CFTree: retain children and the context info#51
Open
DTW-Thalion wants to merge 2 commits into
Open
Conversation
CFTreeRemove() walked tree->_firstChild (the node's own children) instead of the parent's child list, and never assigned previousSibling, so the loop condition "child != previousSibling" simply ran to the end of the list and nothing was ever unlinked. It then called CFTreeFinalize() on the node while the parent still pointed at it. The node was therefore left linked into its parent; once it was released the parent held a dangling pointer (AddressSanitizer: heap-use-after-free in CFTreeGetChildCount/CFTreeFinalize after removing a child and releasing it), and the child count was never updated. Rewrite it to unlink the node from its parent's list of children, fix up the parent's _lastChild pointer when the last child is removed, and clear the node's _parent and _nextSibling. A node with no parent is left untouched. Adds regression tests covering removal of the first, middle, last and only child. The test also releases the tree before its children now: CFTreeAppendChild does not retain the child, so a child freed before the tree that links it would otherwise dangle.
CFTree never took real ownership of anything:
* CFTreeAppendChild()/CFTreeInsertSibling() called the child's *context*
retain callback (passing the tree node, and a no-op for the default
NULL context) instead of retaining the child, and CFTreePrependChild()
retained nothing at all. A parent therefore did not keep its children
alive; releasing a child before its parent left the parent with a
dangling pointer (use-after-free when the tree was later traversed or
finalized).
* The context retain/release callbacks are meant to apply to the info
pointer, but CFTreeCreate() never retained the info and CFTreeFinalize()
passed the tree (not the info) to the release callback.
* CFTreeFinalize()/CFTreeRemoveAllChildren() called CFTreeFinalize()
directly on each child rather than releasing it, bypassing the normal
reference count.
Retain children with CFRetain() when they are added and release them with
CFRelease() in CFTreeRemove(), CFTreeRemoveAllChildren() and
CFTreeFinalize(); retain the info in CFTreeCreate() and release it (the
info, not the node) in CFTreeFinalize(); and fix CFTreePrependChild() to
set _lastChild to the new child and CFTreeGetChildAtIndex() to stop at the
end of the child list. Adds regression tests (verified leak- and
use-after-free-free under AddressSanitizer).
Builds on the CFTreeRemove() unlink fix; supersedes the smaller CFTree
null-dereference and CFTreeRemove changes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CFTree never took real ownership of anything:
CFTreeAppendChild()/CFTreeInsertSibling()called the child's context retain callback (passing the tree node, and a no-op for the default NULL context) instead of retaining the child, andCFTreePrependChild()retained nothing at all. A parent therefore did not keep its children alive; releasing a child before its parent left the parent with a dangling pointer (use-after-free when the tree was later traversed or finalized).The context retain/release callbacks are meant to apply to the
infopointer, butCFTreeCreate()never retained the info andCFTreeFinalize()passed the tree (not the info) to the release callback.CFTreeFinalize()/CFTreeRemoveAllChildren()calledCFTreeFinalize()directly on each child rather than releasing it, bypassing the normal reference count.This retains children with
CFRetain()when they are added and releases them withCFRelease()inCFTreeRemove(),CFTreeRemoveAllChildren()andCFTreeFinalize(); retains the info inCFTreeCreate()and releases the info (not the node) inCFTreeFinalize(); and fixesCFTreePrependChild()(set_lastChildto the new child) andCFTreeGetChildAtIndex()(stop at the end of the list). Regression tests added; verified leak-free and use-after-free-free under AddressSanitizer.Note: this is a comprehensive CFTree memory-management fix. It is stacked on the
CFTreeRemove()unlink fix, so the diff currently also includes that commit, and it supersedes the two smaller CFTree PRs (theCFTreePrependChild/CFTreeGetChildAtIndexnull-dereference fixes and theCFTreeRemoveunlink fix) — they can be closed in favour of this one, or this can be merged after them.