From 24b739817fb719553dd4840308ee32ff60c88c1f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 9 Mar 2018 14:19:51 +0100 Subject: [PATCH] Fix double free in Store::queryPathInfo() It was holding on to a Value* (i.e. a std::shared_ptr*) outside of the pathInfoCache lock, so the std::shared_ptr could be destroyed between the release of the lock and the decrement of the std::shared_ptr refcount. This can happen if more than 'path-info-cache-size' paths are added in the meantime, *or* if clearPathInfoCache() is called. The hydra-queue-runner queue monitor thread periodically calls the later, so is likely to trigger a crash. Fixes https://github.com/NixOS/hydra/issues/542. --- src/libutil/lru-cache.hh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/libutil/lru-cache.hh b/src/libutil/lru-cache.hh index 3cb5d5088..9b8290e63 100644 --- a/src/libutil/lru-cache.hh +++ b/src/libutil/lru-cache.hh @@ -2,6 +2,7 @@ #include #include +#include namespace nix { @@ -63,18 +64,17 @@ public: /* Look up an item in the cache. If it exists, it becomes the most recently used item. */ - // FIXME: use boost::optional? - Value * get(const Key & key) + std::experimental::optional get(const Key & key) { auto i = data.find(key); - if (i == data.end()) return 0; + if (i == data.end()) return {}; /* Move this item to the back of the LRU list. */ lru.erase(i->second.first.it); auto j = lru.insert(lru.end(), i); i->second.first.it = j; - return &i->second.second; + return i->second.second; } size_t size()