[cups-devel] [MOD] STR #4719: Assert failure but NULL check present - race condition?

[Till Kamppeter]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

At Ubuntu the following bug got reported:

https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1495276

The problem described there is that CUPS terminates on the assert() failure
in the avahi_entry_group_free(*srv); call in

- ----------
static void
dnssdDeregisterInstance(
    cupsd_srv_t     *srv,		/* I - Service */
    int             from_callback)	/* I - Called from callback? */
{
  if (!srv || !*srv)
    return;

#  ifdef HAVE_DNSSD
  (void)from_callback;

  DNSServiceRefDeallocate(*srv);

#  else /* HAVE_AVAHI */
  if (!from_callback)
    avahi_threaded_poll_lock(DNSSDMaster);

  avahi_entry_group_free(*srv);

  if (!from_callback)
    avahi_threaded_poll_unlock(DNSSDMaster);
#  endif /* HAVE_DNSSD */

  *srv = NULL;
}
- ----------

in scheduler/dirsvc.c. avahi_entry_group_free() is defined as follows:

- ----------
int avahi_entry_group_free(AvahiEntryGroup *group) {
    AvahiClient *client = group->client;
    int r = AVAHI_OK;

    assert(group);
[...]
}
- ----------

So *srv in the avahi_entry_group_free(*srv); call must have been NULL, but
dnssdDeregisterInstance() did not return on

- ----------
  if (!srv || !*srv)
    return;
- ----------

This looks like that *srv got changed by another thread after the NULL
check and before the avahi_entry_group_free(*srv);. Note that from_callback
was 1 in this call and so avahi_threaded_poll_lock(DNSSDMaster); did not
get executed in this case (see the stack traces attached to the Ubuntu bug
report).

The thread stack trace attached to the Ubuntu bug report also reveals that
there were two parallel threads and the other thread was also in the
dnssdDeregisterInstance() function.

Link: https://www.cups.org/str.php?L4719
Version: 2.1-current
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJV+JJZAAoJENujp6sI12IjjCAP/17NXto98AUpHZ7cQtOG1zrG
5J7DAEM/0D1n3cgTylDH1E/f3XQFp2L4k6u2HCNbJoUksPRwudwYfusAbY+UfTq4
VEu2wqZPTecttyFElXNAOjhLEl1UcheD5VZCWB/6VQxOgfstzbErhjztbGkqoBFh
m9BJxGUgWGadTgCTS7ByrEAKjh2z2s7TUBfSg0+f3YimF7uzQUYJjY5+yykII3zR
q0DUSojzn9pivSHGkzYVZHljqP4PpKWBLAmFnnEQx+QV/Bm1kjQsThSQoS81bH1A
klkPc4J7JXgqB1SljZDn5eT795iMVBTUYBeOHSPPYFw89fkMGfU57zF4KdpDMVr8
NcSnVzpvnk4/NrU3uzWF2ljLNHnNF6KbCMc/PeaKtRLqm4mI4c1NIBPPUY0aZrdv
gqsePH6w+Cpg1+1Hi4K0JeHXcVOT6OL6eMSMzhmM00ZgNUiGvCy4dzbZwvibDvZc
RDgYWYFpdU7+FJAhDsIGzKS2ysZQNxmbV6vabcfXRtXVeLfUw2fP1UaSNLXNtrqx
Au5PuYLnrBZlQ1yt97pdfyqrmtxJBNeehK4hutYWgYr2Zb8BKmoLMKrB5K46OCrY
7DyIQ84nmLbv0ZduT8ExeB6ERPXa1RddnmzCR9BiVWFe+PG4Gs9XOavMlM3nvsn6
49sEYx/6C0Db/ihaYH+s
=6tbj
-----END PGP SIGNATURE-----