[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MiNT] tfork() bug.

To: <mint@lists.fishpool.fi>
Subject: Re: [MiNT] tfork() bug.
From: Ole <ole@monochrom.net>
Date: Wed, 16 May 2012 14:30:33 +0200
In-reply-to: <4FB38FA8.50005@fairlite.co.uk>
List-help: <mailto:ecartis@lists.fishpool.fi?Subject=help>
List-id: <mint.lists.fishpool.fi>
List-owner: <mailto:tjhukkan@fishpool.fi>
List-post: <mailto:mint@lists.fishpool.fi>
List-subscribe: <mailto:mint-request@lists.fishpool.fi?Subject=subscribe>
List-unsubscribe: <mailto:mint-request@lists.fishpool.fi?Subject=unsubscribe>
References: <7056cab2ac2ed3d6d842575e2d0f8974-EhVcX1lFRQVaRwYcDTpQCEFddQZLVF5dQUNBAjBeX15ZVF0WXV1oAFFQMl5cQkIDXl1ZQVA=-webmailer1@server03.webmailer.hosteurope.de> <4FB2CDCA.8050901@fairlite.co.uk> <f6e8ef24f54194e59b7ac612a82627fa-EhVcX1lFRQVaRwYcDTpQCEFddQZLVF5dQUNBAjBeX15ZVF0WXV1oAFFQMl5cQkIDXVpeRlg=-webmailer1@server03.webmailer.hosteurope.de> <4FB38FA8.50005@fairlite.co.uk>
Reply-to: ole@monochrom.net
Sender: mint-bounce@lists.fishpool.fi
User-agent: Host Europe Webmailer/2.0

Am Mittwoch, den 16.05.2012, 13:29 +0200 schrieb Alan Hourihane<alanh@fairlite.co.uk>:

It sounds like a bug, but the kernel is guarding against any problems
with Mfree() in tfork().


No - there is an BIG problem. It's an race condition.
The Mfree() was meant to free the p_env of the new thread, not of the
main thread.

If anything access the environment in the main thread - it will accessan

pointer which is already freed.

If there is no race condition ( for example because you lock the threaduntiltfork() finished - I already tried that) - then the tfork function willdouble

free the environment pointer of the thread.

(which is another bug - but it doesn't trigger, because of the racecondition)


The kernel probably just returns failure

because the memory block isn't allocated. If there is anmalloc(sizeof(environment)) before the free()(maybe from within another thread), then I'm pretty sure it will notreturn an error(because there is an allocated block with that address). It will freean memory pointer which is allocated

by something totally different. And so on...

Greets,
Ole

Follow-Ups:
- Re: [MiNT] tfork() bug.
  - From: Alan Hourihane <alanh@fairlite.co.uk>

References:
- [MiNT] tfork() bug.
  - From: "m0n0" <ole@monochrom.net>
- Re: [MiNT] tfork() bug.
  - From: Alan Hourihane <alanh@fairlite.co.uk>
- Re: [MiNT] tfork() bug.
  - From: "m0n0" <ole@monochrom.net>
- Re: [MiNT] tfork() bug.
  - From: Alan Hourihane <alanh@fairlite.co.uk>

Prev by Date: Re: [MiNT] tfork() bug.
Next by Date: Re: [MiNT] tfork() bug.
Previous by thread: Re: [MiNT] tfork() bug.
Next by thread: Re: [MiNT] tfork() bug.
Index(es):
- Date
- Thread