Patch to fix Reference/natReference.

David Daney ddaney@avtrex.com
Thu Aug 21 17:32:00 GMT 2003


Finally found it!  The attached test program exercises a bug in libgcj's
lava.lang.ref.Reference handling code (from gcc 3.3.1).  It crashes on 
both my i686-pc-linux-gnu and mipsel-linux platforms

If Reference.clear() is called and then the Reference is finalized
before its referent, a dangling pointer is created in the object_list
structure in natReference.cc.  This happens because the 'copy' field
of the Reference is cleared and that is what is used to find the slot
in the object_list table.

When more objects are allocated, this dangling pointer now can point
to an object of some other type.

Now when the original referent is finalized, all of the References to
it are enqueued, but since some of the pointers to these References
are invalid, the called to enqueue() (via a now invalid vtable) sends
us off into some place bad.

There seem to be two ways to fix the problem.

1) Never clear the 'copy' field in the Reference and add a boolean
     field to Reference that is set to detect the cleared condition.
     Doing this we will always be able to find the Reference in the
     object_list.

2) If 'copy' is null, then scan the entire object_list tree looking
    for the entry that points to the Reference and remove it.


I have attached a patch that does #1.

Question: Does adding a field to Reference cause binary compatibility
problems between different versions of shared libgcj?

I don't think so because all fields are package private.

Option 2 preserves the size and layout of Reference, but would be
slower and require bigger changes to natReference.cc

My patch includes changes from Tom Tromey's patch of yesterday.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Reftest.java
URL: <http://gcc.gnu.org/pipermail/java/attachments/20030821/0f0c5655/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: reffix.diff
URL: <http://gcc.gnu.org/pipermail/java/attachments/20030821/0f0c5655/attachment-0001.ksh>


More information about the Java mailing list