Someone found a race condition in thread_exit in the base OS/161
system: if you get a timer interrupt at the wrong time, it may end up
calling as_activate on a stale address space pointer.
The quick fix is to move the splhigh() up before the call to
as_destroy, like in the enclosed patch.
(A better fix is to store the address in a temporary and set
curthread->vmspace to NULL before calling as_destroy.)
Index: src/kern/thread/thread.c
===================================================================
RCS file: /disk/disk0/cs161/CVSREPO/os161/src/kern/thread/thread.c,v
retrieving revision 1.22
diff -U6 -r1.22 thread.c
--- thread.c 2002/03/05 21:58:22 1.22
+++ thread.c 2002/03/17 18:27:27
@@ -438,23 +438,24 @@
assert(curthread->stack[0] == (char)0xae);
assert(curthread->stack[1] == (char)0x11);
assert(curthread->stack[2] == (char)0xda);
assert(curthread->stack[3] == (char)0x33);
}
+ splhigh();
+
if (curthread->vmspace) {
as_destroy(curthread->vmspace);
curthread->vmspace = NULL;
}
if (curthread->cwd) {
VOP_DECREF(curthread->cwd);
curthread->cwd = NULL;
}
- splhigh();
assert(numthreads>0);
numthreads--;
mi_switch(S_ZOMB);
panic("Thread came back from the dead!\n");
}
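Review bot: with splhigh() moved above the `if (curthread->vmspace)` block, as_destroy() and VOP_DECREF() now both run with interrupts disabled, which widens the interrupts-off window to cover the whole address-space and cwd teardown rather than just the switch; the alternative this message itself mentions closes the same race without that cost: `struct addrspace *as = curthread->vmspace; curthread->vmspace = NULL; as_destroy(as);` so that a timer interrupt landing mid-teardown finds NULL rather than a pointer to freed memory, and splhigh() can stay where it was, right before `assert(numthreads>0)`.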
--
- David A. Holland / dholland(a)eecs.harvard.edu
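The race described in the message, as an added simulation that is not part of the original patch or of OS/161: the `addrspace` and `thread` structs, `as_destroy`, `as_activate` and the `timer_interrupt` hook are constructed stand-ins (a real context switch in mi_switch() is what would call as_activate here), and `exit_fixed` is the "store in a temporary, clear the field first" ordering the message recommends.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for an OS/161 address space: instead of freeing
 * memory, as_destroy() marks the slot, so a stale use is detectable
 * without reading freed memory. */
struct addrspace { int destroyed; };
struct thread { struct addrspace *vmspace; };

static struct addrspace pool;      /* the one fake address space */
static int bad_activations;        /* as_activate() calls on a destroyed space */

static void as_destroy(struct addrspace *as) { as->destroyed = 1; }

/* Models mi_switch() reloading curthread->vmspace after a timer interrupt. */
static void as_activate(struct addrspace *as) {
    if (as != NULL && as->destroyed)
        bad_activations++;
}

/* Simulated timer interrupt arriving with interrupts enabled. */
static void timer_interrupt(struct thread *t) { as_activate(t->vmspace); }

/* Original ordering: destroy first, clear the field afterwards.
 * An interrupt between the two sees the dangling pointer. */
int exit_original(struct thread *t) {
    bad_activations = 0;
    pool.destroyed = 0;
    t->vmspace = &pool;
    if (t->vmspace) {
        as_destroy(t->vmspace);
        timer_interrupt(t);        /* lands here: field still points at pool */
        t->vmspace = NULL;
    }
    return bad_activations;        /* 1: stale address space activated */
}

/* Better fix from the message: copy, clear the field, then destroy.
 * Interrupts can stay enabled; any interrupt now sees NULL. */
int exit_fixed(struct thread *t) {
    bad_activations = 0;
    pool.destroyed = 0;
    t->vmspace = &pool;
    if (t->vmspace) {
        struct addrspace *as = t->vmspace;
        t->vmspace = NULL;
        timer_interrupt(t);        /* same interrupt point: nothing stale */
        as_destroy(as);
        timer_interrupt(t);        /* and nothing stale afterwards either */
    }
    return bad_activations;        /* 0 */
}
```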