[Bug 2035] psxcancel reveals NULL pointer access in _Thread_queue_Extract()

bugzilla-daemon at rtems.org bugzilla-daemon at rtems.org
Thu Dec 6 09:13:15 UTC 2012


https://www.rtems.org/bugzilla/show_bug.cgi?id=2035

--- Comment #3 from Sebastian Huber <sebastian.huber at embedded-brains.de> 2012-12-06 03:13:15 CST ---
This is definitely a bug in pthread_exit().  Here we have:

[...]
      /*
       * Process join
       */
      if ( api->detachstate == PTHREAD_CREATE_JOINABLE ) {
        unblocked = _Thread_queue_Dequeue( &api->Join_List );
        if ( unblocked ) {
          do {
            *(void **)unblocked->Wait.return_argument = value_ptr;
          } while ( (unblocked = _Thread_queue_Dequeue( &api->Join_List )) );
        } else {
          _Thread_Set_state(
            the_thread,
            STATES_WAITING_FOR_JOIN_AT_EXIT | STATES_TRANSIENT
          );

          <-- This sets the thread into a waiting state, but this seems to have no effect.

          _RTEMS_Unlock_allocator();
          _Thread_Enable_dispatch();
          /* now waiting for thread to arrive */
          _RTEMS_Lock_allocator();
          _Thread_Disable_dispatch();
        }
      }

      /*
       *  Now shut down the thread
       */
      _Thread_Close( the_information, the_thread ); <-- This function thinks
that the thread is in a waiting state and tries to remove it from the wait
queue which is NULL.  The thread state is inconsistent: it indicates that it is
waiting on a queue, but the queue does not exist.
[...]

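A constructed C model of the state/queue mismatch this comment describes, added here as an illustration and not code from the bug report or from RTEMS; the state names come from the excerpt above, while the bit values, the structs and every function body are assumptions. It shows why a close routine that checks "waiting state implies a recorded queue" reports the inconsistency instead of dereferencing NULL.

```c
#include <stddef.h>

/* Constructed model; the bit values are placeholders, not RTEMS's own. */
#define STATES_WAITING_FOR_JOIN_AT_EXIT 0x1u
#define STATES_TRANSIENT                0x2u

typedef struct { int count; } Thread_queue;
typedef struct {
    unsigned int  current_state;
    Thread_queue *wait_queue;  /* NULL unless the thread was enqueued somewhere */
} Thread;

/* Stand-in for the _Thread_Set_state() call in pthread_exit(): the state
 * bits say "waiting", but no queue is ever recorded. */
static void thread_set_state(Thread *t, unsigned int state) { t->current_state |= state; }

/* Enqueuing on a real queue keeps state and queue pointer in step. */
static void thread_queue_enqueue(Thread_queue *q, Thread *t, unsigned int state) {
    q->count++;
    t->wait_queue = q;
    t->current_state |= state;
}

/* The invariant the report shows violated: waiting implies a queue exists. */
static int thread_wait_state_is_consistent(const Thread *t) {
    return ((t->current_state & STATES_WAITING_FOR_JOIN_AT_EXIT) != 0) == (t->wait_queue != NULL);
}

/* Guarded stand-in for _Thread_Close(): -1 when state and queue disagree
 * (instead of dereferencing a NULL queue), 0 on a clean close. */
static int thread_close(Thread *t) {
    if (!thread_wait_state_is_consistent(t)) return -1;
    if (t->wait_queue != NULL) {            /* _Thread_queue_Extract() stand-in */
        t->wait_queue->count--;
        t->wait_queue = NULL;
    }
    t->current_state = 0u;                  /* ready */
    return 0;
}

/* The report's path: state set, no queue, then close. Returns -1. */
static int close_after_bare_set_state(void) {
    Thread t = { 0u, NULL };
    thread_set_state(&t, STATES_WAITING_FOR_JOIN_AT_EXIT | STATES_TRANSIENT);
    return thread_close(&t);
}

/* The consistent path: enqueued on a real queue, then closed. Returns 0. */
static int close_after_real_enqueue(void) {
    Thread_queue q = { 0 };
    Thread t = { 0u, NULL };
    thread_queue_enqueue(&q, &t, STATES_WAITING_FOR_JOIN_AT_EXIT);
    return (thread_close(&t) == 0 && q.count == 0 && t.wait_queue == NULL) ? 0 : -1;
}
```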