
Fix a memory corruption problem deep inside the registry when subscriptions/triggers are processed. The create_value function will malloc space for the pointers to keyval objects, but doesn't actually allocate space for the objects themselves. When constructing the gpr_notify_data object, we forgot to OBJ_NEW the keyval objects. Since the create_value function didn't explicitly NULL those memory locations, it just so happened that there was a non-NULL address in them....which we dutifully dumped a keyval into.

This fix includes two parts: (a) we now initialize the keyval pointer locations to NULL after the malloc, and (b) we now OBJ_NEW the keyvals prior to storing info in them.

BTW, in case anyone reads this and wonders why we don't just OBJ_NEW the keyvals in create_value, the reason is simply that some places in the code use static keyvals and simply assign those addresses into the value object's array. So not everyone wants to OBJ_NEW keyvals - by not forcing it here in create_value, we give the user the flexibility to do whatever they want.

This commit was SVN r13300.
This commit is contained in:
Ralph Castain 2007-01-25 12:54:02 +00:00
parent f9a3bbfd7a
commit 53967bd698
2 changed files: 5 additions and 1 deletion

View file

@ -55,6 +55,8 @@ int orte_gpr_base_create_value(orte_gpr_value_t **value,
OBJ_RELEASE(val);
return ORTE_ERR_OUT_OF_RESOURCE;
}
/* initialize it to NULL */
memset(val->keyvals, 0, cnt * sizeof(orte_gpr_keyval_t*));
}
/* get space for the specified number of tokens */
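
Review bot: the memset added after the keyvals allocation repeats the size expression cnt * sizeof(orte_gpr_keyval_t*) by hand, so it has to stay in step with the allocation above it, which is not visible in this hunk, and the multiplication is unchecked. Allocating with calloc(cnt, sizeof(orte_gpr_keyval_t*)) would zero the array and let the allocator reject an overflowing count in one call, with no second size expression to drift. Since callers are expected to either OBJ_NEW each slot or assign a static keyval, the comment could say that instead of only "initialize it to NULL".
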
@ -65,7 +67,8 @@ int orte_gpr_base_create_value(orte_gpr_value_t **value,
OBJ_RELEASE(val);
return ORTE_ERR_OUT_OF_RESOURCE;
}
val->tokens[num_tokens] = NULL; /* NULL-terminate the array */
/* initialize it to NULL and ensure that the array is NULL terminated */
memset(val->tokens, 0, (1+num_tokens) * sizeof(char*));
}
val->addr_mode = addr_mode;
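
Review bot: the tokens change in this hunk is not mentioned in the commit message, which describes only the keyvals array. The replaced line val->tokens[num_tokens] = NULL terminated the array but left entries 0 through num_tokens-1 uninitialized, which is the same class of problem as the keyvals bug, so it deserves a sentence in the log. With the array now zeroed, any entry a caller forgets to fill ends the NULL-terminated list early, and the comment should state that callers must populate all num_tokens entries. As with keyvals, calloc(1+num_tokens, sizeof(char*)) would avoid keeping a second size expression in step with the allocation.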

View file

@ -1217,6 +1217,7 @@ int orte_gpr_replica_check_subscription(orte_gpr_replica_subscription_t *sub)
}
/* send back the recorded data */
value->keyvals[0] = OBJ_NEW(orte_gpr_keyval_t);
if (ORTE_SUCCESS != (rc = orte_gpr_replica_dict_reverse_lookup(
&((value->keyvals[0])->key), ptr[i]->seg,
ptr[i]->iptr->itag))) {
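
Review bot: the result of OBJ_NEW(orte_gpr_keyval_t) is not checked before the next statement takes &((value->keyvals[0])->key), so an allocation failure becomes a write through a NULL pointer. Test value->keyvals[0] for NULL right after the OBJ_NEW and return ORTE_ERR_OUT_OF_RESOURCE, with the same cleanup the surrounding error paths use, as orte_gpr_base_create_value does for its own allocations. The commit message notes that the earlier code only appeared to work because the slot held a stale non-NULL address; now that the slots start out NULL, any other place that fills a keyval without allocating it first will fault, so the remaining users of create_value should be checked for the same omission.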