Add missing local root in win32 Unix.select

[dra27]

This fixes #9043.

The patch is organised in three commits. The first is the simplest fix:

-- a/otherlibs/win32unix/select.c
+++ b/otherlibs/win32unix/select.c
@@ -961,9 +961,10 @@ static int fdlist_to_fdset(value fdlist, fd_set *fdset)
 static value fdset_to_fdlist(value fdlist, fd_set *fdset)
 {
   value res = Val_int(0);
-  Begin_roots2(fdlist, res)
+  value s = Val_int(0);
+  Begin_roots3(fdlist, res, s)
     for (/*nothing*/; fdlist != Val_int(0); fdlist = Field(fdlist, 1)) {
-      value s = Field(fdlist, 0);
+      s = Field(fdlist, 0);
       if (FD_ISSET(Socket_val(s), fdset)) {
         value newres = caml_alloc_small(2, 0);
         Field(newres, 0) = s;

It appears that the planets aligned (consistently) in such a way that msvc64 AppVeyor was routinely triggering a GC at the caml_alloc_small and fdlist was moved. The planets had to be aligned to the point that the test was failing only as part of make all and not as make one.

I did a limited test to confirm the problem by manually inserting a call caml_gc_full_major immediately after the value s = Field(… line. This causes all the Windows ports to freeze at this stage, suggesting a problem. With the Begin_roots3 version, they continue to work.

The second commit converts the entire function to use CAMLparam instead (I think it only used Begin_roots2 because it was taken from an old function which predates those macros).

While going through select.c, I noticed uses of Store_field following caml_alloc_small which violates GC Rule 5 (although I'm not sure that it's a problematic violation of Rule 5, since the expressions in question don't allocate).

[gasche]

cc our local-roots experts, I guess @let-def, @stedolan and @jhjourdan.

[dra27]

Smoking gun on my fork's AppVeyor with v=31 and extra printfs around the initialisation of s you can clearly see the minor gc run and the value being promoted.

[xavierleroy]

Congratulations and thanks for the detective work!

The fixes are correct as far as I can say.

Concerning GC rule 5, it is a hard rule: caml_alloc_small does not initialize the contents of the new block, while Store_field, which is a wrapper around caml_modify, reads the old value of the modified field. So, the original code was reading uninitialized memory....

[xavierleroy]

For the record: the original code (with Begin_roots2) was modeled after the fdset_to_fdlist function from otherlibs/unix/select.c, which still uses... old-style Begin_roots2/End_roots root management.

[dra27]

Indeed - I think it's OK only to "upgrade" these macros when something's actually changed/corrected?

[dra27]

(the Unix version obviously has no problem, since the representation of fd's is simpler)

[xavierleroy]

Could you please add a Changes entry in the 4.10 section? We'll cherry-pick to 4.10, of course.

[dra27]

Thanks @xavierleroy - I was happy to keep it without a Changes entry, but it's now rebased with one (on each changing commit, @gasche 😉). I'll merge once CI re-passes and cherry-pick to 4.10