freemyipod r818 - Code Review

Repository:freemyipod
Revision:r817‎ | r818 | r819 >
Date:00:49, 30 November 2011
Author:theseven
Status:new
Tags:
Comment:
emCORE: Fix a really nasty memory corruption bug that was triggered by deallocating thread handles that didn't have free space in front of them during the deallocation.
Modified paths:
  • /emcore/trunk/malloc.c (modified) (history)
  • /emcore/trunk/malloc.h (modified) (history)
  • /emcore/trunk/thread.c (modified) (history)

Diff

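--- a/emcore/trunk/malloc.c
+++ b/emcore/trunk/malloc.c
@@ -88,7 +88,7 @@
 mutex_lock(&malloc_mutex, TIMEOUT_BLOCK);
 size_t size = tlsf_block_size(ptr);
 DEBUGF("reownalloc(%08X, %08X) (size: %08X, old owner: %08X, thread: %08X)",
-ptr, size, owner, *((struct scheduler_thread**)(ptr + size - 4)), current_thread);
+ptr, owner, size, *((struct scheduler_thread**)(ptr + size - 4)), current_thread);
 *((struct scheduler_thread**)(ptr + size - 4)) = owner;
 mutex_unlock(&malloc_mutex);
 }
@@ -105,8 +105,7 @@
 
 void free_if_thread(void* ptr, size_t size, int used, void* owner)
 {
-if (*((void**)(ptr + size - 4)) == owner)
-tlsf_free(global_mallocpool, ptr);
+if (*((void**)(ptr + size - 4)) == owner) free(ptr);
 }
 
 void free_all_of_thread(struct scheduler_thread* owner)
@@ -124,6 +123,16 @@
 mutex_unlock(&malloc_mutex);
 }
 
+void malloc_lock()
+{
+mutex_lock(&malloc_mutex, TIMEOUT_BLOCK);
+}
+
+void malloc_unlock()
+{
+mutex_unlock(&malloc_mutex);
+}
+
 void malloc_init()
 {
 mutex_init(&malloc_mutex);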
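Review bot: `free_if_thread` now goes through `free(ptr)` while `free_all_of_thread`, which releases `malloc_mutex` at its end in the third hunk, appears to still hold that mutex during the walk that invokes this callback; if `free()` takes `malloc_mutex` the way `reownalloc` does in the first hunk, this is a nested acquisition by the same thread and only works when the mutex is reentrant, which is worth stating next to the call: `/* free() re-takes malloc_mutex; relies on the mutex being reentrant for its holder. */`. The same dependency is introduced for callers of the new `malloc_lock()`, which take the mutex before calling `free_all_of_thread`. Independently, the owner slot is located as `ptr + size - 4` in both `reownalloc` and `free_if_thread`; `sizeof(void*)` in place of the literal `4` would make the assumption explicit and keep the two sites in step. The bodies of `reownalloc` and `free_all_of_thread` begin outside their hunks.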
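--- a/emcore/trunk/malloc.h
+++ b/emcore/trunk/malloc.h
@@ -37,6 +37,8 @@
 void free(void* ptr) ICODE_ATTR;
 void free_all_of_thread(struct scheduler_thread* owner);
 void malloc_walk(void (*walker), void* user);
+void malloc_lock();
+void malloc_unlock();
 void malloc_init() INITCODE_ATTR;
 
 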
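Review bot: The new declarations `void malloc_lock();` and `void malloc_unlock();` are non-prototype declarations, so call sites that pass arguments by mistake are not diagnosed; `void malloc_lock(void);` and `void malloc_unlock(void);` give full prototypes (the neighbouring `malloc_init()` uses the older form, so this would be a local improvement rather than a break with file style). A one-line comment saying what the pair guards and whether it may be nested with the locking `free_all_of_thread` does internally would help the callers in thread.c, e.g. `/* Hold malloc_mutex across several allocator calls; see free_all_of_thread. */`.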
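--- a/emcore/trunk/thread.c
+++ b/emcore/trunk/thread.c
@@ -520,15 +520,16 @@
 #ifdef HAVE_BUTTON
 button_unregister_all_of_thread(OWNER_TYPE(OWNER_THREAD, thread));
 #endif
-free_all_of_thread(OWNER_TYPE(OWNER_THREAD, thread));
 
+malloc_lock();
 mode = enter_critical_section();
 for (t = head_thread; t && t->thread_next != thread; t = t->thread_next);
 if (t) t->thread_next = thread->thread_next;
+free_all_of_thread(OWNER_TYPE(OWNER_THREAD, thread));
+malloc_unlock();
+if (needsswitch) leave_thread();
 leave_critical_section(mode);
 
-if (needsswitch) yield();
-
 return THREAD_OK;
 }
 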
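Review bot: `free_all_of_thread` at new line 529 now runs inside the critical section entered on line 526, and on the `needsswitch` path `leave_thread()` is called with that section still entered; if the thread being removed is the caller, its own handle (and its stack, if that is pool-owned) has just been freed, so the code is only safe while nothing can allocate before the switch, which here hinges on the critical section alone since `malloc_unlock()` on line 530 already drops the allocator lock. That invariant should be written down at line 529, e.g. `/* May free this thread's own handle/stack: stay in the critical section until leave_thread() has switched away so nothing can reuse them. */`. The lock order introduced here is `malloc_lock()` before `enter_critical_section()`; any other path that takes `malloc_mutex` from inside a critical section would invert it, so that is worth checking. The enclosing function begins before this hunk.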