Potential crash in xTaskResumeAll !!!???

nobody wrote on Monday, April 17, 2006:

Can someone please check the following:

in xTaskResumeAll(…)

vListRemove( &( pxTCB->xEventListItem ) );

!!! If the task was not listed in any event list (vTaskDelay for example), the vListRemove will incorrectly remove it from the previous event list, or worse yet, it might incorrectly modify an unknown region if the pxNext and pxPrevious were not initialized.
Please look also in:

in vListRemove(…)

pxItemToRemove->pxNext->pxPrevious = pxItemToRemove->pxPrevious;

!!! The pxNext pointer may be pointing to nothing or to an old link (to pxListEnd of a waiting list in a queue for example).

Please check. Thank you.

rtel wrote on Monday, April 17, 2006:

> Can someone please check the following:
>
> in xTaskResumeAll(…)
> …
> vListRemove( &( pxTCB->xEventListItem ) );
>
>
> !!! If the task was not listed in any event list (vTaskDelay for example), the
> vListRemove will incorrectly remove it from the previous event list, or worse yet,
> it might incorrectly modify an unknown region if the pxNext and pxPrevious were
> not initialized.

This line of code removes tasks from the pending ready list. When the scheduler is locked, the ready and delayed lists cannot be modified, so tasks that are woken by events are placed in the pending ready list to wait for the scheduler to become unlocked. As the ready and delayed lists cannot be modified, tasks cannot be placed in the pending ready list using their generic list item, so are instead placed in the pending ready list using their event list item. The line of code you refer to follows a while loop that obtains the event list item from the pending ready list, then removes it from the pending ready list. As the event list item came from the pending ready list, it must be referenced from the list and vListRemove() is valid.

Places where tasks get added to the pending ready list:

+ vTaskPrioritySet() - here the pending ready list is used if the task is currently in a ready list.  When a task is in a ready list the event list item is free and can therefore be legitimately used to place the task in the pending ready list.

+ vTaskResume() - here the pending ready list is used for a task that was previously in the suspended list.  Again when a task is in the suspended list the event list item is free and can therefore be legitimately used to place the task in the pending ready list.

+ xTaskRemoveFromEventList() - here the event list item is removed from an event list and placed in the pending ready list.  Again this is therefore valid as the event list is removed from one list before being inserted into another.

> Please look also in:
>
> in vListRemove(…)
> …
> pxItemToRemove->pxNext->pxPrevious = pxItemToRemove->pxPrevious;
>
> !!! The pxNext pointer may be pointing to nothing or to an old link (to pxListEnd
> of a waiting list in a queue for example).

The pxNext pointer never points to nothing as the list is circular. If you are finding that pxNext points to nothing, then an error has occurred prior to this statement being processed.

Regards.
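
The invariant described in the reply above, as an added example that is not part of the original thread and is not FreeRTOS source: a simplified circular list with a sentinel, where removal rejects an item that is in no list and insertion rejects an item still linked elsewhere. All names (`item_t`, `list_t`, `owner`, `drain`) are assumptions made for this sketch.

```c
#include <stddef.h>

/* Simplified model, not FreeRTOS source: item_t, list_t, owner are hypothetical. */
typedef struct item {
    struct item *next, *prev;
    struct list *owner;            /* list holding this item, NULL when unlinked */
} item_t;
typedef struct list { item_t end; size_t count; } list_t;  /* end = sentinel */

void item_init(item_t *it) { it->next = it->prev = NULL; it->owner = NULL; }

void list_init(list_t *l) {
    l->end.next = l->end.prev = &l->end;   /* empty list points at itself */
    l->end.owner = NULL;                   /* the sentinel is never removable */
    l->count = 0;
}

/* Append before the sentinel; refuse an item still linked into another list. */
int list_insert_end(list_t *l, item_t *it) {
    if (it->owner != NULL) return -1;
    it->next = &l->end;
    it->prev = l->end.prev;
    l->end.prev->next = it;
    l->end.prev = it;
    it->owner = l;
    l->count++;
    return 0;
}

/* Unlink; an item that is in no list is reported, not dereferenced. */
int list_remove(item_t *it) {
    if (it->owner == NULL) return -1;
    it->next->prev = it->prev;
    it->prev->next = it->next;
    it->owner->count--;
    item_init(it);
    return 0;
}

/* Drain in the order described above: fetch the head, then remove it. */
size_t drain(list_t *pending) {
    size_t n = 0;
    while (pending->count > 0 && list_remove(pending->end.next) == 0) n++;
    return n;
}
```

Because every item handed to `list_remove()` inside `drain()` was read from the list itself, its `next` and `prev` are always valid; the `owner` check only matters for callers that pass an item from elsewhere.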

nobody wrote on Monday, April 17, 2006:

Glad to read that my worries are unfounded.
Thanks.

I was implementing a DoubleQueueWait (waiting for two queues) when I found that second use of xEventListItem during some greps.
Just to make sure I didn’t screw things up,
I’ll post the patch as soon as I feel comfortable with it.

nobody wrote on Monday, April 17, 2006:

Here it is,

https://sourceforge.net/forum/forum.php?thread_id=1248938&forum_id=382005