Properly mark a deleted typemap entry #27568
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I wasn't able to trigger this with a test, but I added some assertion code that should detect earlier if it happens organically. |
This issue possibly fixes #24951 (or at least the test case by iamed2). We believe the original code here meant to say either: ((jl_typemap_entry_t*)v)->min_world = ((jl_typemap_entry_t*)v)->max_world + 1; or ((jl_typemap_entry_t*)v)->max_world = ((jl_typemap_entry_t*)v)->min_world - 1; i.e. set the range of applicable worlds to be empty. What happened instead was that the given typemap entry that was supposed to be deleted became valid for one particular world and that world only. Thus any code running in that particular world may try to access the deleted typemap entry (or add a backedge to it), causing either incorrect behavior or the assertion failure noted in the issue. One additional complication is that these world ages are being deserialized, i.e. they may be larger than the currently possible max world age. This makes this slightly more likely to happen, since the current process may work its way up to that world age and exectue some code. In any case, there's not much value to keeping around the deserialized max or min world, so just mark them as [1:0], as we do for other deleted entries. Co-authored-by: Jameson Nash <vtjnash@gmail.com>
|
Once this is merged I can try to put together a 0.6.4 release in short order. |
|
@staticfloat Can you check whether this fixes your issue as well? |
ararslan
pushed a commit
that referenced
this pull request
Jun 17, 2018
This issue possibly fixes #24951 (or at least the test case by iamed2). We believe the original code here meant to say either: ((jl_typemap_entry_t*)v)->min_world = ((jl_typemap_entry_t*)v)->max_world + 1; or ((jl_typemap_entry_t*)v)->max_world = ((jl_typemap_entry_t*)v)->min_world - 1; i.e. set the range of applicable worlds to be empty. What happened instead was that the given typemap entry that was supposed to be deleted became valid for one particular world and that world only. Thus any code running in that particular world may try to access the deleted typemap entry (or add a backedge to it), causing either incorrect behavior or the assertion failure noted in the issue. One additional complication is that these world ages are being deserialized, i.e. they may be larger than the currently possible max world age. This makes this slightly more likely to happen, since the current process may work its way up to that world age and exectue some code. In any case, there's not much value to keeping around the deserialized max or min world, so just mark them as [1:0], as we do for other deleted entries. Co-authored-by: Jameson Nash <vtjnash@gmail.com> --- NOTE: This backported commit EXCLUDES additional assertions made by vtjnash. (Cherry-picked from commit d9b10f0)
Keno
added a commit
that referenced
this pull request
Jul 20, 2018
This assertion was added in #27568. However from my understanding the first part of the assertion is wrong, since that PR added logic to mark deleted typemap entries as min_world 0, max_world 1. It seems valid for a typemap entry to be deleted, even if the referenced (while the reverse does not seem valid).
Keno
added a commit
that referenced
this pull request
Jul 20, 2018
This assertion was added in #27568. However from my understanding the first part of the assertion is wrong, since that PR added logic to mark deleted typemap entries as min_world 0, max_world 1. It seems valid for a typemap entry to be deleted, even if the referenced (while the reverse does not seem valid). Fixes #28213
This was referenced Jul 20, 2018
Keno
added a commit
that referenced
this pull request
Jul 21, 2018
This assertion was added in #27568. However from my understanding the first part of the assertion is wrong, since that PR added logic to mark deleted typemap entries as min_world 0, max_world 1. It seems valid for a typemap entry to be deleted, even if the referenced (while the reverse does not seem valid). Fixes #28213
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This issue possibly fixes #24951 (or at least the test case by iamed2).
We believe the original code here meant to say either:
or
i.e. set the range of applicable worlds to be empty. What happened instead
was that the given typemap entry that was supposed to be deleted became valid
for one particular world and that world only. Thus any code running in that
particular world may try to access the deleted typemap entry (or add a backedge
to it), causing either incorrect behavior or the assertion failure noted
in the issue. One additional complication is that these world ages are being
deserialized, i.e. they may be larger than the currently possible max world age.
This makes this slightly more likely to happen, since the current process
may work its way up to that world age and exectue some code.
In any case, there's not much value to keeping around the deserialized max or min
world, so just mark them as 1:0, as we do for other deleted entries.
@vtjnash is gonna try working on a test case for this, but it's very tricky to trigger.