[omniORB] Race condition between reference disposal and reuse

Tomislav Jonjic tjonjic at gmail.com
Mon Nov 16 14:48:03 UTC 2020


Hello,

Starting from 4.2.3, the race between object reference disposal and
reuse (in omni::releaseObjRef() and omni::createLocalObjRef()) has
been eliminated via an explicit refcount lock in the respective critical
sections. In addition, releaseObjRef() now logs an error about
spurious ::release() calls on the objref, but it still keeps the
decremented refcount---which leaves the possibility open for another
race...

Between the point the refcount reaches a negative value, and the point
the dying objref entry is actually evicted (by the first
releaseObjRef() call), createLocalObjRef may still find the latter.
Since it detects objrefs pending disposal by comparing the refcount to
zero, it will happily recycle the about-to-be-deleted objref. Testing
for pd_refCount < 1 should eliminate this possibility.

Regards,
Tomislav Jonjic
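
The window described in the message above, replayed as a single-threaded model. This is an added example, not omniORB source and not part of the original post; `RefTable`, `release`, `evict`, `create` and `recycles_dying_ref` are hypothetical names, and only `pd_refCount` is taken from the message.

```cpp
// Simplified model of the interleaving; NOT omniORB source.
// All names except pd_refCount are hypothetical.
#include <map>
#include <string>

struct ObjRef { int pd_refCount = 1; };

class RefTable {
  std::map<std::string, ObjRef*> table_;
  bool strict_;  // true: pending disposal means pd_refCount < 1; false: == 0
public:
  explicit RefTable(bool strict) : strict_(strict) {}
  ~RefTable() { for (auto& kv : table_) delete kv.second; }
  // Models releaseObjRef(): only the caller that reaches 0 evicts.
  // A spurious extra release drives the count negative and it stays there.
  bool release(ObjRef* r) { return --r->pd_refCount == 0; }
  // Eviction happens later than the decrement; that gap is the window.
  void evict(const std::string& key, ObjRef* r) {
    auto it = table_.find(key);
    if (it != table_.end() && it->second == r) table_.erase(it);
    delete r;
  }
  // Models createLocalObjRef(): reuse a live entry, else install a fresh one.
  ObjRef* create(const std::string& key, bool& reused) {
    auto it = table_.find(key);
    if (it != table_.end()) {
      int n = it->second->pd_refCount;
      bool dying = strict_ ? (n < 1) : (n == 0);
      if (!dying) { ++it->second->pd_refCount; reused = true; return it->second; }
    }
    reused = false;
    return table_[key] = new ObjRef();
  }
};

// Replays: release -> spurious release -> create -> evict.
// Returns true if create() handed out the entry that evict() then frees.
bool recycles_dying_ref(bool strict) {
  RefTable t(strict);
  bool reused = false;
  ObjRef* first = t.create("obj", reused);   // refcount 1
  bool must_evict = t.release(first);        // 1 -> 0, eviction pending
  t.release(first);                          // spurious: 0 -> -1
  ObjRef* second = t.create("obj", reused);  // lookup inside the window
  bool same = (second == first);             // compared before the free
  if (must_evict) t.evict("obj", first);     // frees 'first'
  return same && reused;
}

int main() { return (recycles_dying_ref(false) && !recycles_dying_ref(true)) ? 0 : 1; }
```

With the `== 0` test the second caller is left holding a pointer that the pending eviction frees; with the `< 1` test it receives a fresh entry instead.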


