Description
This has been split to a separate ticket from #173.
Per email from Preston Faiks on 2018-06-04, there is an actual observed race condition issue with CFE_ES_AppCreate() out in the field:
When ES is loading and starting apps, one app might fail initialization and call CFE_ES_ExitApp(). If that occurs, its app state will be set to CFE_ES_APP_STATE_STOPPED.
When apps are scanned, it will be removed from the app table and that table entry set to not in use.
As ES continues to load apps, it will make use of the now unused app table entry. It will not change the app state in the entry until it has successfully loaded the app into memory.
The process of loading an app into memory can cause the task to pend on file system (or network file system) and allow other tasks to run.
As that app continues to be loaded, another app scan can occur and detect the app entry as both in use and stopped, and will unload it.
When ES finishes loading the app, it will spawn a task at an entry point which was just unloaded by the scanning task, causing it to execute from unloaded memory and crash.
I have reviewed this code again and the race condition risk described is definitely still present in the current development branch, but this isn't the only example. There are other similar race conditions that are possible regarding the use of the RecordUsed boolean field.
Having an observed failure should escalate this in priority now.
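The interleaving in the report, as an added C model that is not cFE code: the record layout, state names and the `mark_state_on_claim` switch are assumptions used only to contrast the stale-state path with one where the slot is claimed and marked as initializing in the same step.

```c
#include <stdbool.h>

/* Constructed model of an ES app table entry (names are assumptions, not cFE's). */
enum AppState { STATE_UNDEFINED, STATE_LOADING, STATE_RUNNING, STATE_STOPPED };

typedef struct {
    bool RecordUsed;        /* slot is claimed */
    enum AppState AppState; /* lifecycle state; left stale after the previous occupant exits */
    bool CodeLoaded;        /* module is resident in memory */
} AppRecord;

/* The periodic scan: a claimed entry whose state is STOPPED is unloaded and released. */
static void scan_app_table(AppRecord *rec)
{
    if (rec->RecordUsed && rec->AppState == STATE_STOPPED) {
        rec->CodeLoaded = false;   /* unload the module */
        rec->RecordUsed = false;   /* free the slot */
    }
}

/* Loading pends on the file system, so the scan task runs in between. */
static void load_module_with_yield(AppRecord *rec)
{
    rec->CodeLoaded = true;
    scan_app_table(rec);           /* the interleaving described in the report */
}

/* Returns true if the new task would start from resident code,
 * false if its entry point was unloaded while the load was in progress. */
bool app_create(AppRecord *rec, bool mark_state_on_claim)
{
    rec->RecordUsed = true;                 /* reuse the entry */
    if (mark_state_on_claim)
        rec->AppState = STATE_LOADING;      /* mitigation: state changes with RecordUsed */
    load_module_with_yield(rec);
    rec->AppState = STATE_RUNNING;          /* reported path only updates state here */
    return rec->CodeLoaded;
}

/* Build the stale entry the report describes: the previous app stopped and was reaped,
 * so RecordUsed is false but AppState still reads STOPPED. */
AppRecord stale_entry(void)
{
    AppRecord r = { true, STATE_STOPPED, true };
    scan_app_table(&r);
    return r;
}
```

With the stale entry, `app_create(&r, false)` returns false (the scan reclaimed the slot mid-load), while `app_create(&r, true)` returns true.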