This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug dynamic-link/19329] New: dl-tls.c assert failure at concurrent pthread_create and dlopen


https://sourceware.org/bugzilla/show_bug.cgi?id=19329

            Bug ID: 19329
           Summary: dl-tls.c assert failure at concurrent pthread_create
                    and dlopen
           Product: glibc
           Version: 2.22
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: nszabolcs at gmail dot com
  Target Milestone: ---

(this is a continuation of bug 17918, but it turns out to be a different
issue that was originally reported there.)

failure:

Inconsistency detected by ld.so: dl-tls.c: 493: _dl_allocate_tls_init: Assertion `listp->slotinfo[cnt].gen <= _rtld_local._dl_tls_generation' failed!

caused by dlopen (in _dl_add_to_slotinfo and in dl_open_worker) doing

  listp->slotinfo[idx].gen = GL(dl_tls_generation) + 1;
  //...
  if (any_tls && __builtin_expect (++GL(dl_tls_generation) == 0, 0))

while pthread_create (in _dl_allocate_tls_init) is concurrently doing

  assert (listp->slotinfo[cnt].gen <= GL(dl_tls_generation));

so

T1:
  y = x + 1;
  ++x;

T2:
  assert(y <= x);

this is hard to trigger as the race window is short compared to the time
dlopen and pthread_create take, however if i add a usleep(1000) between
the two operations in T1, it is triggered all the time.

the slotinfo and tls generation update lack any sort of synchronization or
atomics in _dl_allocate_tls_init (dlopen holds GL(dl_load_lock)).

on x86_64 with added usleep:

(gdb) p _rtld_local._dl_tls_dtv_slotinfo_list->slotinfo[0]@64
$11 = {{gen = 0, map = 0x7ffff7ff94e8}, {gen = 1, map = 0x7ffff7ff94e8}, {gen = 2, map = 0x7ffff0000910}, {gen = 0, map = 0x0} <repeats 61 times>}
(gdb) p _rtld_local._dl_tls_generation
$12 = 1

T1:
#0  0x00007ffff7df2097 in nanosleep () at ../sysdeps/unix/syscall-template.S:84
#1  0x00007ffff7df1f74 in usleep (useconds=<optimised out>) at ../sysdeps/posix/usleep.c:32
#2  0x00007ffff7decc6b in dl_open_worker (a=a@entry=0x7ffff7611c80) at dl-open.c:527
#3  0x00007ffff7de8314 in _dl_catch_error (objname=objname@entry=0x7ffff7611c70, errstring=errstring@entry=0x7ffff7611c78, mallocedp=mallocedp@entry=0x7ffff7611c6f, operate=operate@entry=0x7ffff7dec720 <dl_open_worker>, args=args@entry=0x7ffff7611c80) at dl-error.c:187
#4  0x00007ffff7dec2a9 in _dl_open (file=0x7ffff7611ee0 "mod-0.so", mode=-2147483646, caller_dlopen=0x4007e2 <start+34>, nsid=-2, argc=<optimised out>, argv=<optimised out>, env=0x7fffffffe378) at dl-open.c:652
#5  0x00007ffff7bd5ee9 in dlopen_doit (a=a@entry=0x7ffff7611eb0) at dlopen.c:66
#6  0x00007ffff7de8314 in _dl_catch_error (objname=0x7ffff00008d0, errstring=0x7ffff00008d8, mallocedp=0x7ffff00008c8, operate=0x7ffff7bd5e90 <dlopen_doit>, args=0x7ffff7611eb0) at dl-error.c:187
#7  0x00007ffff7bd6521 in _dlerror_run (operate=operate@entry=0x7ffff7bd5e90 <dlopen_doit>, args=args@entry=0x7ffff7611eb0) at dlerror.c:163
#8  0x00007ffff7bd5f82 in __dlopen (file=file@entry=0x7ffff7611ee0 "mod-0.so", mode=mode@entry=2) at dlopen.c:87
#9  0x00000000004007e2 in start (a=<optimised out>) at a.c:19
#10 0x00007ffff79bf3d4 in start_thread (arg=0x7ffff7612700) at pthread_create.c:333
#11 0x00007ffff76feedd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

T2:
#0  __GI___assert_fail (assertion=0x7ffff7df8840 "listp->slotinfo[cnt].gen <= GL(dl_tls_generation)", file=0x7ffff7df68e6 "dl-tls.c", line=493, function=0x7ffff7df9020 <__PRETTY_FUNCTION__.9528> "_dl_allocate_tls_init") at dl-minimal.c:220
#1  0x00007ffff7deb492 in __GI__dl_allocate_tls_init (result=0x7fffb7fff700) at dl-tls.c:493
#2  0x00007ffff79bff67 in allocate_stack (stack=<synthetic pointer>, pdp=<synthetic pointer>, attr=0x7fffffffdf90) at allocatestack.c:579
#3  __pthread_create_2_1 (newthread=newthread@entry=0x7fffffffe078, attr=attr@entry=0x0, start_routine=start_routine@entry=0x4007c0 <start>, arg=arg@entry=0xd) at pthread_create.c:526
#4  0x000000000040062a in main () at a.c:34


i think
  GL(dl_tls_generation)
  GL(dl_tls_dtv_slotinfo_list)
  listp->slotinfo[i].map
  listp->slotinfo[i].gen
  listp->next

may all be accessed concurrently by pthread_create and dlopen without
any synchronization.

this can also cause wrong maxgen computation into dtv[0].counter
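
Added example (not part of the original report and not glibc code): a single-threaded C model that replays the window described above step by step, reproducing the gen values and generation counter from the gdb output, and shows both the assert violation and the maxgen overshoot. All names (tls_generation, slotinfo, dlopen_add_slot, dlopen_bump_generation, reader_strict, reader_snapshot, replay_window) are hypothetical stand-ins, and the snapshot reader is one possible tolerant design assumed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define NSLOTS 4

/* Hypothetical stand-ins for GL(dl_tls_generation) and listp->slotinfo[]. */
struct slot { size_t gen; int used; };
static size_t tls_generation;
static struct slot slotinfo[NSLOTS];

/* dlopen step 1 (cf. _dl_add_to_slotinfo): tag the slot with the next generation. */
static void dlopen_add_slot(size_t idx) { slotinfo[idx] = (struct slot){ tls_generation + 1, 1 }; }
/* dlopen step 2 (cf. dl_open_worker): publish the new generation. */
static void dlopen_bump_generation(void) { ++tls_generation; }

/* Reader with the reported check: returns how many slots would trip the assert; *maxgen is what dtv[0].counter would get. */
static int reader_strict(size_t *maxgen) {
    int violations = 0;
    *maxgen = 0;
    for (size_t i = 0; i < NSLOTS; i++) {
        if (!slotinfo[i].used) continue;
        if (slotinfo[i].gen > tls_generation) violations++;
        if (slotinfo[i].gen > *maxgen) *maxgen = slotinfo[i].gen;
    }
    return violations;
}

/* Assumed tolerant reader: read the generation once and ignore newer slots. Real concurrent code also needs atomics or a lock. */
static size_t reader_snapshot(void) {
    size_t snap = tls_generation, maxgen = 0;
    for (size_t i = 0; i < NSLOTS; i++)
        if (slotinfo[i].used && slotinfo[i].gen <= snap && slotinfo[i].gen > maxgen)
            maxgen = slotinfo[i].gen;
    return maxgen;
}

/* Constructed replay of the gdb state: gens {0,1,2}, generation == 1. */
static void replay_window(void) {
    tls_generation = 0;
    slotinfo[0] = (struct slot){ 0, 1 };
    dlopen_add_slot(1); dlopen_bump_generation(); /* a completed dlopen */
    dlopen_add_slot(2);                           /* second dlopen paused before the bump */
}

int main(void) {
    size_t maxgen;
    replay_window();
    int v = reader_strict(&maxgen);
    printf("violations=%d maxgen=%zu snapshot_maxgen=%zu\n", v, maxgen, reader_snapshot());
}
```
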
