![(please configure the [header_logo] section in trac.ini)](/repos/chrome/site/pj.jpg)
Opened 16 years ago
Closed 16 years ago
#520 closed defect (fixed)
Race condition may cause ioqueue corruption (thanks Philippe Leuba)
| Reported by: | bennylp | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-0.9.0 |
| Component: | pjlib | Version: | trunk |
| Keywords: | Cc: | ||
| Backport to 1.x milestone: | Backported: |
Description
Quoting Philippe email:
When I destroy the transports, they call pj_ioqueue_unregister with the key as parameter. The function start by calling pj_list_erase(key), then decrement_counter when PJ_IOQUEUE_HAS_SAFE_UNREG is set. The problem is that decrement_counter call pj_list_erase(key) once again. Depending the timing between the main thread and the worker thread, this double call to pj_list_erase can corrupt the list, apparently because some element can be put in the closing_list in the meantime.
This is because pj_list_erase do not reset next and prev pointer of the key, but only link together the prev and next elements.
I fixed the problem by putting the pj_list_erase between ifdef:
#if !PJ_IOQUEUE_HAS_SAFE_UNREG pj_list_erase(key); #endif
An other solution, more general would be to modify pj_list_erase in order reset the next and prev pointer of the key to itself like pj_list_init does.
Change History (1)
comment:1 Changed 16 years ago by bennylp
- Resolution set to fixed
- Status changed from new to closed
Fixed in r1905. Thanks Philippe.