Date: Sun, 11 Apr 2004 18:07:21 -0700 (PDT)
From: Stephan Uphoff <ups@tree.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/65448: _mtx_unlock_sleep() race condition if ADAPTIVE_MUTEXES is defined
Message-ID: <200404120107.i3C17L0O006072@www.freebsd.org>
Resent-Message-ID: <200404120110.i3C1AHOb048107@freefall.freebsd.org>
>Number:         65448
>Category:       kern
>Synopsis:       _mtx_unlock_sleep() race condition if ADAPTIVE_MUTEXES is defined
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 11 18:10:17 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Stephan Uphoff
>Release:        current
>Organization:
>Environment:
N/A
>Description:
The following waiting loop is used in _mtx_unlock_sleep() if both ADAPTIVE_MUTEXES and SMP are defined:

    while (mtx_owner(m) == owner && TD_IS_RUNNING(owner)) {
    #ifdef __i386__
        ia32_pause();
    #endif
    }

Problem:

The current thread holds no lock or reference count on the "owner" thread. This means that the thread pointed to by owner can terminate and become invalid. If the "owner" thread terminates between the tests "mtx_owner(m) == owner" and "TD_IS_RUNNING(owner)", the second test may access an invalid memory address.

Additional nitpick:

Because TD_IS_RUNNING(owner) is defined as

    #define TD_IS_RUNNING(td) ((td)->td_state == TDS_RUNNING)

and the td_state field is not volatile, and ia32_pause() is not marked as modifying memory, the compiler can regard the test "TD_IS_RUNNING(owner)" as loop invariant and rewrite the code fragment above as:

    if (mtx_owner(m) == owner && TD_IS_RUNNING(owner))
        do {
    #ifdef __i386__
            ia32_pause();
    #endif
        } while (mtx_owner(m) == owner);

This would cause problems.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
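A constructed C model of the wait loop described above, added here and not part of the report or of FreeBSD: it keeps the loop's shape but has the waiter take a reference on the owner thread and read td_state with an atomic load, so the owner cannot be torn down mid-test and the compiler cannot hoist the running check out of the loop. Only mtx_owner, td_state and TDS_RUNNING come from the report; the reference count, the freed flag and the step hook are assumed test scaffolding that lets the scenario play the exiting owner.

```c
/* Hypothetical model of the ADAPTIVE_MUTEXES wait loop from the report
 * (constructed illustration, not FreeBSD code). Two changes address it: the
 * waiter takes a reference on "owner" so the thread struct cannot be torn down
 * while td_state is examined, and td_state is read with an atomic load. */
#include <stdatomic.h>
#include <stddef.h>
enum { TDS_RUNNING = 1, TDS_INACTIVE = 2 };
struct thread { _Atomic int td_state; _Atomic int td_refcnt; int freed; };
struct mtx { _Atomic(struct thread *) mtx_lock; };   /* owner pointer, as mtx_owner() */
struct spin_result { int iters, freed_while_spinning, freed_after; };

static struct thread *mtx_owner(struct mtx *m) { return atomic_load(&m->mtx_lock); }
/* The last reference "frees" the struct; modelled as a flag so the test can look at it. */
static void thread_unref(struct thread *td) {
    if (atomic_fetch_sub(&td->td_refcnt, 1) == 1) td->freed = 1;
}
/* Spin while owner still holds m and is running. step() stands in for
 * ia32_pause() and lets the test play the "other CPU"; limit bounds the spin. */
static int adaptive_spin(struct mtx *m, struct thread *owner,
                         void (*step)(struct thread *, struct mtx *, int), int limit) {
    int iters = 0;
    atomic_fetch_add(&owner->td_refcnt, 1);  /* owner stays valid until we unref */
    while (mtx_owner(m) == owner &&
           atomic_load(&owner->td_state) == TDS_RUNNING && iters < limit) {
        step(owner, m, iters);
        iters++;
    }
    thread_unref(owner);
    return iters;
}

/* Constructed scenario: on the third spin the owner releases m and exits. */
static int g_freed_while_spinning;
static void owner_exits_on_third_iter(struct thread *td, struct mtx *m, int iter) {
    if (iter == 2) {
        atomic_store(&m->mtx_lock, NULL);
        atomic_store(&td->td_state, TDS_INACTIVE);
        thread_unref(td);                    /* the thread drops its own reference */
    }
    g_freed_while_spinning |= td->freed;     /* the waiter's reference keeps this 0 */
}
static struct spin_result run_exit_during_spin(void) {
    struct thread owner = { TDS_RUNNING, 1, 0 };   /* refcnt 1: the thread's own */
    struct mtx m = { &owner };
    struct spin_result r;
    g_freed_while_spinning = 0;
    r.iters = adaptive_spin(&m, &owner, owner_exits_on_third_iter, 100);
    r.freed_while_spinning = g_freed_while_spinning;
    r.freed_after = owner.freed;             /* torn down only once the waiter let go */
    return r;
}
```

The scenario stops after three iterations because the owner test fails first; without the extra reference, the td_state read on the third pass would be the invalid access the report describes.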
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404120107.i3C17L0O006072>