Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 23 Jun 2002 17:53:17 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Jonathan Lemon <jlemon@flugsvamp.com>
Cc:        dillon@apollo.backplane.com, hackers@freebsd.org
Subject:   Re: Bug in wakeup() (stable and current) ?
Message-ID:  <3D166D7D.6CD9CC90@mindspring.com>
References:  <local.mail.freebsd-hackers/200206232014.g5NKE5x3058562@apollo.backplane.com> <local.mail.freebsd-hackers/20020623201933.GM53232@elvis.mu.org> <200206232158.g5NLw9c49030@prism.flugsvamp.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Jonathan Lemon wrote:
> >    Look at the code carefully.  It's *removing* the element from the list,
> >    the conditionally restarting rather then removing the element from the
> >    list and unconditionally restarting.  The only reason it works at all
> >    is because sys/queue.h does not clear out the pointers in the node
> >    that was just removed.  The code is just plain wrong, though, because
> >    the queue mechanisms make no such (documented) guarentee.
> 
> Looks like the original damage happened in r1.21, where the temporary
> variable (used to hold the next item on the list) was replaced by a
> dereference through the pointer of the item that was just removed.
> 
> The code works simply because it relies TAILQ_REMOVE() not changing
> the tqe_next pointer.  I suppose that this should either be documented,
> or the loop changed back to use a temp variable:
> 
>         for (td = TAILQ_FIRST(qp); td != NULL; td = tdq) {
>                 tdq = TAILQ_NEXT(td, td_slpq);
>                 ...
>         }

Too bad the first argument to TAILQ_FOREACH isn't a pointer to a
pointer, instead of just a pointer.  I guess the double dereference
is considered "too expensive".

It's a bummer that you can't safely use TAILQ_REMOVE inside the
TAILQ_FOREACH.

FWIW, this looks like a general bug in queue.h for all queue and
list types, so there are probably other places it would be an issue.
8-(.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D166D7D.6CD9CC90>