httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bill Stoddard <>
Subject Re: Seg fault: Possible race conditions in mod_mem_cache.c
Date Mon, 06 Sep 2004 16:11:37 GMT
Jean-Jacques Clar wrote:
> Testing 2.0 and 2.1 Head.
> I am running a test that requires frequent ejections of cache entities:
> max_cache_size and max_object_count are smaller than my sampling.
> 2 threads running at the concurrently on 2 CPUs.
> Thread1(T1): an entry is ejected from the cache in cache_insert(),
> resulting in a call to memcahe_cache_free() [c->free_entry(ejected)].
> Refcount is 1, obj->cleanup is 0.
> T2: a thread is calling apr_pool_clear() in worker_main/worker_thread()
> in the mpm main function (using worker|netware). That thread is calling
> decrement_refcount(), the registered cleanup function in mod_mem_cache.c.
> Both threads are working on the same cache_object.
> Refcount is 1, obj->cleanup is 0 when entering decrement_refcount().
> Then there is a race in both functions where the atomic_dec in
> decrement_refcount() will change the refcount to 0 

It should not be possibe for two threads to atomically decrement the refcount on the same
object to 0.  Sounds 
like a bug in netware's apr_atomic_dec() function.


View raw message