[Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free
@ 2014-08-08 10:02 vries at gcc dot gnu.org
  2014-08-08 10:29 ` [Bug testsuite/62060] " vries at gcc dot gnu.org
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: vries at gcc dot gnu.org @ 2014-08-08 10:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

            Bug ID: 62060
           Summary: g++.dg/tsan/cond_race.C triggers heap-use-after-free
           Product: gcc
           Version: 4.10.0
            Status: UNCONFIRMED
          Severity: minor
          Priority: P3
         Component: testsuite
          Assignee: unassigned at gcc dot gnu.org
          Reporter: vries at gcc dot gnu.org

When testing a gcc patch, I ran into this failure
...
-./gcc/testsuite/g++/g++.sum:PASS: g++.dg/tsan/cond_race.C   -O2  output
pattern test, ThreadSanitizer: data race.*pthread_cond_signal.*
+./gcc/testsuite/g++/g++.sum:FAIL: g++.dg/tsan/cond_race.C   -O2  output
pattern test, is ==================
...

I've run into the same failure before, here:
https://gcc.gnu.org/ml/gcc-patches/2014-04/msg01758.html .

Also, I've noticed it here:
https://gcc.gnu.org/ml/gcc-testresults/2014-01/msg00127.html .


The complete failure from the log is:
...
FAIL: g++.dg/tsan/cond_race.C   -O2  output pattern test, is ==================
WARNING: ThreadSanitizer: heap-use-after-free (pid=5192)
  Read of size 8 at 0x7d180000efc8 by thread T1:
    #0 pthread_cond_signal src/libsanitizer/tsan/tsan_interceptors.cc:1011
(libtsan.so.0+0x000000027794)
    #1 thr(void*) src/gcc/testsuite/g++.dg/tsan/cond_race.C:20
(cond_race.exe+0x000000001033)

  Previous write of size 8 at 0x7d180000efc8 by main thread:
    #0 operator delete(void*) src/libsanitizer/tsan/tsan_interceptors.cc:583
(libtsan.so.0+0x000000025ab9)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:34
(cond_race.exe+0x000000000ea0)

  Location is heap block of size 96 at 0x7d180000efa0 allocated by main thread:
    #0 operator new(unsigned long)
src/libsanitizer/tsan/tsan_interceptors.cc:551 (libtsan.so.0+0x000000025863)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:25
(cond_race.exe+0x000000000e12)

  Thread T1 (tid=5200, running) created by main thread at:
    #0 pthread_create src/libsanitizer/tsan/tsan_interceptors.cc:853
(libtsan.so.0+0x000000026f54)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:29
(cond_race.exe+0x000000000e5a)

SUMMARY: ThreadSanitizer: heap-use-after-free
src/gcc/testsuite/g++.dg/tsan/cond_race.C:20 thr(void*)
==================
ThreadSanitizer: reported 1 warnings
, should match ThreadSanitizer: data race.*pthread_cond_signal.*
...

When compiling and running from the command line, the expected output is
produced:
...
WARNING: ThreadSanitizer: data race (pid=6294)
  Write of size 8 at 0x7d180000efc8 by main thread:
    #0 operator delete(void*) src/libsanitizer/tsan/tsan_interceptors.cc:583
(libtsan.so.0+0x000000025ab9)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:34
(cond_race.exe+0x000000000d00)

  Previous read of size 8 at 0x7d180000efc8 by thread T1:
    #0 pthread_cond_signal src/libsanitizer/tsan/tsan_interceptors.cc:1011
(libtsan.so.0+0x000000027794)
    #1 thr(void*) src/gcc/testsuite/g++.dg/tsan/cond_race.C:20
(cond_race.exe+0x000000000e93)

  Location is heap block of size 96 at 0x7d180000efa0 allocated by main thread:
    #0 operator new(unsigned long)
src/libsanitizer/tsan/tsan_interceptors.cc:551 (libtsan.so.0+0x000000025863)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:25
(cond_race.exe+0x000000000c72)

  Thread T1 (tid=6296, running) created by main thread at:
    #0 pthread_create src/libsanitizer/tsan/tsan_interceptors.cc:853
(libtsan.so.0+0x000000026f54)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:29
(cond_race.exe+0x000000000cba)

SUMMARY: ThreadSanitizer: data race
src/gcc/testsuite/g++.dg/tsan/cond_race.C:34 main
...

So, it seems there is a data race between:
- the write from the delete at line 34, and
- the read from the pthread_cond_signal at line 20.

If the write comes first, we get the heap-use-after-free message. If the read
comes first, we get the data race message.

Tentatively setting component to testsuite.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
  2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
@ 2014-08-08 10:29 ` vries at gcc dot gnu.org
  2014-08-08 12:18 ` chefmax at gcc dot gnu.org
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: vries at gcc dot gnu.org @ 2014-08-08 10:29 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

vries at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chefmax at gcc dot gnu.org

--- Comment #1 from vries at gcc dot gnu.org ---
Tentative patch:
...
diff --git a/gcc/testsuite/g++.dg/tsan/cond_race.C
b/gcc/testsuite/g++.dg/tsan/cond_race.C
index a937614..90dfb19 100644
--- a/gcc/testsuite/g++.dg/tsan/cond_race.C
+++ b/gcc/testsuite/g++.dg/tsan/cond_race.C
@@ -1,5 +1,5 @@
 /* { dg-shouldfail "tsan" } */
-/* { dg-output "ThreadSanitizer: data race.*" } */
+/* { dg-output "ThreadSanitizer: (data race|heap-use-after-free).*" } */
 /* { dg-output "pthread_cond_signal.*" } */

 #include <stdio.h>
...


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
  2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
  2014-08-08 10:29 ` [Bug testsuite/62060] " vries at gcc dot gnu.org
@ 2014-08-08 12:18 ` chefmax at gcc dot gnu.org
  2014-08-08 13:29 ` vries at gcc dot gnu.org
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: chefmax at gcc dot gnu.org @ 2014-08-08 12:18 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

--- Comment #2 from Maxim Ostapenko <chefmax at gcc dot gnu.org> ---
(In reply to vries from comment #1)
> Tentative patch:
> ...
> diff --git a/gcc/testsuite/g++.dg/tsan/cond_race.C
> b/gcc/testsuite/g++.dg/tsan/cond_race.C
> index a937614..90dfb19 100644
> --- a/gcc/testsuite/g++.dg/tsan/cond_race.C
> +++ b/gcc/testsuite/g++.dg/tsan/cond_race.C
> @@ -1,5 +1,5 @@
>  /* { dg-shouldfail "tsan" } */
> -/* { dg-output "ThreadSanitizer: data race.*" } */
> +/* { dg-output "ThreadSanitizer: (data race|heap-use-after-free).*" } */
>  /* { dg-output "pthread_cond_signal.*" } */
>  
>  #include <stdio.h>
> ...

This test was copied from LLVM compiler-rt testsuite. I see that compiler-rt
developers added sleep (1) right after pthread_mutex_unlock to avoid this
problem. Perhaps we should do the same?

diff --git a/gcc/testsuite/g++.dg/tsan/cond_race.C
b/gcc/testsuite/g++.dg/tsan/cond_race.C
index a937614..805465d 100644
--- a/gcc/testsuite/g++.dg/tsan/cond_race.C
+++ b/gcc/testsuite/g++.dg/tsan/cond_race.C
@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <pthread.h>
+#include <unistd.h>

 struct Ctx {
   pthread_mutex_t m;
@@ -31,6 +32,8 @@ int main() {
   while (!c->done)
     pthread_cond_wait(&c->c, &c->m);
   pthread_mutex_unlock(&c->m);
+  // w/o this sleep, it can be reported as use-after-free
+  sleep(1);
   delete c;
   pthread_join(th, 0);
 }


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
  2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
  2014-08-08 10:29 ` [Bug testsuite/62060] " vries at gcc dot gnu.org
  2014-08-08 12:18 ` chefmax at gcc dot gnu.org
@ 2014-08-08 13:29 ` vries at gcc dot gnu.org
  2014-08-08 16:02 ` tetra2005 at gmail dot com
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: vries at gcc dot gnu.org @ 2014-08-08 13:29 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

--- Comment #3 from vries at gcc dot gnu.org ---
Created attachment 33275
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=33275&action=edit
script to find differences

It seems we're missing more changes:
...
$ ./find.sh
--- compiler-rt/test/tsan/cond_race.cc    2014-08-08 14:23:28.907916207 +0200
+++ devel/src/gcc/testsuite/g++.dg/tsan/cond_race.C    2014-07-28
09:45:52.277091371 +0200
@@ -6,7 +5,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <pthread.h>
-#include <unistd.h>

 struct Ctx {
   pthread_mutex_t m;
@@ -33,8 +31,6 @@
   while (!c->done)
     pthread_cond_wait(&c->c, &c->m);
   pthread_mutex_unlock(&c->m);
-  // w/o this sleep, it can be reported as use-after-free
-  sleep(1);
   delete c;
   pthread_join(th, 0);
 }
--- compiler-rt/test/tsan/thread_leak2.c    2014-08-08 14:23:28.927916207 +0200
+++ devel/src/gcc/testsuite/c-c++-common/tsan/thread_leak2.c    2014-07-28
09:45:52.185091367 +0200
@@ -1,16 +1,19 @@
+
 #include <pthread.h>
-#include <stdio.h>
+#include <unistd.h>

 void *Thread(void *x) {
   return 0;
 }

 int main() {
+  int i;
+  for (i = 0; i < 5; i++) {
   pthread_t t;
   pthread_create(&t, 0, Thread, 0);
-  pthread_detach(t);
-  printf("PASS\n");
+  }
+  sleep(1);
   return 0;
 }

--- compiler-rt/test/tsan/mutexset1.cc    2014-08-08 14:23:28.919916207 +0200
+++ devel/src/gcc/testsuite/c-c++-common/tsan/mutexset1.c    2014-07-28
16:48:55.546509594 +0200
@@ -16,7 +17,8 @@

 void *Thread2(void *x) {
   Global--;
-  return NULL;
+
 }

 int main() {
@@ -34,4 +29,12 @@
   pthread_join(t[0], NULL);
   pthread_join(t[1], NULL);
   pthread_mutex_destroy(&mtx);
+  return 0;
 }
+
--- compiler-rt/test/tsan/tls_race.cc    2014-08-08 14:23:28.907916207 +0200
+++ devel/src/gcc/testsuite/c-c++-common/tsan/tls_race.c    2014-07-28
09:45:52.185091367 +0200
@@ -1,10 +1,9 @@
+
 #include <pthread.h>
 #include <stddef.h>
-#include <unistd.h>

 void *Thread(void *a) {
-  sleep(1);
   *(int*)a = 43;
   return 0;
 }
--- compiler-rt/test/tsan/atomic_stack.cc    2014-08-08 14:23:28.995916208
+0200
+++ devel/src/gcc/testsuite/c-c++-common/tsan/atomic_stack.c    2014-07-28
09:45:52.185091367 +0200
@@ -21,9 +22,10 @@
   pthread_create(&t[1], NULL, Thread2, NULL);
   pthread_join(t[0], NULL);
   pthread_join(t[1], NULL);
+  return 0;
 }


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
  2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2014-08-08 13:29 ` vries at gcc dot gnu.org
@ 2014-08-08 16:02 ` tetra2005 at gmail dot com
  2014-08-08 16:15 ` tetra2005 at gmail dot com
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: tetra2005 at gmail dot com @ 2014-08-08 16:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

Yuri Gribov <tetra2005 at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kcc at gcc dot gnu.org

--- Comment #4 from Yuri Gribov <tetra2005 at gmail dot com> ---
Adding kcc. It may make sense to detect testsuite changes during libsanitizer
merges.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
  2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
                   ` (3 preceding siblings ...)
  2014-08-08 16:02 ` tetra2005 at gmail dot com
@ 2014-08-08 16:15 ` tetra2005 at gmail dot com
  2015-01-12 20:34 ` bernd.edlinger at hotmail dot de
  2015-01-13  8:26 ` vries at gcc dot gnu.org
  6 siblings, 0 replies; 8+ messages in thread
From: tetra2005 at gmail dot com @ 2014-08-08 16:15 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

Yuri Gribov <tetra2005 at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #5 from Yuri Gribov <tetra2005 at gmail dot com> ---
Also added Jakub. Looks like LLVM and GCC use orthogonal approaches to deflake
TSan tests: GCC does this in source code
(https://groups.google.com/forum/#!topic/thread-sanitizer/KIok3F_b1oI) whereas
LLVM chose to go with retrying testrunner
(http://lists.cs.uiuc.edu/pipermail/llvm-commits/Week-of-Mon-20140526/218813.html).


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
  2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
                   ` (4 preceding siblings ...)
  2014-08-08 16:15 ` tetra2005 at gmail dot com
@ 2015-01-12 20:34 ` bernd.edlinger at hotmail dot de
  2015-01-13  8:26 ` vries at gcc dot gnu.org
  6 siblings, 0 replies; 8+ messages in thread
From: bernd.edlinger at hotmail dot de @ 2015-01-12 20:34 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

Bernd Edlinger <bernd.edlinger at hotmail dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernd.edlinger at hotmail dot de

--- Comment #6 from Bernd Edlinger <bernd.edlinger at hotmail dot de> ---
should be fixed by r219367


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [Bug testsuite/62060] g++.dg/tsan/cond_race.C triggers heap-use-after-free
  2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
                   ` (5 preceding siblings ...)
  2015-01-12 20:34 ` bernd.edlinger at hotmail dot de
@ 2015-01-13  8:26 ` vries at gcc dot gnu.org
  6 siblings, 0 replies; 8+ messages in thread
From: vries at gcc dot gnu.org @ 2015-01-13  8:26 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060

vries at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from vries at gcc dot gnu.org ---
Marking resolved, fixed


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2015-01-13  8:26 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-08 10:02 [Bug testsuite/62060] New: g++.dg/tsan/cond_race.C triggers heap-use-after-free vries at gcc dot gnu.org
2014-08-08 10:29 ` [Bug testsuite/62060] " vries at gcc dot gnu.org
2014-08-08 12:18 ` chefmax at gcc dot gnu.org
2014-08-08 13:29 ` vries at gcc dot gnu.org
2014-08-08 16:02 ` tetra2005 at gmail dot com
2014-08-08 16:15 ` tetra2005 at gmail dot com
2015-01-12 20:34 ` bernd.edlinger at hotmail dot de
2015-01-13  8:26 ` vries at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).