public inbox for gdb-prs@sourceware.org
* [Bug gdb/29311] New: [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free^M
From: vries at gcc dot gnu.org @ 2022-07-01  8:08 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

            Bug ID: 29311
           Summary: [gdb] ThreadSanitizer: data race
                    (/lib64/libtsan.so.2+0x4c5e2) in free^M
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: vries at gcc dot gnu.org
  Target Milestone: ---

I built gdb with gcc 12.1.0 (system gcc) and -fsanitize=thread on openSUSE
(with system glibc 2.35) Tumbleweed, and ran the testsuite, and ran into issues
with gdb.ada/char_enum_unicode.exp:
...
WARNING: ThreadSanitizer: data race (pid=21301)^M
  Write of size 8 at 0x7b2000008080 by main thread:^M
    #0 free <null> (libtsan.so.2+0x4c5e2)^M
    #1 _dl_close_worker <null> (ld-linux-x86-64.so.2+0x4b7b)^M
    #2 convert_between_encodings(char const*, char const*, unsigned char
const*, unsigned int, int, obstack*, transliterations)
/data/vries/gdb_versions/devel/src/gdb/charset.c:584 (gdb+0x64fc37)^M
  ...
^M
  Previous write of size 8 at 0x7b2000008080 by thread T1:^M
    [failed to restore the stack]^M
...

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free^M
From: vries at gcc dot gnu.org @ 2022-07-01  8:09 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
Created attachment 14187
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14187&action=edit
gdb.log


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-01  8:09 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[gdb] ThreadSanitizer: data |[gdb] ThreadSanitizer: data
                   |race                        |race
                   |(/lib64/libtsan.so.2+0x4c5e |(/lib64/libtsan.so.2+0x4c5e
                   |2) in free^M                |2) in free


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-01  8:16 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

--- Comment #2 from Tom de Vries <vries at gcc dot gnu.org> ---
Created attachment 14188
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14188&action=edit
LOG.txt

When trying to reproduce from the command line:
...
$ bash -x ./gdb.sh ./outputs/gdb.ada/char_enum_unicode/foo -batch -ex "break
foo.adb:26" 2>&1 | tee LOG.txt^C
...
I run into a different problem:
...
WARNING: ThreadSanitizer: data race (pid=30917)
  Write of size 8 at 0x7b0400004070 by main thread:
    #0 free <null> (libtsan.so.2+0x4c5e2)
    #1 xfree<char> /data/vries/gdb_versions/devel/src/gdb/../gdbsupport/gdb-x\
free.h:37 (gdb+0x650f17)
    #2 charset_vector::clear() /data/vries/gdb_versions/devel/src/gdb/charset\
.c:703 (gdb+0x651354)
    #3 charset_vector::~charset_vector() /data/vries/gdb_versions/devel/src/g\
db/charset.c:697 (gdb+0x6512d3)
    #4 <null> <null> (libtsan.so.2+0x32643)
    #5 captured_main_1 /data/vries/gdb_versions/devel/src/gdb/main.c:1310 (gd\
b+0xa3975a)

  Previous read of size 1 at 0x7b0400004072 by thread T1:
    [failed to restore the stack]
...

Same thing if I remove -batch and type quit instead.

So, is this a problem with


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-01  8:17 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

--- Comment #3 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #2)
> So, is this a problem with 
order of destroying things?

First the threads need to be destroyed, before objects that may have been used
by those threads?


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-13 10:58 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #3)
> (In reply to Tom de Vries from comment #2)
> > So, is this a problem with 
> order of destroying things?
> 
> First the threads need to be destroyed, before objects that may have been
> used by those threads?

Hmm, in a way it could be.

There's a static vector, which is written by the main thread at initialization
time, then read by various threads, and destroyed upon exit by the main thread.

We don't wait on pending tasks before exit, so some of those could still be
running and accessing the vector, or rather, what it points to.

This stops us from xfreeing the strings contained in the vector:
...
diff --git a/gdb/charset.c b/gdb/charset.c
index 74f742e0aa7..e9d28fcb1b1 100644
--- a/gdb/charset.c
+++ b/gdb/charset.c
@@ -694,7 +694,7 @@ struct charset_vector
 {
   ~charset_vector ()
   {
-    clear ();
+    charsets.clear ();
   }

   void clear ()
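Review bot: in `~charset_vector ()`, the new `charsets.clear ();` drops the pointers without freeing the strings, and nothing in the hunk says that this leak is intentional. Add a comment above that line stating that the strings are deliberately not freed because worker threads may still be reading them at exit; otherwise a later cleanup is likely to restore `clear ();` and bring the race back. It is also worth checking whether the `clear ()` member kept below still has callers, since per the trace in comment 2 it is the path that reaches xfree.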
...
and that fixes the race condition from comment 2.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 10+ messages in thread
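
The teardown orders discussed in comment #4, as an added example that is not part of the thread or of gdb's source: a table of strings written by the main thread, tasks that still hold pointers into it, and the two orders that keep those pointers valid (drop the pointers but leak the strings, as the patch does, or join the tasks and then free). All names (`task`, `gate`, `teardown`, the policy enum) are hypothetical, and the `gate` mutex is a constructed stand-in for tasks that are still pending when the main thread tears down.

```c
/* Added example, not gdb code; every name below is hypothetical.  */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

enum { NCHARSETS = 3, NWORKERS = 4 };
enum policy { LEAK_STRINGS, JOIN_THEN_FREE };   /* free-without-join omitted */
static char *charsets[NCHARSETS];   /* written by main before tasks start */
static pthread_t workers[NWORKERS];
static pthread_mutex_t gate = PTHREAD_MUTEX_INITIALIZER;
static size_t bytes_read;           /* guarded by gate */

static void *task (void *arg) {     /* arg points into a table-owned string */
  pthread_mutex_lock (&gate);       /* pending until main opens the gate */
  bytes_read += strlen (arg);       /* string must still be allocated here */
  pthread_mutex_unlock (&gate);
  return NULL;
}

static void start (void) {
  static const char *names[NCHARSETS] = { "UTF-8", "UTF-32LE", "ASCII" };
  pthread_mutex_lock (&gate);       /* hold every task back */
  bytes_read = 0;
  for (int i = 0; i < NCHARSETS; i++)
    charsets[i] = strcpy (malloc (strlen (names[i]) + 1), names[i]);
  for (int i = 0; i < NWORKERS; i++)
    pthread_create (&workers[i], NULL, task, charsets[i % NCHARSETS]);
}

static void join_all (void) {
  pthread_mutex_unlock (&gate);     /* let the pending tasks run */
  for (int i = 0; i < NWORKERS; i++) pthread_join (workers[i], NULL);
}

static int teardown (enum policy p) {   /* returns number of strings freed */
  if (p == JOIN_THEN_FREE) {
    join_all ();                    /* no task can still read the strings */
    for (int i = 0; i < NCHARSETS; i++) free (charsets[i]);
  }
  memset (charsets, 0, sizeof charsets);  /* LEAK_STRINGS drops only pointers */
  return p == JOIN_THEN_FREE ? NCHARSETS : 0;
}

int main (void) {
  start ();
  int freed = teardown (LEAK_STRINGS);  /* tasks are still pending here */
  join_all ();
  return !(freed == 0 && bytes_read == 23);
}
```

Compile with `-pthread`; adding `-fsanitize=thread`, the flag used in the report, lets ThreadSanitizer check both orders.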

* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-13 11:15 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

--- Comment #5 from Tom de Vries <vries at gcc dot gnu.org> ---
I tried to reproduce the problem outside gdb using:
...
$ cat test.c
#include <iconv.h>
#include <pthread.h>

const char *from = "UTF-8";
const char *to = "UTF-32LE";

static void
bar (void)
{
  int i;
  for (i = 0; i < 1000; ++i)
    {
      iconv_t handle = iconv_open (to, from);
      iconv_close (handle);
    }
}

static void *
foo (void *arg)
{
  bar ();
  return NULL;
}

int
main (void)
{
  pthread_t threadId;

  int i;
  for (i = 0; i < 4; ++i)
    {
      pthread_create (&threadId, NULL, &foo, NULL);
      pthread_detach (threadId);
    }

  bar ();

  return 0;
}
...
but no luck there.


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-14  7:07 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

--- Comment #6 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #4)
> (In reply to Tom de Vries from comment #3)
> > (In reply to Tom de Vries from comment #2)
> > > So, is this a problem with 
> > order of destroying things?
> > 
> > First the threads need to be destroyed, before objects that may have been
> > used by those threads?
> 
> Hmm, in a way it could be.
> 
> There's a static vector, which is written by the main thread at
> initialization time, then read by various threads, and destroyed upon exit
> by the main thread.
> 
> We don't wait on pending tasks before exit, so some of those could still be
> running and accessing the vector, or rather, what it points to.
> 
> This stops us from xfreeing the strings contained in the vector:
> ...
> diff --git a/gdb/charset.c b/gdb/charset.c
> index 74f742e0aa7..e9d28fcb1b1 100644
> --- a/gdb/charset.c
> +++ b/gdb/charset.c
> @@ -694,7 +694,7 @@ struct charset_vector
>  {
>    ~charset_vector ()
>    {
> -    clear ();
> +    charsets.clear ();
>    }
>  
>    void clear ()
> ...
> and that fixes the race condition from comment 2.

https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=4f92e10cda142fd1f213e01a53ca687e38cddf22


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-14  7:07 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

--- Comment #7 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #0)
> I built gdb with gcc 12.1.0 (system gcc) and -fsanitize=thread on openSUSE
> (with system glibc 2.35) Tumbleweed, and ran the testsuite, and ran into
> issues with gdb.ada/char_enum_unicode.exp:
> ...
> WARNING: ThreadSanitizer: data race (pid=21301)^M
>   Write of size 8 at 0x7b2000008080 by main thread:^M
>     #0 free <null> (libtsan.so.2+0x4c5e2)^M
>     #1 _dl_close_worker <null> (ld-linux-x86-64.so.2+0x4b7b)^M
>     #2 convert_between_encodings(char const*, char const*, unsigned char
> const*, unsigned int, int, obstack*, transliterations)
> /data/vries/gdb_versions/devel/src/gdb/charset.c:584 (gdb+0x64fc37)^M
>   ...
> ^M
>   Previous write of size 8 at 0x7b2000008080 by thread T1:^M
>     [failed to restore the stack]^M
> ...

https://sourceware.org/pipermail/gdb-patches/2022-July/190743.html


* [Bug gdb/29311] [gdb] ThreadSanitizer: data race (/lib64/libtsan.so.2+0x4c5e2) in free
From: vries at gcc dot gnu.org @ 2022-07-14 18:49 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=29311

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |13.1
         Resolution|---                         |FIXED

--- Comment #8 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #7)
> (In reply to Tom de Vries from comment #0)
> > I built gdb with gcc 12.1.0 (system gcc) and -fsanitize=thread on openSUSE
> > (with system glibc 2.35) Tumbleweed, and ran the testsuite, and ran into
> > issues with gdb.ada/char_enum_unicode.exp:
> > ...
> > WARNING: ThreadSanitizer: data race (pid=21301)^M
> >   Write of size 8 at 0x7b2000008080 by main thread:^M
> >     #0 free <null> (libtsan.so.2+0x4c5e2)^M
> >     #1 _dl_close_worker <null> (ld-linux-x86-64.so.2+0x4b7b)^M
> >     #2 convert_between_encodings(char const*, char const*, unsigned char
> > const*, unsigned int, int, obstack*, transliterations)
> > /data/vries/gdb_versions/devel/src/gdb/charset.c:584 (gdb+0x64fc37)^M
> >   ...
> > ^M
> >   Previous write of size 8 at 0x7b2000008080 by thread T1:^M
> >     [failed to restore the stack]^M
> > ...
> 
> https://sourceware.org/pipermail/gdb-patches/2022-July/190743.html

https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=7d1a572d6b5194d36a96f36b3d28ce591341deb6
