Fix inconsistent supervisor heap.

cwalther · cwalther · commit c1b8de42e7b9 · 2020-09-28T23:41:51.000+02:00
When allocations were freed in a different order from the reverse of how they were allocated (leaving holes), the heap would get into an inconsistent state, eventually resulting in crashes.

free_memory() relies on having allocations in order, but allocate_memory() did not guarantee that: It reused the first allocation with a NULL ptr without ensuring that it was between low_address and high_address. When it belongs to a hole in the allocated memory, such an allocation is not really free for reuse, because free_memory() still needs its length.

Instead, explicitly mark allocations available for reuse with a special (invalid) value in the length field. Only allocations that lie between low_address and high_address are marked that way.
diff --git a/supervisor/shared/memory.c b/supervisor/shared/memory.c
@@ -33,6 +33,10 @@
 
 #define CIRCUITPY_SUPERVISOR_ALLOC_COUNT (12)
 
+// Using a zero length to mark an unused allocation makes the code a bit shorter (but makes it
+// impossible to support zero-length allocations).
+#define FREE 0
+
 static supervisor_allocation allocations[CIRCUITPY_SUPERVISOR_ALLOC_COUNT];
 // We use uint32_t* to ensure word (4 byte) alignment.
 uint32_t* low_address;
@@ -61,19 +65,23 @@ void free_memory(supervisor_allocation* allocation) {
     }
     if (allocation->ptr == high_address) {
         high_address += allocation->length / 4;
+        allocation->length = FREE;
         for (index++; index < CIRCUITPY_SUPERVISOR_ALLOC_COUNT; index++) {
             if (allocations[index].ptr != NULL) {
                 break;
             }
             high_address += allocations[index].length / 4;
+            allocations[index].length = FREE;
         }
     } else if (allocation->ptr + allocation->length / 4 == low_address) {
         low_address = allocation->ptr;
+        allocation->length = FREE;
         for (index--; index >= 0; index--) {
             if (allocations[index].ptr != NULL) {
                 break;
             }
             low_address -= allocations[index].length / 4;
+            allocations[index].length = FREE;
         }
     } else {
         // Freed memory isn't in the middle so skip updating bounds. The memory will be added to the
@@ -99,7 +107,7 @@ supervisor_allocation* allocate_remaining_memory(void) {
 }
 
 supervisor_allocation* allocate_memory(uint32_t length, bool high) {
-    if ((high_address - low_address) * 4 < (int32_t) length || length % 4 != 0) {
+    if (length == 0 || (high_address - low_address) * 4 < (int32_t) length || length % 4 != 0) {
         return NULL;
     }
     uint8_t index = 0;
@@ -109,7 +117,7 @@ supervisor_allocation* allocate_memory(uint32_t length, bool high) {
         direction = -1;
     }
     for (; index < CIRCUITPY_SUPERVISOR_ALLOC_COUNT; index += direction) {
-        if (allocations[index].ptr == NULL) {
+        if (allocations[index].length == FREE) {
             break;
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,10 @@`
`33`	`33`
`34`	`34`	`#define CIRCUITPY_SUPERVISOR_ALLOC_COUNT (12)`
`35`	`35`
	`36`	`+// Using a zero length to mark an unused allocation makes the code a bit shorter (but makes it`
	`37`	`+// impossible to support zero-length allocations).`
	`38`	`+#define FREE 0`
	`39`	`+`
`36`	`40`	`static supervisor_allocation allocations[CIRCUITPY_SUPERVISOR_ALLOC_COUNT];`
`37`	`41`	`// We use uint32_t* to ensure word (4 byte) alignment.`
`38`	`42`	`uint32_t* low_address;`
`@@ -61,19 +65,23 @@ void free_memory(supervisor_allocation* allocation) {`
`61`	`65`	`}`
`62`	`66`	`if (allocation->ptr == high_address) {`
`63`	`67`	`high_address += allocation->length / 4;`
	`68`	`+ allocation->length = FREE;`
`64`	`69`	`for (index++; index < CIRCUITPY_SUPERVISOR_ALLOC_COUNT; index++) {`
`65`	`70`	`if (allocations[index].ptr != NULL) {`
`66`	`71`	`break;`
`67`	`72`	`}`
`68`	`73`	`high_address += allocations[index].length / 4;`
	`74`	`+ allocations[index].length = FREE;`
`69`	`75`	`}`
`70`	`76`	`} else if (allocation->ptr + allocation->length / 4 == low_address) {`
`71`	`77`	`low_address = allocation->ptr;`
	`78`	`+ allocation->length = FREE;`
`72`	`79`	`for (index--; index >= 0; index--) {`
`73`	`80`	`if (allocations[index].ptr != NULL) {`
`74`	`81`	`break;`
`75`	`82`	`}`
`76`	`83`	`low_address -= allocations[index].length / 4;`
	`84`	`+ allocations[index].length = FREE;`
`77`	`85`	`}`
`78`	`86`	`} else {`
`79`	`87`	`// Freed memory isn't in the middle so skip updating bounds. The memory will be added to the`
`@@ -99,7 +107,7 @@ supervisor_allocation* allocate_remaining_memory(void) {`
`99`	`107`	`}`
`100`	`108`
`101`	`109`	`supervisor_allocation* allocate_memory(uint32_t length, bool high) {`
`102`		`- if ((high_address - low_address) * 4 < (int32_t) length \|\| length % 4 != 0) {`
	`110`	`+ if (length == 0 \|\| (high_address - low_address) * 4 < (int32_t) length \|\| length % 4 != 0) {`
`103`	`111`	`return NULL;`
`104`	`112`	`}`
`105`	`113`	`uint8_t index = 0;`
`@@ -109,7 +117,7 @@ supervisor_allocation* allocate_memory(uint32_t length, bool high) {`
`109`	`117`	`direction = -1;`
`110`	`118`	`}`
`111`	`119`	`for (; index < CIRCUITPY_SUPERVISOR_ALLOC_COUNT; index += direction) {`
`112`		`- if (allocations[index].ptr == NULL) {`
	`120`	`+ if (allocations[index].length == FREE) {`
`113`	`121`	`break;`
`114`	`122`	`}`
`115`	`123`	`}`