[omniORB] Missing Object Reference ( bug in omniORB !)
Sai-Lai Lo
S.Lo@uk.research.att.com
03 Nov 2000 10:35:48 +0000
Dmitry,
Thanks for the bug report.
I'll suggest this fix:
omniObject *
omni::locateObject(omniObjectManager*,omniObjectKey &k)
{
  omni_mutex_lock sync(omniObject::objectTableLock);
  omniObject* p = omniObject::localObjectTable[omniORB::hash(k)];
  while (p) {
    if (p->pd_objkey.native == k) {
      p->setRefCount(p->getRefCount()+1);
      return p;
    }
    p = p->pd_next;
  }
  return 0;
}
omniORB 2.8 also suffers from this problem and I've checked in the fix to
the CVS omni2_8_develop branch.
omniORB 3 uses a new locate object mechanism and does not have this
problem.
>>>>> dmitry dolinsky writes:
> Looks like we found the cause for that mysterious problem with invalid
> object reference, calling wrong object etc.
> The bug is in this routine (objectRef.cc):
> omniObject *
> omni::locateObject(omniObjectManager*,omniObjectKey &k)
> {
>   omniObject::objectTableLock.lock();
>   omniObject **p = &omniObject::localObjectTable[omniORB::hash(k)];
>   while (*p) {
>     if ((*p)->pd_objkey.native == k) {
>       (*p)->setRefCount((*p)->getRefCount()+1);
>       omniObject::objectTableLock.unlock();
>       return *p;
>     }
>     p = &((*p)->pd_next);
>   }
>   ....
> The problem is that unlock() happens before *p is dereferenced. So if
> another object is added to the list between unlock and return, p will end
> up pointing to a different object. It becomes clearer if you look at
>     p = &((*p)->pd_next);
> p is set to be the address of a pd_next (pointer to the next element in the
> list). Inserting a new element may change the value of pd_next and
> therefore the value of *p.
--
Sai-Lai Lo S.Lo@uk.research.att.com
AT&T Laboratories Cambridge WWW: http://www.uk.research.att.com
24a Trumpington Street Tel: +44 1223 343000
Cambridge CB2 1QA Fax: +44 1223 313542
ENGLAND
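
Added example, not part of the original message and not omniORB code: a single-threaded reproduction of the race described above, next to the fixed pattern. Obj, bucket, tableLock, the head-insertion policy and the gap() callback (which stands in for another thread running between unlock() and return) are assumptions made for the illustration.

```cpp
#include <functional>
#include <mutex>

struct Obj { int key; int refs; Obj* next; };  // stand-in for omniObject

static std::mutex tableLock;      // stand-in for objectTableLock
static Obj* bucket = nullptr;     // one hash bucket of the object table

// Assumption: new objects are linked in at the head of the bucket.
void insertHead(Obj* o) {
    std::lock_guard<std::mutex> g(tableLock);
    o->next = bucket;
    bucket = o;
}

// Reported pattern: p aliases a slot in the shared list and *p is re-read
// after unlock(). gap() stands in for another thread running at that point.
Obj* locateRacy(int k, const std::function<void()>& gap) {
    tableLock.lock();
    Obj** p = &bucket;
    while (*p) {
        if ((*p)->key == k) {
            (*p)->refs++;
            tableLock.unlock();
            gap();
            return *p;            // the slot may now hold a different object
        }
        p = &((*p)->next);
    }
    tableLock.unlock();
    return nullptr;
}

// Fixed pattern: p is a private copy, and the scoped guard releases the lock
// only after the return value has been taken from it.
Obj* locateFixed(int k) {
    std::lock_guard<std::mutex> g(tableLock);
    for (Obj* p = bucket; p; p = p->next)
        if (p->key == k) { p->refs++; return p; }
    return nullptr;
}

// Look up key 1 while key 2 is inserted; returns the key of the object handed back.
int lookupKey1(bool racy) {
    static Obj a, b;
    a = Obj{1, 0, nullptr};
    b = Obj{2, 0, nullptr};
    bucket = nullptr;
    insertHead(&a);
    Obj* r = racy ? locateRacy(1, [] { insertHead(&b); }) : locateFixed(1);
    if (!racy) insertHead(&b);    // same insert, but it can only run after the lookup
    return r ? r->key : -1;
}
```

In the racy variant the reference count is incremented on the object with key 1 while the caller receives the object with key 2, which matches the "calling wrong object" symptom in the report.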