This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/19329] New: dl-tls.c assert failure at concurrent pthread_create and dlopen
- From: "nszabolcs at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 04 Dec 2015 12:37:03 +0000
- Subject: [Bug dynamic-link/19329] New: dl-tls.c assert failure at concurrent pthread_create and dlopen
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19329
Bug ID: 19329
Summary: dl-tls.c assert failure at concurrent pthread_create and dlopen
Product: glibc
Version: 2.22
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: nszabolcs at gmail dot com
Target Milestone: ---
(this is a continuation of bug 17918, but it turns out to be a different
issue that was originally reported there.)
failure:

    Inconsistency detected by ld.so: dl-tls.c: 493: _dl_allocate_tls_init:
    Assertion `listp->slotinfo[cnt].gen <= _rtld_local._dl_tls_generation' failed!

caused by dlopen (in _dl_add_to_slotinfo and in dl_open_worker) doing

    listp->slotinfo[idx].gen = GL(dl_tls_generation) + 1;
    //...
    if (any_tls && __builtin_expect (++GL(dl_tls_generation) == 0, 0))

while pthread_create (in _dl_allocate_tls_init) concurrently doing

    assert (listp->slotinfo[cnt].gen <= GL(dl_tls_generation));

so

    T1:
      y = x + 1;
      ++x;
    T2:
      assert(y <= x);

this is hard to trigger as the race window is short compared to the time
dlopen and pthread_create take, however if i add a usleep(1000) between
the two operations in T1, it is triggered all the time.
the slotinfo and tls generation update lack any sort of synchronization or
atomics in _dl_allocate_tls_init (dlopen holds GL(dl_load_lock)).
on x86_64 with added usleep:
    (gdb) p _rtld_local._dl_tls_dtv_slotinfo_list->slotinfo[0]@64
    $11 = {{gen = 0, map = 0x7ffff7ff94e8}, {gen = 1, map = 0x7ffff7ff94e8}, {gen = 2, map = 0x7ffff0000910}, {gen = 0, map = 0x0} <repeats 61 times>}
    (gdb) p _rtld_local._dl_tls_generation
    $12 = 1

T1:

    #0 0x00007ffff7df2097 in nanosleep () at ../sysdeps/unix/syscall-template.S:84
    #1 0x00007ffff7df1f74 in usleep (useconds=<optimised out>) at ../sysdeps/posix/usleep.c:32
    #2 0x00007ffff7decc6b in dl_open_worker (a=a@entry=0x7ffff7611c80) at dl-open.c:527
    #3 0x00007ffff7de8314 in _dl_catch_error (objname=objname@entry=0x7ffff7611c70, errstring=errstring@entry=0x7ffff7611c78, mallocedp=mallocedp@entry=0x7ffff7611c6f, operate=operate@entry=0x7ffff7dec720 <dl_open_worker>, args=args@entry=0x7ffff7611c80) at dl-error.c:187
    #4 0x00007ffff7dec2a9 in _dl_open (file=0x7ffff7611ee0 "mod-0.so", mode=-2147483646, caller_dlopen=0x4007e2 <start+34>, nsid=-2, argc=<optimised out>, argv=<optimised out>, env=0x7fffffffe378) at dl-open.c:652
    #5 0x00007ffff7bd5ee9 in dlopen_doit (a=a@entry=0x7ffff7611eb0) at dlopen.c:66
    #6 0x00007ffff7de8314 in _dl_catch_error (objname=0x7ffff00008d0, errstring=0x7ffff00008d8, mallocedp=0x7ffff00008c8, operate=0x7ffff7bd5e90 <dlopen_doit>, args=0x7ffff7611eb0) at dl-error.c:187
    #7 0x00007ffff7bd6521 in _dlerror_run (operate=operate@entry=0x7ffff7bd5e90 <dlopen_doit>, args=args@entry=0x7ffff7611eb0) at dlerror.c:163
    #8 0x00007ffff7bd5f82 in __dlopen (file=file@entry=0x7ffff7611ee0 "mod-0.so", mode=mode@entry=2) at dlopen.c:87
    #9 0x00000000004007e2 in start (a=<optimised out>) at a.c:19
    #10 0x00007ffff79bf3d4 in start_thread (arg=0x7ffff7612700) at pthread_create.c:333
    #11 0x00007ffff76feedd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

T2:

    #0 __GI___assert_fail (assertion=0x7ffff7df8840 "listp->slotinfo[cnt].gen <= GL(dl_tls_generation)", file=0x7ffff7df68e6 "dl-tls.c", line=493, function=0x7ffff7df9020 <__PRETTY_FUNCTION__.9528> "_dl_allocate_tls_init") at dl-minimal.c:220
    #1 0x00007ffff7deb492 in __GI__dl_allocate_tls_init (result=0x7fffb7fff700) at dl-tls.c:493
    #2 0x00007ffff79bff67 in allocate_stack (stack=<synthetic pointer>, pdp=<synthetic pointer>, attr=0x7fffffffdf90) at allocatestack.c:579
    #3 __pthread_create_2_1 (newthread=newthread@entry=0x7fffffffe078, attr=attr@entry=0x0, start_routine=start_routine@entry=0x4007c0 <start>, arg=arg@entry=0xd) at pthread_create.c:526
    #4 0x000000000040062a in main () at a.c:34

i think

    GL(dl_tls_generation)
    GL(dl_tls_dtv_slotinfo_list)
    listp->slotinfo[i].map
    listp->slotinfo[i].gen
    listp->next

may all be accessed concurrently by pthread_create and dlopen without
any synchronization.

this can also cause wrong maxgen computation into dtv[0].counter
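
The T1/T2 interleaving from the report, replayed deterministically in one thread as an added example (not glibc code and not part of the original message). The names `slot`, `writer_add_slot`, `writer_bump_generation`, `reader_strict` and `reader_tolerant` are hypothetical, and the tolerant reader is one assumed reader-side design that snapshots the generation and skips newer slots, which also keeps the computed maxgen from running ahead of the published generation.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#define NSLOTS 4
/* Model only: these stand in for listp->slotinfo[] and GL(dl_tls_generation). */
struct slot { _Atomic size_t gen; _Atomic(const void *) map; };
static struct slot slotinfo[NSLOTS];
static _Atomic size_t tls_generation;

/* dlopen side, first half (y = x + 1): tag the new slot with the NEXT generation. */
static void writer_add_slot(size_t idx, const void *map) {
    size_t next = atomic_load_explicit(&tls_generation, memory_order_relaxed) + 1;
    atomic_store_explicit(&slotinfo[idx].map, map, memory_order_relaxed);
    atomic_store_explicit(&slotinfo[idx].gen, next, memory_order_release);
}
/* dlopen side, second half (++x): publish the new generation. */
static void writer_bump_generation(void) {
    atomic_fetch_add_explicit(&tls_generation, 1, memory_order_release);
}
/* pthread_create side as reported: count slots that would trip the assert. */
static int reader_strict(void) {
    int bad = 0;
    for (size_t i = 0; i < NSLOTS; i++)
        bad += atomic_load(&slotinfo[i].gen) > atomic_load(&tls_generation);
    return bad;
}
/* Tolerant reader (assumed design): snapshot the generation once and skip
   slots from a dlopen that has not been published yet. Returns slots used. */
static int reader_tolerant(size_t *maxgen) {
    size_t snap = atomic_load_explicit(&tls_generation, memory_order_acquire);
    int used = 0;
    *maxgen = 0;
    for (size_t i = 0; i < NSLOTS; i++) {
        size_t g = atomic_load_explicit(&slotinfo[i].gen, memory_order_acquire);
        if (g > snap || atomic_load(&slotinfo[i].map) == NULL)
            continue;                     /* unused, or newer than the snapshot */
        if (g > *maxgen) *maxgen = g;     /* maxgen can never exceed snap */
        used++;
    }
    return used;
}
int main(void) {
    static int mod0, mod1;                /* constructed stand-ins for link maps */
    size_t maxgen;
    writer_add_slot(0, &mod0); writer_bump_generation();
    writer_add_slot(1, &mod1);            /* the window where the report adds usleep */
    printf("in window: strict violations=%d, tolerant used=%d\n", reader_strict(), reader_tolerant(&maxgen));
    return 0;
}
```

In the window the model holds a slot with gen = 2 while the generation is still 1, the same state the gdb output in the report shows.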