[Varnish] #634: Race between HSH_Lookup and EXP_NukeOne

[Varnish]

#634: Race between HSH_Lookup and EXP_NukeOne
----------------------+-----------------------------------------------------
 Reporter:  mpage     |       Owner:  phk  
     Type:  defect    |      Status:  new  
 Priority:  high      |   Milestone:       
Component:  varnishd  |     Version:  trunk
 Severity:  major     |    Keywords:       
----------------------+-----------------------------------------------------
 There is a race that we are encountering frequently when running varnish
 trunk with the file store. The race occurs between HSH_Lookup() and
 EXP_NukeOne(). Here is a brief narrative of what happens:

 Thread T1 is executing HSH_Lookup(). It finds an objcore oc it likes but
 is descheduled prior to line 406. Another thread T2 is scheduled and
 executes EXP_NukeOne(). It finds the objcore oc about to be returned by
 HSH_Lookup() at the head of the LRU with an object of refcnt 1 (since T1
 was descheduled before it could increment the refcnt on oc->obj). It then
 calls

 HSH_Deref(sp->wrk, &(oc->obj));

 When T1 is rescheduled and wakes up oc->obj is now NULL (because of T2)
 and the assert on 408 (of cache_hash.c) is triggered.

 I'm not sure why EXP_NukeOne needs to call HSH_Deref with a pointer to
 oc->obj. The objcore oc is what is stored in the objhead, so nulling
 oc->obj seems like a bad idea. I've attached a diff with a possible fix.

-- 
Ticket URL: <http://varnish-cache.org/ticket/634>
Varnish <http://varnish.projects.linpro.no/>
The Varnish HTTP Accelerator