public inbox for glibc-bugs@sourceware.org
* [Bug libc/6710] New: Observed crash due after dlclose() involving DF_1_NODELETE dependency
@ 2008-06-30 21:25 tstarling at wikimedia dot org
  2008-08-13  4:29 ` [Bug libc/6710] " drepper at redhat dot com
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: tstarling at wikimedia dot org @ 2008-06-30 21:25 UTC
  To: glibc-bugs

This bug affects the PHP component called APC, on 64-bit architectures only. I
haven't been able to reproduce it outside of APC, but it looks very much like a
glibc problem. It involves dynamic library dependencies that have DF_1_NODELETE
set in their .dynamic section.

Here's the APC bug report:

http://pecl.php.net/bugs/bug.php?id=10253

I reported it to APC over a year ago. We saw it on redhat, and a credible
comment says that it also affects Debian etch. 

The sequence of events is as follows:
1. Apache dlopens PHP and calls an init function
2. PHP dlopens APC
3. APC depends on librt, so the dynamic linker automatically opens librt
4. Apache finishes configuring and then calls dlclose on PHP. This appears to
free the link map for librt. But because librt has DF_1_NODELETE, it's not
actually deleted, so the link map becomes a dangling pointer.
5. Apache forks lots of times, and each child process dlopens PHP again. Each
child process calls PHP's init function, and so APC is opened again.
6. Exit apache normally
7. During shutdown, glibc attempts to resolve __cxa_finalize from librt. Due to
the corruption of the link map in step 4, it segfaults.

I tried to reproduce this sequence using a simple test app, but it didn't work.
So, to reproduce:

* Use x86_64
* Compile and install Apache 1.3.x, PHP and APC as per standard install instructions
* Confirm that PHP and APC are enabled, say with strace -e trace=open httpd -X
* Run Apache under gdb
* Send SIGTERM, or arrange to have it exit with an error when it tries to bind
port 80
* It should segfault in do_lookup_x()

-- 
           Summary: Observed crash due after dlclose() involving
                    DF_1_NODELETE dependency
           Product: glibc
           Version: 2.3.6
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: tstarling at wikimedia dot org
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: x86_64-redhat-linux
  GCC host triplet: x86_64-redhat-linux
GCC target triplet: x86_64-redhat-linux


http://sourceware.org/bugzilla/show_bug.cgi?id=6710

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug libc/6710] Observed crash due after dlclose() involving DF_1_NODELETE dependency
From: drepper at redhat dot com @ 2008-08-13  4:29 UTC
  To: glibc-bugs


------- Additional Comments From drepper at redhat dot com  2008-08-13 04:28 -------
If there are no bugs in the program itself you have to be able to provide a
reproducer which does not require any outside code.  I tried what you described
and cannot find any problem.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING



* [Bug libc/6710] Observed crash due after dlclose() involving DF_1_NODELETE dependency
From: lucas at sizzo dot org @ 2009-03-11  0:47 UTC
  To: glibc-bugs


------- Additional Comments From lucas at sizzo dot org  2009-03-11 00:46 -------
I've reproduced this via another that depends on librt and verified the problem
has been fixed with the release of glibc 2.5. More specifically it was fixed in
elf/dl-close.c CVS r1.117, git 86d507fee83714136ba6aed311e2989f9cc7c19c.

I backported and tested this in 2.4 and confirmed the fix running Apache/PHP/APC.


* [Bug libc/6710] Observed crash due after dlclose() involving DF_1_NODELETE dependency
From: pasky at suse dot cz @ 2010-06-01  3:50 UTC
  To: glibc-bugs


------- Additional Comments From pasky at suse dot cz  2010-06-01 03:49 -------
Thus we can close this.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|                            |FIXED

