public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/17090] New: Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: tudorb at gmail dot com @ 2014-06-25 20:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

            Bug ID: 17090
           Summary: Assertion failure (map->l_tls_modid == cnt) when
                    dlopen()ing initial-exec TLS shared objects under
                    certain circumstances
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: tudorb at gmail dot com

Created attachment 7658
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7658&action=edit
test case

When loading an initial-exec TLS object after the initial segment of
dl_tls_dtv_slotinfo_list has been exhausted, the next call to
_dl_allocate_tls_init (say, when creating the next thread) will fail with:

Inconsistency detected by ld.so: dl-tls.c: 422: _dl_allocate_tls_init:
Assertion `map->l_tls_modid == cnt' failed!

glibc has a few data structures regarding thread-local storage handling: a
segmented array with all loaded shared objects that need TLS
(dl_tls_dtv_slotinfo_list) and a fixed-size array (dtv, part of the TCB).

However, glibc has an incorrect assertion if an initial-exec shared object has
been successfully loaded, but is assigned a slot outside of the initial segment
of dl_tls_dtv_slotinfo_list. "cnt" is the index in the current segment, whereas
map->l_tls_modid is the index in the dtv (which includes all segments).

Changing the assertion from

          assert (map->l_tls_modid == cnt);

to

          assert (map->l_tls_modid == total + cnt);

appears to fix the problem, which confirms my hypothesis, but I'm not
well-versed in rtld internals, so there might be something I'm missing here.

I'm attaching a small test program which creates a lot of shared libraries with
initial-exec, dlopen()s them, and then creates a new thread; the call to
_dl_allocate_tls_init from within pthread_create triggers the assertion.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
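
The index mismatch described in the report above, as an added example that is not part of the original report or of glibc's source. It is a simplified model of walking a segmented slot list: the struct layout, the segment sizes and the function `count_failures` are assumptions made for illustration, and only `l_tls_modid`, `cnt` and `total` are names taken from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model for illustration, not glibc source. */
struct map_model { size_t l_tls_modid; };   /* module's index into the dtv */

struct segment {                            /* one piece of the segmented list */
    size_t len;                             /* number of slots in this segment */
    struct map_model **slot;                /* NULL marks an unused slot */
    struct segment *next;
};

enum check { CHECK_CNT, CHECK_TOTAL_PLUS_CNT };

/* Walk all segments and count modules that would trip the chosen check. */
static size_t count_failures(const struct segment *seg, enum check how)
{
    size_t total = 0, failures = 0;         /* total = slots in earlier segments */

    for (; seg != NULL; seg = seg->next) {
        /* Assumption of this model: module ID 0 is never assigned, so the
           first segment is scanned from slot 1. */
        for (size_t cnt = (total == 0 ? 1 : 0); cnt < seg->len; ++cnt) {
            const struct map_model *map = seg->slot[cnt];
            if (map == NULL)
                continue;
            size_t expected = (how == CHECK_CNT) ? cnt : total + cnt;
            if (map->l_tls_modid != expected)
                ++failures;
        }
        total += seg->len;
    }
    return failures;
}

/* Constructed layout: 4-slot initial segment, then a 3-slot second segment. */
static struct map_model m1 = {1}, m2 = {2}, m3 = {3}, m4 = {4}, m5 = {5};
static struct map_model *first_slots[4]  = { NULL, &m1, &m2, &m3 };
static struct map_model *second_slots[3] = { &m4, &m5, NULL };
static struct segment second     = { 3, second_slots, NULL };
static struct segment both       = { 4, first_slots, &second };
static struct segment first_only = { 4, first_slots, NULL };

int main(void)
{
    printf("initial segment only, == cnt:         %zu failures\n",
           count_failures(&first_only, CHECK_CNT));
    printf("two segments,         == cnt:         %zu failures\n",
           count_failures(&both, CHECK_CNT));
    printf("two segments,         == total + cnt: %zu failures\n",
           count_failures(&both, CHECK_TOTAL_PLUS_CNT));
    return 0;
}
```

With only the initial segment the two checks agree, so the `== cnt` form holds until a module lands in a later segment.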



* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: tudorb at gmail dot com @ 2014-06-25 21:59 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

Tudor Bosman <tudorb at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tudorb at gmail dot com


* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: tudorb at gmail dot com @ 2014-06-25 22:00 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

--- Comment #1 from Tudor Bosman <tudorb at gmail dot com> ---
I tested and the bug exists in glibc 2.17 and 2.19.


* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: fweimer at redhat dot com @ 2014-06-26  8:38 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-


* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: aoliva at sourceware dot org @ 2014-11-18 19:13 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

Alexandre Oliva <aoliva at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |aoliva at sourceware dot org
           Assignee|unassigned at sourceware dot org   |aoliva at sourceware dot org

--- Comment #2 from Alexandre Oliva <aoliva at sourceware dot org> ---
Mine


* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: david.abdurachmanov at gmail dot com @ 2014-11-27 22:58 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

David Abdurachmanov <david.abdurachmanov at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |david.abdurachmanov at gmail dot c
                   |                            |om


* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: cvs-commit at gcc dot gnu.org @ 2015-03-17  4:23 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  f8aeae347377f3dfa8cbadde057adf1827fb1d44 (commit)
      from  b97eb2bdb1ed72982a7821c3078be591051cef59 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f8aeae347377f3dfa8cbadde057adf1827fb1d44

commit f8aeae347377f3dfa8cbadde057adf1827fb1d44
Author: Alexandre Oliva <aoliva@redhat.com>
Date:   Tue Mar 17 01:14:11 2015 -0300

    Fix DTV race, assert, DTV_SURPLUS Static TLS limit, and nptl_db garbage

    for  ChangeLog

        [BZ #17090]
        [BZ #17620]
        [BZ #17621]
        [BZ #17628]
        * NEWS: Update.
        * elf/dl-tls.c (_dl_update_slotinfo): Clean up outdated DTV
        entries with Static TLS too.  Skip entries past the end of the
        allocated DTV, from Alan Modra.
        (tls_get_addr_tail): Update to glibc_likely/unlikely.  Move
        Static TLS DTV entry set up from...
        (_dl_allocate_tls_init): ... here (fix modid assertion), ...
        * elf/dl-reloc.c (_dl_nothread_init_static_tls): ... here...
        * nptl/allocatestack.c (init_one_static_tls): ... and here...
        * elf/dlopen.c (dl_open_worker): Drop l_tls_modid upper bound
        for Static TLS.
        * elf/tlsdeschtab.h (map_generation): Return size_t.  Check
        that the slot we find is associated with the given map before
        using its generation count.
        * nptl_db/db_info.c: Include ldsodefs.h.
        (rtld_global, dtv_slotinfo_list, dtv_slotinfo): New typedefs.
        * nptl_db/structs.def (DB_RTLD_VARIABLE): New macro.
        (DB_MAIN_VARIABLE, DB_RTLD_GLOBAL_FIELD): Likewise.
        (link_map::l_tls_offset): New struct field.
        (dtv_t::counter): Likewise.
        (rtld_global): New struct.
        (_rtld_global): New rtld variable.
        (dl_tls_dtv_slotinfo_list): New rtld global field.
        (dtv_slotinfo_list): New struct.
        (dtv_slotinfo): Likewise.
        * nptl_db/td_symbol_list.c: Drop gnu/lib-names.h include.
        (td_lookup): Rename to...
        (td_mod_lookup): ... this.  Use new mod parameter instead of
        LIBPTHREAD_SO.
        * nptl_db/td_thr_tlsbase.c: Include link.h.
        (dtv_slotinfo_list, dtv_slotinfo): New functions.
        (td_thr_tlsbase): Check DTV generation.  Compute Static TLS
        addresses even if the DTV is out of date or missing them.
        * nptl_db/fetch-value.c (_td_locate_field): Do not refuse to
        index zero-length arrays.
        * nptl_db/thread_dbP.h: Include gnu/lib-names.h.
        (td_lookup): Make it a macro implemented in terms of...
        (td_mod_lookup): ... this declaration.
        * nptl_db/db-symbols.awk (DB_RTLD_VARIABLE): Override.
        (DB_MAIN_VARIABLE): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                |   47 +++++++++++++
 NEWS                     |   11 ++--
 elf/dl-open.c            |   12 +---
 elf/dl-reloc.c           |    6 --
 elf/dl-tls.c             |   63 +++++++++--------
 elf/tlsdeschtab.h        |    4 +-
 nptl/allocatestack.c     |    9 +--
 nptl_db/db-symbols.awk   |    2 +
 nptl_db/db_info.c        |    4 +
 nptl_db/fetch-value.c    |    3 +-
 nptl_db/structs.def      |   39 +++++++++++
 nptl_db/td_symbol_list.c |    7 +-
 nptl_db/td_thr_tlsbase.c |  172 +++++++++++++++++++++++++++++++++++++++++++++-
 nptl_db/thread_dbP.h     |   11 ++--
 14 files changed, 317 insertions(+), 73 deletions(-)


* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: aoliva at sourceware dot org @ 2015-03-17  4:37 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

Alexandre Oliva <aoliva at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Alexandre Oliva <aoliva at sourceware dot org> ---
Fixed


* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: schwab@linux-m68k.org @ 2015-05-27 14:26 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |18457


Referenced Bugs:

https://sourceware.org/bugzilla/show_bug.cgi?id=18457
[Bug 18457] pthread_join deadlock in library destructor

* [Bug dynamic-link/17090] Assertion failure (map->l_tls_modid == cnt) when dlopen()ing initial-exec TLS shared objects under certain circumstances
From: siddhesh at redhat dot com @ 2015-07-24 13:46 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17090
Bug 17090 depends on bug 18457, which changed state.

Bug 18457 Summary: pthread_join deadlock in library destructor
https://sourceware.org/bugzilla/show_bug.cgi?id=18457

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

