fjpanag commented on issue #7488:
URL: https://github.com/apache/nuttx/issues/7488#issuecomment-1503463630

I finally got it!

The semaphore is freed before its holder is released!

Later on, when the holder is to be released, as it still has a reference to the (now deallocated) semaphore, KASAN throws an error.

*I am currently testing on 59416af3e697ab89a85f8598751654422f63d46c, as it is one of the revisions that reproduce the issue easily.*

So, what I did is to add the following to `mm_free()`:
   
```c
/* Debug check placed inside mm_free(): `mem` is the block being freed.
 * If the running task still has a holder record pointing at this block,
 * a semaphore is being freed while it is still held. */

extern dq_queue_t g_readytorun;
struct tcb_s *rtcb = (struct tcb_s *)g_readytorun.head;  /* current task */
if (rtcb->holdsem && rtcb->holdsem->sem == mem)
  {
    DEBUGASSERT(0);
  }
```
   
This is to indicate to me that a semaphore is about to be freed while it is still being referenced by this task's holder.
The assertion indeed fires, and KASAN is right to complain later on.
   
The stack trace at the time of the failure is this:

![Screenshot from 2023-04-11 17-12-27](https://user-images.githubusercontent.com/46975045/231192337-8864e401-986b-48dd-bf14-5242e2dd46a6.png)

To my understanding the issue is that the file is locked at fs_tmpfs.c line 1418, and then deallocated at line 1446 without it being unlocked first.

And thus, the lock causes a holder to be allocated for this task which ends up pointing to a destroyed object.
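As an added illustration (not the author's code and not NuttX's actual implementation), the following is a simplified, hypothetical C model of per-task semaphore holder records. Names such as `tcb_s`, `holdsem` and `sem` echo the comment above, but the structures and functions are assumptions of this model. `checked_free()` carries the same idea as the debug check added to `mm_free()`: refuse to free memory the running task still holds, so the dangling holder that KASAN later trips over never comes into existence. The two scenario functions contrast the order described in the report (lock, then free) with the corrected order (unlock, then free).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of semaphore holder bookkeeping; not NuttX code. */

struct sem_s
{
  int count;                 /* 1 = free, 0 = taken */
};

struct holder_s
{
  struct sem_s *sem;         /* semaphore this record refers to */
  struct holder_s *next;
};

struct tcb_s
{
  struct holder_s *holdsem;  /* semaphores currently held by this task */
};

/* Take the semaphore and record the task as a holder. */
static void sem_take(struct tcb_s *tcb, struct sem_s *sem)
{
  struct holder_s *h = malloc(sizeof *h);
  h->sem = sem;
  h->next = tcb->holdsem;
  tcb->holdsem = h;
  sem->count--;
}

/* Give the semaphore back and release the matching holder record. */
static void sem_give(struct tcb_s *tcb, struct sem_s *sem)
{
  struct holder_s **pp = &tcb->holdsem;
  while (*pp != NULL && (*pp)->sem != sem)
    {
      pp = &(*pp)->next;
    }
  if (*pp != NULL)
    {
      struct holder_s *h = *pp;
      *pp = h->next;
      free(h);
    }
  sem->count++;
}

/* True if the task still has a holder record pointing at mem. */
static bool task_holds(const struct tcb_s *tcb, const void *mem)
{
  for (const struct holder_s *h = tcb->holdsem; h != NULL; h = h->next)
    {
      if (h->sem == mem) return true;
    }
  return false;
}

/* Free wrapper with the same check the comment adds to mm_free(): refuse
 * to free memory the running task still holds instead of leaving a holder
 * that points at a dead object. Returns false when the free is refused. */
static bool checked_free(struct tcb_s *rtcb, void *mem)
{
  if (task_holds(rtcb, mem)) return false;
  free(mem);
  return true;
}

/* Order from the report: lock, then free without unlocking first. */
static bool free_while_held(void)
{
  struct tcb_s task = { NULL };
  struct sem_s *sem = malloc(sizeof *sem);
  sem->count = 1;
  sem_take(&task, sem);
  bool freed = checked_free(&task, sem);  /* refused: holder still set */
  sem_give(&task, sem);                   /* tidy up the model's state */
  free(sem);
  return freed;
}

/* Corrected order: unlock, then free. */
static bool unlock_then_free(void)
{
  struct tcb_s task = { NULL };
  struct sem_s *sem = malloc(sizeof *sem);
  sem->count = 1;
  sem_take(&task, sem);
  sem_give(&task, sem);
  return checked_free(&task, sem);        /* allowed: no holder references sem */
}
```

In the model the check lives in the free path, exactly where the comment places it, because that is the last point at which the relationship between the object and its holder is still visible; once the memory is gone, only a sanitizer such as KASAN can notice the stale pointer.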
   