[rtems commit] score: PR2140: Fix _Thread_queue_Process_timeout()

Mon Aug 26 07:57:27 UTC 2013

Module:    rtems
Branch:    master
Commit:    f8f1bdad2770c280ec019cf8f048346451a2e0ea
Changeset: http://git.rtems.org/rtems/commit/?id=f8f1bdad2770c280ec019cf8f048346451a2e0ea

Author:    Sebastian Huber <sebastian.huber at embedded-brains.de>
Date:      Fri Aug 23 12:19:13 2013 +0200

score: PR2140: Fix _Thread_queue_Process_timeout()

The _Thread_queue_Process_timeout() operation had several race
conditions in the event of nested interrupts.  Protect the critical
sections via disabled interrupts.

---

 cpukit/score/src/threadqprocesstimeout.c |   45 ++++++++++++++++++++++++-----
 1 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/cpukit/score/src/threadqprocesstimeout.c b/cpukit/score/src/threadqprocesstimeout.c
index 6aaf445..7b58edb 100644
--- a/cpukit/score/src/threadqprocesstimeout.c
+++ b/cpukit/score/src/threadqprocesstimeout.c
@@ -25,7 +25,8 @@ void _Thread_queue_Process_timeout(
   Thread_Control *the_thread
 )
 {
-  Thread_queue_Control *the_thread_queue = the_thread->Wait.queue;
+  Thread_queue_Control *the_thread_queue;
+  ISR_Level             level;
 
   /*
    *  If the_thread_queue is not synchronized, then it is either
@@ -39,15 +40,43 @@ void _Thread_queue_Process_timeout(
    *  a timeout is not allowed to occur.
    */
 
-  if ( the_thread_queue->sync_state != THREAD_BLOCKING_OPERATION_SYNCHRONIZED &&
-       _Thread_Is_executing( the_thread ) ) {
-    if ( the_thread_queue->sync_state != THREAD_BLOCKING_OPERATION_SATISFIED ) {
-      the_thread->Wait.return_code = the_thread->Wait.queue->timeout_status;
-      the_thread_queue->sync_state = THREAD_BLOCKING_OPERATION_TIMEOUT;
+  _ISR_Disable( level );
+  the_thread_queue = the_thread->Wait.queue;
+  if ( the_thread_queue != NULL ) {
+    if ( the_thread_queue->sync_state != THREAD_BLOCKING_OPERATION_SYNCHRONIZED &&
+         _Thread_Is_executing( the_thread ) ) {
+      if ( the_thread_queue->sync_state != THREAD_BLOCKING_OPERATION_SATISFIED ) {
+        the_thread->Wait.return_code = the_thread_queue->timeout_status;
+        the_thread_queue->sync_state = THREAD_BLOCKING_OPERATION_TIMEOUT;
+      }
+      _ISR_Enable( level );
+    } else {
+      bool we_did_it;
+
+      _ISR_Enable( level );
+
+      /*
+       * After we enable interrupts here, a lot may happen in the meantime,
+       * e.g. nested interrupts may release the resource that times out here.
+       * So we enter _Thread_queue_Extract() speculatively.  Inside this
+       * function we check the actual status under ISR disable protection.
+       * This ensures that exactly one executing context performs the extract
+       * operation (other parties may call _Thread_queue_Dequeue()).  If this
+       * context won, then we have a timeout.
+       *
+       * We can use the_thread_queue pointer here even if
+       * the_thread->Wait.queue is already set to NULL since the extract
+       * operation will only use the thread queue discipline to select the
+       * right extract operation.  The timeout status is set during thread
+       * queue initialization.
+       */
+      we_did_it = _Thread_queue_Extract( the_thread_queue, the_thread );
+      if ( we_did_it ) {
+        the_thread->Wait.return_code = the_thread_queue->timeout_status;
+      }
     }
   } else {
-    the_thread->Wait.return_code = the_thread->Wait.queue->timeout_status;
-    _Thread_queue_Extract( the_thread->Wait.queue, the_thread );
+    _ISR_Enable( level );
   }
 }
 


