This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/14333] Fix the race between atexit() and exit()


https://sourceware.org/bugzilla/show_bug.cgi?id=14333

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot com
           Assignee|unassigned at sourceware dot org   |ppluzhnikov at google dot com

--- Comment #5 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
Test case that reliably reproduces the crash, courtesy Ricky Zhou
<rickyz@google.com>:

#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

const size_t kNumThreads = 1024;
const size_t kNumHandlers = 1024;

/* The handler body is irrelevant; only the registration traffic matters. */
void no_op(void) {}

/* Each thread hammers atexit() while main() is already inside exit(). */
void *threadfunc(void *unused) {
  size_t i;
  (void)unused;
  for (i = 0; i < kNumHandlers; ++i) {
    atexit(&no_op);
  }
  return NULL;
}

int main(void) {
  size_t i;
  pthread_t thr;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);

  for (i = 0; i < kNumThreads; ++i) {
    pthread_create(&thr, &attr, threadfunc, NULL);
  }

  /* Deliberately exits without joining: exit() walks and frees the
     exit-function list while the detached threads are still appending
     to it, which is the race under test. */
  exit(0);
}


Crashes reliably with today's trunk. AddressSanitizer shows:

./elf/ld.so --library-path .:nptl:math:dlfcn ./a.out
ASAN:DEADLYSIGNAL
=================================================================
==28165==ERROR: AddressSanitizer: SEGV on unknown address 0x61905e800009 (pc
0x7fa05bbc1d50 bp 0x619004fb4680 sp 0x7fa053bf5e40 T1014)
    #0 0x7fa05bbc1d4f in __new_exitfn /glibc-git/stdlib/cxa_atexit.c:74
    #1 0x7fa05bbc1ee8 in __internal_atexit /glibc-git/stdlib/cxa_atexit.c:35
    #2 0x7fa05bbc1ee8 in __GI___cxa_atexit /glibc-git/stdlib/cxa_atexit.c:58
    #3 0x7fa05c171746 in __interceptor___cxa_atexit
../../../../libsanitizer/asan/asan_interceptors.cc:716
    #4 0x400acc  (/glibc-git/build-system-gcc/elf/ld.so+0x400acc)
    #5 0x7fa05bf2c7b3 in start_thread /nptl/pthread_create.c:333
    #6 0x7fa05bc703ae in __clone (libc.so.6+0xe53ae)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /glibc-git/stdlib/cxa_atexit.c:74 in
__new_exitfn
Thread T1014 created by T0 here:
    #0 0x7fa05c171aa9 in __interceptor_pthread_create
../../../../libsanitizer/asan/asan_interceptors.cc:236
    #1 0x400bc5  (/glibc-git/build-system-gcc/elf/ld.so+0x400bc5)
    #2 0x7fa05bbacd34 in __libc_start_main ../csu/libc-start.c:289

==28165==ABORTING
$ ./elf/ld.so --library-path .:nptl:math:dlfcn ./a.out
=================================================================
ASAN:DEADLYSIGNAL
==29431==AddressSanitizer: while reporting a bug found another one. Ignoring.
==29431==ERROR: AddressSanitizer: attempting double-free on 0x619004e67480 in
thread T0:
    #0 0x7f5038e35a80 in __interceptor_free
../../../../libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x7f50387f5c5f in __run_exit_handlers /glibc-git/stdlib/exit.c:92
    #2 0x7f50387f5c99 in __GI_exit /glibc-git/stdlib/exit.c:105
    #3 0x400bea  (/glibc-git/build-system-gcc/elf/ld.so+0x400bea)
    #4 0x7f50387e0d34 in __libc_start_main ../csu/libc-start.c:289
    #5 0x4009c8  (/glibc-git/build-system-gcc/elf/ld.so+0x4009c8)

0x619004e67480 is located 0 bytes inside of 1040-byte region
[0x619004e67480,0x619004e67890)
freed by thread T0 here:
    #0 0x7f5038e35a80 in __interceptor_free
../../../../libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x7f50387f5c5f in __run_exit_handlers /glibc-git/stdlib/exit.c:92

previously allocated by thread T983 here:
    #0 0x7f5038e35f40 in __interceptor_calloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:70
    #1 0x7f50387f5e42 in __new_exitfn /glibc-git/stdlib/cxa_atexit.c:101

Thread T983 created by T0 here:
    #0 0x7f5038da5aa9 in __interceptor_pthread_create
../../../../libsanitizer/asan/asan_interceptors.cc:236
    #1 0x400bc5  (/glibc-git/build-system-gcc/elf/ld.so+0x400bc5)
    #2 0x7f50387e0d34 in __libc_start_main ../csu/libc-start.c:289

SUMMARY: AddressSanitizer: double-free
../../../../libsanitizer/asan/asan_malloc_linux.cc:45 in __interceptor_free

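The report above shows the two halves of the race: __new_exitfn (called from atexit()) growing the exit-function list on worker threads while __run_exit_handlers (called from exit()) walks and frees it on the main thread. The library-side fix belongs in glibc; what follows is an added application-level example, not code from the bug report or from glibc, showing how a program can close the registration window itself until it runs on a fixed libc. The names guarded_atexit, mark_exiting and guarded_exit are this example's own: every thread registers through the guard, and the thread that terminates the process flips an "exiting" flag under the same mutex, so a registration either completes before exit() starts or is refused.

```c
/* Added example (not from the bug report): serialise atexit() registration
 * against the start of exit() with one process-wide mutex. Names are
 * hypothetical; the pattern is the point. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;
static int exiting = 0;              /* set once exit has begun; guarded by reg_lock */
static unsigned long registered = 0; /* handlers accepted so far; guarded by reg_lock */

/* Returns 0 when the handler was registered, -1 when exit is already under way
 * (the caller must then not expect the handler to run). */
int guarded_atexit(void (*fn)(void)) {
  int rc;
  pthread_mutex_lock(&reg_lock);
  if (exiting) {
    rc = -1;
  } else {
    rc = atexit(fn);
    if (rc == 0) registered++;
  }
  pthread_mutex_unlock(&reg_lock);
  return rc;
}

/* Closes the registration window. Taking reg_lock here waits for any
 * registration that is mid-flight, so nothing can interleave with the
 * exit-handler walk afterwards. Returns the number accepted before cut-off. */
unsigned long mark_exiting(void) {
  unsigned long n;
  pthread_mutex_lock(&reg_lock);
  exiting = 1;
  n = registered;
  pthread_mutex_unlock(&reg_lock);
  return n;
}

/* exit() wrapper: close the window first, then let libc run the handlers. */
void guarded_exit(int status) {
  mark_exiting();
  exit(status);
}

void no_op(void) {}

/* Worker modelled on the reproducer; it stops as soon as the guard reports
 * that exit has begun instead of racing the exit-function list. */
static void *threadfunc(void *unused) {
  (void)unused;
  for (size_t i = 0; i < 1024; ++i) {
    if (guarded_atexit(no_op) != 0) break;
  }
  return NULL;
}

int main(void) {
  pthread_t thr[64]; /* fewer threads than the reproducer; enough to show the pattern */
  for (size_t i = 0; i < 64; ++i) {
    if (pthread_create(&thr[i], NULL, threadfunc, NULL) != 0) {
      perror("pthread_create");
      return 1;
    }
  }
  /* Exiting while workers may still be registering is the situation from the
   * report; with the guard, late registrations are refused, not interleaved. */
  guarded_exit(0);
}
```

Two caveats on the design: the guard only covers registrations that go through it, so atexit() or __cxa_atexit() calls made directly by libraries or by C++ static-object construction are still unprotected, and a refused registration means that handler will never run, which the caller has to tolerate. Joining or cancelling worker threads before exit() achieves the same ordering without a wrapper where the program's structure allows it.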
