[lwip-devel] [bug #27377] "op_completed" semaphore mechanism crash error

From: hanhui
Subject: [lwip-devel] [bug #27377] "op_completed" semaphore mechanism crash error
Date: Fri, 04 Sep 2009 02:38:08 +0000
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727)


                 Summary: "op_completed" semaphore mechanism crash error
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: hanhui03
            Submitted on: Fri Sep  4 02:38:06 2009
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: CVS Head



The lwIP application layer uses tcpip_apimsg() [or other similar functions] to
send a message to the tcpip thread. For example, netconn_XXX() usually calls
tcpip_apimsg() to execute the do_XXX() function.

tcpip_apimsg() first calls sys_mbox_post() to send a message, and then waits
for the tcpip thread to execute this message. If the user thread's priority is
higher than the tcpip thread's, sys_mbox_post() does not cause a reschedule,
and the user thread then waits on the conn->op_completed semaphore to block
itself.

If the conn->op_completed semaphore has already been signaled before the user
thread calls sys_mbox_post(), the user thread will not block at all, and
tcpip_apimsg() will return immediately. But the message which tcpip_apimsg()
sends is a LOCAL VARIABLE, so the message must be damaged, and then the tcpip
thread fetches this message pointer. The message body is DEAD. Crash!

The above situation really happened, because not all conn->op_completed
semaphore signals are raised by a do_XXX() function. For example: a network
interface has a receive event, so the tcpip thread is going to execute. If
this packet is a TCP packet, then tcp_input() will be called. tcp_input()
will call TCP_EVENT_SENT() or TCP_EVENT_RECV(), which will then call
sent_tcp() or poll_tcp(). Then do_writemore() or do_close_internal() will be
called, and the conn->op_completed semaphore will be signaled. If the above
case happens while tcpip_apimsg() is about to send a message: Crash!

I tested using two threads, one calling recv() and another calling send(), on
one socket. Both threads have a higher priority than the tcpip thread. I
tested with large amounts of data, and then it crashed. When the system
crashes, I see that tcpip_apimsg() does not cause any scheduling; in other
words, sys_mbox_post() and sys_arch_sem_wait() have not blocked, and the
conn->op_completed semaphore has already been signaled.

But when I use one thread that first calls recv() and then send(), it does not
crash.

err_t
tcpip_apimsg(struct api_msg *apimsg)
{
  struct tcpip_msg msg;   /* local (stack) variable; only its address is posted */

  if (mbox != SYS_MBOX_NULL) {
    msg.type = TCPIP_MSG_API;
    msg.msg.apimsg = apimsg;
    // tcp_input() ->  TCP_EVENT_SENT()  ->  (pcb)->sent()  ->  
    // sent_tcp()  ->  do_writemore()  ->  sys_arch_sem_signal() !!!! error
    sys_mbox_post(mbox, &msg);
    sys_arch_sem_wait(apimsg->msg.conn->op_completed, 0);
    return ERR_OK;
  }
  return ERR_VAL;
}


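The order of events described in the report, replayed as a deterministic single-threaded model. This is an added example, not lwIP code and not from the reporter, and every name in it is hypothetical. The per_msg branch, which waits on a semaphore owned by the message itself, is an assumed mitigation shown for contrast, not the project's fix.

```c
#include <stdio.h>

/* Constructed single-threaded model; every name here is hypothetical. */
struct sem  { int count; };                  /* counting semaphore */
struct msg  { int type; struct sem done; };  /* stands in for struct tcpip_msg */
struct mbox { struct msg *slot; };           /* the mailbox stores a pointer only */

static void sem_signal(struct sem *s) { s->count++; }

/* 1 = wait satisfied at once, 0 = the caller would block here. */
static int sem_try_wait(struct sem *s)
{
    if (s->count == 0) return 0;
    s->count--;
    return 1;
}

/* tcpip thread: fetch the queued pointer, run it, signal completion. */
static void tcpip_thread_step(struct mbox *mb, struct sem *conn_sem, int per_msg)
{
    struct msg *m = mb->slot;
    if (m == NULL) return;
    mb->slot = NULL;
    sem_signal(per_msg ? &m->done : conn_sem);
}

/* stale_signal: op_completed was signalled from the receive path before the
 * post. per_msg: wait on the message's own semaphore instead of the shared one.
 * Returns 1 if the caller would return while its stack message is still queued. */
int returns_while_queued(int stale_signal, int per_msg)
{
    struct sem op_completed = {0};
    struct mbox mb = {NULL};
    struct msg m = {1, {0}};                 /* local variable, as in the report */
    struct sem *waited = per_msg ? &m.done : &op_completed;
    int dangling;

    if (stale_signal) sem_signal(&op_completed);
    mb.slot = &m;                            /* post; no reschedule takes place */
    dangling = sem_try_wait(waited) && mb.slot != NULL;
    if (!dangling) {                         /* caller blocks, tcpip thread runs */
        tcpip_thread_step(&mb, &op_completed, per_msg);
        sem_try_wait(waited);                /* completion consumed, safe to return */
    }
    return dangling;
}

int main(void) { printf("shared=%d per_msg=%d\n", returns_while_queued(1, 0), returns_while_queued(1, 1)); return 0; }
```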