This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug nptl/20340] New: Crash with SIGEV_THREAD and small interval.


https://sourceware.org/bugzilla/show_bug.cgi?id=20340

            Bug ID: 20340
           Summary: Crash with SIGEV_THREAD and small interval.
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nptl
          Assignee: unassigned at sourceware dot org
          Reporter: carlos at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

As reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1352124

The following program crashes.

cat > test.c <<EOF
#include <signal.h>
#include <time.h>
#include <limits.h>
#include <unistd.h>
#include <stdio.h>

/* Run on a freshly created thread at every expiration (SIGEV_THREAD). */
static void sigev_notify(union sigval arg) {}

int main(void) {
    timer_t timerid;
    static struct sigevent sevp = {
        .sigev_notify = SIGEV_THREAD,
        .sigev_notify_function = sigev_notify
    };

    if (timer_create(CLOCK_MONOTONIC, &sevp, &timerid) != 0) {
        perror("timer_create");
        return 1;
    }

    /* 1 us initial expiration and 1 us period: a notification thread is
       created and exits roughly once per microsecond. */
    static const struct itimerspec new_value = {
        .it_interval = {
            .tv_sec = 0,
            .tv_nsec = 1000
        },
        .it_value = {
            .tv_sec = 0,
            .tv_nsec = 1000
        }
    };

    /* timer_t is passed by value, not by address. */
    if (timer_settime(timerid, 0, &new_value, NULL) != 0) {
        perror("timer_settime");
        return 1;
    }

    sleep(UINT_MAX);  /* keep the process alive while the timer fires */
    return 0;
}
EOF

BUILD=/home/carlos/build/glibc
gcc -Wl,--dynamic-linker=$BUILD/elf/ld.so \
    -Wl,-rpath=$BUILD:$BUILD/nptl:$BUILD/rt -lpthread -lrt -g3 -O0 -o test test.c

I can reproduce this on master.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_create_2_1 (newthread=newthread@entry=0x7faad3185e28, attr=attr@entry=0x1bfd148,
    start_routine=start_routine@entry=0x7faad2b48c00 <timer_sigev_thread>, arg=<optimized out>)
    at pthread_create.c:713
713           if (pd->stopped_start)
[Current thread is 1 (LWP 12099)]

It appears the entire thread descriptor is pointing at invalid memory.

Given the small timer interval we are very very quickly creating and exiting
threads, so there might be a reaping issue here or a stack reuse issue with the
stack cache. Either way we should not segfault and we should handle this
gracefully.
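The reproducer above spawns one detached thread per expiration through SIGEV_THREAD. As an added example (not from the bug report or from glibc), the following arms the same periodic CLOCK_MONOTONIC timer but delivers SIGEV_SIGNAL to a single thread that consumes it with sigtimedwait(), and uses timer_getoverrun() to count expirations the kernel coalesced into an already pending signal, so a sub-millisecond interval causes no thread churn. The names count_expirations and now_ns are chosen here; the interval is assumed to be under one second.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <time.h>

static long long now_ns(void)
{
    struct timespec t;
    clock_gettime(CLOCK_MONOTONIC, &t);
    return (long long)t.tv_sec * 1000000000LL + t.tv_nsec;
}

/* Count expirations of a periodic CLOCK_MONOTONIC timer (interval_ns < 1 s)
 * over run_ms milliseconds using SIGEV_SIGNAL + sigtimedwait() in one thread.
 * Returns signals received, or -1 on error; *overruns gets the expirations
 * the kernel merged into a pending signal. Hypothetical helper, not glibc. */
long count_expirations(long interval_ns, long run_ms, long *overruns)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGRTMIN);
    /* Block SIGRTMIN so only sigtimedwait() consumes it (use pthread_sigmask()
     * before creating other threads in a multi-threaded program). */
    if (sigprocmask(SIG_BLOCK, &set, NULL) != 0)
        return -1;
    struct sigevent sev = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGRTMIN };
    timer_t tid;
    if (timer_create(CLOCK_MONOTONIC, &sev, &tid) != 0)
        return -1;
    struct itimerspec its = { .it_interval = { 0, interval_ns }, .it_value = { 0, interval_ns } };
    if (timer_settime(tid, 0, &its, NULL) != 0) { timer_delete(tid); return -1; }

    long received = 0, merged = 0;
    long long deadline = now_ns() + run_ms * 1000000LL;
    for (;;) {
        long long ns = deadline - now_ns();
        if (ns <= 0) break;
        struct timespec left = { ns / 1000000000LL, ns % 1000000000LL };
        siginfo_t si;
        if (sigtimedwait(&set, &si, &left) < 0) {
            if (errno == EINTR) continue;
            break;                          /* EAGAIN: deadline reached */
        }
        received++;
        merged += timer_getoverrun(tid);    /* expirations coalesced by the kernel */
    }
    timer_delete(tid);
    if (overruns) *overruns = merged;
    return received;
}
```

With the report's 1 us interval, most expirations show up as overruns rather than as separate signals, which is the back-pressure SIGEV_THREAD cannot provide.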

