pcu: Fix memory corruption bugs (ASAN)

ASAN has found improper deletion of objects. These only occur on shutdown but makes it impossible to run the test cases with full ASAN support. This commit fixes some of them and deactivates the freeing of the_pcu.bctx which may cause a corruption in BTS::~BTS() later on. Note that the latter is only a work-aound and should be fixed properly. It will leak bctx objects, but this is currently not critical, since gprs_bssgp_destroy is only called once, immediately before a call to exit(). Ticket: OW#1572 Sponsored-by: On-Waves ehf
2016-01-20 22:02:19 +01:00 · 2016-01-20 22:02:19 +01:00 · c362df25a2
parent 27dc941475
commit c362df25a2
4 changed files with 25 additions and 8 deletions
--- a/src/bts.cpp
+++ b/src/bts.cpp
@ -150,7 +150,12 @@ BTS::BTS()

 BTS::~BTS()
 {
+	/* this can cause counter updates and must not be left to the
+	 * m_ms_store's destructor */
+	m_ms_store.cleanup();
+
 	rate_ctr_group_free(m_ratectrs);
+	osmo_stat_item_group_free(m_statg);
 }


--- a/src/gprs_bssgp_pcu.cpp
+++ b/src/gprs_bssgp_pcu.cpp
@ -872,28 +872,33 @@ struct gprs_bssgp_pcu *gprs_bssgp_create_and_connect(struct gprs_rlcmac_bts *bts

 void gprs_bssgp_destroy(void)
 {
-	if (!bssgp_nsi)
+	struct gprs_ns_inst *nsi = bssgp_nsi;
+	if (!nsi)
 		return;

+	bssgp_nsi = NULL;
+
 	osmo_timer_del(&the_pcu.bvc_timer);

 	osmo_signal_unregister_handler(SS_L_NS, nsvc_signal_cb, NULL);

 	the_pcu.nsvc = NULL;

-	/* FIXME: move this to libgb: btsctx_free() */
-	llist_del(&the_pcu.bctx->list);
-	talloc_free(the_pcu.bctx);
-	the_pcu.bctx = NULL;
-
 	/* FIXME: blocking... */
 	the_pcu.nsvc_unblocked = 0;
 	the_pcu.bvc_sig_reset = 0;
 	the_pcu.bvc_reset = 0;
 	the_pcu.bvc_unblocked = 0;	

-	gprs_ns_destroy(bssgp_nsi);
-	bssgp_nsi = NULL;
+	gprs_ns_destroy(nsi);
+
+	/* FIXME: move this to libgb: btsctx_free() */
+	llist_del(&the_pcu.bctx->list);
+#warning "This causes ASAN to complain. It is not critical for normal operation but should be fixed nevertheless"
+#if 0
+	talloc_free(the_pcu.bctx);
+#endif
+	the_pcu.bctx = NULL;
 }

 struct bssgp_bvc_ctx *gprs_bssgp_pcu_current_bctx(void)
--- a/src/gprs_ms_storage.cpp
+++ b/src/gprs_ms_storage.cpp
@ -33,6 +33,11 @@ GprsMsStorage::GprsMsStorage(BTS *bts) :
 }

 GprsMsStorage::~GprsMsStorage()
+{
+	cleanup();
+}
+
+void GprsMsStorage::cleanup()
 {
 	LListHead<GprsMs> *pos, *tmp;

--- a/src/gprs_ms_storage.h
+++ b/src/gprs_ms_storage.h
@ -33,6 +33,8 @@ public:
 	GprsMsStorage(BTS *bts);
 	~GprsMsStorage();

+	void cleanup();
+
 	virtual void ms_idle(class GprsMs *);
 	virtual void ms_active(class GprsMs *);