[Rtai] rt_returnx and rt_msgq_delete bug

Paolo Mantegazza mantegazza at aero.polimi.it
Thu Dec 10 14:31:55 CET 2009 

Your fixes, modified the way I like them, are in RTAI CVSes now.

paolo

Fernando Augusto wrote:
>>> The second was a
> little tricky to find, but it happens when a call to
>>> rt_returnx is made
> and the task that call rt_rpc_whatever is no longer
>>> waiting (so
> rt_rpc_if, rt_rpc_timed and rt_rpc_until are all error prone).
> 
>> Possible indeed, but the fix is simply adding the forgotten 
>> CHECK_SENDER_MAGIC, as it is in rt_return already.
> 
> The problem that I've had was not due to the CHECK_SENDER_MAGIC, 
> although this is a problem too. But when a call like rt_rpcx_timed is made a 
> pointer to a local variable (struct mcb_t mcb) is passed to the receiver task, 
> this local variable holds data of the message being sent, as bellow
> 
> 
>   ... rt_rpcx_until(....)  {
>       if (task) {
>             struct mcb_t mcb;     << local variable declared
>             SET_RPC_MCB();     << sets local bariable contents with msg sent data
>             return rt_rpc_until(task, (unsigned long)&mcb, &mcb.rbytes, time);   << call to rpc send local variable address.
>        }
>   }
> 
> In the call to rt_returnx the address of the local variable is used to holds the 
> replyng msg data. As bellow.
> 
> 
>     RT_TASK *rt_returnx(RT_TASK *task, void *msg, int size)
>     {
>          if (task) {
>              struct mcb_t *mcb;
>                    
>                  if ((mcb = (struct mcb_t *)task->msg)->rbytes < size) {  << task->msg points to local variable alocated in rt_rpcx_whatever.
>                      size = mcb->rbytes;
>                 }
>                 if (size) {
>                     memcpy(mcb->rbuf, msg, size);
>                 }
>              return rt_return(task, 0);
>          }
>     }
> 
> 
> So in the line "if ((mcb = (struct mcb_t *)task->msg)->rbytes < size)" of 
> rt_retunx function, "(struct mcb_t *)task->msg" points to the local variable 
> alocated in rt_rpcx_until (for example), the problem occurs if the function 
> rt_rpcx_until has alredy returned, so the memory of the local variable has 
> other contents, which in my case leads to a things like NULL pointer of 
> segmetation problems, as the call to memcpy(mcb->rbuf, msg, size) in 
> rt_returnx used completely random params. 
> 
> Well I tried to explain what I've noted that happens, can't say for sure if I was 
> clear, I'm terrible with explanations :).
> 
> Ahh, was about to forget, but also noted that the call to 
> CHECK_SENDER_MAGIC, may fail it's not race condtion safe, as there's a 
> test to see if the TASK realy exists, but that TASK can be deleted just after 
> the test and just before a call to rt_global_save_flags_and_cli().
> 
> Anyway sorry for my bad (maybe awful) english :).
> 
> Regards,
> Fernando.
> 
> --- Em qua, 9/12/09, Paolo Mantegazza <mantegazza at aero.polimi.it> escreveu:
> 
> De: Paolo Mantegazza <mantegazza at aero.polimi.it>
> Assunto: Re: [Rtai] rt_returnx and rt_msgq_delete bug
> Para: "Fernando Augusto" <fernando_aug at yahoo.com.br>
> Cc: rtai at rtai.org
> Data: Quarta-feira, 9 de Dezembro de 2009, 14:26
> 
> Fernando Augusto wrote:
>> Hi all,
>>
>> This is my first e-mail to this list, although, I've been using rtai since begning of 2009. Great to see the list fully active, different from some oher lists out there. Anyway, I just happen to run into two bugs. 
>> The first is on rt_msgq_delete (rt_tbx_delete), which always return error if you never use rt_tbx_broadcast. A call to a rt_sem_delete (which was never created rt_tbx_broadcast isn't called) make the function fail.
>>
> 
> OK, agreed.
> 
>> The second was a little tricky to find, but it happens when a call to rt_returnx is made and the task that call rt_rpc_whatever is no longer waiting (so rt_rpc_if, rt_rpc_timed and rt_rpc_until are all error prone).
> 
> Possible indeed, but the fix is simply adding the forgotten CHECK_SENDER_MAGIC, as it is in rt_return already.
> 
> paolo
>> Anyway I've searched the list and didn't find anything about these bugs, so solved them myself. I'm sending a patch (for rtai 3.7.1) atached that solves both. If there is any interest I can made the patch for head cvs version.
>>
>> Best regards,
>> Fernando Almeida.
>>
>>
>>
>>        ____________________________________________________________________________________
>> Veja quais são os assuntos do momento no Yahoo! +Buscados
>> http://br.maisbuscados.yahoo.com
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Rtai mailing list
>> Rtai at rtai.org
>> https://mail.rtai.org/cgi-bin/mailman/listinfo/rtai
> 
> 
> 
> 
> 
>       ____________________________________________________________________________________
> Veja quais são os assuntos do momento no Yahoo! +Buscados
> http://br.maisbuscados.yahoo.com

More information about the Rtai mailing list