rculfhash: fix: race between replace and del operations
Bug introduced by commit
db00ccc36e7fb04ce8044fb1be7964acd1de6ae0
Here is the race:
Initially in hash table: A
T0 T1
replace A by B
del A
read A->next
-> check REMOVED flag, not set yet.
read A->next
-> check REMOVED flag, not set yet.
cmpxchg A->next to set REMOVED flag
-> cmpxchg succeeds
uatomic_or to set REMOVED flag
uatomic_xchg to atomically set the REMOVAL_OWNER flag
-> first to set the flag.
Replace returns node -> free(A) Del success -> free(A)
With this race, we have a double-free.
The problem with the replace code is that it does not set the
"REMOVAL_OWNER" flag.
Test case to reproduce the bug:
test_urcu_hash 0 2 20 -A -s -M 1 -N 1 -O 1
(2 threads, doing replace/del, with a hash table that has only a single
key for all values). After just a couple of seconds, either the program
hangs, or, more often, it does:
*** glibc detected ***
/media/truecrypt1/compudj/doc/userspace-rcu/tests/.libs/test_urcu_hash:
malloc(): memory corruption (fast): 0x00007ffff3a29e25 ***
Program received signal SIGSEGV, Segmentation fault.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Tested-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
projects / urcu.git / commit
