public inbox for glibc-bugs@sourceware.org
* [Bug libc/770] New: possible deadlock on double-free logging
@ 2005-02-26 21:29 qboosh at pld-linux dot org
  2005-02-26 21:35 ` [Bug libc/770] " qboosh at pld-linux dot org
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: qboosh at pld-linux dot org @ 2005-02-26 21:29 UTC (permalink / raw)
  To: glibc-bugs

_int_free() (malloc/malloc.c), which is called from free() with the arena mutex
locked, checks and eventually prints/logs an error message.
So if malloc_printerr() handling does some malloc()/free() on the same memory
arena, a deadlock can occur.
vsyslog() can call free() during tz manipulation.

Yes, this deadlock is triggered by buggy code.
But it's all inside libc, not caused by actual memory corruption.

-- 
           Summary: possible deadlock on double-free logging
           Product: glibc
           Version: 2.3.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: gotom at debian dot or dot jp
        ReportedBy: qboosh at pld-linux dot org
                CC: glibc-bugs at sources dot redhat dot com


http://sources.redhat.com/bugzilla/show_bug.cgi?id=770

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
@ 2005-02-26 21:35 ` qboosh at pld-linux dot org
  2005-02-26 21:37 ` qboosh at pld-linux dot org
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: qboosh at pld-linux dot org @ 2005-02-26 21:35 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From qboosh at pld-linux dot org  2005-02-26 21:35 -------
Created an attachment (id=424)
 --> (http://sources.redhat.com/bugzilla/attachment.cgi?id=424&action=view)
testcase for deadlock on double-free logging

Simplified testcase to trigger the deadlock (originally it was detected in a daemon
which didn't want to exit on SIGPIPE when run on NPTL libc - it tried to do a
double shutdown).

The deadlock occurs on NPTL libc or when it's linked with linuxthreads libpthread.
When run on just linuxthreads libc it logs a double-free error and aborts
(as there is no real locking in single-thread code).


* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
  2005-02-26 21:35 ` [Bug libc/770] " qboosh at pld-linux dot org
@ 2005-02-26 21:37 ` qboosh at pld-linux dot org
  2005-02-26 21:38 ` qboosh at pld-linux dot org
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: qboosh at pld-linux dot org @ 2005-02-26 21:37 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From qboosh at pld-linux dot org  2005-02-26 21:37 -------
*** Bug 771 has been marked as a duplicate of this bug. ***


* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
  2005-02-26 21:35 ` [Bug libc/770] " qboosh at pld-linux dot org
  2005-02-26 21:37 ` qboosh at pld-linux dot org
@ 2005-02-26 21:38 ` qboosh at pld-linux dot org
  2005-02-26 21:39 ` qboosh at pld-linux dot org
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: qboosh at pld-linux dot org @ 2005-02-26 21:38 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From qboosh at pld-linux dot org  2005-02-26 21:38 -------
*** Bug 772 has been marked as a duplicate of this bug. ***


* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (2 preceding siblings ...)
  2005-02-26 21:38 ` qboosh at pld-linux dot org
@ 2005-02-26 21:39 ` qboosh at pld-linux dot org
  2008-04-30 20:28 ` bugzilla at tree dot tlrmx dot org
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: qboosh at pld-linux dot org @ 2005-02-26 21:39 UTC (permalink / raw)
  To: glibc-bugs



-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
    Attachment #424|text/plain                  |text/x-c
          mime type|                            |
 Attachment #424 is|1                           |0
              patch|                            |



* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (3 preceding siblings ...)
  2005-02-26 21:39 ` qboosh at pld-linux dot org
@ 2008-04-30 20:28 ` bugzilla at tree dot tlrmx dot org
  2010-06-01  1:50 ` pasky at suse dot cz
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugzilla at tree dot tlrmx dot org @ 2008-04-30 20:28 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bugzilla at tree dot tlrmx dot org  2008-04-30 20:27 -------
This happens to us once a day or so (obviously the double-free that causes the
problem is periodic in some fashion). For us deadlocking is mostly worse than
just allowing some potential corruption due to a double-free.

We are using glibc-2.5-12 x86-64 on a CentOS 5 machine.

Here are some musings from #glibc IRC where I reported that I had seen this bug.

<ryanarn> hrm.. that one's been about for a while.  I wonder why there's been no
movement on it.
<sjmunroe> the mutex is locked in free which calls _int_free(), so _int_free
does not know about the lock
<sjmunroe> to avoid this _int_free would have to report the error back to free
so free could do the unlock before reposting the error


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla at tree dot tlrmx
                   |                            |dot org


http://sourceware.org/bugzilla/show_bug.cgi?id=770
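
The locking problem from the original report and the ordering sjmunroe describes in the IRC excerpt above, as an added example that is not part of the thread and not glibc code. It is a toy arena whose names (toy_free, toy_int_free, toy_printerr, log_buf) are hypothetical, and it assumes an error-checking mutex so that the self-deadlock shows up as EDEADLK instead of a hang.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
/* Toy model, not glibc code: one arena lock, chunks tracked by a flag. */
struct chunk { bool in_use; };
static pthread_mutex_t arena_lock;
static struct chunk log_buf;   /* buffer the logging path releases */
static int relock_attempts;    /* each one would hang on a normal mutex */
static int toy_free(struct chunk *c, bool report_after_unlock);

/* Stand-in for malloc_printerr() -> vsyslog(): logging frees a buffer. */
static void toy_printerr(void) {
    log_buf.in_use = true;
    toy_free(&log_buf, true);
}

/* Runs with arena_lock held. Returns 0 on success, -1 on double free. */
static int toy_int_free(struct chunk *c, bool report_after_unlock) {
    if (c->in_use) { c->in_use = false; return 0; }
    if (!report_after_unlock)
        toy_printerr();        /* reported pattern: log under the lock */
    return -1;
}

static int toy_free(struct chunk *c, bool report_after_unlock) {
    if (pthread_mutex_lock(&arena_lock) == EDEADLK) {
        relock_attempts++;     /* this thread already owns the lock */
        return -1;
    }
    int rc = toy_int_free(c, report_after_unlock);
    pthread_mutex_unlock(&arena_lock);
    if (rc != 0 && report_after_unlock)
        toy_printerr();        /* suggested order: unlock, then report */
    return rc;
}

/* Double-frees one chunk and returns the number of re-entrant lock attempts. */
static int run_double_free(bool report_after_unlock) {
    pthread_mutexattr_t attr;
    struct chunk c = { .in_use = true };
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK); /* EDEADLK, no hang */
    pthread_mutex_init(&arena_lock, &attr);
    pthread_mutexattr_destroy(&attr);
    relock_attempts = 0;
    toy_free(&c, report_after_unlock);
    toy_free(&c, report_after_unlock);   /* the application's double free */
    pthread_mutex_destroy(&arena_lock);
    return relock_attempts;
}
```

run_double_free(false) counts one re-entrant lock attempt, which is the point where a default mutex would block forever; run_double_free(true) counts none because the error is reported only after the arena lock has been released.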


* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (4 preceding siblings ...)
  2008-04-30 20:28 ` bugzilla at tree dot tlrmx dot org
@ 2010-06-01  1:50 ` pasky at suse dot cz
  2010-06-01 15:19 ` bugzilla at tree dot tlrmx dot org
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: pasky at suse dot cz @ 2010-06-01  1:50 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From pasky at suse dot cz  2010-06-01 01:50 -------
I cannot reproduce this on a newer glibc, does this error still happen to you?

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING



* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (5 preceding siblings ...)
  2010-06-01  1:50 ` pasky at suse dot cz
@ 2010-06-01 15:19 ` bugzilla at tree dot tlrmx dot org
  2010-06-01 16:11 ` pasky at suse dot cz
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: bugzilla at tree dot tlrmx dot org @ 2010-06-01 15:19 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bugzilla at tree dot tlrmx dot org  2010-06-01 15:19 -------
Any conceivable testcase is worth nothing compared to the concise explanation of
the problem already recorded in this bug. Tweaks to the allocator could easily
change the exact circumstances and thus invalidate the testcase, while the bug
would still bite real applications. If the problem described wasn't fixed, the
bug still exists. So, did you fix the bug?

Please provide either a reference for the change where you believe you fixed the
bug, or else go fix the bug rather than wasting people's time by asking silly
questions.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW



* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (6 preceding siblings ...)
  2010-06-01 15:19 ` bugzilla at tree dot tlrmx dot org
@ 2010-06-01 16:11 ` pasky at suse dot cz
  2010-06-01 18:34 ` bugzilla at tree dot tlrmx dot org
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: pasky at suse dot cz @ 2010-06-01 16:11 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From pasky at suse dot cz  2010-06-01 16:10 -------
Why so aggressive?

Hmm, it is curious that the bug should still be there, but I cannot trigger it
no matter how hard I try so far (well, I didn't try that hard yet). The new
ATOMIC_FASTBIN mode shouldn't have the bug anymore, but it is still experimental.


* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (7 preceding siblings ...)
  2010-06-01 16:11 ` pasky at suse dot cz
@ 2010-06-01 18:34 ` bugzilla at tree dot tlrmx dot org
  2010-09-17  4:48 ` matt at wilson dot org
  2010-09-17 10:25 ` bugzilla at tree dot tlrmx dot org
  10 siblings, 0 replies; 12+ messages in thread
From: bugzilla at tree dot tlrmx dot org @ 2010-06-01 18:34 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bugzilla at tree dot tlrmx dot org  2010-06-01 18:34 -------
I'd say rather, conservative. For me this is a bug which caused a big clustered
production (revenue generating) system to grind to a halt, often at inopportune
moments. To prove the assertion "somehow this bug has magically gone away
without any action" I have to risk every member of technical staff being woken
in the middle of the night as the app deadlocks suddenly and monitoring systems
start sending alerts. To even prepare for such an escapade might be a week's work.

So I don't want to do that. If the bug is gone, there'll be a patch that fixed
it. I can justify testing such a patch. If there isn't a patch, the bug is just
hiding and this bug report should remain open.

I can confirm (if it's any help) that the testcase supplied by Jakub Bogusz
doesn't deadlock on a modern glibc. But there could be lots of reasons for that.


* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (8 preceding siblings ...)
  2010-06-01 18:34 ` bugzilla at tree dot tlrmx dot org
@ 2010-09-17  4:48 ` matt at wilson dot org
  2010-09-17 10:25 ` bugzilla at tree dot tlrmx dot org
  10 siblings, 0 replies; 12+ messages in thread
From: matt at wilson dot org @ 2010-09-17  4:48 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From matt at wilson dot org  2010-09-17 04:48 -------
Probably the same as: http://sourceware.org/bugzilla/show_bug.cgi?id=10282 (fixed)


* [Bug libc/770] possible deadlock on double-free logging
  2005-02-26 21:29 [Bug libc/770] New: possible deadlock on double-free logging qboosh at pld-linux dot org
                   ` (9 preceding siblings ...)
  2010-09-17  4:48 ` matt at wilson dot org
@ 2010-09-17 10:25 ` bugzilla at tree dot tlrmx dot org
  10 siblings, 0 replies; 12+ messages in thread
From: bugzilla at tree dot tlrmx dot org @ 2010-09-17 10:25 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bugzilla at tree dot tlrmx dot org  2010-09-17 10:25 -------
Possibly. It does seem as though there's been considerable churn on that code.
Here we no longer have a double free (we eventually managed to reproduce it on a
test system under valgrind and fixed it) with which to test, and as already
observed Jakub's original testcase no longer shows the problem in modern glibc.
So I guess closing this as a DUP doesn't hurt if that's what you'd like to do.
