[Rtai] rt_returnx and rt_msgq_delete bug

mantegazza at aero.polimi.it mantegazza at aero.polimi.it
Wed Dec 9 22:45:49 CET 2009


>
>>> The second was a little tricky to find, but it happens when a call to
>>> rt_returnx is made and the task that calls rt_rpc_whatever is no longer
>>> waiting (so rt_rpc_if, rt_rpc_timed and rt_rpc_until are all error prone).
>
>> Possible indeed, but the fix is simply adding the forgotten
>> CHECK_SENDER_MAGIC, as it is in rt_return already.
>
> The problem that I've had was not due to the CHECK_SENDER_MAGIC,
> although this is a problem too. But when a call like rt_rpcx_timed is made,
> a pointer to a local variable (struct mcb_t mcb) is passed to the receiver
> task; this local variable holds the data of the message being sent, as below.
>

OK, I think I got it now, hopefully. Rt_returnx needs to be fully
structured as the plain rt_return. It wrongly delays a test now. To avoid
annoying users I'll send a separate personal email to you, with a likely
fix for a test within your application.

paolo

>
>   ... rt_rpcx_until(....)  {
>       if (task) {
>             struct mcb_t mcb;     << local variable declared
>             SET_RPC_MCB();     << sets local bariable contents with msg
> sent data
>             return rt_rpc_until(task, (unsigned long)&mcb, &mcb.rbytes,
> time);   << call to rpc send local variable address.
>        }
>   }
>
> In the call to rt_returnx the address of the local variable is used to
> holds the
> replyng msg data. As bellow.
>
>
>     RT_TASK *rt_returnx(RT_TASK *task, void *msg, int size)
>     {
>          if (task) {
>              struct mcb_t *mcb;
>
>              if ((mcb = (struct mcb_t *)task->msg)->rbytes < size) {   << task->msg points to the local variable allocated in rt_rpcx_whatever
>                  size = mcb->rbytes;
>              }
>              if (size) {
>                  memcpy(mcb->rbuf, msg, size);
>              }
>              return rt_return(task, 0);
>          }
>     }
>
>
> So in the line "if ((mcb = (struct mcb_t *)task->msg)->rbytes < size)" of
> the rt_returnx function, "(struct mcb_t *)task->msg" points to the local
> variable allocated in rt_rpcx_until (for example). The problem occurs if the
> function rt_rpcx_until has already returned, so the memory of the local
> variable has other contents, which in my case leads to things like NULL
> pointer or segmentation problems, as the call to memcpy(mcb->rbuf, msg, size)
> in rt_returnx used completely random params.
>
> Well, I tried to explain what I've noted that happens; can't say for sure
> if I was clear, I'm terrible with explanations :).
>
> Ahh, was about to forget, but I also noted that the call to
> CHECK_SENDER_MAGIC may fail: it's not race condition safe, as there's a
> test to see if the TASK really exists, but that TASK can be deleted just
> after the test and just before a call to rt_global_save_flags_and_cli().
>
> Anyway, sorry for my bad (maybe awful) English :).
>
> Regards,
> Fernando.
>
> --- On Wed, 9/12/09, Paolo Mantegazza <mantegazza at aero.polimi.it>
> wrote:
>
> From: Paolo Mantegazza <mantegazza at aero.polimi.it>
> Subject: Re: [Rtai] rt_returnx and rt_msgq_delete bug
> To: "Fernando Augusto" <fernando_aug at yahoo.com.br>
> Cc: rtai at rtai.org
> Date: Wednesday, 9 December 2009, 14:26
>
> Fernando Augusto wrote:
>> Hi all,
>>
>> This is my first e-mail to this list, although I've been using rtai
>> since the beginning of 2009. Great to see the list fully active, different
>> from some other lists out there. Anyway, I just happened to run into two
>> bugs.
>> The first is in rt_msgq_delete (rt_tbx_delete), which always returns an
>> error if you never use rt_tbx_broadcast. A call to rt_sem_delete
>> (on a semaphore that was never created, as rt_tbx_broadcast isn't called)
>> makes the function fail.
>>
>
> OK, agreed.
>
>> The second was a little tricky to find, but it happens when a call to
>> rt_returnx is made and the task that calls rt_rpc_whatever is no longer
>> waiting (so rt_rpc_if, rt_rpc_timed and rt_rpc_until are all error
>> prone).
>
> Possible indeed, but the fix is simply adding the forgotten
> CHECK_SENDER_MAGIC, as it is in rt_return already.
>
> paolo
>>
>> Anyway, I've searched the list and didn't find anything about these bugs,
>> so I solved them myself. I'm sending a patch (for rtai 3.7.1) attached that
>> solves both. If there is any interest I can make the patch for the head cvs
>> version.
>>
>> Best regards,
>> Fernando Almeida.
>>

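The dangling-pointer pattern discussed in the thread, as an added model that is not RTAI code: the sender hands the replier the address of a stack-local mcb, so the replier must re-validate that the sender is still waiting (the CHECK_SENDER_MAGIC role) before dereferencing task->msg, and the sender withdraws the pointer before its frame dies. All names are hypothetical stand-ins for rt_rpcx_until / rt_returnx, and the "withdraw on timeout" step is an assumption about what a fixed sender side should do, not a description of RTAI's actual code.

```c
/* Added model, not RTAI code: why the replier must re-check the sender
 * before touching task->msg, which points into the sender's stack frame.
 * Names are hypothetical stand-ins for rt_rpcx_until / rt_returnx. */
#include <stddef.h>
#include <string.h>

#define SENDER_MAGIC 0x5a5a5a5aUL

struct mcb_t  { void *rbuf; int rbytes; };
struct rt_task { unsigned long magic; struct mcb_t *msg; };

/* Replier side (rt_returnx role).  Returns bytes copied, or -1 when the
 * sender is no longer waiting; in that case task->msg is NOT dereferenced.
 * In a real kernel this check and the copy must sit in the same critical
 * section (the race Fernando describes), which this single-threaded model
 * does not need. */
static int model_returnx(struct rt_task *task, const void *msg, int size)
{
    struct mcb_t *mcb;
    if (task->magic != SENDER_MAGIC)      /* CHECK_SENDER_MAGIC equivalent */
        return -1;
    mcb = task->msg;
    if (mcb->rbytes < size)               /* never overrun the sender's rbuf */
        size = mcb->rbytes;
    if (size)
        memcpy(mcb->rbuf, msg, size);
    return size;
}

/* Sender side (rt_rpcx_until role).  The mcb lives only in this frame.
 * `replier_runs` simulates whether the receiver replies before the timeout
 * (a constructed stand-in for scheduling).  Returns bytes received, or -1. */
static int model_rpcx_until(struct rt_task *task, char *reply, int len,
                            int replier_runs, const char *reply_text)
{
    struct mcb_t mcb = { reply, len };    /* the local variable from the thread */
    int got = -1;
    task->msg = &mcb;
    task->magic = SENDER_MAGIC;           /* "I am waiting on this mcb" */
    if (replier_runs)
        got = model_returnx(task, reply_text, (int)strlen(reply_text) + 1);
    task->magic = 0;                      /* assumption: stop waiting and   */
    task->msg = NULL;                     /* withdraw the frame before return */
    return got;
}
```

A late model_returnx after the sender timed out returns -1 instead of copying into a dead stack frame, which is exactly the memcpy with "completely random params" the thread reports.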