public inbox for glibc-bugs@sourceware.org
* [Bug malloc/15073] New: Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption
@ 2013-01-28 16:18 jpieper at jaybridge dot com
From: jpieper at jaybridge dot com @ 2013-01-28 16:18 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=15073

             Bug #: 15073
           Summary: Race condition using ATOMIC_FASTBINS in _int_free
                    causes crash or heap corruption
           Product: glibc
           Version: 2.15
            Status: NEW
          Severity: normal
          Priority: P2
         Component: malloc
        AssignedTo: unassigned@sourceware.org
        ReportedBy: jpieper@jaybridge.com
    Classification: Unclassified


Created attachment 6833
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6833
Reproduction recipe

I reported the following bug in Ubuntu's libc about 6 months ago, where the
ATOMIC_FASTBINS feature can crash or cause heap corruption.

https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1020210

I'm pasting the content of that problem here and will attach the reproduction
recipe.  Unfortunately, the reproduction recipe is only reliable with the exact
version of eglibc in Ubuntu; given enough time to build an arbitrary version, I
should be able to create one that works with any version.

----

We have an application which makes heavy allocation and de-allocation demands
from multiple threads. We run this application continuously on many servers,
and once every several CPU months or years, we were getting a crash in
_int_free that did not look like vanilla heap corruption. I believe I have
narrowed it down to a race condition in _int_free due to the ATOMIC_FASTBINS
feature. Basically, in the lockless FASTBIN _int_free path, a chunk is pulled
into a local variable with the intent to add it to the fastbins list. However,
the heap consolidation/trim code can race with this, and can coalesce the
entire block and/or give it back to the OS before _int_free has a chance to try
to store it into the fastbins list.

The problem is very challenging to reproduce in situ, but using gdb I have a
recipe which demonstrates the crash 100% of the time on my 12.04 x64 system
running eglibc 2.15. It relies on malloc_trim, although in our in situ data,
the consolidation is triggered as a result of a normal free. malloc_trim is
just easier to control.

While I am not a glibc developer, I could not see any easy ways to fix the
situation shy of disabling ATOMIC_FASTBINS.

I am attaching the reproduction source. Other pertinent information follows:

> jpieper@calculon:~/downloads$ lsb_release -rd
> Description:	Ubuntu 12.04 LTS
> Release:	12.04

> jpieper@calculon:~/downloads$ apt-cache policy libc6
> libc6:
> Installed: 2.15-0ubuntu10
> Candidate: 2.15-0ubuntu10
> Version table:
> *** 2.15-0ubuntu10 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
> 100 /var/lib/dpkg/status

What I expect: I expect the attached application, when run using the gdb script
in the comments, to complete with no failures.
What happened: A SIGSEGV after the final continue.



Thread overview: 25+ messages
2013-01-28 16:18 [Bug malloc/15073] New: Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap corruption jpieper at jaybridge dot com
2013-01-28 16:44 ` [Bug malloc/15073] " ngallaher+sources at deepthought dot org
2013-04-16 14:30 ` siddhesh at redhat dot com
2013-04-16 15:56 ` sources at fatlxception dot no-ip.org
2013-05-13  9:23 ` siddhesh at redhat dot com
2013-10-22 19:31 ` nate+sourceware at jaybridge dot com
2013-10-22 21:11 ` nate+sourceware at jaybridge dot com
2013-12-20 22:11 ` carlos at redhat dot com
2013-12-21  0:39 ` neleai at seznam dot cz
2013-12-22 23:38 ` maxim.kuvyrkov at gmail dot com
2013-12-22 23:41 ` maxim.kuvyrkov at gmail dot com
2013-12-23 21:07 ` cvs-commit at gcc dot gnu.org
2013-12-23 21:12 ` maxim.kuvyrkov at gmail dot com
2013-12-27 23:11 ` maxim.kuvyrkov at gmail dot com
2014-01-05  2:05 ` cvs-commit at gcc dot gnu.org
2014-01-05  2:06 ` cvs-commit at gcc dot gnu.org
2014-01-05  2:16 ` cvs-commit at gcc dot gnu.org
2014-01-05  2:17 ` maxim.kuvyrkov at gmail dot com
2014-01-05  2:18 ` maxim.kuvyrkov at gmail dot com
2014-01-05  2:18 ` cvs-commit at gcc dot gnu.org
2014-01-05  2:18 ` cvs-commit at gcc dot gnu.org
2014-01-05  2:19 ` cvs-commit at gcc dot gnu.org
2014-01-05  2:19 ` maxim.kuvyrkov at gmail dot com
2014-01-05  2:20 ` maxim.kuvyrkov at gmail dot com
2014-06-13 10:11 ` fweimer at redhat dot com
