Bug in CpiSubscriptionManager::WaitForPendingAdd
03-02-2013, 11:00 AM
Post: #1
Bug in CpiSubscriptionManager::WaitForPendingAdd
There's a problem in the code for CpiSubscriptionManager::WaitForPendingAdd when multiple threads have put PendingSubscription objects with the same Sid in the iPendingSubscriptions vector.

On line 523 of CpiSubscription.cpp, the call to RemovePendingAdd erases the first PendingSubscription object with a matching Sid. If the vector contains more than one PendingSubscription object with the same Sid, the object that's removed from the vector might not be the same PendingSubscription object that was created in line 515 and assigned to the 'pending' variable. If so, when control passes back to WaitForPendingAdd, the delete operation on line 526 will delete a PendingSubscription object that's still part of the vector. This causes an assertion failure when another thread subsequently attempts to Signal() the semaphore inside this deleted object on line 592.

I also noticed that the other calls to RemovePendingAdd (from lines 535 and 614) don't do a delete for the removed object. This would presumably cause a small memory leak.

I think all these problems can be fixed by moving the delete operation from line 526 to precede the break instruction on line 594.
04-02-2013, 10:59 AM
Post: #2
RE: Bug in CpiSubscriptionManager::WaitForPendingAdd
(03-02-2013 11:00 AM)simoncn Wrote:  There's a problem in the code for CpiSubscriptionManager::WaitForPendingAdd when multiple threads have put PendingSubscription objects with the same Sid in the iPendingSubscriptions vector.

Nice spot! Your suggested fix looks good; I've applied it locally so it'll hopefully be on github this evening.
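The mismatch described in post #1, reduced to a single-threaded model (an added example, not part of either post and not ohNet code). `Pending`, `RemoveFirstBySid`, `RemoveExact` and the Sid string are constructed for illustration; `RemoveExact` shows a pointer-identity removal, which is a different remedy from the one suggested in the thread, and stack objects stand in for heap objects so nothing is actually freed.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Constructed model of one pending-list entry; not the ohNet sources.
struct Pending {
    std::string sid;
};

// Lookup as the post describes it: erase the first entry whose Sid matches.
Pending* RemoveFirstBySid(std::vector<Pending*>& list, const std::string& sid) {
    for (auto it = list.begin(); it != list.end(); ++it) {
        if ((*it)->sid == sid) {
            Pending* removed = *it;
            list.erase(it);
            return removed;
        }
    }
    return nullptr;
}

// Hypothetical alternative: erase only the entry the caller itself created.
bool RemoveExact(std::vector<Pending*>& list, const Pending* mine) {
    auto it = std::find(list.begin(), list.end(), mine);
    if (it == list.end()) return false;
    list.erase(it);
    return true;
}

// True if the caller's object is still in the list after its own cleanup,
// i.e. deleting it at that point would leave a dangling pointer behind.
bool StillListedAfterCleanup(bool bySid) {
    Pending first{"uuid:constructed-sid"};
    Pending second{"uuid:constructed-sid"};  // same Sid, different waiter
    std::vector<Pending*> list{&first, &second};
    Pending* mine = &second;                 // this waiter's own entry
    if (bySid) {
        RemoveFirstBySid(list, mine->sid);   // erases &first, not &second
    } else {
        RemoveExact(list, mine);
    }
    return std::find(list.begin(), list.end(), mine) != list.end();
}

int main() {
    return (StillListedAfterCleanup(true) && !StillListedAfterCleanup(false)) ? 0 : 1;
}
```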

