public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/31285] New: Segfault when returning from main while a thread calls dlclose
From: jimb@red-bean.com @ 2024-01-24 3:19 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31285
Bug ID: 31285
Summary: Segfault when returning from main while a thread calls dlclose
Product: glibc
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: jimb@red-bean.com
Target Milestone: ---
If the program's main thread returns while another thread calls dlclose on a
shared library that has a static variable with a destructor, dlclose may unmap
the shared library's code while the main thread is still executing the
destructor, causing a crash.
This can manifest as intermittent crashes at exit, as in this issue:
https://github.com/gfx-rs/wgpu/issues/5084
The bug is that if the main thread calls `__run_exit_handlers` and finds the
shared library's destructor's entry in `__exit_funcs` first, changes its flavor
to `ef_free`, releases `__exit_funcs_lock`, and then calls the entry's
function, that function is arbitrary code which may take a long time to run.
While it does so, another thread may `dlclose` the shared library, skip past
the entry in `__exit_funcs` since it is marked as `ef_free`, and proceed to
unmap the shared library's code while the main thread is still working.
The attached test case reproduces the bug reliably. To reproduce, download the
attached test case as `dlclose-crash.tar.gz`, and then:
```
$ tar xf dlclose-crash.tar.gz
$ cd dlclose-crash/
$ make
g++ -g -export-dynamic main.cpp -o main
g++ -g -shared -fPIC solib.cpp -o solib.so
$ ./main
Segmentation fault (core dumped)
$
```
--
You are receiving this mail because:
You are on the CC list for the bug.
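The interleaving the report describes, written out as an added two-thread model in C. This is not glibc's code and not the reporter's attached test case: `exit_function`, `ef_free`, `model_run_exit_handlers` and `model_dlclose` are names invented here to mirror `__exit_funcs`, `__exit_funcs_lock` and `dlclose`, the "library" is a struct with a `mapped` flag, and a destructor that runs after `mapped` has been cleared stands in for the real segfault. The `fixed` mode shows one possible remedy for illustration only (dlclose waits for claimed entries that are still executing); it is an assumption of this example, not the fix glibc adopted.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: a model of the race, not glibc code. Two flavors suffice
 * here; glibc has more. */
enum flavor { ef_free, ef_cxa };

struct library {
    bool mapped;      /* false once "dlclose" has unmapped the library's code */
    int  in_flight;   /* claimed handlers still executing (used by the fix only) */
};

struct model;
struct exit_function {
    enum flavor     flavor;
    void          (*fn)(struct model *);
    struct library *dso;            /* the library whose code fn lives in */
};

struct model {
    pthread_mutex_t      lock;      /* role of __exit_funcs_lock; also guards the flags */
    pthread_cond_t       cv;
    struct exit_function funcs[1];  /* role of __exit_funcs */
    struct library       lib;
    bool fixed;                     /* false: behaviour from the report; true: dlclose waits */
    bool entry_claimed;             /* exiting thread has marked the entry ef_free */
    bool dlclose_settled;           /* dlclose has unmapped, or is parked waiting */
    bool crashed;                   /* destructor ran with its library unmapped */
};

/* The shared library's static destructor: arbitrary code run with the lock
 * released. It "takes a long time" (waits until dlclose has acted) and then
 * touches its own library's code. */
static void solib_destructor(struct model *m)
{
    pthread_mutex_lock(&m->lock);
    while (!m->dlclose_settled)
        pthread_cond_wait(&m->cv, &m->lock);
    if (!m->lib.mapped)             /* executing unmapped code: the segfault */
        m->crashed = true;
    pthread_mutex_unlock(&m->lock);
}

/* Exit path of the thread returning from main. */
static void model_run_exit_handlers(struct model *m)
{
    struct exit_function *f = &m->funcs[0];
    pthread_mutex_lock(&m->lock);
    if (f->flavor != ef_free) {
        f->flavor = ef_free;        /* claimed: nobody else will run it */
        if (m->fixed)
            f->dso->in_flight++;    /* fix: remember it is still executing */
        m->entry_claimed = true;
        pthread_cond_broadcast(&m->cv);
        pthread_mutex_unlock(&m->lock);   /* lock dropped around arbitrary code */
        f->fn(m);
        pthread_mutex_lock(&m->lock);
        if (m->fixed && --f->dso->in_flight == 0)
            pthread_cond_broadcast(&m->cv);
    }
    pthread_mutex_unlock(&m->lock);
}

/* dlclose in the other thread: skip entries already marked ef_free, then
 * unmap. (In this scenario the entry is always claimed first, so the path
 * that would run an unclaimed entry is not modelled.) */
static void model_dlclose(struct model *m, struct library *lib)
{
    pthread_mutex_lock(&m->lock);
    if (m->fixed) {
        m->dlclose_settled = true;  /* parked; let the destructor continue */
        pthread_cond_broadcast(&m->cv);
        while (lib->in_flight > 0)  /* fix: wait for claimed entries to return */
            pthread_cond_wait(&m->cv, &m->lock);
    }
    lib->mapped = false;            /* unmap the library's code */
    m->dlclose_settled = true;
    pthread_cond_broadcast(&m->cv);
    pthread_mutex_unlock(&m->lock);
}

static void *dlclose_thread(void *arg)
{
    struct model *m = arg;
    pthread_mutex_lock(&m->lock);   /* start only after the entry was claimed */
    while (!m->entry_claimed)
        pthread_cond_wait(&m->cv, &m->lock);
    pthread_mutex_unlock(&m->lock);
    model_dlclose(m, &m->lib);
    return NULL;
}

/* Returns 1 if the destructor executed after its library was unmapped. */
int run_scenario(bool fixed)
{
    struct model m = { .fixed = fixed, .lib = { .mapped = true } };
    m.funcs[0] = (struct exit_function){ .flavor = ef_cxa, .fn = solib_destructor, .dso = &m.lib };
    pthread_mutex_init(&m.lock, NULL);
    pthread_cond_init(&m.cv, NULL);
    pthread_t t;
    pthread_create(&t, NULL, dlclose_thread, &m);
    model_run_exit_handlers(&m);    /* the main thread returning from main */
    pthread_join(t, NULL);
    pthread_cond_destroy(&m.cv);
    pthread_mutex_destroy(&m.lock);
    return m.crashed ? 1 : 0;
}

int main(void)
{
    printf("as reported:   crash=%d\n", run_scenario(false));
    printf("dlclose waits: crash=%d\n", run_scenario(true));
    return 0;
}
```

Build with `cc -pthread model.c` (assumed file name). The ordering is forced with condition variables rather than left to the scheduler, so the "as reported" run always reproduces the window: the entry is claimed and the lock released, dlclose skips the `ef_free` entry and unmaps, and the still-running destructor then touches unmapped code. The point of the `fixed` mode is only that marking an entry `ef_free` tells dlclose nothing about whether the handler has finished; some record of in-flight handlers has to exist before unmapping is safe.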
* [Bug dynamic-link/31285] Segfault when returning from main while a thread calls dlclose
From: jimb@red-bean.com @ 2024-01-24 3:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31285
--- Comment #1 from Jim Blandy <jimb@red-bean.com> ---
Created attachment 15327
--> https://sourceware.org/bugzilla/attachment.cgi?id=15327&action=edit
Test case source code.