there was small window in which was entry left in rb tree with reference
count 0 which lead to rb tree coruption when another thread picked this up
before it was released.
Add 2 new members to the prop_object_t which are used for locking/unlocking
rb tree guard mutex.
Ok by joerg@, core@, thorpej@
return a 3-value enum from a function declared to return bool. This broke
the recurse case for prop_object_equals(). Instead, declare the object type
equals routine to return a _prop_object_equals_rv_t.
Give the same treatment to the object type free routines: declare them to
return a _prop_object_free_rv_t, and consistently check those return values
againt the enum type.
Tidy up some whitespace while we're here.
and their associated changes, in particular, the following versions.
prop_array.c 1.13-1.16
prop_dictionary.c 1.25-1.28
prop_object_impl.h 1.21-1.25
ok'ed by core@.
acquiring the rwlock recursively in some paths.
Introduce _prop_rwlock_tryrdlock() and use it in these functions, so
that the rwlock is *always* acquired once, while here add some
_PROP_RWLOCK_OWNED asserts to verify.
This definitely fixes the "locking against myself" panics.
when prop_{array,dictionary}_copyout_ioctl() is called.
Introduce _PROP_RWLOCK_OWNED() which is a KASSERT(rw_lock_held(lock))
and use it in those two functions, also acquire the rwlock in other
places where it is required now.
This fixes a LOCKDEBUG panic "locking against myself", as reported by
Geoff C. Wing in current-users@.
by using a dynamic stack as well. Reorder arguments for the internalizer
as the iteration is always present and should go before possibly
NULL arguments.
Reviewed by mjf@ and adrianp@
userland, deeply nested arrays and dictionaries can easily overflow
the kernel stack and thereby force a panic.
Fix the internalizer and prop_object_release to use a separate call
stack and alter the dictionary and array handling to not recurse on
the C stack. The default stack has an inline depth of 16 elements,
which should keep the overhead reasonable.
This issue was found by Pavel Cahyna and Jachym Holecek.
Additionally add a limit for prop_object_copyin_ioctl to prevent user
programs from temporary allocating unbound amount of kernel memory.
Allow malloc to fail so that tight loops of userland processes can't
force panics by exhausting the kernel map.
Tested with the sample exploit of Jachym, his test suite and reviewed
by himself (initial patch), Christos Zoulas and Jason Thorpe.
keys and returns them in an array. This effectively allows a caller
to mutate a dictionary while iterating over it (really, you iterate
over the array of keys instead of the dictionary itself).
- Add a slew of utility functions that make it more convenient (in some
circumstances, anyway) to get/set values in a dictionary.
the data structure is internally consistent in the face of multiple threads
accessing it concurrently. This is not designed to provide application-
level semantic consistency; applications are responsible for that locking
protocol should it be necessary.
- Rename _PROP_MUTEX_DECL() to _PROP_MUTEX_DECL_STATIC().
has a significant code size savings over <sys/tree.h>.
Also change prop_number_t to store all number objects in an r-b tree,
only ever allocating one object for any given number (we can do this
because numbers are immutable). This results in significant run-time
memory savings.
so that apps can use this construct safely:
obj = prop_dictionary_get(dict, "value");
if (! prop_number_equals_integer(obj, 5)) {
...
}
Suggested by Iain Hibbert.
- Arrays can now be externalized and internalized in the same way
dictionaries can.
- Add new "externalize to file" and "internalize from file" functions
to make reading a property list from a file and writing a property
list to a file more convenient.
- Many assertions in the object implementations are gone. Instead,
calling an accessor for one object type with a different object type
as an argument will return a suitable "invalid" value.
- prop_object_type() now returns a new PROP_TYPE_UNKNOWN value if called
with a NULL object.
- Externalized property lists now contain a reference to the Apple XML
plist DTD.
- Add a new prop_ingest(3) facility, which provides a convenient way to
translate a dictionary into an arbitrary binary representation.
prop_dictionary_keysym_equals(), and prop_object_equals() functions.
- Use realloc() where it makes sense. There will be more changes in this
area.
- Add a _prop_object_type structure that is used internally to keep
information about the object types. Decreases the footprint of the
objects slightly by replacing several pointers with just one.
instead of leaving random garbage in there.
Should we just use "memset(pd, 0, sizeof(*pd));" instead?
Fixes boot problems on evbppc/WALNUT with new proplib.
