Re: svn commit: r1665888 - /tomcat/native/branches/1.1.x/native/src/poll.c

Mon, 16 Mar 2015 14:42:07 -0700 

2015-03-11 17:44 GMT+03:00  <ma...@apache.org>:
> Author: markt
> Date: Wed Mar 11 14:44:23 2015
> New Revision: 1665888
>
> URL: http://svn.apache.org/r1665888
> Log:
> Fix 57653. Crash when multiple events for same socket are returned via 
> separate apr_pollfd_t structures
>
> Modified:
>     tomcat/native/branches/1.1.x/native/src/poll.c
>
> Modified: tomcat/native/branches/1.1.x/native/src/poll.c
> URL: 
> http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/poll.c?rev=1665888&r1=1665887&r2=1665888&view=diff
> ==============================================================================
> --- tomcat/native/branches/1.1.x/native/src/poll.c (original)
> +++ tomcat/native/branches/1.1.x/native/src/poll.c Wed Mar 11 14:44:23 2015
> @@ -360,7 +360,13 @@ TCN_IMPLEMENT_CALL(jint, Poll, poll)(TCN
>              tcn_socket_t *s = (tcn_socket_t *)fd->client_data;
>              p->set[i*2+0] = (jlong)(fd->rtnevents);
>              p->set[i*2+1] = P2J(s);
> -            if (remove) {
> +            /* If a socket is registered for multiple events and the poller 
> has
> +               multiple events to return it may do as a single pair in this
> +               array or as multiple pairs depending on implementation. On 
> OSX at
> +               least, multiple pairs have been observed. In this case do not 
> try
> +               and remove socket from the pollset for a second time else a 
> crash
> +               will result. */
> +            if (remove && s->pe) {
>                  apr_pollset_remove(p->pollset, fd);
>                  APR_RING_REMOVE(s->pe, link);
>                  APR_RING_INSERT_TAIL(&p->dead_ring, s->pe, tcn_pfde_t, link);

There shall be a separate nested "if (s->pe)" block instead of
combined condition.  This "if" is followed by an "else" branch, which
is now executed in an unexpected way.

Lines 357-356 before the changed code:
        if (!remove)
            now = apr_time_now();

Line 379-385 the "else" branch:
            else {
                /* Update last active with the current time
                 * after the poll call.
                 */
                s->last_active = now;
            }

Note how "now" is uninitialized when "remove" flag is false.

Also, there is a question of porting this fix to Native trunk.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to