Comments on: Conservative stack scanning 101

By: Joe Larson

Joe Larson — Thu, 07 Aug 2008 21:56:17 +0000

I just found your site while looking at an old IOCCC entry your wrote called adventure. Then I saw this entry.

I love this stuff.

I was actually looking you up in reference to that IOCCC entry. If you would please e-mail me.

By: jorendorff

jorendorff — Thu, 30 Aug 2007 15:37:07 +0000

Someone has! Specifically, Leon Sha. See bug 391333. The patch for Solaris is attached.

I hate to disappoint, but it looks pretty easy:

#ifdef MMGC_SPARC
#define FLUSHWIN() asm(”ta 3″);
#else
#define FLUSHWIN()
#endif

By: Wes Garland

Wes Garland — Thu, 30 Aug 2007 14:13:29 +0000

That’s really quite clever. Thanks for the dissection!

Has this been ported to Solaris yet? The SPARC ABI uses a nifty sliding-register scheme for function argument passing, I’d like to see how THAT works.

By: jorendorff

jorendorff — Thu, 09 Aug 2007 19:42:43 +0000

Anders,

Yes, errors of both kinds (incorrectly marking something that isn’t really reachable, and incorrectly collecting something that is) are possible. Even C can’t create a rock it can’t lift, or (which is the moral equivalent) a GC that it can’t fool.

For another way to fool MMgc, open MMgc/GC.h and search for GCHiddenPointer.

MMgc actually does detect the “disguised” reference in the specific case you describe. However, see bug 388070.

By: Anders

Anders — Thu, 09 Aug 2007 18:52:04 +0000

> C can do anything

Not quite (please correct me if I’m wrong). That’s where the “conservative” part comes in. Since C don’t really know what is on the stack or in the heap (i.e. what data types), it just errs on the safe side and assumes everything (well maybe only the n-byte aligned?) is pointers. So even if it sees a string it will treat it as a pointer and if the characters of that string can be interpreted as a pointer to a block of memory that the allocator have allocated, that block will be marked as referenced. But (a) this probably doesn’t happen very often in practice, since the character sequence (or the integer or floating point number) must be interpreted as a pointer that point exactly to the start of an allocated block and (b) even if it did, the worst thing that could happen is that a block of memory wouldn’t be collected immediately.

But this also means that another way of fooling the GC is by instead of keeping a pointer the the start of an allocated block, holding a pointer to the second byte (or any other place relative to the allocated block). While your code might know how to access the block based on the offset into the block, the GC probably isn’t conservative enough to recognize the “disguised” reference and will collect and free the referenced block in error.