This is the mail archive of the archer@sourceware.org mailing list for the Archer project.
[patch] Fix another double free
- From: ppluzhnikov at google dot com (Paul Pluzhnikov)
- To: archer at sourceware dot org
- Date: Thu, 23 Oct 2008 18:15:10 -0700 (PDT)
- Subject: [patch] Fix another double free
Greetings,
I just committed and pushed the change below.
AFAICT, breakage was introduced by:
commit b2b4ceb7d948482cd60d453f22cec7ee578e1632
Author: Thiago Jung Bauermann <bauerman@br.ibm.com>
Date: Mon Apr 28 16:28:10 2008 -0300
Expose threads to Python.
Upstream has not yet been affected.
Here is how the bug could be observed:
--- cut ---
#include <pthread.h>
#include <stdlib.h>

/* Thread body: abort the process when the flag it is handed is non-zero.
   The first thread (x == 0) exits normally; the second (x == 1) aborts,
   which is what stops gdb and lets "info threads" run with a dead thread
   still in gdb's list. */
void *fn(void *p)
{
  int *ip = (int *)p;
  if (*ip) {
    abort();
  }
  return NULL;
}

int main()
{
  pthread_t tid;
  int x = 0;

  /* First thread: runs to completion, so gdb marks it dead and prunes it. */
  pthread_create(&tid, 0, fn, &x);
  pthread_join(tid, 0);

  /* Second thread: aborts, delivering SIGABRT to the process. */
  x = 1;
  pthread_create(&tid, 0, fn, &x);
  pthread_join(tid, 0);
  return 0;
}
--- cut ---
$ gcc -g thread.c -pthread && ./gdb -q ./a.out
(gdb) run
[Thread debugging using libthread_db enabled]
[New Thread 0x40800960 (LWP 1618)]
[Thread 0x40800960 (LWP 1618) exited]
[New Thread 0x40800960 (LWP 1619)]
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x40800960 (LWP 1619)]
0x00002aaaab695c75 in raise () from /usr/grte/v1/lib64/libc.so.6
(gdb) inf thread
*** glibc detected *** double free or corruption (fasttop): 0x0000000000e8db40 ***
--
Paul Pluzhnikov
2008-10-23 Paul Pluzhnikov <ppluzhnikov@google.com>
* thread.c (prune_threads): Correctly unlink dead threads.
diff --git a/gdb/thread.c b/gdb/thread.c
index a2f29bc..bd60d3f 100644
--- a/gdb/thread.c
+++ b/gdb/thread.c
@@ -461,7 +461,7 @@ prune_threads (void)
Otherwise, advance to the next thread. */
if (!thread_alive (tp))
{
- (*prevp)->next = tp->next;
+ *prevp = tp->next;
free_thread (tp);
}
else
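Review bot: the replacement `*prevp = tp->next;` is the correct unlink, and the hunk should be read together with the else branch (cut off here) to confirm that it advances `prevp = &tp->next;` only for live threads and that the loop does not touch `tp` after `free_thread (tp)`. With `prevp` holding the address of the link slot that currently points at `tp`, `*prevp` is `tp`, so the old `(*prevp)->next = tp->next;` assigned `tp->next` to itself: the dead thread was freed but stayed linked, and the next walk of the list (the `info threads` in the report) dereferenced and freed it again, which is exactly the glibc "double free or corruption (fasttop)" abort shown above. The comment "Otherwise, advance to the next thread." only describes the else branch; consider stating in the comment above it that, on the dead path, `prevp` deliberately stays put because the slot now holds the successor.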
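The unlink idiom at issue, as an added example that is not part of the original mail or of gdb's thread.c: a constructed `struct thread_info` with only the fields the walk needs, a `release()` shim that stands in for `free_thread()`/`free()` and counts repeat calls instead of corrupting the heap, and the pruning loop in both the pre-patch form (`(*prevp)->next = tp->next;`, a self-assignment that leaves the freed node reachable) and the patched form (`*prevp = tp->next;`). The names `build_list`, `count_nodes`, `release`, `pool` and the two `prune_threads_*` functions are this example's own, and the loop shape around the hunk is an assumption, since the mail shows only the dead-thread branch.

```c
#include <stddef.h>

#define MAX_THREADS 8

/* Constructed stand-in for gdb's struct thread_info (not gdb's definition):
   only what the unlink logic touches. */
struct thread_info {
    int num;
    int alive;
    int released;                 /* how many times "free" ran on this node */
    struct thread_info *next;
};

static struct thread_info pool[MAX_THREADS];   /* static storage: no real heap */
static int double_free_count;                  /* releases of an already-released node */

/* Stand-in for free_thread(): record the call instead of freeing, so a second
   release of the same node is counted rather than tripping glibc's detector. */
static void release(struct thread_info *tp)
{
    if (tp->released++)
        double_free_count++;
}

/* Build the list 1..n; thread i is dead when bit (i-1) of dead_mask is set.
   Resets the release counters so each scenario starts clean. */
static struct thread_info *build_list(int n, unsigned dead_mask)
{
    struct thread_info *head = NULL, **tail = &head;
    double_free_count = 0;
    for (int i = 0; i < n && i < MAX_THREADS; i++) {
        struct thread_info *tp = &pool[i];
        tp->num = i + 1;
        tp->alive = !(dead_mask & (1u << i));
        tp->released = 0;
        tp->next = NULL;
        *tail = tp;
        tail = &tp->next;
    }
    return head;
}

static int count_nodes(const struct thread_info *tp)
{
    int n = 0;
    for (; tp; tp = tp->next)
        n++;
    return n;
}

/* Pre-patch behaviour.  prevp holds the address of the slot that points at tp,
   so *prevp == tp and the assignment is tp->next = tp->next: a no-op.  The
   node is released but never unlinked, and the next walk releases it again. */
static void prune_threads_buggy(struct thread_info **head)
{
    struct thread_info **prevp = head;
    struct thread_info *tp = *head;
    while (tp) {
        struct thread_info *next = tp->next;   /* saved before release */
        if (!tp->alive) {
            (*prevp)->next = tp->next;         /* wrong: self-assignment */
            release(tp);
        } else {
            prevp = &tp->next;
        }
        tp = next;
    }
}

/* Patched behaviour.  Writing through the slot removes tp from the list; prevp
   deliberately stays put because the slot now holds tp's successor, and the
   next tp is re-read from the slot rather than from the released node. */
static void prune_threads_fixed(struct thread_info **head)
{
    struct thread_info **prevp = head;
    while (*prevp) {
        struct thread_info *tp = *prevp;
        if (!tp->alive) {
            *prevp = tp->next;                 /* the fix: overwrite the slot */
            release(tp);
        } else {
            prevp = &tp->next;                 /* advance only over live nodes */
        }
    }
}
```

With three threads of which the second is dead, the pre-patch loop leaves all three linked after one pass and records a repeat release on the second pass; the patched loop leaves two nodes and never releases a node twice.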