From: "Shawn O. Pearce" <spearce@spearce.org>
To: Junio C Hamano <gitster@pobox.com>,
Daniel Barkalow <barkalow@iabervon.org>
Cc: Johan Herland <johan@herland.net>,
Nanako Shiraishi <nanako3@lavabit.com>,
git@vger.kernel.org
Subject: Re: [RFC PATCH v3 00/17] Return of smart HTTP
Date: Thu, 15 Oct 2009 13:45:43 -0700 [thread overview]
Message-ID: <20091015204543.GP10505@spearce.org> (raw)
In-Reply-To: <7vfx9k4d33.fsf@alter.siamese.dyndns.org>
Junio C Hamano <gitster@pobox.com> wrote:
> "Shawn O. Pearce" <spearce@spearce.org> writes:
>
> > It does. It is caused by the disconnect_helper call inside of
> > fetch_with_import. You can't disconnect inside of the fetch method
> > of a transport, the caller is going to disconnect you a second time.
> > ...
> > This bug isn't due to the merge, its a bug in Johan's series that
> > needs to be fixed before it could merge down to next/master.
...
> I am a bit confused about your diagnosis, though. As far as I recall,
> Johan's topic itself nor 'pu' with Johan's topic but without v2 of
> sp/smart-http did not have the issue.
Sadly, sometimes double frees do not result in segfaults, other
times they do. The reason you are not seeing a problem with these
other variants is because of luck, not code correctness.
Actually, after some further research, the bug is not Johan's but is
actually Daniel's. Johan, I apologize for claiming it was your bug.
In:
commit 23a3380ee9c2d5164712c40f8821cb0fba24e80c
Author: Daniel Barkalow <barkalow@iabervon.org>
Date: Thu Sep 3 22:14:01 2009 -0400
Add support for "import" helper command
Daniel introduces the fetch_with_import() function to
transport-helper.c. This method calls disconnect_helper():
+static int fetch_with_import(struct transport *transport,
+ int nr_heads, struct ref **to_fetch)
+{
...
+ disconnect_helper(transport);
+ finish_command(&fastimport);
Unfortunately this is in the middle of the transport_fetch() call
stack; transport_fetch() called the static fetch() function in
transport-helper.c, which in turn called fetch_with_import().
Callers (e.g. builtin-fetch.c) invoke transport_close() when
they are done with the handle (see line 704). That in turn calls
disconnect_helper() a second time.
The disconnect_helper function is not prepared to be called twice:
static int disconnect_helper(struct transport *transport)
{
struct helper_data *data = transport->data;
if (data->helper) {
...
}
free(data);
return 0;
}
Because of that unexpected invocation inside of fetch_with_import
we have already free'd the memory block used by transport->data,
and the second invocation attempts to free it again. Worse, if the
block was reused by a subsequent malloc, data->helper might not be
NULL, and we'd enter into the if block and do its work again.
Long story short, transport_close() is what is supposed to perform
the work that disconnect_helper does, as its the final thing right
before we free the struct transport block. Free'ing the data block
inside of the fetch or push functions is wrong.
Its fine to close the helper and restart it within the single
lifespan of a struct transport, but dammit, don't free the
struct helper_data until transport_close().
--
Shawn.
next prev parent reply other threads:[~2009-10-15 20:46 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-15 3:36 [RFC PATCH v3 00/17] Return of smart HTTP Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 01/17] pkt-line: Add strbuf based functions Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 02/17] pkt-line: Make packet_read_line easier to debug Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 03/17] fetch-pack: Use a strbuf to compose the want list Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 04/17] Move "get_ack()" back to fetch-pack Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 05/17] Add multi_ack_detailed capability to fetch-pack/upload-pack Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 06/17] remote-curl: Refactor walker initialization Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 07/17] fetch: Allow transport -v -v -v to set verbosity to 3 Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 08/17] remote-helpers: Fetch more than one ref in a batch Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 09/17] remote-helpers: Support custom transport options Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 10/17] Move WebDAV HTTP push under remote-curl Shawn O. Pearce
2009-10-19 2:59 ` Tay Ray Chuan
2009-10-28 1:08 ` Shawn O. Pearce
2009-10-28 11:01 ` Tay Ray Chuan
2009-10-25 15:19 ` [PATCH 2/7] http-push: allow stderr messages to appear alongside helper_status ones Tay Ray Chuan
2009-10-15 3:36 ` [RFC PATCH v3 11/17] Git-aware CGI to provide dumb HTTP transport Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 12/17] Add stateless RPC options to upload-pack, receive-pack Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 13/17] Smart fetch and push over HTTP: server side Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 14/17] Discover refs via smart HTTP server when available Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 15/17] Smart push over HTTP: client side Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 16/17] Smart fetch " Shawn O. Pearce
2009-10-15 3:36 ` [RFC PATCH v3 17/17] Smart HTTP fetch: gzip requests Shawn O. Pearce
2009-10-15 7:39 ` [RFC PATCH v3 00/17] Return of smart HTTP Junio C Hamano
2009-10-15 9:52 ` Nanako Shiraishi
2009-10-15 14:33 ` Shawn O. Pearce
2009-10-15 15:21 ` Johan Herland
2009-10-15 15:41 ` Shawn O. Pearce
2009-10-15 20:27 ` Junio C Hamano
2009-10-15 20:45 ` Shawn O. Pearce [this message]
2009-10-22 10:21 ` Nanako Shiraishi
2009-10-22 14:46 ` Daniel Barkalow
2009-10-27 4:55 ` [PATCH] Fix memory leak in transport-helper Daniel Barkalow
2009-10-27 14:11 ` Johannes Schindelin
2009-10-27 17:37 ` Daniel Barkalow
2009-10-27 18:31 ` Jeff King
2009-10-27 18:54 ` Johannes Schindelin
2009-10-27 19:05 ` Daniel Barkalow
2009-10-28 7:18 ` Junio C Hamano
2009-10-16 4:20 ` [RFC PATCH v3 00/17] Return of smart HTTP Mark Lodato
2009-10-16 14:31 ` Shawn O. Pearce
2009-10-16 23:04 ` Mark Lodato
2009-10-16 23:16 ` Shawn O. Pearce
2009-10-22 19:48 ` Marcus Camen
2009-10-25 15:16 ` [PATCH 0/6] http: push and test fixes Tay Ray Chuan
2009-10-25 15:18 ` [PATCH 1/7] http-push: fix check condition on http.c::finish_http_pack_request() Tay Ray Chuan
2009-10-25 15:20 ` [PATCH 3/7] http-push: add more 'error <dst> <why>' status reports Tay Ray Chuan
2009-10-25 15:21 ` [PATCH 4/7] t5540-http-push: expect success when pushing without arguments Tay Ray Chuan
2009-10-25 16:16 ` Clemens Buchacher
2009-10-25 15:22 ` [PATCH 5/7] t5540-http-push: check existence of fetched files Tay Ray Chuan
2009-10-25 16:49 ` Clemens Buchacher
2009-10-25 15:23 ` [PATCH 6/7] t5540-http-push: when deleting remote refs, don't need to branch -d -r Tay Ray Chuan
2009-10-25 15:24 ` [PATCH 7/7] t5540-http-push: remove redundant fetches Tay Ray Chuan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091015204543.GP10505@spearce.org \
--to=spearce@spearce.org \
--cc=barkalow@iabervon.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=johan@herland.net \
--cc=nanako3@lavabit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).