thread needs tctx to remain valid until dumping
|
||||||
* winning the race to destroy gctx while this one has
|
* has finished. Change state such that the dumping thread will
|
||||||
* gctx->lock dropped. Without this, it would be possible for
|
* complete destruction during a late dump iteration phase.
|
||||||
* another thread to:
|
|
||||||
*
|
|
||||||
* 1) Sample an allocation associated with gctx.
|
|
||||||
* 2) Deallocate the sampled object.
|
|
||||||
* 3) Successfully prof_gctx_try_destroy(gctx).
|
|
||||||
*
|
|
||||||
* The result would be that gctx no longer exists by the time
|
|
||||||
* this thread accesses it in prof_gctx_try_destroy().
|
|
||||||
*/
|
*/
|
||||||
gctx->nlimbo++;
|
tctx->state = prof_tctx_state_purgatory;
|
||||||
destroy_gctx = true;
|
destroy_tctx = false;
|
||||||
} else
|
|
||||||
destroy_gctx = false;
|
destroy_gctx = false;
|
||||||
|
}
|
||||||
malloc_mutex_unlock(gctx->lock);
|
malloc_mutex_unlock(gctx->lock);
|
||||||
if (destroy_gctx)
|
if (destroy_gctx)
|
||||||
prof_gctx_try_destroy(tsd, gctx, tdata);
|
prof_gctx_try_destroy(tsd, gctx, tdata);
|
||||||
@ -648,7 +661,8 @@ prof_tctx_destroy(tsd_t *tsd, prof_tctx_t *tctx)
|
|||||||
if (destroy_tdata)
|
if (destroy_tdata)
|
||||||
prof_tdata_destroy(tsd, tdata, false);
|
prof_tdata_destroy(tsd, tdata, false);
|
||||||
|
|
||||||
idalloc(tsd, tctx);
|
if (destroy_tctx)
|
||||||
|
idalloc(tsd, tctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user