[riot-notifications] [RIOT-OS/RIOT] gnrc_ipv6_nib/nc: remove from _next_removable on remove (#10975)
notifications at github.com
Fri Feb 8 20:25:47 CET 2019
Ok, I think I got it now! The state corruption happens definitely within the thread, but not due to a remove happening just as something is added to the neighbor cache, but much earlier. It does not lead to a problem immediately due to a quirk of `clist` where the first element is not `list` or `list.next`, but `list.next->next`, so that most of its operations can be done in *O(1)*: `list` is just the entry point into the list, so it never appears in it itself, `list.next` is the last element of the list, so things can be appended in *O(1)* and `list.next->next` is the first.
It's pretty hard to explain, but when the last two **elements** are by change removed directly after each other when the NC is full (which introduces NULL pointers at the last and first **position**) and then two new NC entries are added (which have the same pointer as the removed ones), the NULL pointer at the **position** is first moved to the second **position** and then kept there, due to
When another entry is tried to be added, the cache-out mechanism starts running (since the NC is full again) and tries to pop the first **element** (which is the NULL pointer) and it crashes.
When just the **last** element is removed the situation "fixes" itself, since the entry is still referred to by the first position, so re-adding it just leads to a loop of one (breaking the list, but not the system ;-)).
I provided a unittest to reproduce and illustrate the crash (2451fb36f8d5abea2cbb10cc61d60f597a0518e2 while writing this message).
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the notifications