Replied: Tue, 28 Apr 1998 16:07:14 -0400
Replied: "Kamal A Mostafa <kamal@images.com> "
Received: from mail.eecis.udel.edu by whimsy.udel.edu id aa13709;
          28 Apr 1998 02:27 EDT
Received: from green.images.com (green.images.com [198.207.178.4]) by orange.images.com (8.8.5/SCO5) with ESMTP id XAA16947; Mon, 27 Apr 1998 23:26:55 -0700 (PDT)
Received: (from kamal@localhost) by green.images.com (8.8.5/SCO5) id XAA00282; Mon, 27 Apr 1998 23:26:54 -0700 (PDT)
Message-ID: <19980427232654.24285@images.com>
Date: Mon, 27 Apr 1998 23:26:54 -0700
From: Kamal A Mostafa <kamal@images.com>
To: stenn@whimsy.udel.edu
Cc: Kamal A Mostafa <kamal@images.com>
Subject: 5.93: bug in my new TIMER_DEQUEUE()
References: <19980403225715.03704@green>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=82I3+IH0IqGh5yIs
X-Mailer: Mutt 0.89i+KAM
In-Reply-To: <19980403225715.03704@green>; from Kamal A Mostafa on Fri, Apr 03, 1998 at 10:57:15PM -0800


--82I3+IH0IqGh5yIs
Content-Type: text/plain; charset=us-ascii

Hi Harlan-

Looks like one of my patches got lost in the shuffle...  5.93 contains
my first (buggy) version of TIMER_DEQUEUE().  Luckily, this stuff only
gets used with -DDEBUG_TIMERQUEUE anyway, so this isn't a showstopper
or anything.

Anyway... Here's another copy of the mail I sent you when I discovered it,
detailing the issue.  New patch to 5.93 xntpd/ntp_timer.c attached.
(Sorry 'bout this!)

 -k

On Fri, Apr 03, 1998 at 10:57:15PM -0800, Kamal A Mostafa wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Back to work...  I discovered a bug in my new xntpd TIMER_DEQUEUE() function
> (only affects a binary compiled with -DDEBUG_TIMERQUEUE).
> 
> New patch attached to fix it (needs to be applied on top of my first
> TIMERQUEUE patch) -- or just modify ntp_timer.c manually, details here:
> 
> Here's what I had coded (bottom of ntp_timer.c)...
> 
> 	void TIMER_DEQUEUE(struct event *ev)
> 	{
> 		EV_LINKCHK( ev, "TIMER_DEQUEUE(): ev" );
> 		WINNT_WAIT();
> 		if ((ev)->next != 0) {
> 			(ev)->next->prev = (ev)->prev;
> 			(ev)->prev->next = (ev)->next;
> 			(ev)->next = (ev)->prev = 0;
> 		}
> 		WINNT_RELS();
> 	}
> 
> Alas, there is at least one normal situation where TIMER_DEQUEUE() gets
> passed an 'ev' which isn't actually queued (through peer_clear()).
> Which is why TIMER_DEQUEUE() cleverly watches out for (ev)->next being != 0.
> 
> My EV_LINKCHK() is misplaced -- it shouldn't check the linkage-sanity until
> it's determined that this 'ev' is actually linked.  It should look like this:
> 
> 	void TIMER_DEQUEUE(struct event *ev)
> 	{
> 		EV_ASSERT( ev, "TIMER_DEQUEUE(): ev" );		 /* change */
> 		WINNT_WAIT();
> 		if ((ev)->next != 0) {
> 			EV_LINKCHK( ev, "TIMER_DEQUEUE(): ev" ); /* change */
> 			(ev)->next->prev = (ev)->prev;
> 			(ev)->prev->next = (ev)->next;
> 			(ev)->next = (ev)->prev = 0;
> 		}
> 		WINNT_RELS();
> 	}
> 
> 
> Best,
> 
>  -k
> 
> P.S.  I'm mortified at how similar TIMER_DEQUEUE is to DEBUG_TIMERQUEUE...
> Their only difference is "BUG".  What does *that* mean?  ;-}
> 

--82I3+IH0IqGh5yIs
Content-Type: text/plain; charset=us-ascii
Content-Description: tqdebug2.patch
Content-Disposition: attachment; filename="tqdebug2.patch"

*** xntpd/ntp_timer.c.orig Mon Apr 27 23:12:30 1998
--- xntpd/ntp_timer.c Mon Apr 27 23:20:38 1998
***************
*** 542,548 ****
   */
  void TIMER_DEQUEUE(struct event *ev)
  {
! 	EV_LINKCHK( ev, "TIMER_DEQUEUE(): ev" );
  	WINNT_WAIT();
  	if ((ev)->next != 0) {
  		(ev)->next->prev = (ev)->prev;
--- 542,548 ----
   */
  void TIMER_DEQUEUE(struct event *ev)
  {
! 	EV_ASSERT( ev, "TIMER_DEQUEUE(): ev" );
  	WINNT_WAIT();
  	if ((ev)->next != 0) {
  		EV_LINKCHK( ev, "TIMER_DEQUEUE(): ev" );
***************
*** 545,550 ****
  	EV_LINKCHK( ev, "TIMER_DEQUEUE(): ev" );
  	WINNT_WAIT();
  	if ((ev)->next != 0) {
  		(ev)->next->prev = (ev)->prev;
  		(ev)->prev->next = (ev)->next;
  		(ev)->next = (ev)->prev = 0;
--- 545,551 ----
  	EV_ASSERT( ev, "TIMER_DEQUEUE(): ev" );
  	WINNT_WAIT();
  	if ((ev)->next != 0) {
+ 		EV_LINKCHK( ev, "TIMER_DEQUEUE(): ev" );
  		(ev)->next->prev = (ev)->prev;
  		(ev)->prev->next = (ev)->next;
  		(ev)->next = (ev)->prev = 0;

--82I3+IH0IqGh5yIs--
