Mantis Bug Tracker

ID: 0005233
Project: OCaml
Category: OCaml general
View Status: public
Date Submitted: 2011-03-01 22:51
Last Update: 2012-06-21 16:31
Reporter: bobot
Assigned To: doligez
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 3.13.0+dev
Target Version: 4.01.0+dev
Fixed in Version: 4.00.0+dev
Summary: 0005233: Finaliser on weak pointers allows access to an invalid address

Description:
In bytecode, if a weak pointer and the value it points to are garbage collected at the same time, a finaliser which dereferences the weak pointer can access invalid memory.

For example, the following code produces a segmentation fault:

===================
open Printf

let target = ref [2;3]

let t = ref (Weak.create 1)

(* The finaliser is attached to the weak array itself and reads through it:
   this is the pattern that triggers the crash described above. *)
let () = Weak.set !t 0 (Some !target);
  Gc.finalise (fun w -> match Weak.get w 0 with
    | None -> printf "Consistent\n"
    | Some [] -> printf "How its possible?\n"
    | Some (i::_) -> printf "Value not garbage collected : %i\n" i) !t

(* Force the heap to grow.  [Array.create] is the pre-4.02 name of [Array.make]. *)
let b = ref (Array.create 10000000 1)

let () =
  (* release the target and the weak array *)
  target := [2];
  t := (Weak.create 1);
  (* allow the heap to shrink so the dangling pointer ends up outside the heap *)
  b := Array.create 1 1;
  (* start a whole Gc phase *)
  Gc.compact ()
==============
Additional Information:
Reproducible with bytecode in 3.11.2

In native code the segmentation fault doesn't appear, but the target seems not to
be garbage collected. The example produces "Value not garbage collected : 2"
Tags: No tags attached.

Notes
(0005899)
doligez (administrator)
2011-05-17 15:41

In fact, you get into trouble as soon as you finalise a weak array.
This is a bit troublesome to fix, so it will not be fixed for 3.12.1.

(0007596)
doligez (administrator)
2012-06-21 16:31

As far as I can tell, the "Value not garbage collected" message is consistent with the semantics of weak pointers.

I have added a better test case in testsuite/tests/regression/pr5233

Fixed in 4.00 (commit 12625) and trunk (commit 12627).
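The safe pattern implied by the two notes, as an added example that is not code from the report or from the OCaml test suite: attach the finaliser to the weakly held value itself rather than to the weak array, and never read through a weak array from inside a finaliser. It also shows why the native-code output above is consistent with the weak-pointer semantics: a Gc.finalise function runs while weak pointers to the value are still set, whereas Gc.finalise_last (OCaml 4.04 or later) runs only after they have been unset. The helper name make_weak is chosen for this example.

```ocaml
(* Added example, not code from the report or from the OCaml test suite.
   The finaliser is attached to the weakly held value, never to the weak
   array, so nothing dereferences a weak slot while the GC tears it down.
   [make_weak] is a helper name chosen for this example.
   Requires OCaml 4.04+ for Gc.finalise_last. *)

let make_weak () =
  let w = Weak.create 1 in
  let target = ref [2; 3] in    (* fresh heap block; this frame holds the only strong ref *)
  Weak.set w 0 (Some target);
  (* Gc.finalise receives the value directly and runs before weak pointers
     to it are erased, so the weak slot is still full here; we never go
     through [w] to reach the value. *)
  Gc.finalise
    (fun r ->
       Printf.printf "finalise: head of target = %d, slot full = %b\n"
         (List.hd !r) (Weak.check w 0))
    target;
  (* Gc.finalise_last runs once the value is gone for good, after every weak
     pointer to it has been unset; it therefore gets no argument. *)
  Gc.finalise_last
    (fun () -> Printf.printf "finalise_last: slot full = %b\n" (Weak.check w 0))
    target;
  w

let () =
  let w = make_weak () in
  Printf.printf "before GC: slot full = %b\n" (Weak.check w 0);
  (* Two full cycles to be safe: the first runs the Gc.finalise function,
     which briefly resurrects the value; the next collects it for good and
     clears the weak slot. *)
  Gc.full_major ();
  Gc.full_major ();
  match Weak.get w 0 with
  | None -> print_endline "after GC: slot cleared, nothing left to dereference"
  | Some r -> Printf.printf "after GC: target still live, head = %d\n" (List.hd !r)
```

Compile with `ocamlfind ocamlopt` or `ocamlc` and run: the Gc.finalise callback reports the slot as still full, the Gc.finalise_last callback reports it empty, and the final match takes the None branch. If a finaliser genuinely needs to know whether the weak slot is still set, Weak.check is the way to ask, and the answer must be allowed to be false.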

Issue History
Date Modified Username Field Change
2011-03-01 22:51 bobot New Issue
2011-05-17 15:41 doligez Note Added: 0005899
2011-05-17 15:41 doligez Assigned To => doligez
2011-05-17 15:41 doligez Status new => assigned
2011-05-17 15:41 doligez Target Version => 3.13.0+dev
2012-05-30 11:03 doligez Target Version 3.13.0+dev => 4.01.0+dev
2012-06-21 16:31 doligez Note Added: 0007596
2012-06-21 16:31 doligez Status assigned => closed
2012-06-21 16:31 doligez Resolution open => fixed
2012-06-21 16:31 doligez Fixed in Version => 4.00.0+dev

