SharedFreeList - Fix nodes count desync and use after free on deallocateAll

WalterWaldron · WalterWaldron · commit 776202b4e464 · 2016-12-23T12:55:32.000-05:00
diff --git a/std/experimental/allocator/building_blocks/free_list.d b/std/experimental/allocator/building_blocks/free_list.d
@@ -855,6 +855,10 @@ struct SharedFreeList(ParentAllocator,
             assert(nodes);
             atomicOp!("-=")(nodes, 1);
         }
+        private void resetNodes() shared
+        {
+            nodes = 0;
+        }
         private bool nodesFull() shared
         {
             return nodes >= approxMaxLength;
@@ -864,6 +868,7 @@ struct SharedFreeList(ParentAllocator,
     {
         private static void incNodes() { }
         private static void decNodes() { }
+        private static void resetNodes() { }
         private enum bool nodesFull = false;
     }
 
@@ -1017,13 +1022,16 @@ struct SharedFreeList(ParentAllocator,
         else static if (hasMember!(ParentAllocator, "deallocate"))
         {
             result = true;
-            for (auto n = _root; n; n = n.next)
+            for (auto n = _root; n;)
             {
+                auto tmp = n.next;
                 if (!parent.deallocate((cast(ubyte*)n)[0 .. max]))
                     result = false;
+                n = tmp;
             }
         }
         _root = null;
+        resetNodes();
         return result;
     }
 }
@@ -1064,6 +1072,18 @@ unittest
     }
 }
 
+unittest
+{
+    import std.experimental.allocator.mallocator : Mallocator;
+    static shared SharedFreeList!(Mallocator, 64, 128, 10) a;
+    auto b = a.allocate(100);
+    a.deallocate(b);
+    assert(a.nodes == 1);
+    b = [];
+    a.deallocateAll();
+    assert(a.nodes == 0);
+}
+
 unittest
 {
     import std.experimental.allocator.mallocator : Mallocator;

Original file line number	Diff line number	Diff line change
`@@ -855,6 +855,10 @@ struct SharedFreeList(ParentAllocator,`
`855`	`855`	`assert(nodes);`
`856`	`856`	`atomicOp!("-=")(nodes, 1);`
`857`	`857`	`}`
	`858`	`+ private void resetNodes() shared`
	`859`	`+ {`
	`860`	`+ nodes = 0;`
	`861`	`+ }`
`858`	`862`	`private bool nodesFull() shared`
`859`	`863`	`{`
`860`	`864`	`return nodes >= approxMaxLength;`
`@@ -864,6 +868,7 @@ struct SharedFreeList(ParentAllocator,`
`864`	`868`	`{`
`865`	`869`	`private static void incNodes() { }`
`866`	`870`	`private static void decNodes() { }`
	`871`	`+ private static void resetNodes() { }`
`867`	`872`	`private enum bool nodesFull = false;`
`868`	`873`	`}`
`869`	`874`
`@@ -1017,13 +1022,16 @@ struct SharedFreeList(ParentAllocator,`
`1017`	`1022`	`else static if (hasMember!(ParentAllocator, "deallocate"))`
`1018`	`1023`	`{`
`1019`	`1024`	`result = true;`
`1020`		`- for (auto n = _root; n; n = n.next)`
	`1025`	`+ for (auto n = _root; n;)`
`1021`	`1026`	`{`
	`1027`	`+ auto tmp = n.next;`
`1022`	`1028`	`if (!parent.deallocate((cast(ubyte*)n)[0 .. max]))`
`1023`	`1029`	`result = false;`
	`1030`	`+ n = tmp;`
`1024`	`1031`	`}`
`1025`	`1032`	`}`
`1026`	`1033`	`_root = null;`
	`1034`	`+ resetNodes();`
`1027`	`1035`	`return result;`
`1028`	`1036`	`}`
`1029`	`1037`	`}`
`@@ -1064,6 +1072,18 @@ unittest`
`1064`	`1072`	`}`
`1065`	`1073`	`}`
`1066`	`1074`
	`1075`	`+unittest`
	`1076`	`+{`
	`1077`	`+ import std.experimental.allocator.mallocator : Mallocator;`
	`1078`	`+ static shared SharedFreeList!(Mallocator, 64, 128, 10) a;`
	`1079`	`+ auto b = a.allocate(100);`
	`1080`	`+ a.deallocate(b);`
	`1081`	`+ assert(a.nodes == 1);`
	`1082`	`+ b = [];`
	`1083`	`+ a.deallocateAll();`
	`1084`	`+ assert(a.nodes == 0);`
	`1085`	`+}`
	`1086`	`+`
`1067`	`1087`	`unittest`
`1068`	`1088`	`{`
`1069`	`1089`	`import std.experimental.allocator.mallocator : Mallocator;`