From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugs-return-458030-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 6246 invoked by alias); 8 Aug 2014 12:18:21 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Received: (qmail 6218 invoked by uid 48); 8 Aug 2014 12:18:17 -0000
From: "chefmax at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
Date: Fri, 08 Aug 2014 12:18:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: testsuite
X-Bugzilla-Version: 4.10.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: minor
X-Bugzilla-Who: chefmax at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID: <bug-62060-4-5I5up0vx4b@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-62060-4@http.gcc.gnu.org/bugzilla/>
References: <bug-62060-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00527.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

--- Comment #2 from Maxim Ostapenko <chefmax at gcc dot gnu.org> ---
(In reply to vries from comment #1)
> Tentative patch:
> ...
> diff --git a/gcc/testsuite/g++.dg/tsan/cond_race.C
> b/gcc/testsuite/g++.dg/tsan/cond_race.C
> index a937614..90dfb19 100644
> --- a/gcc/testsuite/g++.dg/tsan/cond_race.C
> +++ b/gcc/testsuite/g++.dg/tsan/cond_race.C
> @@ -1,5 +1,5 @@
>  /* { dg-shouldfail "tsan" } */
> -/* { dg-output "ThreadSanitizer: data race.*" } */
> +/* { dg-output "ThreadSanitizer: (data race|heap-use-after-free).*" } */
>  /* { dg-output "pthread_cond_signal.*" } */
>  
>  #include <stdio.h>
> ...

This test was copied from LLVM compiler-rt testsuite. I see that compiler-rt
developers added sleep (1) right after pthread_mutex_unlock to avoid this
problem. Perhaps we should do the same?

diff --git a/gcc/testsuite/g++.dg/tsan/cond_race.C
b/gcc/testsuite/g++.dg/tsan/cond_race.C
index a937614..805465d 100644
--- a/gcc/testsuite/g++.dg/tsan/cond_race.C
+++ b/gcc/testsuite/g++.dg/tsan/cond_race.C
@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <pthread.h>
+#include <unistd.h>

 struct Ctx {
   pthread_mutex_t m;
@@ -31,6 +32,8 @@ int main() {
   while (!c->done)
     pthread_cond_wait(&c->c, &c->m);
   pthread_mutex_unlock(&c->m);
+  // w/o this sleep, it can be reported as use-after-free
+  sleep(1);
   delete c;
   pthread_join(th, 0);
 }