public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/18429] New: spurious timer wakeup caused by ABA problem in timers handling logic
@ 2015-05-19 10:48 up7 at frtk dot ru
  2015-05-19 10:51 ` [Bug libc/18429] " up7 at frtk dot ru
  2015-08-27 22:27 ` [Bug librt/18429] " jsm28 at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: up7 at frtk dot ru @ 2015-05-19 10:48 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18429

            Bug ID: 18429
           Summary: spurious timer wakeup caused by ABA problem in timers
                    handling logic
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: up7 at frtk dot ru
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Suppose a timer uses signal delivery to the helper thread.  The following
sequence of events happens:

1. Timer A created, suppose it's address is a_ptr. It is added to
__active_timer_sigev_thread list:

      /* Add to the queue of active timers with thread
         delivery.  */
      pthread_mutex_lock (&__active_timer_sigev_thread_lock);
      newp->next = __active_timer_sigev_thread;
      __active_timer_sigev_thread = newp;
      pthread_mutex_unlock (&__active_timer_sigev_thread_lock);

2. timer_helper_thread receives A signal. rt_sigtimedwait returns success:

      /* XXX The size argument hopefully will have to be changed to the
         real size of the user-level sigset_t.  */
      int result = INLINE_SYSCALL (rt_sigtimedwait, 4, &ss, &si, NULL,
                                   _NSIG / 8);

But right after that timer_helper_thread is preemted.

3. High prio thread deletes timer A. It's address is deleted from
__active_timer_sigev_thread list. And then creates timer B. Suppose it's
address is also a_ptr. This address is again inserted in
__active_timer_sigev_thread list.

4. timer_helper_thread continue execution. It checks presence of a_ptr in
_active_timer_sigev_thread list and executes it.

              struct timer *tk = (struct timer *) si.si_ptr;

              /* Check the timer is still used and will not go away
                 while we are reading the values here.  */
              pthread_mutex_lock (&__active_timer_sigev_thread_lock);

              struct timer *runp = __active_timer_sigev_thread;
              while (runp != NULL)
                if (runp == tk)
                  break;
                else
                  runp = runp->next;

              if (runp != NULL)
                {
                  struct thread_start_data *td = malloc (sizeof (*td));

                  /* There is not much we can do if the allocation fails.  */
                  if (td != NULL)
                    {
                      /* This is the signal we are waiting for.  */
                      td->thrfunc = tk->thrfunc;
                      td->sival = tk->sival;

                      pthread_t th;
                      (void) pthread_create (&th, &tk->attr,
                                             timer_sigev_thread, td);
                    }
                }

              pthread_mutex_unlock (&__active_timer_sigev_thread_lock);

So in this case timer B receives spurious wake up.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Bug libc/18429] spurious timer wakeup caused by ABA problem in timers handling logic
  2015-05-19 10:48 [Bug libc/18429] New: spurious timer wakeup caused by ABA problem in timers handling logic up7 at frtk dot ru
@ 2015-05-19 10:51 ` up7 at frtk dot ru
  2015-08-27 22:27 ` [Bug librt/18429] " jsm28 at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: up7 at frtk dot ru @ 2015-05-19 10:51 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18429

Dmitry Mikhin <up7 at frtk dot ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |up7 at frtk dot ru

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Bug librt/18429] spurious timer wakeup caused by ABA problem in timers handling logic
  2015-05-19 10:48 [Bug libc/18429] New: spurious timer wakeup caused by ABA problem in timers handling logic up7 at frtk dot ru
  2015-05-19 10:51 ` [Bug libc/18429] " up7 at frtk dot ru
@ 2015-08-27 22:27 ` jsm28 at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2015-08-27 22:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18429

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |librt

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-08-27 22:27 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-19 10:48 [Bug libc/18429] New: spurious timer wakeup caused by ABA problem in timers handling logic up7 at frtk dot ru
2015-05-19 10:51 ` [Bug libc/18429] " up7 at frtk dot ru
2015-08-27 22:27 ` [Bug librt/18429] " jsm28 at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).