aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSverker Eriksson <[email protected]>2012-02-20 19:52:13 +0100
committerSverker Eriksson <[email protected]>2012-02-21 12:10:40 +0100
commit75b831aa879234db6d8821a32f4c411ef6cfc6ff (patch)
tree96018e44b4915f152484a6f6a770f0c064c07fc4
parent520ddbc83ec87bcec262680bd915184182e3998e (diff)
downloadotp-75b831aa879234db6d8821a32f4c411ef6cfc6ff.tar.gz
otp-75b831aa879234db6d8821a32f4c411ef6cfc6ff.tar.bz2
otp-75b831aa879234db6d8821a32f4c411ef6cfc6ff.zip
erts: Fix bignum-bug in ETS with compressed option
A large 64-bit immediate number will be stored as SMALL_BIG_EXT by ETS compressed format. When uncompressing, the SMALL_BIG_EXT was first decoded as as bignum (by bytes_to_big) and then turned into a small (by big_norm). This works for normal "binary_to_term" as decoded_size() over-estimates the needed heap size. But for ETS no over-estimation is done as the real term size is known and stored in DbTerm. Fixed by preventing bytes_to_big() from writing bignum digit when the number is seen to fit in an immediate.
-rw-r--r--erts/emulator/beam/big.c16
-rw-r--r--lib/stdlib/test/ets_SUITE.erl18
2 files changed, 31 insertions, 3 deletions
diff --git a/erts/emulator/beam/big.c b/erts/emulator/beam/big.c
index 976f05c990..25ac790d81 100644
--- a/erts/emulator/beam/big.c
+++ b/erts/emulator/beam/big.c
@@ -1844,6 +1844,7 @@ dsize_t big_bytes(Eterm x)
/*
** Load a bignum from bytes
** xsz is the number of bytes in xp
+** *r is untouched if number fits in small
*/
Eterm bytes_to_big(byte *xp, dsize_t xsz, int xsgn, Eterm *r)
{
@@ -1852,7 +1853,7 @@ Eterm bytes_to_big(byte *xp, dsize_t xsz, int xsgn, Eterm *r)
ErtsDigit d;
int i;
- while(xsz >= sizeof(ErtsDigit)) {
+ while(xsz > sizeof(ErtsDigit)) {
d = 0;
for(i = sizeof(ErtsDigit); --i >= 0;)
d = (d << 8) | xp[i];
@@ -1867,11 +1868,20 @@ Eterm bytes_to_big(byte *xp, dsize_t xsz, int xsgn, Eterm *r)
d = 0;
for(i = xsz; --i >= 0;)
d = (d << 8) | xp[i];
+ if (++rsz == 1 && IS_USMALL(xsgn,d)) {
+ if (xsgn) d = -d;
+ return make_small(d);
+ }
*rwp = d;
rwp++;
- rsz++;
}
- return big_norm(r, rsz, (short) xsgn);
+ if (xsgn) {
+ *r = make_neg_bignum_header(rsz);
+ }
+ else {
+ *r = make_pos_bignum_header(rsz);
+ }
+ return make_big(r);
}
/*
diff --git a/lib/stdlib/test/ets_SUITE.erl b/lib/stdlib/test/ets_SUITE.erl
index 101828fdef..59532b65a0 100644
--- a/lib/stdlib/test/ets_SUITE.erl
+++ b/lib/stdlib/test/ets_SUITE.erl
@@ -72,6 +72,7 @@
exit_many_many_tables_owner/1]).
-export([write_concurrency/1, heir/1, give_away/1, setopts/1]).
-export([bad_table/1, types/1]).
+-export([otp_9932/1]).
-export([otp_9423/1]).
-export([init_per_testcase/2, end_per_testcase/2]).
@@ -145,6 +146,7 @@ all() ->
exit_many_large_table_owner, exit_many_tables_owner,
exit_many_many_tables_owner, write_concurrency, heir,
give_away, setopts, bad_table, types,
+ otp_9932,
otp_9423].
groups() ->
@@ -5434,6 +5436,22 @@ types_do(Opts) ->
?line verify_etsmem(EtsMem).
+%% OTP-9932: Memory overwrite when inserting large integers in compressed bag.
+%% Will crash with segv on 64-bit opt if not fixed.
+otp_9932(Config) when is_list(Config) ->
+ T = ets:new(xxx, [bag, compressed]),
+ Fun = fun(N) ->
+ Key = {1316110174588445 bsl N,1316110174588583 bsl N},
+ S = {Key, Key},
+ true = ets:insert(T, S),
+ [S] = ets:lookup(T, Key),
+ true = ets:insert(T, S),
+ [S] = ets:lookup(T, Key)
+ end,
+ lists:foreach(Fun, lists:seq(0, 16)),
+ ets:delete(T).
+
+
otp_9423(doc) -> ["vm-deadlock caused by race between ets:delete and others on write_concurrency table"];
otp_9423(Config) when is_list(Config) ->
InitF = fun(_) -> {0,0} end,