folly::ConcurrentHashMapSIMD - fix use after free

Summary: The current order of retire and reclaim_nodes in clear() introduces a subtle bug which allows the hazptr library to destroy the Chunks array from reclaim_nodes, freeing the memory at chunks_, then continue reclaiming nodes which involves further access to chunks_.` Reviewed By: magedm Differential Revision: D14968860 fbshipit-source-id: 1bc8e543ae54c3d0e26affb1fd352c58cc5ce897

folly::ConcurrentHashMapSIMD - fix use after free
Summary: The current order of retire and reclaim_nodes in clear() introduces a subtle bug which allows the hazptr library to destroy the Chunks array from reclaim_nodes, freeing the memory at chunks_, then continue reclaiming nodes which involves further access to chunks_.` Reviewed By: magedm Differential Revision: D14968860 fbshipit-source-id: 1bc8e543ae54c3d0e26affb1fd352c58cc5ce897
6afebd2c · Doron Roberts-Kedes · Facebook Github Bot · 662768f3 · 6afebd2c
Commit 6afebd2c authored Apr 17, 2019 by Doron Roberts-Kedes Committed by Facebook Github Bot Apr 17, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

folly/concurrency/detail/ConcurrentHashMap-detail.h folly/concurrency/detail/ConcurrentHashMap-detail.h +1 -1

No files found.
--- a/folly/concurrency/detail/ConcurrentHashMap-detail.h
+++ b/folly/concurrency/detail/ConcurrentHashMap-detail.h
@@ -1351,8 +1351,8 @@ class alignas(64) SIMDTable {
      chunks_.store(newchunks, std::memory_order_release);
      size_ = 0;
    }
-    chunks->retire(HazptrTableDeleter(ccount));
    chunks->reclaim_nodes(ccount);
+    chunks->retire(HazptrTableDeleter(ccount));
  }
  void max_load_factor(float factor) {