[PATCH] Fix timer_create to initialize timer_t properly

Suzuki Poulose suzuki@in.ibm.com
Wed Sep 2 15:45:00 GMT 2009


Hi

The timer_create() doesn't set the sigev_notify field of the internal
struct timer allocated for SIGEV_THREAD sigevent handlers.

This causes the timers to never get deleted from the list maintained at
__active_timer_sigev_thread.

timer_delete:

            if (kt->sigev_notify == SIGEV_THREAD)
              {
                /* Remove the timer from the list.  */

This keeps a narrow window for a timer to get triggered, and before it
gets a chance, if the timer gets deleted the timer gets freed. But we
still find it in the __active_timer_sigev_thread list and try to
execute it, resulting in a crash!

The problem is very intermittent. But I can recreate this using the
following shell script:

For example:

while true; do ./tst-timer >/dev/null; [ $? -ne 0 ] && break; done

Illegal instruction (core dumped)

gdb tst-timer core.28182
[..]
[New Thread 28183]
Core was generated by `./tst-timer'.
Program terminated with signal 4, Illegal instruction.
#0  0x00000200001a8b72 in main_arena () from /lib64/libc.so.6
(gdb) bt
#0  0x00000200001a8b72 in main_arena () from /lib64/libc.so.6
#1  0x000002000002dcda in timer_sigev_thread (arg=0x80004010) at
../nptl/sysdeps/unix/sysv/linux/timer_routines.c:65
#2  0x00000200001b3a74 in start_thread (arg=<value optimized out>) at
pthread_create.c:299
#3  0x000002000011a3ce in thread_start () from /lib64/libc.so.6
(gdb) info th
    3 Thread 28183  0x000002000011a34c in clone () from /lib64/libc.so.6
    2 Thread 28182  0x00000200000e4428 in ?? () from /lib64/libc.so.6
* 1 Thread 28227  0x00000200001a8b72 in main_arena () from /lib64/libc.so.6
The attached patch fixes the issue.

I have verified the patch on s390x architecture.

Thoughts ?

Thanks

Suzuki

-------------- next part --------------
Attachment: fix-timer-create-delete-crash.diff
URL: <http://sourceware.org/pipermail/libc-alpha/attachments/20090902/be010ee1/attachment.ksh>
-------------- next part --------------
Attachment: tst-timer.c
URL: <http://sourceware.org/pipermail/libc-alpha/attachments/20090902/be010ee1/attachment.c>
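The bookkeeping defect described above, modelled as an added example: this is not the attached patch or tst-timer.c, and the struct, list and function names are a constructed simplification rather than glibc's real internal layout. It shows why a timer created without `sigev_notify` being copied is never unlinked by the `timer_delete` check quoted in the post, leaving a freed node on the active list.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the per-timer bookkeeping for SIGEV_THREAD timers. */
struct timer {
  int sigev_notify;          /* should be copied from sigevent.sigev_notify */
  void (*thrfunc)(union sigval);
  struct timer *next;
};

static struct timer *active_list; /* models __active_timer_sigev_thread */

/* Queue a new SIGEV_THREAD timer. With set_notify == false the field stays
   at its zeroed default, reproducing the defect the post describes. */
static struct timer *model_timer_create(const struct sigevent *evp, bool set_notify)
{
  struct timer *kt = calloc(1, sizeof *kt);
  if (kt == NULL)
    return NULL;
  if (set_notify)
    kt->sigev_notify = evp->sigev_notify;   /* the line the fix adds */
  kt->thrfunc = evp->sigev_notify_function;
  kt->next = active_list;
  active_list = kt;
  return kt;
}

/* Mirrors the check quoted from timer_delete: only timers marked
   SIGEV_THREAD are unlinked before the struct is freed. */
static void model_timer_delete(struct timer *kt)
{
  if (kt->sigev_notify == SIGEV_THREAD)
    for (struct timer **pp = &active_list; *pp != NULL; pp = &(*pp)->next)
      if (*pp == kt) { *pp = kt->next; break; }
  free(kt);
}

/* Create then delete one timer; report whether the list still holds the
   address of the freed node (compared by value, never dereferenced). */
static bool leaves_stale_entry(bool set_notify)
{
  struct sigevent sev;
  memset(&sev, 0, sizeof sev);
  sev.sigev_notify = SIGEV_THREAD;
  active_list = NULL;
  struct timer *kt = model_timer_create(&sev, set_notify);
  uintptr_t freed = (uintptr_t)kt;
  model_timer_delete(kt);
  for (struct timer *p = active_list; p != NULL; p = p->next)
    if ((uintptr_t)p == freed)
      return true;               /* dangling: the race in the post */
  return false;
}
```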