Experimental Physics and
Industrial Control System

mdavidsaver via Core-talk <core-talk at aps.anl.gov> · Sat, 03 Apr 2021 18:02:32 -0000

cf. https://github.com/epics-base/epics-base/pull/151

-- 
You received this bug notification because you are a member of EPICS
Core Developers, which is subscribed to EPICS Base.
Matching subscriptions: epics-core-list-subscription
https://bugs.launchpad.net/bugs/1922442

Title:
  Another race in db_close_events()

Status in EPICS Base:
  New

Bug description:
  Mark Rivers reports a valgrind alert in db_close_events().

  https://epics.anl.gov/core-talk/2021/msg00665.php

  This looks like a race leading to a real use-after-free which is
  being "covered up" by the free list.

  >>> ==146728== Thread 25 CAS-client:
  >>> ==146728== Invalid read of size 8
  >>> ==146728==    at 0xE37113: db_close_events (dbEvent.c:378)

  In dbEvent.c  db_close_events()

  >     /* notify the waiting task */
  >     epicsEventSignal(evUser->ppendsem);
  > 
  >     if(evUser->taskid)  // <- line 378
  >         epicsThreadMustJoin(evUser->taskid);
  >     /* evUser has been deleted by the worker */

  Since event_task() is deleting evUser, it looks like everything from the epicsEventSignal()
  onwards is a race.  event_task() also deletes ppendsem, which could happen before
  epicsEventSignal() returns.  So I don't think it would be enough to save 'evUser->taskid'
  before signaling.

  I'm developing a long history with this particular issue.  This being
  the second time I've introduced a similar regression (cf. lp:1730982).
  This time with 37a76b433a9e7d5a8d26a13fd21ad62f20a0c1c1 (in 7.0.3.1).

To manage notifications about this bug go to:
https://bugs.launchpad.net/epics-base/+bug/1922442/+subscriptions

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System