Ticket 66: unused condition variable can be to be signaled (PTH)
If pth_cond_awaits waits, it reaquries the mutex and then decrements the waiter count  after pth_wait returns. pth_mutex_aquire can cause a switch to an other task, if the mutex is blocked. If this task issues an other pth_cond_notify on the condition variable, it gets the signaled flag, as a waiter count is not zero. If now the mutex is released, the first task aquires the mutext and then decrements the waiter count to zero. The signal flag is left, so that a contition variable without any waiters is signaled.
If the waiter count is decremented immediatly after the call to pth_wait, this race condition can not happen.
  --- pthsem-2.0.4/pth_sync.c.old 2005-09-22 16:54:36.910273040 +0200
  +++ pthsem-2.0.4/pth_sync.c     2005-09-22 16:56:10.173094936 +0200
  @@ -240,12 +240,13 @@
       pth_mutex_t *mutex = (pth_mutex_t *)(((void **)_cleanvec)[0]);
       pth_cond_t  *cond  = (pth_cond_t  *)(((void **)_cleanvec)[1]);
  +    /* fix number of waiters */
  +    cond->cn_waiters--;
  +
       /* re-acquire mutex when pth_cond_await() is cancelled
          in order to restore the condition variable semantics */
       pth_mutex_acquire(mutex, FALSE, NULL);
  -    /* fix number of waiters */
  -    cond->cn_waiters--;
       return;
   }
  @@ -284,6 +285,10 @@
       cleanvec[1] = cond;
       pth_cleanup_push(pth_cond_cleanup_handler, cleanvec);
       pth_wait(ev);
  +
  +    /* remove us from the number of waiters */
  +    cond->cn_waiters--;
  +
       pth_cleanup_pop(FALSE);
       if (ev_extra != NULL)
           pth_event_isolate(ev);
  @@ -291,9 +296,6 @@
       /* reacquire mutex */
       pth_mutex_acquire(mutex, FALSE, NULL);
  -    /* remove us from the number of waiters */
  -    cond->cn_waiters--;
  -
       /* release mutex (caller had to acquire it first) */
       return TRUE;
   }
mfg Martin Koegler
mkoegler@auto.tuwien.ac.at
Remarks:
Properties:
  | Type: | code |  | Version: | 2.0.4 | 
  | Status: | new |  | Created: | 2005-Sep-22 17:28 | 
  | Severity: | 2 |  | Last Change: | 2005-Sep-22 17:28 | 
  | Priority: | 1 |  | Subsystem: | pth | 
  | Assigned To: | rse |  | Derived From: |  | 
  | Creator: | anonymous |