From: Jan Kiszka <jan.kiszka@domain.hid>
To: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org>
Cc: Wolfgang Mauerer <wolfgang.mauerer@domain.hid>,
	xenomai-core <xenomai@xenomai.org>,
	Gernot Hillier <gernot.hillier@domain.hid>
Subject: [Xenomai-core] Potential heap corruption on thread cleanup
Date: Wed, 03 Mar 2010 09:58:28 +0100
Message-ID: <4B8E24B4.9000806@domain.hid>


Hi Gilles,

I'm pushing your findings to the list, also as my colleagues showed
strong interest - this thing may explain rare corruptions for us as well.

I thought a bit about that likely u_mode-related crash in your test case
and have the following theory so far: If the xeno_current_mode storage
is allocated on the application heap (!HAVE_THREAD, that's also what we
are forced to use), it is automatically freed on thread termination in
the context of the dying thread. If the thread is already migrated to
secondary or if that happens while it is cleaned up (i.e. before calling
for exit into the kernel), there is no problem, Xenomai will not touch
the mode storage anymore. But if the thread happens to delete the
storage "silently", without any migration, the final exit will trigger
one further access. And that takes place against an invalid heap area at
this point.

Does this make sense?

If that is true, all we need to do is to force a migration before
releasing the mode storage. Could you check this?

Jan
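The lifecycle Jan hypothesises above, as an added model in C that is not Xenomai code and not part of this thread: a per-thread mode word on the application heap (the !HAVE_THREAD case), freed by the dying thread, with the "kernel" touching it once more on final exit unless the thread was migrated to secondary first. All struct, enum and function names (thread_state, u_mode, kernel_final_exit, run_lifecycle) are hypothetical; the model records freed state in a flag instead of dereferencing freed memory.

```c
/* Hypothetical model of the suspected use-after-free on thread exit.
 * Names are assumptions, not Xenomai's own identifiers. */
#include <stdbool.h>
#include <stdlib.h>

enum mode { PRIMARY, SECONDARY };
enum exit_result { EXIT_NO_ACCESS, EXIT_ACCESS_OK, EXIT_ACCESS_AFTER_FREE };

struct thread_state {
    enum mode mode;        /* what the runtime believes about the thread */
    unsigned long *u_mode; /* registered heap storage, NULL once unregistered */
    bool u_mode_freed;     /* bookkeeping only: lets the model detect the bug safely */
};

/* Thread start: allocate the mode word on the heap and register it. */
static void thread_init(struct thread_state *t) {
    t->u_mode = malloc(sizeof *t->u_mode);
    if (!t->u_mode) abort();
    *t->u_mode = 0;
    t->u_mode_freed = false;
    t->mode = PRIMARY;
}

/* Cleanup as hypothesised: the storage is freed "silently", with no migration,
 * so the runtime still holds a (now dangling) pointer and still thinks the
 * thread is in primary mode. */
static void thread_cleanup_unsafe(struct thread_state *t) {
    free(t->u_mode);
    t->u_mode_freed = true;
}

/* Proposed fix: migrate to secondary and drop the registration before freeing. */
static void thread_cleanup_safe(struct thread_state *t) {
    unsigned long *storage = t->u_mode;
    t->mode = SECONDARY;   /* the runtime will no longer touch the mode word */
    t->u_mode = NULL;
    free(storage);
    t->u_mode_freed = true;
}

/* Final exit into the kernel: a primary-mode thread gets one more mode update. */
static enum exit_result kernel_final_exit(struct thread_state *t) {
    if (t->mode != PRIMARY || t->u_mode == NULL)
        return EXIT_NO_ACCESS;
    if (t->u_mode_freed)
        return EXIT_ACCESS_AFTER_FREE; /* real code would write into freed heap here */
    *t->u_mode = 1;
    return EXIT_ACCESS_OK;
}

/* Drive one thread lifecycle with either cleanup ordering; returns the outcome. */
enum exit_result run_lifecycle(bool migrate_before_free) {
    struct thread_state t;
    thread_init(&t);
    if (migrate_before_free) thread_cleanup_safe(&t); else thread_cleanup_unsafe(&t);
    return kernel_final_exit(&t);
}
```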


