[Rtai] rt_returnx and rt_msgq_delete bug

Fernando Augusto fernando_aug at yahoo.com.br
Wed Dec 9 18:07:10 CET 2009 

>> The second was a
little tricky to find, but it happens when a call to
>> rt_returnx is made
and the task that call rt_rpc_whatever is no longer
>> waiting (so
rt_rpc_if, rt_rpc_timed and rt_rpc_until are all error prone).

> Possible indeed, but the fix is simply adding the forgotten 
> CHECK_SENDER_MAGIC, as it is in rt_return already.

The problem that I've had was not due to the CHECK_SENDER_MAGIC, 
although this is a problem too. But when a call like rt_rpcx_timed is made a 
pointer to a local variable (struct mcb_t mcb) is passed to the receiver task, 
this local variable holds data of the message being sent, as bellow


  ... rt_rpcx_until(....)  {
      if (task) {
            struct mcb_t mcb;     << local variable declared
            SET_RPC_MCB();     << sets local bariable contents with msg sent data
            return rt_rpc_until(task, (unsigned long)&mcb, &mcb.rbytes, time);   << call to rpc send local variable address.
       }
  }

In the call to rt_returnx the address of the local variable is used to holds the 
replyng msg data. As bellow.


    RT_TASK *rt_returnx(RT_TASK *task, void *msg, int size)
    {
         if (task) {
             struct mcb_t *mcb;
                   
                 if ((mcb = (struct mcb_t *)task->msg)->rbytes < size) {  << task->msg points to local variable alocated in rt_rpcx_whatever.
                     size = mcb->rbytes;
                }
                if (size) {
                    memcpy(mcb->rbuf, msg, size);
                }
             return rt_return(task, 0);
         }
    }


So in the line "if ((mcb = (struct mcb_t *)task->msg)->rbytes < size)" of 
rt_retunx function, "(struct mcb_t *)task->msg" points to the local variable 
alocated in rt_rpcx_until (for example), the problem occurs if the function 
rt_rpcx_until has alredy returned, so the memory of the local variable has 
other contents, which in my case leads to a things like NULL pointer of 
segmetation problems, as the call to memcpy(mcb->rbuf, msg, size) in 
rt_returnx used completely random params. 

Well I tried to explain what I've noted that happens, can't say for sure if I was 
clear, I'm terrible with explanations :).

Ahh, was about to forget, but also noted that the call to 
CHECK_SENDER_MAGIC, may fail it's not race condtion safe, as there's a 
test to see if the TASK realy exists, but that TASK can be deleted just after 
the test and just before a call to rt_global_save_flags_and_cli().

Anyway sorry for my bad (maybe awful) english :).

Regards,
Fernando.

--- Em qua, 9/12/09, Paolo Mantegazza <mantegazza at aero.polimi.it> escreveu:

De: Paolo Mantegazza <mantegazza at aero.polimi.it>
Assunto: Re: [Rtai] rt_returnx and rt_msgq_delete bug
Para: "Fernando Augusto" <fernando_aug at yahoo.com.br>
Cc: rtai at rtai.org
Data: Quarta-feira, 9 de Dezembro de 2009, 14:26

Fernando Augusto wrote:
> Hi all,
> 
> This is my first e-mail to this list, although, I've been using rtai since begning of 2009. Great to see the list fully active, different from some oher lists out there. Anyway, I just happen to run into two bugs. 
> The first is on rt_msgq_delete (rt_tbx_delete), which always return error if you never use rt_tbx_broadcast. A call to a rt_sem_delete (which was never created rt_tbx_broadcast isn't called) make the function fail.
> 

OK, agreed.

> The second was a little tricky to find, but it happens when a call to rt_returnx is made and the task that call rt_rpc_whatever is no longer waiting (so rt_rpc_if, rt_rpc_timed and rt_rpc_until are all error prone).

Possible indeed, but the fix is simply adding the forgotten CHECK_SENDER_MAGIC, as it is in rt_return already.

paolo
> 
> Anyway I've searched the list and didn't find anything about these bugs, so solved them myself. I'm sending a patch (for rtai 3.7.1) atached that solves both. If there is any interest I can made the patch for head cvs version.
> 
> Best regards,
> Fernando Almeida.
> 
> 
> 
>       ____________________________________________________________________________________
> Veja quais são os assuntos do momento no Yahoo! +Buscados
> http://br.maisbuscados.yahoo.com
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Rtai mailing list
> Rtai at rtai.org
> https://mail.rtai.org/cgi-bin/mailman/listinfo/rtai





      ____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.rtai.org/pipermail/rtai/attachments/20091209/3020411f/attachment-0001.htm>

More information about the Rtai mailing list