NetBSD-Bugs archive
lib/42876: realloc crash with threads
>Number: 42876
>Category: lib
>Synopsis: realloc crash with threads
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 23 14:45:00 +0000 2010
>Originator: Nicolas Joly
>Release: NetBSD 5.99.24
>Organization:
Institut Pasteur
>Environment:
System: NetBSD lanfeust.sis.pasteur.fr 5.99.24 NetBSD 5.99.24 (LANFEUST) #6:
Tue Feb 23 13:24:16 CET 2010
njoly%lanfeust.sis.pasteur.fr@localhost:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/LANFEUST
amd64
Architecture: x86_64
Machine: amd64
>Description:
There seems to be a race when using concurrent realloc calls with multiple
threads. The following testcase, which makes 4 threads call realloc with
random values, crashes with a NULL pointer dereference.
njoly@lanfeust [netbsd/threads]> cat thread_realloc.c
#include <err.h>
#include <pthread.h>
#include <stdlib.h>
#include <time.h>       /* time(), used to seed rand() */
#include <unistd.h>

#define THR_NUM 4

static volatile int quit = 0;   /* set by main() to stop the worker threads */

/* Each thread repeatedly reallocs its own buffer to a random size of 0..9 MiB. */
void *thr_func(void *arg)
{
        int val;
        size_t len;
        void *buf, *new;

        srand(time(NULL));
        buf = new = NULL;
        while (quit != 1) {
                val = rand() % 10;
                len = val * 1024 * 1024;
                new = realloc(buf, len);
                if (len && new == NULL) {
                        break;          /* allocation failed: old buf is still valid */
                }
                buf = new;
        }
        free(buf);
        return NULL;
}

int main(void)
{
        int res, i;
        pthread_t thr[THR_NUM];

        for (i = 0; i < THR_NUM; i++) {
                res = pthread_create(&thr[i], NULL, thr_func, NULL);
                if (res != 0)
                        errx(1, "pthread_create failed");
        }
        sleep(10);              /* let the threads race for 10 seconds */
        quit = 1;
        for (i = 0; i < THR_NUM; i++) {
                res = pthread_join(thr[i], NULL);
                if (res != 0)
                        errx(1, "pthread_join failed");
        }
        return 0;
}
njoly@lanfeust [netbsd/threads]> cc -pthread -g -Wall -Werror -o thread_realloc thread_realloc.c
njoly@lanfeust [netbsd/threads]> ./thread_realloc
zsh: segmentation fault (core dumped) ./thread_realloc
njoly@lanfeust [netbsd/threads]> gdb thread_realloc thread_realloc.core
GNU gdb 6.5
[...]
Core was generated by `thread_realloc'.
Program terminated with signal 11, Segmentation fault.
#0 realloc (ptr=0x7f7ffaa00000, size=9437184)
at /local/src/NetBSD/src/lib/libc/stdlib/jemalloc.c:2872
2872 node->size = newcsize;
(gdb) p node->size
Cannot access memory at address 0x28
(gdb) p node
$1 = (chunk_node_t *) 0x0
(gdb) bt
#0 realloc (ptr=0x7f7ffaa00000, size=9437184)
at /local/src/NetBSD/src/lib/libc/stdlib/jemalloc.c:2872
#1 0x0000000000400b66 in thr_func (arg=0x0) at thread_realloc.c:21
#2 0x00007f7ffd80a660 in pthread__create_tramp (cookie=<value optimized out>)
at /local/src/NetBSD/src/lib/libpthread/pthread.c:470
#3 0x00007f7ffd46e4e0 in ___lwp_park50 () from /usr/lib/libc.so.12
Cannot access memory at address 0x7f7ffd400000
(gdb) info threads
5 process 72227 0x00007f7ffd43672a in _sys___nanosleep50 ()
from /usr/lib/libc.so.12
4 process 203299 pthread__mutex_pause ()
at /local/src/NetBSD/src/lib/libpthread/pthread_mutex.c:171
3 process 268835 0x00007f7ffd46e4ca in ___lwp_park50 ()
from /usr/lib/libc.so.12
2 process 334371 0x00007f7ffd46e4ca in ___lwp_park50 ()
from /usr/lib/libc.so.12
* 1 process 137763 realloc (ptr=0x7f7ffaa00000, size=9437184)
at /local/src/NetBSD/src/lib/libc/stdlib/jemalloc.c:2872
>How-To-Repeat:
Run the provided testcase.
>Fix:
n/a
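A stricter variant of the testcase above, added here as an example and not part of the PR: it uses the same 4 threads and 0..9 MiB size range, but seeds each thread deterministically (a small LCG, so a failing run is repeatable), stamps every page of the buffer with a per-thread byte, and after each realloc checks that the bytes realloc must preserve are intact. It therefore counts silent cross-thread corruption as well as the outright NULL dereference, and returns a number that a regression test can assert on. Iteration count, seeds, stride and the function name run_stress are constructed for this example.

```c
#include <pthread.h>
#include <stdlib.h>
#define THR_NUM 4      /* as in the PR's test case */
#define ITERS   100    /* realloc calls per thread (constructed; keeps runs short) */
#define MAX_MIB 9      /* same 0..9 MiB size range as the PR's test case */
#define STRIDE  4096   /* sample one byte per page so big buffers stay cheap */
struct worker { unsigned seed; long errors; };
/* Each thread walks its buffer through random huge sizes; the bytes realloc
 * must preserve (min(old, new)) carry a per-thread pattern that is verified. */
static void *thr_func(void *arg)
{
    struct worker *w = arg;
    unsigned char pat = (unsigned char)(0x41 + w->seed % 26);
    unsigned char *buf = NULL, *new;
    size_t len = 0, newlen, keep, i, j;
    for (i = 0; i < ITERS; i++) {
        w->seed = w->seed * 1103515245u + 12345u;   /* tiny LCG: repeatable per thread */
        newlen = (size_t)((w->seed >> 16) % (MAX_MIB + 1)) << 20;
        new = realloc(buf, newlen);
        if (newlen != 0 && new == NULL)
            break;                  /* out of memory: stop, old buf is still valid */
        buf = new;
        keep = len < newlen ? len : newlen;
        for (j = 0; j < keep; j += STRIDE)
            if (buf[j] != pat) w->errors++;     /* preserved byte was clobbered */
        for (j = 0; j < newlen; j += STRIDE)
            buf[j] = pat;           /* re-stamp the whole new block */
        len = newlen;
    }
    free(buf);
    return NULL;
}
/* Returns the total number of integrity failures, or -1 if a thread could not
 * be started. Seeds are fixed so a failing run can be repeated exactly. */
long run_stress(void)
{
    pthread_t thr[THR_NUM]; struct worker w[THR_NUM];
    long total = 0; int i;
    for (i = 0; i < THR_NUM; i++) {
        w[i].seed = 1000u + (unsigned)i; w[i].errors = 0;
        if (pthread_create(&thr[i], NULL, thr_func, &w[i]) != 0)
            return -1;
    }
    for (i = 0; i < THR_NUM; i++) {
        pthread_join(thr[i], NULL);
        total += w[i].errors;
    }
    return total;
}
```

On a correct allocator run_stress() returns 0; a race like the one reported here shows up either as a crash inside realloc or as a non-zero count.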