
Fix #9267, 47a99bb: [Squirrel] Heap use after free #9275

Merged: 1 commit merged into OpenTTD:master from issue-9267 on May 16, 2021

Conversation

rubidium42 (Contributor)

Motivation / Problem

Fixes #9267

Description

Due to 47a99bb the order of elements in the garbage collection chain has changed causing the class to be finalised before the instances of that class. Since the instance's array of member values depends on the size of the values in the class, the class finalisation resetting that size to 0 causes not all finalisations to run, which subsequently causes a heap use after free in the more aggressive final attempts of releasing objects. So, just set the SQObjectPtrs to 'null' during the finalisation of the SQClass so the SQInstance can release all instance variables during its finalisation and the aggressive releasing attempts are not needed anymore.

Limitations

None

Checklist for review

Some things are not automated, and forgotten often. This list is a reminder for the reviewers.

  • The bug fix is important enough to be backported? (label: 'backport requested')
  • This PR affects the save game format? (label 'savegame upgrade')
  • This PR affects the GS/AI API? (label 'needs review: Script API')
    • ai_changelog.hpp, gs_changelog.hpp need updating.
    • The compatibility wrappers (compat_*.nut) need updating.
  • This PR affects the NewGRF API? (label 'needs review: NewGRF')

Due to 47a99bb the order of elements in the garbage collection chain has
changed causing the class to be finalised before the instances of that class.
Since the instance's array of member values depends on the size of the values
in the class, the class finalisation resetting that size to 0 causes not all
finalisations to run, which subsequently causes a heap use after free. So,
just set the SQObjectPtrs to 'null' during the finalisation of the SQClass
so the SQInstance can release all instance variables during its finalisation.
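The failure mode described above, as an added example that is not OpenTTD's or Squirrel's code: a reduced C++ model of the finalisation-order dependency. `Class`, `Instance`, `ObjPtr` and `RefObj` are simplified stand-ins for SQClass, SQInstance, SQObjectPtr and a refcounted object; the model stops at counting the member references an instance fails to release when its class is finalised first, instead of performing the later forced free that turns those leftovers into a use after free.

```cpp
// Added example (not OpenTTD's or Squirrel's code): a reduced model of the
// "class finalised before its instances" ordering described in the PR.
// Names are simplified stand-ins for SQClass / SQInstance / SQObjectPtr.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Refcounted object standing in for anything a SQObjectPtr can own.
struct RefObj {
    int refs = 0;
};

// Minimal SQObjectPtr stand-in: owns one reference to a RefObj.
struct ObjPtr {
    RefObj *val = nullptr;
    void set(RefObj *o) { release(); val = o; if (val) ++val->refs; }
    void release() { if (val) { --val->refs; val = nullptr; } }
};

struct Class {
    // The size of this vector decides how many members each instance has.
    std::vector<ObjPtr> defaultValues;

    // Behaviour before the fix: drop the slots, so size() becomes 0 and an
    // instance finalised afterwards believes it has zero members to release.
    void finalizeBuggy() {
        for (auto &p : defaultValues) p.release();
        defaultValues.clear();
    }

    // Behaviour after the fix: null the values but keep the slot count intact.
    void finalizeFixed() {
        for (auto &p : defaultValues) p.release();
    }
};

struct Instance {
    Class *cls;
    std::vector<ObjPtr> values;

    Instance(Class *c, const std::vector<RefObj *> &members) : cls(c) {
        values.resize(cls->defaultValues.size());
        for (size_t i = 0; i < values.size(); ++i) values[i].set(members[i]);
    }

    // Mirrors the dependency in the PR text: the number of members released
    // is read from the class, not from the instance's own array.
    size_t finalize() {
        size_t n = cls->defaultValues.size();
        if (n > values.size()) n = values.size();
        for (size_t i = 0; i < n; ++i) values[i].release();
        return n;
    }
};

struct Outcome {
    size_t released;  // members the instance's finalisation actually released
    int leftover;     // references still held after both finalisations ran
};

// Runs the post-47a99bb chain order (class first, then instance) over a
// constructed class with three members and reports what the instance left behind.
Outcome simulate(bool fixed) {
    const int kMembers = 3;
    std::vector<std::unique_ptr<RefObj>> heap;  // constructed sample objects
    std::vector<RefObj *> members;
    for (int i = 0; i < kMembers; ++i) {
        heap.push_back(std::make_unique<RefObj>());
        members.push_back(heap.back().get());
    }

    Class cls;
    cls.defaultValues.resize(kMembers);
    Instance inst(&cls, members);

    if (fixed) cls.finalizeFixed(); else cls.finalizeBuggy();
    size_t released = inst.finalize();

    int leftover = 0;
    for (auto &o : heap) leftover += o->refs;
    return Outcome{released, leftover};
}

int main() {
    Outcome before = simulate(false);
    Outcome after = simulate(true);
    std::printf("before fix: released %zu members, %d references left dangling\n",
                before.released, before.leftover);
    std::printf("after fix:  released %zu members, %d references left dangling\n",
                after.released, after.leftover);
    return 0;
}
```

With the buggy class finalisation the instance releases nothing and all three member references survive both finalisations; those are the objects a later last-resort release pass would free underneath the instance. Keeping the slot count and nulling the values lets the instance's own finalisation release every member, so no forced pass is needed.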
@rubidium42 rubidium42 added the backport requested This PR should be backport to current release (RC / stable) label May 16, 2021
LordAro (Member) left a comment

I assume you've tested for memory leaks etc suitably :)

rubidium42 (Contributor, Author)

I assume you've tested for memory leaks etc suitably :)

I have run several sessions with AddressSanitizer. The only memory leak is unrelated to Squirrel, and no more heap use after frees.

@rubidium42 rubidium42 merged commit 5c01f9e into OpenTTD:master May 16, 2021
@rubidium42 rubidium42 deleted the issue-9267 branch May 16, 2021 08:07
@TrueBrain TrueBrain removed the backport requested This PR should be backport to current release (RC / stable) label Oct 3, 2021
Successfully merging this pull request may close these issues.

Heap use after free in Squirrel delayed memory deallocation when AI deallocated