Fixed undefined behavior caused by using pointers as counters. Supersedes #41

iboB · iboB · commit 0260452df70a · 2022-01-28T16:02:32.000+02:00
diff --git a/src/object_type_info.cpp b/src/object_type_info.cpp
@@ -87,18 +87,17 @@ object_type_info::call_table_message object_type_info::make_call_table_message(m
 void object_type_info::fill_call_table()
 {
     // first pass
-    // find top bid messages and prepare to calculate message buffer length length
+    // find top bid messages and prepare to calculate message buffer length
 
-    intptr_t message_data_buffer_size = 0;
-
-    // in this pass we make use of the fact that _call_table begin starts as nullptr
-    // for a new type so we will use it as a counter
+    uint_fast32_t message_data_buffer_size = 0;
+    uint_fast32_t num_top_bidders_per_message[DYNAMIX_MAX_MESSAGES] = {};
 
     for (const mixin_type_info* info : _compact_mixins)
     {
         for (const internal::message_for_mixin& msg : info->message_infos)
         {
             call_table_entry& table_entry = _call_table[msg.message->id];
+            auto& num_top_bidders = num_top_bidders_per_message[msg.message->id];
 
             if (msg.message->mechanism == internal::message_t::unicast)
             {
@@ -114,26 +113,27 @@ void object_type_info::fill_call_table()
                     table_entry.top_bid_message = make_call_table_message(info->id, msg);
 
                     // also remove the top-priority size we've accumulated
-                    message_data_buffer_size -= reinterpret_cast<intptr_t>(table_entry.begin) / sizeof(*table_entry.begin);
-                    table_entry.begin = nullptr;
+                    I_DYNAMIX_ASSERT(message_data_buffer_size >= num_top_bidders);
+                    message_data_buffer_size -= num_top_bidders;
+                    num_top_bidders = 0;
                 }
                 else if (table_entry.top_bid_message.data->priority == msg.priority)
                 {
-                    if (!table_entry.begin)
+                    if (num_top_bidders == 0)
                     {
                         // same-priority message
                         // we will need a buffer for those if they're top-priority
                         // add one to the buffer for the first one too
                         ++message_data_buffer_size;
 
-                        // hacky usage of end to count top bidders
+                        // also count top bidders for this particular message
                         // we need this so we can update message_data_buffer_size if we encounter
                         // a message with a higher priority
-                        ++table_entry.begin;
+                        ++num_top_bidders;
                     }
 
                     ++message_data_buffer_size;
-                    ++table_entry.begin;
+                    ++num_top_bidders;
 
                     // we have multiple bidders for the same priority
                     if (table_entry.top_bid_message.data->bid < msg.bid)
@@ -142,9 +142,9 @@ void object_type_info::fill_call_table()
                     }
                 }
             }
-            if(msg.message->mechanism == internal::message_t::multicast)
+            else if (msg.message->mechanism == internal::message_t::multicast)
             {
-                if (!table_entry.begin)
+                if (num_top_bidders == 0)
                 {
                     // for each new mulicast message add one more element to the buffer
                     // it will be filled with nullptr so that we know when to stop when
@@ -156,9 +156,8 @@ void object_type_info::fill_call_table()
                     table_entry.top_bid_message = make_call_table_message(info->id, msg);
                 }
 
-                // again we use begin to set the size of the buffer this particular message needs
                 ++message_data_buffer_size;
-                ++table_entry.begin;
+                ++num_top_bidders;
             }
         }
     }
@@ -175,16 +174,16 @@ void object_type_info::fill_call_table()
         for (const internal::message_for_mixin& msg : info->message_infos)
         {
             call_table_entry& table_entry = _call_table[msg.message->id];
+            const auto num_top_bidders = num_top_bidders_per_message[msg.message->id];
 
-            if(table_entry.begin)
+            if (num_top_bidders)
             {
                 if (!table_entry.end)
                 {
-                    // begin is not null and end is null, so this message has not been updated
-                    // but needs to be
+                    // end is null, so this message has not been updated, but needs to be
 
                     auto begin = message_data_buffer_ptr;
-                    message_data_buffer_ptr += reinterpret_cast<intptr_t>(table_entry.begin) / sizeof(*table_entry.begin);
+                    message_data_buffer_ptr += num_top_bidders;
 
                     if (msg.message->mechanism == internal::message_t::multicast)
                     {

Original file line number	Diff line number	Diff line change
`@@ -87,18 +87,17 @@ object_type_info::call_table_message object_type_info::make_call_table_message(m`
`87`	`87`	`void object_type_info::fill_call_table()`
`88`	`88`	`{`
`89`	`89`	`// first pass`
`90`		`- // find top bid messages and prepare to calculate message buffer length length`
	`90`	`+ // find top bid messages and prepare to calculate message buffer length`
`91`	`91`
`92`		`- intptr_t message_data_buffer_size = 0;`
`93`		`-`
`94`		`- // in this pass we make use of the fact that _call_table begin starts as nullptr`
`95`		`- // for a new type so we will use it as a counter`
	`92`	`+ uint_fast32_t message_data_buffer_size = 0;`
	`93`	`+ uint_fast32_t num_top_bidders_per_message[DYNAMIX_MAX_MESSAGES] = {};`
`96`	`94`
`97`	`95`	`for (const mixin_type_info* info : _compact_mixins)`
`98`	`96`	`{`
`99`	`97`	`for (const internal::message_for_mixin& msg : info->message_infos)`
`100`	`98`	`{`
`101`	`99`	`call_table_entry& table_entry = _call_table[msg.message->id];`
	`100`	`+ auto& num_top_bidders = num_top_bidders_per_message[msg.message->id];`
`102`	`101`
`103`	`102`	`if (msg.message->mechanism == internal::message_t::unicast)`
`104`	`103`	`{`
`@@ -114,26 +113,27 @@ void object_type_info::fill_call_table()`
`114`	`113`	`table_entry.top_bid_message = make_call_table_message(info->id, msg);`
`115`	`114`
`116`	`115`	`// also remove the top-priority size we've accumulated`
`117`		`- message_data_buffer_size -= reinterpret_cast<intptr_t>(table_entry.begin) / sizeof(*table_entry.begin);`
`118`		`- table_entry.begin = nullptr;`
	`116`	`+ I_DYNAMIX_ASSERT(message_data_buffer_size >= num_top_bidders);`
	`117`	`+ message_data_buffer_size -= num_top_bidders;`
	`118`	`+ num_top_bidders = 0;`
`119`	`119`	`}`
`120`	`120`	`else if (table_entry.top_bid_message.data->priority == msg.priority)`
`121`	`121`	`{`
`122`		`- if (!table_entry.begin)`
	`122`	`+ if (num_top_bidders == 0)`
`123`	`123`	`{`
`124`	`124`	`// same-priority message`
`125`	`125`	`// we will need a buffer for those if they're top-priority`
`126`	`126`	`// add one to the buffer for the first one too`
`127`	`127`	`++message_data_buffer_size;`
`128`	`128`
`129`		`- // hacky usage of end to count top bidders`
	`129`	`+ // also count top bidders for this particular message`
`130`	`130`	`// we need this so we can update message_data_buffer_size if we encounter`
`131`	`131`	`// a message with a higher priority`
`132`		`- ++table_entry.begin;`
	`132`	`+ ++num_top_bidders;`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`++message_data_buffer_size;`
`136`		`- ++table_entry.begin;`
	`136`	`+ ++num_top_bidders;`
`137`	`137`
`138`	`138`	`// we have multiple bidders for the same priority`
`139`	`139`	`if (table_entry.top_bid_message.data->bid < msg.bid)`
`@@ -142,9 +142,9 @@ void object_type_info::fill_call_table()`
`142`	`142`	`}`
`143`	`143`	`}`
`144`	`144`	`}`
`145`		`- if(msg.message->mechanism == internal::message_t::multicast)`
	`145`	`+ else if (msg.message->mechanism == internal::message_t::multicast)`
`146`	`146`	`{`
`147`		`- if (!table_entry.begin)`
	`147`	`+ if (num_top_bidders == 0)`
`148`	`148`	`{`
`149`	`149`	`// for each new mulicast message add one more element to the buffer`
`150`	`150`	`// it will be filled with nullptr so that we know when to stop when`
`@@ -156,9 +156,8 @@ void object_type_info::fill_call_table()`
`156`	`156`	`table_entry.top_bid_message = make_call_table_message(info->id, msg);`
`157`	`157`	`}`
`158`	`158`
`159`		`- // again we use begin to set the size of the buffer this particular message needs`
`160`	`159`	`++message_data_buffer_size;`
`161`		`- ++table_entry.begin;`
	`160`	`+ ++num_top_bidders;`
`162`	`161`	`}`
`163`	`162`	`}`
`164`	`163`	`}`
`@@ -175,16 +174,16 @@ void object_type_info::fill_call_table()`
`175`	`174`	`for (const internal::message_for_mixin& msg : info->message_infos)`
`176`	`175`	`{`
`177`	`176`	`call_table_entry& table_entry = _call_table[msg.message->id];`
	`177`	`+ const auto num_top_bidders = num_top_bidders_per_message[msg.message->id];`
`178`	`178`
`179`		`- if(table_entry.begin)`
	`179`	`+ if (num_top_bidders)`
`180`	`180`	`{`
`181`	`181`	`if (!table_entry.end)`
`182`	`182`	`{`
`183`		`- // begin is not null and end is null, so this message has not been updated`
`184`		`- // but needs to be`
	`183`	`+ // end is null, so this message has not been updated, but needs to be`
`185`	`184`
`186`	`185`	`auto begin = message_data_buffer_ptr;`
`187`		`- message_data_buffer_ptr += reinterpret_cast<intptr_t>(table_entry.begin) / sizeof(*table_entry.begin);`
	`186`	`+ message_data_buffer_ptr += num_top_bidders;`
`188`	`187`
`189`	`188`	`if (msg.message->mechanism == internal::message_t::multicast)`
`190`	`189`	`{`