EPICS Controls Argonne National Laboratory

Experimental Physics and Industrial Control System


Subject: [Bug 1922442] Re: Another race in db_close_events()
From: Andrew Johnson via Core-talk <core-talk at aps.anl.gov>
To: core-talk at aps.anl.gov
Date: Sun, 04 Jul 2021 03:48:11 -0000
** Changed in: epics-base
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of EPICS
Core Developers, which is subscribed to EPICS Base.
Matching subscriptions: epics-core-list-subscription
https://bugs.launchpad.net/bugs/1922442

Title:
  Another race in db_close_events()

Status in EPICS Base:
  Fix Released

Bug description:
  Mark Rivers reports a valgrind alert in db_close_events().

  https://epics.anl.gov/core-talk/2021/msg00665.php

  This looks like a race leading to a real use-after-free which is
  being "covered up" by the free list.

  >>> ==146728== Thread 25 CAS-client:
  >>> ==146728== Invalid read of size 8
  >>> ==146728==    at 0xE37113: db_close_events (dbEvent.c:378)

  In dbEvent.c  db_close_events()

  >     /* notify the waiting task */
  >     epicsEventSignal(evUser->ppendsem);
  > 
  >     if(evUser->taskid)  // <- line 378
  >         epicsThreadMustJoin(evUser->taskid);
  >     /* evUser has been deleted by the worker */

  Since event_task() is deleting evUser, it looks like everything from the epicsEventSignal()
  onwards is a race.  event_task() also deletes ppendsem, which could happen before
  epicsEventSignal() returns.  So I don't think it would be enough to save 'evUser->taskid'
  before signaling.


  I'm developing a long history with this particular issue, this being
  the second time I've introduced a similar regression (cf. lp:1730982),
  this time with 37a76b433a9e7d5a8d26a13fd21ad62f20a0c1c1 (in 7.0.3.1).

To manage notifications about this bug go to:
https://bugs.launchpad.net/epics-base/+bug/1922442/+subscriptions
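The race described in the report, as an added example that is not EPICS code and not the fix that was released for this bug: a constructed pthreads model of event_task() and db_close_events(). The 7.0.3.1-style protocol lets the worker free evUser after being signalled while the closer still reads evUser->taskid; the alternative moves the teardown to the thread that calls close, which joins the worker first and is then the only remaining user. free(evUser) is represented by a flag so the losing interleaving stays defined behaviour, and the buggy closer deliberately waits for the worker to finish so the window shows on every run instead of occasionally. The struct layout, the function names and the run_buggy/run_fixed helpers are assumptions of this example.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the members of EPICS' struct event_user that the
 * report touches; names follow dbEvent.c, the layout is an assumption.
 * free(evUser) is modelled by 'deleted' so the racy path stays defined. */
struct ev_user {
    pthread_mutex_t lock;
    pthread_cond_t  ppendsem;   /* stands in for evUser->ppendsem */
    pthread_t       taskid;     /* stands in for evUser->taskid */
    int exit_req;               /* closer -> worker: shut down */
    int worker_done;            /* scaffolding: worker finished tearing down */
    int deleted;                /* models free(evUser) */
};

/* 7.0.3.1 shape: the worker (event_task) deletes evUser itself. */
static void *buggy_event_task(void *arg)
{
    struct ev_user *u = arg;
    pthread_mutex_lock(&u->lock);
    while (!u->exit_req) pthread_cond_wait(&u->ppendsem, &u->lock);
    u->deleted = 1;             /* real code: destroy ppendsem, free(evUser) */
    u->worker_done = 1;
    pthread_cond_broadcast(&u->ppendsem);
    pthread_mutex_unlock(&u->lock);
    return NULL;
}

/* db_close_events() of that shape: signal, then read evUser->taskid and join.
 * Nothing orders the worker's free against that read; waiting for worker_done
 * only forces the losing interleaving so the window shows every run. */
static int buggy_close_events(struct ev_user *u)
{
    int touched_after_delete;
    pthread_t tid;

    pthread_mutex_lock(&u->lock);
    u->exit_req = 1;
    pthread_cond_signal(&u->ppendsem);   /* epicsEventSignal(evUser->ppendsem) */
    while (!u->worker_done) pthread_cond_wait(&u->ppendsem, &u->lock);
    pthread_mutex_unlock(&u->lock);

    touched_after_delete = u->deleted;   /* dbEvent.c:378: if(evUser->taskid) */
    tid = u->taskid;
    pthread_join(tid, NULL);
    return touched_after_delete;
}

/* Owner-joins shape: the worker only exits; the caller of close joins it and
 * then tears evUser down.  Merely saving taskid before the signal would not do,
 * since the worker could still destroy ppendsem underneath the signal call. */
static void *fixed_event_task(void *arg)
{
    struct ev_user *u = arg;
    pthread_mutex_lock(&u->lock);
    while (!u->exit_req) pthread_cond_wait(&u->ppendsem, &u->lock);
    pthread_mutex_unlock(&u->lock);
    return NULL;                /* touches evUser no further */
}

static int fixed_close_events(struct ev_user *u)
{
    int touched_after_delete;
    pthread_t tid = u->taskid;  /* worker cannot free evUser, so this is safe */

    pthread_mutex_lock(&u->lock);
    u->exit_req = 1;
    pthread_cond_signal(&u->ppendsem);
    pthread_mutex_unlock(&u->lock);
    pthread_join(tid, NULL);    /* worker gone: we are the only user left */

    touched_after_delete = u->deleted;   /* stays 0 */
    u->deleted = 1;             /* now destroying ppendsem and freeing is safe */
    return touched_after_delete;
}

static struct ev_user *new_user(void *(*task)(void *))
{
    struct ev_user *u = calloc(1, sizeof *u);
    if (!u) abort();
    pthread_mutex_init(&u->lock, NULL);
    pthread_cond_init(&u->ppendsem, NULL);
    pthread_create(&u->taskid, NULL, task, u);
    return u;
}

static void destroy_user(struct ev_user *u)
{
    pthread_cond_destroy(&u->ppendsem);
    pthread_mutex_destroy(&u->lock);
    free(u);
}

/* Each returns 1 if close touched evUser after it had been deleted. */
int run_buggy(void)
{
    struct ev_user *u = new_user(buggy_event_task);
    int r = buggy_close_events(u);
    destroy_user(u);
    return r;
}

int run_fixed(void)
{
    struct ev_user *u = new_user(fixed_event_task);
    int r = fixed_close_events(u);
    destroy_user(u);
    return r;
}

int main(void)
{
    printf("worker-frees close: use after delete = %d\n", run_buggy());  /* 1 */
    printf("owner-joins close:  use after delete = %d\n", run_fixed());  /* 0 */
    return 0;
}
```

Build with `cc -pthread race_demo.c`. The first protocol reports 1 on every run because the model pins the interleaving valgrind only saw occasionally; in the real code the same read is of freed memory, which the free list can hide until the block is recycled.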
