
sharpdisplay: Fix memory corruption across soft-reset #3497


Merged: 1 commit, Oct 1, 2020

Conversation

@jepler commented Oct 1, 2020

It was incorrect to NULL out the pointer to our heap allocated buffer in reset, because subsequent to framebuffer_reset, but while the heap was still active, we could call get_bufinfo again, leading to a fresh allocation on the heap that is about to be destroyed.

Typical stack trace:

```
#1  0x0006c368 in sharpdisplay_framebuffer_get_bufinfo
#2  0x0006ad6e in _refresh_display
#3  0x0006b168 in framebufferio_framebufferdisplay_background
#4  0x00069d22 in displayio_background
#5  0x00045496 in supervisor_background_tasks
#6  0x000446e8 in background_callback_run_all
#7  0x00045546 in supervisor_run_background_tasks_if_tick
#8  0x0005b042 in common_hal_neopixel_write
#9  0x00044c4c in clear_temp_status
#10 0x000497de in spi_flash_flush_keep_cache
#11 0x00049a66 in supervisor_external_flash_flush
#12 0x00044b22 in supervisor_flash_flush
#13 0x0004490e in filesystem_flush
#14 0x00043e18 in cleanup_after_vm
#15 0x0004414c in run_repl
#16 0x000441ce in main
```

When this happened -- which was inconsistent -- the display would keep some heap allocation across reset, which is exactly what we need to avoid.

NULLing the pointer in reconstruct follows what RGBMatrix does, and that code is a bit more battle-tested anyway.

If I had a motivation for structuring the SharpMemory code differently, I can no longer recall it.

Testing performed: Restarted my complicated calculator program over 100 iterations without observing signs of heap corruption.

Closes: #3473
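A constructed C model of the lifecycle the PR describes, added here as an example and not CircuitPython's own sharpdisplay code; `heap_t`, `fb_t` and `simulate_soft_reset` are invented names. It replays the stack trace above (reset, then a background refresh that calls `get_bufinfo` while the heap is still active, then heap teardown) and shows why NULLing the pointer in `reset` produces a fresh allocation on the dying heap while NULLing it in `reconstruct` does not:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the VM heap that cleanup_after_vm tears down (invented, not CircuitPython's gc). */
typedef struct { void *blocks[8]; int live; } heap_t;

static void *heap_alloc(heap_t *h, size_t n) {
    void *p = malloc(n);
    h->blocks[h->live++] = p;
    return p;
}

static void heap_destroy(heap_t *h) {          /* every block on the heap dies, referenced or not */
    for (int i = 0; i < h->live; i++) free(h->blocks[i]);
    h->live = 0;
}

/* Model of the sharpdisplay framebuffer object (invented fb_t, not the real struct). */
typedef struct { heap_t *heap; unsigned char *bufinfo; size_t size; } fb_t;

/* get_bufinfo allocates lazily; this is the path the background refresh hits during cleanup. */
static unsigned char *fb_get_bufinfo(fb_t *fb) {
    if (fb->bufinfo == NULL) fb->bufinfo = heap_alloc(fb->heap, fb->size);
    return fb->bufinfo;
}

static void fb_reset_buggy(fb_t *fb) { fb->bufinfo = NULL; } /* pre-fix: forget the buffer in reset */
static void fb_reset_fixed(fb_t *fb) { (void)fb; }           /* fix: reset leaves the pointer alone */

/* The fix moves the NULLing here, so the next VM's construct starts from a clean slate. */
static void fb_reconstruct(fb_t *fb, heap_t *heap, size_t size) {
    fb->heap = heap; fb->size = size; fb->bufinfo = NULL;
}

/* Returns how many blocks were allocated on the dying heap after reset, i.e. the
 * allocation the display would otherwise keep across the soft reset. */
static int simulate_soft_reset(bool buggy) {
    heap_t heap = { {0}, 0 };
    fb_t fb;
    fb_reconstruct(&fb, &heap, 400 * 240 / 8);   /* constructed 1-bpp size for a 400x240 panel */
    fb_get_bufinfo(&fb);                         /* first refresh: framebuffer lands on the VM heap */
    int before = heap.live;
    if (buggy) fb_reset_buggy(&fb); else fb_reset_fixed(&fb);
    fb_get_bufinfo(&fb);                         /* _refresh_display -> get_bufinfo inside cleanup_after_vm */
    int allocated_after_reset = heap.live - before;
    heap_destroy(&heap);                         /* the old buffer dies with the heap either way */
    return allocated_after_reset;                /* buggy: 1, fixed: 0 */
}
```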

@ladyada (Member) left a comment


didn't test but code looks good!

jepler added a commit to jepler/circuitpython that referenced this pull request Oct 1, 2020
If `supervisor_start_terminal` is called twice in a row without
`supervisor_stop_terminal`, it would lose track of a supervisor
allocation.

This can occur when setting the rotation of a display, including the
way that a FramebufferDisplay sets rotation _AFTER_ initial construction,
first with a stack like
```
#0  supervisor_start_terminal
#1  in displayio_display_core_construct
#2  in common_hal_framebufferio_framebufferdisplay_construct
```
and then with a stack like
```
#0  supervisor_start_terminal
#1  in common_hal_framebufferio_framebufferdisplay_construct
#2  in framebufferio_framebufferdisplay_make_new
```
.. without an intervening stop_terminal call.

For reasons I didn't fully explore, this did not become a problem until
the ability to re-allocate a freed supervisor allocation was
implemented in adafruit#3482.  Demonstrating the problem requires adafruit#3482 + adafruit#3497
+ this PR.
@tannewt tannewt merged commit b9890f2 into adafruit:main Oct 1, 2020
@jepler jepler deleted the issue3473 branch November 3, 2021 21:10
Linked issue this pull request closes: Memory corruption: feather nrf52840 + sharp memory display 400x240