Ticket #913 (closed defect: fixed)

Opened 13 months ago

Last modified 13 months ago

Concurrency problem in select ioqueue may corrupt descriptor set

Reported by: bennylp
Owned by: bennylp
Priority: major
Milestone: release-1.4
Component: pjlib
Version: trunk
Keywords:
Cc:

Description (last modified by bennylp)

If one thread is unregistering the socket while another is issuing a pending operation such as recv or send, this may corrupt the descriptor set in the ioqueue, causing subsequent select() inside pj_ioqueue_poll() to return an error.

Detailed scenario:

  • thread A issues pj_ioqueue_recv(), and midway it is interrupted by thread B.
  • thread B issues pj_ioqueue_unregister(sock), which closes the socket.
  • thread A resumes execution, ultimately gaining the key's mutex. But it does not check if the key has been unregistered. It adds the socket handle (which has been closed by thread B) to the read descriptor set.
  • subsequent select() will return -1 since it contains an invalid handle.

This will cause the ioqueue to stop receiving events.
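
The interleaving in the scenario above, replayed sequentially as an added example; it is not pjlib code and not the change made in r2826. The `struct key` layout, the `closing` flag and all function names are hypothetical, and a pipe stands in for the socket.

```c
#include <pthread.h>
#include <stdbool.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical stand-in for an ioqueue key; not pjlib's real structure. */
struct key {
    pthread_mutex_t lock;
    int  fd;
    bool closing;                 /* set by unregister under the key's lock */
};
static fd_set rfds;               /* the ioqueue's shared read descriptor set */

/* Thread B's path: mark the key dead, drop it from the set, close the socket. */
static void key_unregister(struct key *k) {
    pthread_mutex_lock(&k->lock);
    k->closing = true;
    FD_CLR(k->fd, &rfds);
    close(k->fd);
    pthread_mutex_unlock(&k->lock);
}

/* Thread A's path once it holds the key's mutex. check_closing=false
 * reproduces the missing check; true is the guarded form. */
static int key_add_pending_read(struct key *k, bool check_closing) {
    int rc = 0;
    pthread_mutex_lock(&k->lock);
    if (check_closing && k->closing)
        rc = -1;                  /* refuse: the handle is already closed */
    else
        FD_SET(k->fd, &rfds);
    pthread_mutex_unlock(&k->lock);
    return rc;
}

/* Replays the ticket's interleaving sequentially, then polls once.
 * Returns select()'s result: -1 if the set holds a closed handle, else 0. */
static int replay(bool check_closing) {
    int p[2], n;
    struct key k = { PTHREAD_MUTEX_INITIALIZER, -1, false };
    struct timeval tv = { 0, 0 };
    if (pipe(p) != 0) return -2;
    k.fd = p[0];                              /* constructed sample descriptor */
    FD_ZERO(&rfds);
    key_unregister(&k);                       /* thread B runs first */
    key_add_pending_read(&k, check_closing);  /* thread A resumes */
    n = select(FD_SETSIZE, &rfds, NULL, NULL, &tv);
    close(p[1]);
    return n;
}
```

Without the check, the closed descriptor stays in the shared set, so every later poll fails the same way until something clears it.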

Change History

Changed 13 months ago by bennylp

  • priority changed from normal to major
  • description modified (diff)
  • summary changed from Concurrency problem in ioqueue to Concurrency problem in select ioqueue may corrupt descriptor set

Changed 13 months ago by bennylp

  • status changed from new to closed
  • resolution set to fixed

In r2826:

  • fixed the concurrency problem
  • also fixed ioqueue unregister test in pjlib-test