From eb33bda5ce238e834482ab7ac3d70f247159650f Mon Sep 17 00:00:00 2001
From: Ivan Maidanski <ivmai@mail.ru>
Date: Fri, 10 Nov 2017 20:07:16 +0300
Subject: [PATCH] Fix data race when getting object size in explicitly-typed
 allocators

* typd_mlc.c (COMPLEX): Reformat comment.
* typd_mlc.c (GC_malloc_explicitly_typed,
GC_malloc_explicitly_typed_ignore_off_page, GC_calloc_explicitly_typed):
Always use BYTES_TO_GRANULES(GC_size(op)) instead of GC_size_map[lb] to
determine size of the allocated object in granules (because the value
of GC_size_map[lb] might be updated by another thread since the value
use in GC_malloc_kind); add comment.
---
 typd_mlc.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/typd_mlc.c b/typd_mlc.c
index aa6972d3..d2ebf1a0 100644
--- a/typd_mlc.c
+++ b/typd_mlc.c
@@ -199,7 +199,7 @@ GC_make_sequence_descriptor(complex_descriptor *first,
 /* each of which can be described by a simple descriptor.       */
 /* We try to optimize some common cases.                        */
 /* If the result is COMPLEX, then a complex_descr* is returned  */
-/* in *complex_d.                                                       */
+/* in *complex_d.                                               */
 /* If the result is LEAF, then we built a LeafDescriptor in     */
 /* the structure pointed to by leaf.                            */
 /* The tag in the leaf structure is not set.                    */
@@ -597,7 +597,9 @@ GC_API GC_ATTR_MALLOC void * GC_CALL GC_malloc_explicitly_typed(size_t lb,
     op = GC_malloc_kind(lb, GC_explicit_kind);
     if (EXPECT(NULL == op, FALSE))
         return NULL;
-    lg = SMALL_OBJ(lb) ? GC_size_map[lb] : BYTES_TO_GRANULES(GC_size(op));
+    /* It is not safe to use GC_size_map[lb] to compute lg here as the  */
+    /* the former might be updated asynchronously.                      */
+    lg = BYTES_TO_GRANULES(GC_size(op));
     op[GRANULES_TO_WORDS(lg) - 1] = d;
     return op;
 }
@@ -620,7 +622,8 @@ GC_API GC_ATTR_MALLOC void * GC_CALL
             UNLOCK();
             op = (ptr_t)GENERAL_MALLOC_IOP(lb, GC_explicit_kind);
             if (0 == op) return 0;
-            lg = GC_size_map[lb];       /* May have been uninitialized. */
+            /* See the comment in GC_malloc_explicitly_typed.   */
+            lg = BYTES_TO_GRANULES(GC_size(op));
         } else {
             GC_eobjfreelist[lg] = obj_link(op);
             obj_link(op) = 0;
@@ -670,7 +673,7 @@ GC_API GC_ATTR_MALLOC void * GC_CALL GC_calloc_explicitly_typed(size_t n,
     op = GC_malloc_kind(lb, GC_array_kind);
     if (EXPECT(NULL == op, FALSE))
         return NULL;
-    lg = SMALL_OBJ(lb) ? GC_size_map[lb] : BYTES_TO_GRANULES(GC_size(op));
+    lg = BYTES_TO_GRANULES(GC_size(op));
     if (descr_type == LEAF) {
         /* Set up the descriptor inside the object itself.      */
         volatile struct LeafDescriptor * lp =
-- 
2.40.0