This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH] Fix timer_create to initialize timer_t properly

From: Suzuki Poulose <suzuki at in dot ibm dot com>
To: libc <libc-alpha at sourceware dot org>
Date: Wed, 02 Sep 2009 20:59:27 +0530
Subject: [PATCH] Fix timer_create to initialize timer_t properly

Hi

The timer_create() doesn't set the sigev_notify field of the internal
struct timer allocated for SIGEV_THREAD sigevent handlers.

This causes the timers never getting deleted from the list maintained at
__active_timer_sigev_thread.

timer_delete:

           if (kt->sigev_notify == SIGEV_THREAD)
             {
               /* Remove the timer from the list.  */

This keeps a narrow window for a timer to get triggered, and before it
gets a chance, if the timer gets deleted the timer gets freed. But we
still find it in the __active_timer_sigev_thread list and tries to
execute it, resulting in a crash !

The problem is very intermittent. But I can recreate this using the
following shell script:

For eg:

while true; do ./tst-timer >/dev/null; [ $? -ne 0 ] && break; done

Illegal instruction (core dumped)

gdb tst-timer core.28182
[..]
[New Thread 28183]
Core was generated by `./tst-timer'.
Program terminated with signal 4, Illegal instruction.
#0  0x00000200001a8b72 in main_arena () from /lib64/libc.so.6
(gdb) bt
#0  0x00000200001a8b72 in main_arena () from /lib64/libc.so.6
#1  0x000002000002dcda in timer_sigev_thread (arg=0x80004010) at
../nptl/sysdeps/unix/sysv/linux/timer_routines.c:65
#2  0x00000200001b3a74 in start_thread (arg=<value optimized out>) at
pthread_create.c:299
#3  0x000002000011a3ce in thread_start () from /lib64/libc.so.6
(gdb) info th
   3 Thread 28183  0x000002000011a34c in clone () from /lib64/libc.so.6
   2 Thread 28182  0x00000200000e4428 in ?? () from /lib64/libc.so.6
* 1 Thread 28227  0x00000200001a8b72 in main_arena () from /lib64/libc.so.6

The attached patch fixes the issue.

I have verified the patch on s390x architecture.

Thoughts ?

Thanks

Suzuki

2009-09-02	Suzuki K P	<suzuki@in.ibm.com>


	* nptl/sysdeps/unix/sysv/linux/timer_create.c (timer_create): Initialize the 
	sigev_notify field for newly created timer to make sure the timer gets deleted
	from the active timer's list upon timer_delete.  

Index: glibc/nptl/sysdeps/unix/sysv/linux/timer_create.c
===================================================================
--- glibc.orig/nptl/sysdeps/unix/sysv/linux/timer_create.c	2007-10-29 00:53:13.000000000 +0530
+++ glibc/nptl/sysdeps/unix/sysv/linux/timer_create.c	2009-09-02 20:53:18.000000000 +0530
@@ -1,4 +1,4 @@
-/* Copyright (C) 2003,2004, 2007 Free Software Foundation, Inc.
+/* Copyright (C) 2003,2004, 2007, 2009 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Ulrich Drepper <drepper@redhat.com>, 2003.
 
@@ -167,6 +167,7 @@
 	      /* Copy the thread parameters the user provided.  */
 	      newp->sival = evp->sigev_value;
 	      newp->thrfunc = evp->sigev_notify_function;
+	      newp->sigev_notify = SIGEV_THREAD;
 
 	      /* We cannot simply copy the thread attributes since the
 		 implementation might keep internal information for

/* Tests for POSIX timer implementation.
   Copyright (C) 2000, 2002, 2003 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   Contributed by Kaz Kylheku <kaz@ashi.footprints.net>.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public License as
   published by the Free Software Foundation; either version 2.1 of the
   License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; see the file COPYING.LIB.  If not,
   write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
   Boston, MA 02111-1307, USA.  */

#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>


static void
notify_func1 (union sigval sigval)
{
  puts ("notify_func1");
}


static void
notify_func2 (union sigval sigval)
{
  puts ("notify_func2");
}


static void
signal_func (int sig)
{
  static const char text[] = "signal_func\n";
  signal (sig, signal_func);
  write (STDOUT_FILENO, text, sizeof text - 1);
}

static void
intr_sleep (int sec)
{
  struct timespec ts;

  ts.tv_sec = sec;
  ts.tv_nsec = 0;

  while (nanosleep (&ts, &ts) == -1 && errno == EINTR)
    ;
}

#define ZSIGALRM 14


int
main (void)
{
  struct timespec ts;
  timer_t timer_sig, timer_thr1, timer_thr2;
  int retval;
  struct sigevent sigev1 =
  {
    .sigev_notify = SIGEV_SIGNAL,
    .sigev_signo = ZSIGALRM
  };
  struct sigevent sigev2;
  struct itimerspec itimer1 = { { 0, 200000000 }, { 0, 200000000 } };
  struct itimerspec itimer2 = { { 0, 100000000 }, { 0, 500000000 } };
  struct itimerspec itimer3 = { { 0, 150000000 }, { 0, 300000000 } };
  struct itimerspec old;

  retval = clock_gettime (CLOCK_REALTIME, &ts);

  sigev2.sigev_notify = SIGEV_THREAD;
  sigev2.sigev_notify_function = notify_func1;
  sigev2.sigev_notify_attributes = NULL;
  /* It is unnecessary to do the following but to set a good example
     we do it anyhow.  */
  sigev2.sigev_value.sival_ptr = NULL;

  setvbuf (stdout, 0, _IOLBF, 0);

  printf ("clock_gettime returned %d, timespec = { %ld, %ld }\n",
	  retval, ts.tv_sec, ts.tv_nsec);

  retval = clock_getres (CLOCK_REALTIME, &ts);

  printf ("clock_getres returned %d, timespec = { %ld, %ld }\n",
	  retval, ts.tv_sec, ts.tv_nsec);

  if (timer_create (CLOCK_REALTIME, &sigev1, &timer_sig) != 0)
    {
      printf ("timer_create for timer_sig failed: %m\n");
      exit (1);
    }
  if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr1) != 0)
    {
      printf ("timer_create for timer_thr1 failed: %m\n");
      exit (1);
    }
  sigev2.sigev_notify_function = notify_func2;
  if (timer_create (CLOCK_REALTIME, &sigev2, &timer_thr2) != 0)
    {
      printf ("timer_create for timer_thr2 failed: %m\n");
      exit (1);
    }

  if (timer_settime (timer_thr1, 0, &itimer2, &old) != 0)
    {
      printf ("timer_settime for timer_thr1 failed: %m\n");
      exit (1);
    }
  if (timer_settime (timer_thr2, 0, &itimer3, &old) != 0)
    {
      printf ("timer_settime for timer_thr2 failed: %m\n");
      exit (1);
    }

  signal (ZSIGALRM, signal_func);

  if (timer_settime (timer_sig, 0, &itimer1, &old) != 0)
    {
      printf ("timer_settime for timer_sig failed: %m\n");
      exit (1);
    }

  intr_sleep (3);

  if (timer_delete (timer_sig) != 0)
    {
      printf ("timer_delete for timer_sig failed: %m\n");
      exit (1);
    }
  if (timer_delete (timer_thr1) != 0)
    {
      printf ("timer_delete for timer_thr1 failed: %m\n");
      exit (1);
    }

  intr_sleep (3);

  if (timer_delete (timer_thr2) != 0)
    {
      printf ("timer_delete for timer_thr2 failed: %m\n");
      exit (1);
    }

  return 0;
}

Follow-Ups:
- Re: [PATCH] Fix timer_create to initialize timer_t properly
  - From: Joseph S. Myers

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]