Finaliser on weak pointers allows to acces invalid address #5233
Comments
|
Comment author: @damiendoligez In fact, you get into trouble as soon as you finalise a weak array. |
|
Comment author: @damiendoligez As far as I can tell, the "Value not garbage collected" message is consistent with the semantics of weak pointers. I have added a better test case in testsuite/tests/regression/pr5233 Fixed in 4.00 (commit 12625) and trunk (commit 12627). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Original bug ID: 5233
Reporter: bobot
Assigned to: @damiendoligez
Status: closed (set by @damiendoligez on 2012-06-21T14:31:52Z)
Resolution: fixed
Priority: normal
Severity: crash
Version: 3.13.0+dev
Target version: 4.01.0+dev
Fixed in version: 4.00.0+dev
Category: ~DO NOT USE (was: OCaml general)
Monitored by: mehdi @ygrek "Julien Signoles"
Bug description
In bytecode, if a weak pointer and the value it points are garbage collected at the same time, a finaliser which dereferences the weak pointer can access invalid memory.
For example the following code produces a segmentation fault :
===================
open Printf
let target = ref [2;3]
let t = ref (Weak.create 1)
let () = Weak.set !t 0 (Some !target);
Gc.finalise (fun w -> match Weak.get w 0 with
| None -> printf "Consistent\n"
| Some [] -> printf "How its possible?\n"
| Some (i::_) -> printf "Value not garbage collected : %i\n" i) !t
(** Force to grow the heap *)
let b = ref (Array.create 10000000 1)
let () =
(** release the target and the weak array )
target := [2];
t := (Weak.create 1);
(* Allow the heap to be reduced in order to point outside the heap )
b := Array.create 1 1;
(* Start a whole Gc phase *)
Gc.compact ()
Additional information
Reproducible with bytecode in 3.11.2
In native code the segmentation code doesn't appear but the target seems not to
be garbage collected. The example produces "Value not garbage collected : 2"
The text was updated successfully, but these errors were encountered: