Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 8 Jul 2024 21:23:28 +0800
From: "AK47" <250200715@...com>
To: "musl" <musl@...ts.openwall.com>
Subject: Maybe A Bug about timer_create and pthread_barrier_wait

Hello:

&nbsp; &nbsp; I had a low-probability crash in the child thread when using the timer_create interface. After debug, I found that the crash occured when the sub-thread accessed in code "if (b-&gt;_b_waiters)" which&nbsp;&nbsp;is a&nbsp;stack variable created in the main thread and passed to child thread by args. It looks like the main thread's timer_create has finished executing at this point, so the variables (start_args) on the stack have been cleaned up. I take a look at the&nbsp;pthread_barrier_wait code and I think it should be a scheduling problem in pthread_barrier_wait.&nbsp;

&nbsp; &nbsp;Take the timer_create as an example, when the child thread is the first thread for "pthread_barrier_wait" and it is suspened after it executes the code "a_store(&amp;b-&gt;_b_lock, 0)", then the main thread in timer_create will arrive as the last thread, it will nerver wait for the child thread to be rescheduled, the main thread can pass the&nbsp;barrier and continue execution, the args created in timer_create will be cleaned up. when the child thread is finally&nbsp;rescheduled, it access the "b-&gt;_b_waiters" which has already been cleaned up by main thread and the crash will occur.&nbsp;

&nbsp; &nbsp;Is there a bug here? Looking forward to your reply.
      /* First thread to enter the barrier becomes the "instance owner" */
      if (!inst) {
            struct instance new_inst = { 0 };
            int spins = 200;
            b-&gt;_b_inst = inst = &amp;new_inst;
            a_store(&amp;b-&gt;_b_lock, 0);
            if (b-&gt;_b_waiters) __wake(&amp;b-&gt;_b_lock, 1, 1);&nbsp; // crash here b-&gt;_b_waiters
            while (spins-- &amp;&amp; !inst-&gt;finished)



      /* First thread to enter the barrier becomes the "instance owner" */
      if (!inst) {
            struct instance new_inst = { 0 };
            int spins = 200;
            b-&gt;_b_inst = inst = &amp;new_inst;
            a_store(&amp;b-&gt;_b_lock, 0);
            // when the child thread is the first thread and is scheduled out here

            if (b-&gt;_b_waiters) __wake(&amp;b-&gt;_b_lock, 1, 1);
            while (spins-- &amp;&amp; !inst-&gt;finished)



Li
Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.