9fans - fans of the OS Plan 9 from Bell Labs
From: miller@hamnavoe.demon.co.uk
To: 9fans@cse.psu.edu
Subject: Re: [9fans] Kernel question: i386 test-and-set problem
Date: Wed,  2 Aug 2000 09:32:59 +0100
Message-ID: <E13JuLT-0005k5-0V@anchor-post-31.mail.demon.net>

> We did try your solution since it was the obvious one.

Wasn't obvious to me.  It emerged from an attempt to sketch a
correctness proof and then derive a version of the algorithm
which would correspond to it.

> Process p now continues after the sleep:
> 
> 	process p:
> 		sleep(r);
> 		free(r)
> 
> Process y now does
> 
> 		xxx = malloc(234);
> 		xxx->a = 12;
> 
> And finally process x does its lock(r).  We've just
> clobbered some other process's kernel structure.

Ah.  It had not actually occurred to me that a kernel
process might be freeing a data structure while another
process still held a pointer into it.  How naive of me.

If the scenario above is really allowed, I don't see
why it isn't just as much a problem with the existing
kernel.  Even without the interference of postnote(),
we might have sleep(r) finding the wakeup condition
true and returning immediately, so that the free(r) and
malloc() could happen while or even before wakeup(r)
runs.  So when /sys/src/9/port/proc.c:#10217,#10286
is executed, r points to something which is no longer
a Rendez structure.  Therefore r->p could be anything,
and the lock(&p->rlock) could clobber something or
even cause a memory fault.

Or am I missing something obvious again?

-- Richard
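The interleaving Richard describes, worked through as an added example that is not part of the message or of the Plan 9 sources. It models sleep() and wakeup() with only the pieces the message relies on (sleep records the waiter in r->p and returns at once when the condition is already true; wakeup fetches r->p and would then lock it), and it drives the allocation through a small LIFO block allocator of my own so that the freed Rendez block is guaranteed to be handed back to the next malloc. The allocator, the Other struct and the cond argument are assumptions of this example, not kernel code; the point it makes is that once the block has been reused, the pointer wakeup() would pass to lock() is simply whatever the new owner wrote there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the race in the message (not Plan 9 code): the sleeper
 * frees the Rendez, another process reuses the block, and wakeup() then reads
 * r->p through the stale pointer. */

typedef struct Proc {
	int rlock;	/* stands in for Proc.rlock */
	int pid;
} Proc;

typedef struct Rendez {
	Proc *p;	/* the waiting process, as in the kernel's Rendez */
} Rendez;

typedef struct Other {	/* whatever process y allocates after the free (assumed) */
	intptr_t a;
	intptr_t b;
} Other;

/* Deterministic LIFO block allocator (assumption of this example): the most
 * recently freed block is the next one handed out, so reuse is guaranteed. */
enum { NBLK = 4, BLKSZ = 64 };
static unsigned char pool[NBLK][BLKSZ];
static int freelist[NBLK];
static int nfree;

static void
pool_init(void)
{
	nfree = 0;
	for(int i = NBLK-1; i >= 0; i--)
		freelist[nfree++] = i;
}

static void*
kmalloc(size_t n)
{
	if(n > BLKSZ || nfree == 0)
		return NULL;
	int i = freelist[--nfree];
	memset(pool[i], 0, BLKSZ);	/* hand out zeroed memory */
	return pool[i];
}

static void
kfree(void *v)
{
	freelist[nfree++] = (int)(((unsigned char*)v - &pool[0][0]) / BLKSZ);
}

/* Sleeper's half of sleep(): record ourselves in r->p and return at once if
 * the wakeup condition is already true (the case the message points at). */
static void
ksleep(Rendez *r, Proc *up, int cond)
{
	r->p = up;
	if(cond)
		return;
	/* the real sleep() would now block until wakeup(); not modelled */
}

/* Waker's half of wakeup(): fetch the Proc via r->p. In the kernel this is
 * followed by lock(&p->rlock); here we return the pointer it would lock.
 * memcpy keeps the read well defined even after the block has been reused. */
static Proc*
kwakeup(Rendez *r)
{
	Proc *p;
	memcpy(&p, &r->p, sizeof p);
	return p;
}

/* The interleaving from the message. Returns the value wakeup() would lock. */
uintptr_t
race_wakeup_target(void)
{
	static Proc procp = { 0, 1 };
	pool_init();
	Rendez *r = kmalloc(sizeof(Rendez));

	ksleep(r, &procp, 1);	/* process p: condition true, sleep returns at once */
	kfree(r);		/* process p: free(r) */

	Other *xxx = kmalloc(sizeof(Other));	/* process y: same block comes back */
	xxx->a = 12;

	return (uintptr_t)kwakeup(r);	/* process x, late: wakeup(r) on the stale r */
}

/* The same steps with wakeup() completing before free(r): r->p still names
 * the real Proc. Returns 1 if the waker saw the real process. */
int
ordered_wakeup_hits_proc(void)
{
	static Proc procp = { 0, 1 };
	pool_init();
	Rendez *r = kmalloc(sizeof(Rendez));
	ksleep(r, &procp, 1);
	Proc *p = kwakeup(r);
	kfree(r);
	return p == &procp;
}

int
main(void)
{
	printf("stale wakeup would lock %lu\n", (unsigned long)race_wakeup_target());
	printf("ordered wakeup hits real Proc: %d\n", ordered_wakeup_hits_proc());
	return 0;
}
```

Run as-is, the first line shows the waker would call lock() on address 12, the value process y stored in its own structure; nothing in the Rendez itself tells the waker that the block changed hands. Whether the real kernel ever reaches this state is exactly what the thread is arguing about, so the example shows the mechanics of the hazard, not a claim about the shipped proc.c.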

Thread overview: 17+ messages
2000-08-02  8:32 miller [this message]
2000-08-03  9:56 miller
2000-08-02 16:24 presotto
2000-08-02 15:43 jmk
2000-08-02 14:51 miller
2000-08-02 13:20 presotto
2000-07-31 17:26 presotto
2000-07-23 14:41 miller
2000-07-21 13:15 presotto
2000-07-21  9:10 miller
2000-07-20 17:09 presotto
2000-07-20 13:54 miller
2000-07-20  2:03 jmk
2000-07-10 16:21 miller
2000-07-10 12:40 Russ Cox
2000-07-11  8:51 ` Jakub Jermar
2000-07-10  9:57 Jakub Jermar
