anchao commented on issue #17418:
URL: https://github.com/apache/nuttx/issues/17418#issuecomment-3606619459

   
   > The test case contains a main thread and a detached thread, here is the sequence which triggers use after free:
   > 
   > 1. main thread enters exit process
   > 2. main thread removes self from task group
   > 3. main thread cancels test thread
   > 4. test thread removes self from task group
   > 5. task group is freed after step 4 since all threads in the group exit
   > 6. main thread runs again and crashes immediately since its tcb(group) is freed at step 4
   > 
   > This problem isn't related to SMP directly.
   
   This process won't be triggered because the group is bound to the main thread, and its lifecycle is controlled by `tg_members`. You need to further examine the implementation details of `nxsched_release_tcb()` and `group_leave()`. The group is not immediately released when the main process exits:
   
   <img width="1962" height="393" alt="Image" src="https://github.com/user-attachments/assets/eb0c6982-aa20-4932-8c16-d364f59e90db" />


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
