[libcamera-devel] [PATCH v3 05/11] libcamera: request: A request canary

Kieran Bingham kieran.bingham at ideasonboard.com
Fri Mar 26 16:11:35 CET 2021 

Hi Laurent,

On 26/03/2021 02:51, Laurent Pinchart wrote:
> Hi Kieran,
> 
> Thank you for the patch.
> 
> On Thu, Mar 25, 2021 at 01:42:25PM +0000, Kieran Bingham wrote:
>> Request objects are created and owned by the application, but are of
>> course utilised widely throughout the internals of libcamera.
>>
>> If the application free's the requests while they are still active
>> within libcamera a use after free will occur. While this can be trapped
>> by tools such as valgrind, given the importance of this object and the
>> relationship of external ownership, it may have some value to provide
>> Debug build (disabled at Release build) assertions on the condition of
>> these objects.
>>
>> Make sure the request fails an assertion immediately if used after free.
>>
>> Signed-off-by: Kieran Bingham <kieran.bingham at ideasonboard.com>
>>
>> ---
>> I've removed the RFC from this, and I actually even more so believe this
>> is a good facility to provide on the Request object.
>>
>> Mostly because the Request object is the only object which is given to
>> libcamera from the application (yes, created by libcamera, but that's
>> separate), and is expected to be free'd by the application.
>>
>> If an application free's requests while they are still in use within
>> libcamera, the symptoms can be distinctly misleading and lead to rabbit
>> holes.
>>
>> Therefore, I think the Request object is the one place where extra
>> safety checking (in debug builds) is worth while.
> 
> Should the canary_ member be compiled out in non-debug builds ?

It could be. It's small so I don't think it's an expensive waste of
memory - but I don't expect it to be used in Release builds.

This is just to satisfy the assertions.


>> Yes, of course if an application free's a request while it's in use with
>> libcamera - then it's the applications fault, not ours - but because of
>> the nature of requests, this could be an easy trap to fall into - and I
>> don't want to find that reported as bugs in libcamera.
> 
> When Request will become Extensible, do you think the canary_ field
> could be moved to the Private class ? That would make me feel better
> about this feature :-)

Certainly, I'd have no issue with that, as long as we guarantee that
when the Request is released, so is the Private, but I think we can say
that's fine :-D

> Actually, maybe we could use the d_ pointer and o_ pointer to replace
> the canary, but checking the point to each other ?

Ah, I think I see what you mean. Yes, I think there is a possibility
there. As long as it doesn't then mean we try to access an invalid
unique_ptr and crash before we can ASSERT() ;-)

It may be that this then gives us a flexible method to apply the same
assertions on any public object (which is why we would use extensible in
the first place) and could add a layer of protection to other public
objects. Perhaps things like Buffers where the application might have
ownership, and could release them at the wrong time ...

I'll investigate when I get back to getting Request Extensible.


>> ---
>>  include/libcamera/request.h |  2 ++
>>  src/libcamera/request.cpp   | 18 ++++++++++++++++++
>>  2 files changed, 20 insertions(+)
>>
>> diff --git a/include/libcamera/request.h b/include/libcamera/request.h
>> index 4cf5ff3f7d3b..965ffa6b45b2 100644
>> --- a/include/libcamera/request.h
>> +++ b/include/libcamera/request.h
>> @@ -79,6 +79,8 @@ private:
>>  	const uint64_t cookie_;
>>  	Status status_;
>>  	bool cancelled_;
>> +
>> +	uint32_t canary_;
>>  };
>>  
>>  } /* namespace libcamera */
>> diff --git a/src/libcamera/request.cpp b/src/libcamera/request.cpp
>> index 7b7ef6814686..c4258480b12b 100644
>> --- a/src/libcamera/request.cpp
>> +++ b/src/libcamera/request.cpp
>> @@ -19,6 +19,8 @@
>>  #include "libcamera/internal/log.h"
>>  #include "libcamera/internal/tracepoints.h"
>>  
>> +#define REQUEST_CANARY 0x1F2E3D4C
>> +
>>  /**
>>   * \file request.h
>>   * \brief Describes a frame capture request to be processed by a camera
>> @@ -90,6 +92,8 @@ Request::Request(Camera *camera, uint64_t cookie)
>>  
>>  	LIBCAMERA_TRACEPOINT(request_construct, this);
>>  
>> +	canary_ = REQUEST_CANARY;
> 
> You can move this to the member initializer list.
> 
>> +
>>  	LOG(Request, Debug) << "Created request - cookie: " << cookie_;
>>  }
>>  
>> @@ -100,6 +104,8 @@ Request::~Request()
>>  	delete metadata_;
>>  	delete controls_;
>>  	delete validator_;
>> +
>> +	canary_ = 0;
>>  }
>>  
>>  /**
>> @@ -114,6 +120,8 @@ Request::~Request()
>>   */
>>  void Request::reuse(ReuseFlag flags)
>>  {
>> +	ASSERT(canary_ == REQUEST_CANARY);
>> +
>>  	LIBCAMERA_TRACEPOINT(request_reuse, this);
>>  
>>  	pending_.clear();
>> @@ -179,6 +187,8 @@ void Request::reuse(ReuseFlag flags)
>>   */
>>  int Request::addBuffer(const Stream *stream, FrameBuffer *buffer)
>>  {
>> +	ASSERT(canary_ == REQUEST_CANARY);
>> +
>>  	if (!stream) {
>>  		LOG(Request, Error) << "Invalid stream reference";
>>  		return -EINVAL;
>> @@ -214,6 +224,8 @@ int Request::addBuffer(const Stream *stream, FrameBuffer *buffer)
>>   */
>>  FrameBuffer *Request::findBuffer(const Stream *stream) const
>>  {
>> +	ASSERT(canary_ == REQUEST_CANARY);
>> +
>>  	const auto it = bufferMap_.find(stream);
>>  	if (it == bufferMap_.end())
>>  		return nullptr;
>> @@ -281,6 +293,7 @@ FrameBuffer *Request::findBuffer(const Stream *stream) const
>>   */
>>  void Request::complete()
>>  {
>> +	ASSERT(canary_ == REQUEST_CANARY);
>>  	ASSERT(status_ == RequestPending);
>>  	ASSERT(!hasPendingBuffers());
>>  
>> @@ -306,6 +319,8 @@ void Request::complete()
>>   */
>>  bool Request::completeBuffer(FrameBuffer *buffer)
>>  {
>> +	ASSERT(canary_ == REQUEST_CANARY);
>> +
>>  	LIBCAMERA_TRACEPOINT(request_complete_buffer, this, buffer);
>>  
>>  	int ret = pending_.erase(buffer);
>> @@ -326,6 +341,9 @@ std::string Request::toString() const
>>  	/* Pending, Completed, Cancelled(X). */
>>  	static const char *statuses = "PCX";
>>  
>> +	if (canary_ != REQUEST_CANARY)
>> +		return "Invalid Canary on Request";
> 
> As all bets are off in this case, should we ASSERT() to catch this
> condition as early as possible ?
> 
>> +
>>  	/* Example Output: Request(55:P:1/2:6523524) */
>>  	ss << "Request (" << sequence_ << ":" << statuses[status_] << ":"
>>  	   << pending_.size() << "/" << bufferMap_.size() << ":"
> 

-- 
Regards
--
Kieran

More information about the libcamera-devel mailing list