Page History

...

The following sequence of operation occurs.

Thread	Queue Before	Operation	Queue After
`T1`	head -> A -> B -> C -> tail	Enters `queue_dequeue()` function head = A, tail = C next = B after executing `data = next->data;` This thread gets pre-empted	head -> A -> B -> C -> tail
`T2`	head -> A -> B -> C -> tail	Removes node A	head -> B -> C -> tail
`T2`	head -> B -> C -> tail	Removes node B	head -> C -> tail
`T2`	head -> C -> tail	Enqueues node A back into the queue	head -> A -> C -> tail
`T2`	head -> A -> C -> tail	Removes node C	head -> A -> tail
`T2`	head -> A -> tail	Enqueues a new node D After enqueue operation thread 2 gets pre-empted	head -> A -> D -> tail
`T1`	head -> A -> D -> tail	Thread 1 starts execution Compares the local head= `q->head` = A (true in this case) Updates `q->head` with node B (but node B is removed)	undefined {}

According to the above sequence of events now head will be pointing to memory which was freed.

...

The likelihood of having a race condition is low. Once the race condition occurs, the reading memory that has already been freed can lead to abnormal program termination or unintended information disclosure.

Guideline	Severity	Likelihood	Remediation Cost	Priority	Level
CON39-C	Medium	unlikely	High	P2	L3

...

Space shortcuts

Page tree

Versions Compared

Old Version 10

New Version 11

Key