Fix incorrect freeing order in ProfiledThread (#292)

jbachorik · jbachorik · commit a8bcee97b78f · 2025-11-10T10:40:35.000+01:00
* Avoid use-after-free in ProfiledThread TLS * Improve docs for critical section (cherry picked from commit 294f19e)
diff --git a/ddprof-lib/src/main/cpp/criticalSection.cpp b/ddprof-lib/src/main/cpp/criticalSection.cpp
@@ -22,7 +22,7 @@ CriticalSection::CriticalSection() : _entered(false), _using_fallback(false), _w
         int tid = OS::threadId();
 
         // Hash TID to distribute across bitmap words, reducing clustering
-        // We are OK with false colision for the fallback - it should be used only for testing when we don't have full profiler initialized
+        // We are OK with false collision for the fallback - it should be used only for testing when we don't have full profiler initialized
         _word_index = hash_tid(tid) % FALLBACK_BITMAP_WORDS;
         uint32_t bit_index = tid % 64;
         _bit_mask = 1ULL << bit_index;
diff --git a/ddprof-lib/src/main/cpp/criticalSection.h b/ddprof-lib/src/main/cpp/criticalSection.h
@@ -29,6 +29,18 @@
  * 
  * This eliminates race conditions between signal handlers and normal code
  * by ensuring only one can hold the critical section at a time per thread.
+ *
+ * !Warning! This is not a generic critical section implementation.
+ * It relies on the fact that 'put' operations can not be preempted by the 'processing' operation.
+ * That means that each 'put' operation will fully complete before 'processing' proceeds.
+ *
+ * The only preemption sequence is like this:
+ * - processing enter
+ * - processing acquire critical section
+ * - signal interrupts processing; results in calling put
+ * - put tries to acquire the critical section and fails
+ * - put bails out
+ * - processing proceeds and eventually releases the critical section
  */
 class CriticalSection {
 private:
diff --git a/ddprof-lib/src/main/cpp/thread.cpp b/ddprof-lib/src/main/cpp/thread.cpp
@@ -158,8 +158,9 @@ void ProfiledThread::release() {
   ProfiledThread *tls = (ProfiledThread *)pthread_getspecific(key);
   if (tls != NULL) {
     tls->releaseFromBuffer();
-    delete tls;
+    // Clear TLS pointer BEFORE deleting to prevent use-after-free if signal fires during delete
     pthread_setspecific(key, NULL);
+    delete tls;
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -158,8 +158,9 @@ void ProfiledThread::release() {`
`158`	`158`	`ProfiledThread tls = (ProfiledThread )pthread_getspecific(key);`
`159`	`159`	`if (tls != NULL) {`
`160`	`160`	`tls->releaseFromBuffer();`
`161`		`- delete tls;`
	`161`	`+ // Clear TLS pointer BEFORE deleting to prevent use-after-free if signal fires during delete`
`162`	`162`	`pthread_setspecific(key, NULL);`
	`163`	`+ delete tls;`
`163`	`164`	`}`
`164`	`165`	`}`
`165`	`166`