Bugzilla – Bug 492
Crash in AcpiPsDeleteParseTree after an allocation failure in AcpiPsCompleteThisOp
Last modified: 2008-09-26 19:54:26
This crash occurs in AcpiPsDeleteParseTree() called from AcpiPsExecuteMethod() when, under the testing conditions, a call to AcpiPsAllocOp() in AcpiPsCompleteThisOp() results in a failure. The crash occurs due to the presence in the initial Method Op parse tree of an Op object previously deleted according to the AllocateError processing branch in AcpiPsCompleteThisOp (see below):

    AcpiPsCompleteThisOp (
        ...
        default:
            ReplacementOp = AcpiPsAllocOp (AML_INT_RETURN_VALUE_OP);
            if (!ReplacementOp)
            {
                goto AllocateError;
            }
        ...
    AllocateError:

        /* Always delete the subtree, even on error */

        AcpiPsDeleteParseTree (Op);
        return_ACPI_STATUS (AE_NO_MEMORY);

Under normal conditions, when AcpiPsAllocOp above succeeds, the ReplacementOp relocates the Op in the initial Method Op parse tree and the next call to AcpiPsDeleteParseTree in AcpiPsExecuteMethod is processed smoothly. It looks like the comment "Always delete the subtree, even on error" is not exactly substantiated. When, under the considered testing conditions, the call to AcpiPsDeleteParseTree on the AllocateError branch is avoided, no problem occurs.

INTERNAL API TS BUG NUMBER: 44
Created an attachment (id=795): proposed patch

Currently, it does not unlink the Op from the parent tree if allocation fails; this causes a segmentation fault at the next call to AcpiPsDeleteParseTree. This patch continues to unlink the Op from the parent tree if allocation fails.
Created an attachment (id=799): updated patch

Added an else case for when allocation of ReplacementOp fails.
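A small model of the fault in the report and of the fix the two patch comments describe, added here as an example; it is not ACPICA code and not the attached patches. It uses its own stand-in parse object and a simplified completion step that unlinks the op from its parent before the subtree is deleted on allocation failure; all names are this example's own, and a live-object counter stands in for a memory checker.

```c
#include <stdlib.h>
/* Stand-in for ACPICA's parse object (constructed for this example; not ACPICA's layout). */
typedef struct op { struct op *parent, *child, *next; } op_t;
static int live_ops;   /* allocations minus frees: 0 means no leak and no double free */

static op_t *alloc_op(void)
{
    op_t *op = calloc(1, sizeof *op);
    if (op) live_ops++;
    return op;
}

/* Free op and everything below it, as AcpiPsDeleteParseTree does. */
static void delete_subtree(op_t *op)
{
    for (op_t *c = op->child; c;) { op_t *n = c->next; delete_subtree(c); c = n; }
    live_ops--; free(op);
}

/* Put new_op in old's place in the parent's child list; NULL just unlinks old. */
static void replace_in_parent(op_t *old, op_t *new_op)
{
    op_t **slot = &old->parent->child;
    while (*slot != old) slot = &(*slot)->next;
    *slot = new_op ? new_op : old->next;
    if (new_op) { new_op->next = old->next; new_op->parent = old->parent; }
    old->next = NULL; old->parent = NULL;
}

/* Simplified AcpiPsCompleteThisOp. On allocation failure the op must leave the
 * parent's child list BEFORE its subtree is freed; otherwise the parent keeps a
 * pointer to freed memory and the later whole-tree delete frees it a second time. */
static int complete_this_op(op_t *op, int simulate_alloc_failure)
{
    op_t *replacement = simulate_alloc_failure ? NULL : alloc_op();
    replace_in_parent(op, replacement);   /* the step the buggy error path skipped */
    delete_subtree(op);
    return replacement ? 0 : -1;          /* -1 stands in for AE_NO_MEMORY */
}

/* Build Method -> { A -> { B }, C }, complete A, then delete the whole method tree
 * as AcpiPsExecuteMethod would. Returns live_ops afterwards (expected 0). */
static int run_scenario(int simulate_alloc_failure)
{
    op_t *method = alloc_op(), *a = alloc_op(), *b = alloc_op(), *c = alloc_op();
    if (!method || !a || !b || !c) return -1;
    method->child = a; a->parent = method; a->next = c; c->parent = method;
    a->child = b;      b->parent = a;
    complete_this_op(a, simulate_alloc_failure);
    delete_subtree(method);
    return live_ops;
}
```

Removing the replace_in_parent() call from the failure branch reproduces the report's shape: the method tree still points at A after A was freed, and the final delete_subtree(method) frees it again.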
Shipped in ACPICA release 20080926.