From ce5766c409ca3e27e62a300b89511b9d0fcd6c18 Mon Sep 17 00:00:00 2001 From: Ali Saidi Date: Fri, 2 Nov 2012 11:50:16 -0500 Subject: mem: fix use after free issue in memories until 4-phase work complete. --- src/mem/simple_dram.cc | 9 ++++++++- src/mem/simple_dram.hh | 6 ++++++ src/mem/simple_mem.cc | 8 +++++++- src/mem/simple_mem.hh | 6 ++++++ 4 files changed, 27 insertions(+), 2 deletions(-) diff --git a/src/mem/simple_dram.cc b/src/mem/simple_dram.cc index 42c97977a..3dc59e8e0 100644 --- a/src/mem/simple_dram.cc +++ b/src/mem/simple_dram.cc @@ -474,6 +474,13 @@ SimpleDRAM::printQs() const { bool SimpleDRAM::recvTimingReq(PacketPtr pkt) { + /// @todo temporary hack to deal with memory corruption issues until + /// 4-phase transactions are complete + for (int x = 0; x < pendingDelete.size(); x++) + delete pendingDelete[x]; + pendingDelete.clear(); + + // This is where we enter from the outside world DPRINTF(DRAM, "Inside recvTimingReq: request %s addr %lld size %d\n", pkt->cmdString(),pkt->getAddr(), pkt->getSize()); @@ -495,7 +502,7 @@ SimpleDRAM::recvTimingReq(PacketPtr pkt) // simply drop inhibited packets for now if (pkt->memInhibitAsserted()) { DPRINTF(DRAM,"Inhibited packet -- Dropping it now\n"); - delete pkt; + pendingDelete.push_back(pkt); return true; } diff --git a/src/mem/simple_dram.hh b/src/mem/simple_dram.hh index 373408c2a..de597d668 100644 --- a/src/mem/simple_dram.hh +++ b/src/mem/simple_dram.hh @@ -453,6 +453,12 @@ class SimpleDRAM : public AbstractMemory Stats::Formula writeRowHitRate; Stats::Formula avgGap; + /** @todo this is a temporary workaround until the 4-phase code is + * committed. upstream caches needs this packet until true is returned, so + * hold onto it for deletion until a subsequent call + */ + std::vector pendingDelete; + public: void regStats(); diff --git a/src/mem/simple_mem.cc b/src/mem/simple_mem.cc index e78b57928..d3a53a26f 100644 --- a/src/mem/simple_mem.cc +++ b/src/mem/simple_mem.cc @@ -94,10 +94,16 @@ SimpleMemory::doFunctionalAccess(PacketPtr pkt) bool SimpleMemory::recvTimingReq(PacketPtr pkt) { + /// @todo temporary hack to deal with memory corruption issues until + /// 4-phase transactions are complete + for (int x = 0; x < pendingDelete.size(); x++) + delete pendingDelete[x]; + pendingDelete.clear(); + if (pkt->memInhibitAsserted()) { // snooper will supply based on copy of packet // still target's responsibility to delete packet - delete pkt; + pendingDelete.push_back(pkt); return true; } diff --git a/src/mem/simple_mem.hh b/src/mem/simple_mem.hh index f1bad7d9f..ab002f270 100644 --- a/src/mem/simple_mem.hh +++ b/src/mem/simple_mem.hh @@ -118,6 +118,12 @@ class SimpleMemory : public AbstractMemory EventWrapper releaseEvent; + /** @todo this is a temporary workaround until the 4-phase code is + * committed. upstream caches needs this packet until true is returned, so + * hold onto it for deletion until a subsequent call + */ + std::vector pendingDelete; + public: SimpleMemory(const SimpleMemoryParams *p); -- cgit v1.2.3