12650 – Memory leak with dlopen() and thread-local storage variables

Bug 12650 - Memory leak with dlopen() and thread-local storage variables

Summary: Memory leak with dlopen() and thread-local storage variables

Status:	RESOLVED FIXED

Alias:	None

Product:	glibc
Classification:	Unclassified
Component:	libc (show other bugs)
Version:	2.13

Importance:	P2 normal
Target Milestone:	---
Assignee:	Ulrich Drepper

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-04-07 14:05 UTC by Robert Rex
Modified:	2014-06-27 13:17 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Flags:	fweimer: security-

Attachments
Possible patch to fix described memory leak (846 bytes, patch) 2011-04-07 14:05 UTC, Robert Rex	Details \| Diff
Test executable (351 bytes, text/x-csrc) 2011-04-07 14:05 UTC, Robert Rex	Details
Test library (145 bytes, text/x-csrc) 2011-04-07 14:06 UTC, Robert Rex	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Rex 2011-04-07 14:05:04 UTC

Created attachment 5652 [details]
Possible patch to fix described memory leak

See this thread: http://sourceware.org/ml/libc-help/2011-04/msg00000.html

A memory leak occurs when executing the following steps:
(1) A program opens a shared library object with dlopen().
(2) A new thread is created (pthread_create()).
(3) The thread calls a function of the shared library which references a
thread-local storage variable.
(4) The function returns and the thread exits.

(my attached test case repeats steps 2-4 10000 times for a better demonstration)

-> Result: The thread-local storage variable has been created via
___tls_get_addr() for each thread, but nothing is deallocated.
This only happens in case the dynamic library has been loaded by
dlopen() and not "directly" at load time.
I reproduced this issue with glibc in version 2.13 (but older versions seem also to be affected [I also used CentOS 5.5, Ubuntu 10.10 [EGLIBC] and some Debian system]).

Valgrind confirms this assumption:

# valgrind --leak-check=full ./test
[...]
==18274== HEAP SUMMARY:
==18274==     in use at exit: 41,114 bytes in 10,005 blocks
==18274==   total heap usage: 10,012 allocs, 7 frees, 42,196 bytes allocated
==18274==
==18274== 39,996 bytes in 9,999 blocks are definitely lost in loss
record 7 of 7
==18274==    at 0x4024DB9: memalign (vg_replace_malloc.c:581)
==18274==    by 0x401119B: tls_get_addr_tail (dl-tls.c:529)
==18274==    by 0x4011689: ___tls_get_addr (dl-tls.c:767)
==18274==    by 0x402B5B6: ???
==18274==    by 0x45B7CC8: start_thread (pthread_create.c:304)
==18274==    by 0x411269D: clone (clone.S:130)
==18274==
==18274== LEAK SUMMARY:
[...]

I attached a possible patch that fixed the leak for me. Before re-initializing the TLS in get_cached_stack() it runs through the appropriate DTV and deallocates all memory blocks.

Comment 1 Robert Rex 2011-04-07 14:05:59 UTC

Created attachment 5653 [details]
Test executable

Comment 2 Robert Rex 2011-04-07 14:06:37 UTC

Created attachment 5654 [details]
Test library

Comment 3 Ulrich Drepper 2011-04-11 02:48:14 UTC

I've checked in a similar patch.

Comment 4 Paul Pluzhnikov 2012-02-22 23:38:12 UTC

(In reply to comment #3)
> I've checked in a similar patch.

For reference, the patch is:

2011-04-10  Ulrich Drepper  <drepper@gmail.com>

	[BZ #12650]
	* sysdeps/i386/dl-tls.h: Define TLS_DTV_UNALLOCATED.
	* sysdeps/ia64/dl-tls.h: Likewise.
	* sysdeps/powerpc/dl-tls.h: Likewise.
	* sysdeps/s390/dl-tls.h: Likewise.
	* sysdeps/sh/dl-tls.h: Likewise.
	* sysdeps/sparc/dl-tls.h: Likewise.
	* sysdeps/x86_64/dl-tls.h: Likewise.
	* elf/dl-tls.c: Don't define TLS_DTV_UNALLOCATED here.

http://repo.or.cz/w/glibc.git/commitdiff/e6c61494125126d2ba77e5d99f83887a2ed49783