From ce8279d6a48d41f9de577825844f499bb3084b96 Mon Sep 17 00:00:00 2001
From: Sverker Eriksson <sverker@erlang.org>
Date: Thu, 3 Dec 2015 15:34:14 +0100
Subject: erts: Fix bug for remote control message containing fat maps

that could cause the static factory to overflow

Fix: Introduce a new factory mode FACTORY_TMP
---
 erts/emulator/beam/dist.c        | 10 +++-------
 erts/emulator/beam/erl_message.c | 29 +++++++++++++++++++++++++++--
 erts/emulator/beam/erl_message.h |  4 +++-
 3 files changed, 33 insertions(+), 10 deletions(-)

(limited to 'erts')

diff --git a/erts/emulator/beam/dist.c b/erts/emulator/beam/dist.c
index 4846133aa6..170690ca89 100644
--- a/erts/emulator/beam/dist.c
+++ b/erts/emulator/beam/dist.c
@@ -1153,7 +1153,6 @@ int erts_net_message(Port *prt,
     Process* rp;
     DeclareTmpHeapNoproc(ctl_default,DIST_CTL_DEFAULT_SIZE);
     Eterm* ctl = ctl_default;
-    ErlOffHeap off_heap;
     ErtsHeapFactory factory;
     Eterm* hp;
     Sint type;
@@ -1168,9 +1167,6 @@ int erts_net_message(Port *prt,
 #endif
 
     UseTmpHeapNoproc(DIST_CTL_DEFAULT_SIZE);
-    /* Thanks to Luke Gorrie */
-    off_heap.first = NULL;
-    off_heap.overhead = 0;
 
     ERTS_SMP_CHK_NO_PROC_LOCKS;
 
@@ -1231,7 +1227,7 @@ int erts_net_message(Port *prt,
     }
     hp = ctl;
 
-    erts_factory_static_init(&factory, ctl, ctl_len, &off_heap);
+    erts_factory_tmp_init(&factory, ctl, ctl_len, ERTS_ALC_T_DCTRL_BUF);
     arg = erts_decode_dist_ext(&factory, &ede);
     if (is_non_value(arg)) {
 #ifdef ERTS_DIST_MSG_DBG
@@ -1719,7 +1715,7 @@ int erts_net_message(Port *prt,
 	goto invalid_message;
     }
 
-    erts_cleanup_offheap(&off_heap);
+    erts_factory_close(&factory);
     if (ctl != ctl_default) {
 	erts_free(ERTS_ALC_T_DCTRL_BUF, (void *) ctl);
     }
@@ -1734,7 +1730,7 @@ int erts_net_message(Port *prt,
     }
  data_error:
     PURIFY_MSG("data error");
-    erts_cleanup_offheap(&off_heap);
+    erts_factory_close(&factory);
     if (ctl != ctl_default) {
 	erts_free(ERTS_ALC_T_DCTRL_BUF, (void *) ctl);
     }
diff --git a/erts/emulator/beam/erl_message.c b/erts/emulator/beam/erl_message.c
index 2a703fb102..fa6b2fc613 100644
--- a/erts/emulator/beam/erl_message.c
+++ b/erts/emulator/beam/erl_message.c
@@ -1174,6 +1174,9 @@ void erts_factory_message_init(ErtsHeapFactory* factory,
     ASSERT(factory->hp >= factory->hp_start && factory->hp <= factory->hp_end);
 }
 
+/* One static sized heap that must suffice.
+   No extra heap fragments will be allocated.
+*/
 void erts_factory_static_init(ErtsHeapFactory* factory,
 			     Eterm* hp,
 			     Uint size,
@@ -1188,6 +1191,23 @@ void erts_factory_static_init(ErtsHeapFactory* factory,
     factory->off_heap_saved.overhead = factory->off_heap->overhead;
 }
 
+/* A temporary heap with default buffer allocated/freed by client.
+ * factory_close is same as factory_undo
+ */
+void erts_factory_tmp_init(ErtsHeapFactory* factory, Eterm* hp, Uint size,
+			   Uint32 atype)
+{
+    factory->mode     = FACTORY_TMP;
+    factory->hp_start = hp;
+    factory->hp       = hp;
+    factory->hp_end   = hp + size;
+    factory->heap_frags = NULL;
+    factory->off_heap_saved.first    = NULL;
+    factory->off_heap_saved.overhead = 0;
+    factory->off_heap = &factory->off_heap_saved;
+    factory->alloc_type = atype;
+}
+
 /* When we know the term is an immediate and need no heap.
 */
 void erts_factory_dummy_init(ErtsHeapFactory* factory)
@@ -1231,6 +1251,7 @@ static void reserve_heap(ErtsHeapFactory* factory, Uint need, Uint xtra)
 	return;
 
     case FACTORY_HEAP_FRAGS:
+    case FACTORY_TMP:
 	bp = factory->heap_frags;
 
         if (bp) {
@@ -1280,6 +1301,9 @@ void erts_factory_close(ErtsHeapFactory* factory)
 	    bp->used_size = factory->hp - bp->mem;
         }
 	break;
+    case FACTORY_TMP:
+	erts_factory_undo(factory);
+	break;
     case FACTORY_STATIC: break;
     case FACTORY_CLOSED: break;
     default:
@@ -1371,19 +1395,20 @@ void erts_factory_undo(ErtsHeapFactory* factory)
         }
         break;
 
+    case FACTORY_TMP:
     case FACTORY_HEAP_FRAGS:
 	erts_cleanup_offheap(factory->off_heap);
 	factory->off_heap->first = NULL;
 
         bp = factory->heap_frags;
-        do {
+        while (bp != NULL) {
             ErlHeapFragment* next_bp = bp->next;
 
             ASSERT(bp->off_heap.first == NULL);
             ERTS_HEAP_FREE(factory->alloc_type, (void *) bp,
                            ERTS_HEAP_FRAG_SIZE(bp->alloc_size));
             bp = next_bp;
-        }while (bp != NULL);
+        }
 	break;
 
     case FACTORY_CLOSED: break;
diff --git a/erts/emulator/beam/erl_message.h b/erts/emulator/beam/erl_message.h
index fbdf3fb0e2..92ba3e571c 100644
--- a/erts/emulator/beam/erl_message.h
+++ b/erts/emulator/beam/erl_message.h
@@ -58,7 +58,8 @@ typedef struct {
         FACTORY_CLOSED = 0,
         FACTORY_HALLOC,
         FACTORY_HEAP_FRAGS,
-        FACTORY_STATIC
+        FACTORY_STATIC,
+        FACTORY_TMP
     } mode;
     Process* p;
     Eterm* hp_start;
@@ -75,6 +76,7 @@ void erts_factory_proc_init(ErtsHeapFactory*, Process*);
 void erts_factory_proc_prealloc_init(ErtsHeapFactory*, Process*, Sint size);
 void erts_factory_message_init(ErtsHeapFactory*, Process*, Eterm* hp, struct erl_heap_fragment*);
 void erts_factory_static_init(ErtsHeapFactory*, Eterm* hp, Uint size, ErlOffHeap*);
+void erts_factory_tmp_init(ErtsHeapFactory*, Eterm* hp, Uint size, Uint32 atype);
 void erts_factory_dummy_init(ErtsHeapFactory*);
 
 Eterm* erts_produce_heap(ErtsHeapFactory*, Uint need, Uint xtra);
-- 
cgit v1.2.3