* [PATCH] stdlib: Fix data race in __run_exit_handlers @ 2020-09-20 9:57 Vitaly Buka 2020-09-20 12:09 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2020-09-20 9:57 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Read f->func.cxa under the lock. It's incredible rare so I failed to create a test. However we have binary which according to logs add __cxa_atexit with unique arg and then callback is called twice for the same arg. There is a clear data race: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa --- stdlib/exit.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/stdlib/exit.c b/stdlib/exit.c index 7bca1cdc14..93cdec82f0 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -72,44 +72,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered -- 2.28.0.681.g6f77f65b4e-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-20 9:57 [PATCH] stdlib: Fix data race in __run_exit_handlers Vitaly Buka @ 2020-09-20 12:09 ` Vitaly Buka 2020-09-20 20:41 ` Paul Pluzhnikov 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2020-09-20 12:09 UTC (permalink / raw) To: libc-alpha Read f->func.cxa under the lock. There is a clear data race: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa It's incredibly rare so the test without patch fails only about 10%. --- stdlib/Makefile | 4 +- stdlib/exit.c | 20 +++++--- stdlib/test-cxa_atexit-race2.c | 94 ++++++++++++++++++++++++++++++++++ 3 files changed, 111 insertions(+), 7 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index 4615f6dfe7..f622fa9e0b 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -82,7 +82,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -101,6 +102,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-test-dlclose-exit-race = $(shared-thread-library) $(libdl) diff --git a/stdlib/exit.c b/stdlib/exit.c index 7bca1cdc14..93cdec82f0 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -72,44 +72,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..08acafe19f --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,94 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. + exhibited data race while accessing destructor function list (Bug 14333). + + This test spawns large number of threads, and check the same + desctructor is not called more then once. */ + +#include <limits.h> +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> + +extern void *__dso_handle; + +const size_t kNumThreads = 50; +const size_t kStacksize = +#ifdef PTHREAD_STACK_MIN + 0x20000 < PTHREAD_STACK_MIN ? PTHREAD_STACK_MIN : +#endif + 0x20000; + +static atomic_intptr_t added; +static atomic_intptr_t done; +static void *prev; + +static void +atexitcb (void *arg) +{ + if (arg == prev) + abort (); + prev = arg; + ++done; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void * +threadfunc (void *unused) +{ + for (; done < 1e6;) + { + if (added < done + 100) + { + __cxa_atexit (&atexitcb, (void *)(++added), __dso_handle); + } + } + return 0; +} + +static int +do_test (void) +{ + size_t i; + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + /* With default 8MiB Linux stack size, creating 1024 threads can cause + VM exhausiton on 32-bit machines. Reduce stack size of each thread to + 128KiB for a maximum required VM size of 128MiB. */ + xpthread_attr_setstacksize (&attr, kStacksize); + + for (i = 0; i < kNumThreads; ++i) + { + xpthread_create (&attr, threadfunc, NULL); + } + xpthread_attr_destroy (&attr); + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.28.0.681.g6f77f65b4e-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-20 12:09 ` Vitaly Buka @ 2020-09-20 20:41 ` Paul Pluzhnikov 2020-09-20 21:26 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Paul Pluzhnikov @ 2020-09-20 20:41 UTC (permalink / raw) To: Vitaly Buka; +Cc: GLIBC Devel On Sun, Sep 20, 2020 at 5:10 AM Vitaly Buka via Libc-alpha <libc-alpha@sourceware.org> wrote: > +static void * > +threadfunc (void *unused) > +{ > + for (; done < 1e6;) > + { > + if (added < done + 100) > + { > + __cxa_atexit (&atexitcb, (void *)(++added), __dso_handle); Isn't there a data race on "added" here (in addition to a data race on "done")? What prevents two threads from observing "added == 100" at the same time and adding two calls with value of 101, which would later trigger abort() in exitcb()? > + /* With default 8MiB Linux stack size, creating 1024 threads can cause > + VM exhausiton on 32-bit machines. Reduce stack size of each thread to > + 128KiB for a maximum required VM size of 128MiB. */ This comment is far removed from the computation of kStacksize (and the name violates the naming conventions used here). I suggest: size_t stack_size = 128 << 10; /* 128KiB */ if (stack_size < PTHREAD_STACK_MIN) stack_size = PTHREAD_STACK_MIN; Also, I suspect that 32KiB would be more than enough for stack size here. > + for (i = 0; i < kNumThreads; ++i) Since kNumThreads isn't used anywhere else, I suggest making it a local: const int num_threads = 50; -- Paul Pluzhnikov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-20 20:41 ` Paul Pluzhnikov @ 2020-09-20 21:26 ` Vitaly Buka 2020-09-20 23:36 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2020-09-20 21:26 UTC (permalink / raw) To: Paul Pluzhnikov; +Cc: GLIBC Devel On Sun, 20 Sep 2020 at 13:42, Paul Pluzhnikov <ppluzhnikov@google.com> wrote: > On Sun, Sep 20, 2020 at 5:10 AM Vitaly Buka via Libc-alpha > <libc-alpha@sourceware.org> wrote: > > > +static void * > > +threadfunc (void *unused) > > +{ > > + for (; done < 1e6;) > > + { > > + if (added < done + 100) > > + { > > + __cxa_atexit (&atexitcb, (void *)(++added), __dso_handle); > > Isn't there a data race on "added" here (in addition to a data race on > "done")? > What prevents two threads from observing "added == 100" at the same > time and adding two calls with value of 101, which would later trigger > abort() in exitcb()? > They are atomic. Isn't (++added) guarantee to return different values in all threads? > > > + /* With default 8MiB Linux stack size, creating 1024 threads can cause > > + VM exhausiton on 32-bit machines. Reduce stack size of each > thread to > > + 128KiB for a maximum required VM size of 128MiB. */ > > This comment is far removed from the computation of kStacksize (and > the name violates the naming conventions used here). > > I suggest: > > size_t stack_size = 128 << 10; /* 128KiB */ > if (stack_size < PTHREAD_STACK_MIN) stack_size = PTHREAD_STACK_MIN; > > Also, I suspect that 32KiB would be more than enough for stack size here. > > > + for (i = 0; i < kNumThreads; ++i) > > Since kNumThreads isn't used anywhere else, I suggest making it a local: > > const int num_threads = 50; > > -- > Paul Pluzhnikov > ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-20 21:26 ` Vitaly Buka @ 2020-09-20 23:36 ` Vitaly Buka 2020-09-20 23:37 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2020-09-20 23:36 UTC (permalink / raw) To: Paul Pluzhnikov; +Cc: GLIBC Devel Oh, this atomics are not what I thought. So the test reproduced bugs in the test. I tried different approaches and I failed to reproduce the data race. On Sun, 20 Sep 2020 at 14:26, Vitaly Buka <vitalybuka@google.com> wrote: > > > On Sun, 20 Sep 2020 at 13:42, Paul Pluzhnikov <ppluzhnikov@google.com> > wrote: > >> On Sun, Sep 20, 2020 at 5:10 AM Vitaly Buka via Libc-alpha >> <libc-alpha@sourceware.org> wrote: >> >> > +static void * >> > +threadfunc (void *unused) >> > +{ >> > + for (; done < 1e6;) >> > + { >> > + if (added < done + 100) >> > + { >> > + __cxa_atexit (&atexitcb, (void *)(++added), __dso_handle); >> >> Isn't there a data race on "added" here (in addition to a data race on >> "done")? >> What prevents two threads from observing "added == 100" at the same >> time and adding two calls with value of 101, which would later trigger >> abort() in exitcb()? >> > > They are atomic. Isn't (++added) guarantee to return different values in > all threads? > > >> >> > + /* With default 8MiB Linux stack size, creating 1024 threads can >> cause >> > + VM exhausiton on 32-bit machines. Reduce stack size of each >> thread to >> > + 128KiB for a maximum required VM size of 128MiB. */ >> >> This comment is far removed from the computation of kStacksize (and >> the name violates the naming conventions used here). >> >> I suggest: >> >> size_t stack_size = 128 << 10; /* 128KiB */ >> if (stack_size < PTHREAD_STACK_MIN) stack_size = PTHREAD_STACK_MIN; >> >> Also, I suspect that 32KiB would be more than enough for stack size here. >> >> > + for (i = 0; i < kNumThreads; ++i) >> >> Since kNumThreads isn't used anywhere else, I suggest making it a local: >> >> const int num_threads = 50; >> >> -- >> Paul Pluzhnikov >> > ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-20 23:36 ` Vitaly Buka @ 2020-09-20 23:37 ` Vitaly Buka 2020-09-21 8:31 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2020-09-20 23:37 UTC (permalink / raw) To: libc-alpha Read f->func.cxa under the lock. There is a clear data race: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa It's incredibly rare so I can't create reasonable test. --- stdlib/exit.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/stdlib/exit.c b/stdlib/exit.c index 7bca1cdc14..9c79aa4a62 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -72,44 +72,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered -- 2.28.0.681.g6f77f65b4e-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-20 23:37 ` Vitaly Buka @ 2020-09-21 8:31 ` Vitaly Buka 2020-09-30 16:01 ` Joseph Myers 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2020-09-21 8:31 UTC (permalink / raw) To: libc-alpha Read f->func.cxa under the lock. There is a clear data race: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa Without patch abd with NDEBUG the test fails about 30% of time. But it fails very rarely with asserts enabled. --- stdlib/Makefile | 4 +- stdlib/exit.c | 20 ++++++--- stdlib/test-cxa_atexit-race2.c | 76 ++++++++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+), 7 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index 4615f6dfe7..f622fa9e0b 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -82,7 +82,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -101,6 +102,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-test-dlclose-exit-race = $(shared-thread-library) $(libdl) diff --git a/stdlib/exit.c b/stdlib/exit.c index 7bca1cdc14..9c79aa4a62 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -72,44 +72,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..9eb72471da --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,76 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. + exhibited data race while calling destructors. + + This test spawns multiple threads, and check the same desctructor is + not called more then once. */ + +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> + +static const int thread_num = 4; + +static void +atexitcb (void *arg) +{ + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void * +threadfunc (void *arg) +{ + for (int i = 0; i < 100; ++i) + { + for (int j = 0; j < 4000; ++j) + __cxa_atexit (&atexitcb, arg += thread_num, 0); + pthread_yield (); + } + return 0; +} + +static int +do_test (void) +{ + size_t i; + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + for (i = 0; i < thread_num; ++i) + xpthread_create (&attr, threadfunc, (void *)i); + xpthread_attr_destroy (&attr); + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.28.0.681.g6f77f65b4e-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-21 8:31 ` Vitaly Buka @ 2020-09-30 16:01 ` Joseph Myers 2021-04-17 16:16 ` Vitaly Buka 2021-04-17 17:36 ` Paul Pluzhnikov 0 siblings, 2 replies; 24+ messages in thread From: Joseph Myers @ 2020-09-30 16:01 UTC (permalink / raw) To: Vitaly Buka; +Cc: libc-alpha Is there a bug report for this in Bugzilla? (Any bug being fixed that was user-visible in a release should have a bug report filed. Then once the fix is in, the bug report should be marked RESOLVED/FIXED with the target milestone set to the first release that will have the fix; that's how we generate the list of fixed bugs for the NEWS file.) -- Joseph S. Myers joseph@codesourcery.com ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-30 16:01 ` Joseph Myers @ 2021-04-17 16:16 ` Vitaly Buka 2021-04-17 17:11 ` Vitaly Buka 2021-04-17 17:36 ` Paul Pluzhnikov 1 sibling, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-17 16:16 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL). The test needs multiple iterations to consistently fail without the fix. --- stdlib/Makefile | 4 +- stdlib/exit.c | 28 +++++--- stdlib/test-cxa_atexit-race2.c | 114 +++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+), 11 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index a9ad849531..c11a794d2a 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -82,7 +82,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 @@ -97,6 +98,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-test-dlclose-exit-race = $(shared-thread-library) $(libdl) diff --git a/stdlib/exit.c b/stdlib/exit.c index 0a4944fa05..9c669fd1a8 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, if (run_dtors) __call_tls_dtors (); + __libc_lock_lock (__exit_funcs_lock); + /* We do it this way to handle recursive calls to exit () made by the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, { struct exit_function_list *cur; - __libc_lock_lock (__exit_funcs_lock); - restart: cur = *listp; @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Exit processing complete. We will not allow any more atexit/on_exit registrations. */ __exit_funcs_done = true; - __libc_lock_unlock (__exit_funcs_lock); break; } @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, allocate element. */ free (cur); - __libc_lock_unlock (__exit_funcs_lock); } + __libc_lock_unlock (__exit_funcs_lock); + if (run_list_atexit) RUN_HOOK (__libc_atexit, ()); diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..04656d261c --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,114 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. + exhibited data race while calling destructors. + + This test spawns multiple threads, and check the same desctructor is + not called more then once. */ + +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> +#include <sys/wait.h> +#include <unistd.h> + +static atomic_int registered; +static atomic_int todo = 100000; + +static void +atexit_cb (void *arg) +{ + --registered; + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; + + while (todo > 0 && registered < 100) + ; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void *cb_arg = NULL; +static void +add_handlers (void) +{ + int n = 10; + for (int i = 0; i < n; ++i) + __cxa_atexit (&atexit_cb, ++cb_arg, 0); + registered += n; + todo -= n; +} + +static void * +thread_func (void *arg) +{ + while (todo > 0) + if (registered < 10000) + add_handlers (); + return 0; +} + +static void +test_and_exit (void) +{ + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + xpthread_create (&attr, thread_func, NULL); + xpthread_attr_destroy (&attr); + while (!registered) + ; + exit (0); +} + +static int +do_test (void) +{ + for (int i = 0; i < 20; ++i) + { + for (int i = 0; i < 10; ++i) + if (fork () == 0) + test_and_exit (); + + int status; + while (wait (&status) > 0) + { + if (!WIFEXITED (status)) + { + printf ("Failed interation %d\n", i); + abort (); + } + } + } + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.31.1.368.gbe11c130af-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-17 16:16 ` Vitaly Buka @ 2021-04-17 17:11 ` Vitaly Buka 2021-04-17 17:13 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-17 17:11 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL). The test needs multiple iterations to consistently fail without the fix. --- stdlib/Makefile | 4 +- stdlib/exit.c | 28 +++++--- stdlib/test-cxa_atexit-race2.c | 114 +++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+), 11 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index b3b30ab73e..f5755a1654 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -100,6 +101,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-tst-canon-bz26341 = $(shared-thread-library) diff --git a/stdlib/exit.c b/stdlib/exit.c index bed82733ad..f095b38ab3 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, if (run_dtors) __call_tls_dtors (); + __libc_lock_lock (__exit_funcs_lock); + /* We do it this way to handle recursive calls to exit () made by the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, { struct exit_function_list *cur; - __libc_lock_lock (__exit_funcs_lock); - restart: cur = *listp; @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Exit processing complete. We will not allow any more atexit/on_exit registrations. */ __exit_funcs_done = true; - __libc_lock_unlock (__exit_funcs_lock); break; } @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, allocate element. */ free (cur); - __libc_lock_unlock (__exit_funcs_lock); } + __libc_lock_unlock (__exit_funcs_lock); + if (run_list_atexit) RUN_HOOK (__libc_atexit, ()); diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..04656d261c --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,114 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. + exhibited data race while calling destructors. + + This test spawns multiple threads, and check the same desctructor is + not called more then once. */ + +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> +#include <sys/wait.h> +#include <unistd.h> + +static atomic_int registered; +static atomic_int todo = 100000; + +static void +atexit_cb (void *arg) +{ + --registered; + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; + + while (todo > 0 && registered < 100) + ; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void *cb_arg = NULL; +static void +add_handlers (void) +{ + int n = 10; + for (int i = 0; i < n; ++i) + __cxa_atexit (&atexit_cb, ++cb_arg, 0); + registered += n; + todo -= n; +} + +static void * +thread_func (void *arg) +{ + while (todo > 0) + if (registered < 10000) + add_handlers (); + return 0; +} + +static void +test_and_exit (void) +{ + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + xpthread_create (&attr, thread_func, NULL); + xpthread_attr_destroy (&attr); + while (!registered) + ; + exit (0); +} + +static int +do_test (void) +{ + for (int i = 0; i < 20; ++i) + { + for (int i = 0; i < 10; ++i) + if (fork () == 0) + test_and_exit (); + + int status; + while (wait (&status) > 0) + { + if (!WIFEXITED (status)) + { + printf ("Failed interation %d\n", i); + abort (); + } + } + } + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.31.1.368.gbe11c130af-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-17 17:11 ` Vitaly Buka @ 2021-04-17 17:13 ` Vitaly Buka 2021-04-17 17:22 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-17 17:13 UTC (permalink / raw) To: GLIBC Devel In the last patch I've fixed atomic usage in the test. Here is the bug https://sourceware.org/bugzilla/show_bug.cgi?id=27749 On Sat, 17 Apr 2021 at 10:11, Vitaly Buka <vitalybuka@google.com> wrote: > Keep __exit_funcs_lock almost all the time and unlock it only to execute > callbacks. This fixed two issues. > > 1. f->func.cxa was modified outside the lock with rare data race like: > thread 0: __run_exit_handlers unlock __exit_funcs_lock > thread 1: __internal_atexit locks __exit_funcs_lock > thread 0: f->flavor = ef_free; > thread 1: sees ef_free and use it as new > thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; > thread 1: new->func.cxa.arg = arg; > thread 1: new->flavor = ef_cxa; > thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! > thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! > thread 0: goto restart; > thread 0: call the same exit_function again as it's ef_cxa > > 2. Don't unlock in main while loop after *listp = cur->next. If *listp > is NULL and __exit_funcs_done is false another thread may fail in > __new_exitfn on assert (l != NULL). > > The test needs multiple iterations to consistently fail without the fix. > --- > stdlib/Makefile | 4 +- > stdlib/exit.c | 28 +++++--- > stdlib/test-cxa_atexit-race2.c | 114 +++++++++++++++++++++++++++++++++ > 3 files changed, 135 insertions(+), 11 deletions(-) > create mode 100644 stdlib/test-cxa_atexit-race2.c > > diff --git a/stdlib/Makefile b/stdlib/Makefile > index b3b30ab73e..f5755a1654 100644 > --- a/stdlib/Makefile > +++ b/stdlib/Makefile > @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand > testsort testdiv \ > tst-width-stdint tst-strfrom tst-strfrom-locale > \ > tst-getrandom tst-atexit tst-at_quick_exit > \ > tst-cxa_atexit tst-on_exit test-atexit-race > \ > - test-at_quick_exit-race test-cxa_atexit-race > \ > + test-at_quick_exit-race test-cxa_atexit-race > \ > + test-cxa_atexit-race2 > \ > test-on_exit-race test-dlclose-exit-race > \ > tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ > tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ > @@ -100,6 +101,7 @@ endif > LDLIBS-test-atexit-race = $(shared-thread-library) > LDLIBS-test-at_quick_exit-race = $(shared-thread-library) > LDLIBS-test-cxa_atexit-race = $(shared-thread-library) > +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) > LDLIBS-test-on_exit-race = $(shared-thread-library) > LDLIBS-tst-canon-bz26341 = $(shared-thread-library) > > diff --git a/stdlib/exit.c b/stdlib/exit.c > index bed82733ad..f095b38ab3 100644 > --- a/stdlib/exit.c > +++ b/stdlib/exit.c > @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > if (run_dtors) > __call_tls_dtors (); > > + __libc_lock_lock (__exit_funcs_lock); > + > /* We do it this way to handle recursive calls to exit () made by > the functions registered with `atexit' and `on_exit'. We call > everyone on the list and use the status value in the last > @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > { > struct exit_function_list *cur; > > - __libc_lock_lock (__exit_funcs_lock); > - > restart: > cur = *listp; > > @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > /* Exit processing complete. We will not allow any more > atexit/on_exit registrations. */ > __exit_funcs_done = true; > - __libc_lock_unlock (__exit_funcs_lock); > break; > } > > @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > struct exit_function *const f = &cur->fns[--cur->idx]; > const uint64_t new_exitfn_called = __new_exitfn_called; > > - /* Unlock the list while we call a foreign function. */ > - __libc_lock_unlock (__exit_funcs_lock); > switch (f->flavor) > { > void (*atfct) (void); > void (*onfct) (int status, void *arg); > void (*cxafct) (void *arg, int status); > + void *arg; > > case ef_free: > case ef_us: > break; > case ef_on: > onfct = f->func.on.fn; > + arg = f->func.on.arg; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (onfct); > #endif > - onfct (status, f->func.on.arg); > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > + onfct (status, arg); > + __libc_lock_lock (__exit_funcs_lock); > break; > case ef_at: > atfct = f->func.at; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (atfct); > #endif > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > atfct (); > + __libc_lock_lock (__exit_funcs_lock); > break; > case ef_cxa: > /* To avoid dlclose/exit race calling cxafct twice (BZ > 22180), > we must mark this function as ef_free. */ > f->flavor = ef_free; > cxafct = f->func.cxa.fn; > + arg = f->func.cxa.arg; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (cxafct); > #endif > - cxafct (f->func.cxa.arg, status); > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > + cxafct (arg, status); > + __libc_lock_lock (__exit_funcs_lock); > break; > } > - /* Re-lock again before looking at global state. */ > - __libc_lock_lock (__exit_funcs_lock); > > if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) > /* The last exit function, or another thread, has registered > @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > allocate element. */ > free (cur); > > - __libc_lock_unlock (__exit_funcs_lock); > } > > + __libc_lock_unlock (__exit_funcs_lock); > + > if (run_list_atexit) > RUN_HOOK (__libc_atexit, ()); > > diff --git a/stdlib/test-cxa_atexit-race2.c > b/stdlib/test-cxa_atexit-race2.c > new file mode 100644 > index 0000000000..04656d261c > --- /dev/null > +++ b/stdlib/test-cxa_atexit-race2.c > @@ -0,0 +1,114 @@ > +/* Support file for atexit/exit, etc. race tests. > + Copyright (C) 2017-2021 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + <https://www.gnu.org/licenses/>. */ > + > +/* This file must be run from within a directory called "stdlib". */ > + > +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. > + exhibited data race while calling destructors. > + > + This test spawns multiple threads, and check the same desctructor is > + not called more then once. */ > + > +#include <stdatomic.h> > +#include <stdio.h> > +#include <stdlib.h> > +#include <support/xthread.h> > +#include <sys/wait.h> > +#include <unistd.h> > + > +static atomic_int registered; > +static atomic_int todo = 100000; > + > +static void > +atexit_cb (void *arg) > +{ > + --registered; > + static void *prev; > + if (arg == prev) > + { > + printf ("%p\n", arg); > + abort (); > + } > + prev = arg; > + > + while (todo > 0 && registered < 100) > + ; > +} > + > +int __cxa_atexit (void (*func) (void *), void *arg, void *d); > + > +static void *cb_arg = NULL; > +static void > +add_handlers (void) > +{ > + int n = 10; > + for (int i = 0; i < n; ++i) > + __cxa_atexit (&atexit_cb, ++cb_arg, 0); > + registered += n; > + todo -= n; > +} > + > +static void * > +thread_func (void *arg) > +{ > + while (todo > 0) > + if (registered < 10000) > + add_handlers (); > + return 0; > +} > + > +static void > +test_and_exit (void) > +{ > + pthread_attr_t attr; > + > + xpthread_attr_init (&attr); > + xpthread_attr_setdetachstate (&attr, 1); > + > + xpthread_create (&attr, thread_func, NULL); > + xpthread_attr_destroy (&attr); > + while (!registered) > + ; > + exit (0); > +} > + > +static int > +do_test (void) > +{ > + for (int i = 0; i < 20; ++i) > + { > + for (int i = 0; i < 10; ++i) > + if (fork () == 0) > + test_and_exit (); > + > + int status; > + while (wait (&status) > 0) > + { > + if (!WIFEXITED (status)) > + { > + printf ("Failed interation %d\n", i); > + abort (); > + } > + } > + } > + > + exit (0); > +} > + > +#define TEST_FUNCTION do_test > +#include <support/test-driver.c> > -- > 2.31.1.368.gbe11c130af-goog > > ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-17 17:13 ` Vitaly Buka @ 2021-04-17 17:22 ` Vitaly Buka 2021-04-17 18:01 ` Paul Pluzhnikov 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-17 17:22 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL). The test needs multiple iterations to consistently fail without the fix. --- stdlib/Makefile | 4 +- stdlib/exit.c | 28 +++++--- stdlib/test-cxa_atexit-race2.c | 114 +++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+), 11 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index b3b30ab73e..f5755a1654 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -100,6 +101,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-tst-canon-bz26341 = $(shared-thread-library) diff --git a/stdlib/exit.c b/stdlib/exit.c index bed82733ad..f095b38ab3 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, if (run_dtors) __call_tls_dtors (); + __libc_lock_lock (__exit_funcs_lock); + /* We do it this way to handle recursive calls to exit () made by the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, { struct exit_function_list *cur; - __libc_lock_lock (__exit_funcs_lock); - restart: cur = *listp; @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Exit processing complete. We will not allow any more atexit/on_exit registrations. */ __exit_funcs_done = true; - __libc_lock_unlock (__exit_funcs_lock); break; } @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, allocate element. */ free (cur); - __libc_lock_unlock (__exit_funcs_lock); } + __libc_lock_unlock (__exit_funcs_lock); + if (run_list_atexit) RUN_HOOK (__libc_atexit, ()); diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..0aed0e7eae --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,114 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. + exhibited data race while calling destructors. + + This test spawns multiple threads, and check the same desctructor is + not called more then once. */ + +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> +#include <sys/wait.h> +#include <unistd.h> + +static atomic_int registered; +static atomic_int todo = 100000; + +static void +atexit_cb (void *arg) +{ + atomic_fetch_sub (®istered, 1); + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; + + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) + ; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void *cb_arg = NULL; +static void +add_handlers (void) +{ + int n = 10; + for (int i = 0; i < n; ++i) + __cxa_atexit (&atexit_cb, ++cb_arg, 0); + atomic_fetch_add (®istered, n); + atomic_fetch_sub (&todo, n); +} + +static void * +thread_func (void *arg) +{ + while (atomic_load (&todo) > 0) + if (atomic_load (®istered) < 10000) + add_handlers (); + return 0; +} + +static void +test_and_exit (void) +{ + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + xpthread_create (&attr, thread_func, NULL); + xpthread_attr_destroy (&attr); + while (!atomic_load (®istered)) + ; + exit (0); +} + +static int +do_test (void) +{ + for (int i = 0; i < 20; ++i) + { + for (int i = 0; i < 10; ++i) + if (fork () == 0) + test_and_exit (); + + int status; + while (wait (&status) > 0) + { + if (!WIFEXITED (status)) + { + printf ("Failed interation %d\n", i); + abort (); + } + } + } + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.31.1.368.gbe11c130af-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-17 17:22 ` Vitaly Buka @ 2021-04-17 18:01 ` Paul Pluzhnikov 2021-04-20 22:51 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Paul Pluzhnikov @ 2021-04-17 18:01 UTC (permalink / raw) To: Vitaly Buka; +Cc: GLIBC Devel On Sat, Apr 17, 2021 at 10:23 AM Vitaly Buka via Libc-alpha <libc-alpha@sourceware.org> wrote: > diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c > + This test spawns multiple threads, and check the same desctructor is Typo. Suggest: This test spawns multiple threads, and checks that the same destructor is > + not called more then once. */ s/then/than/ > +static void *cb_arg = NULL; > +static void > +add_handlers (void) > +{ > + int n = 10; > + for (int i = 0; i < n; ++i) > + __cxa_atexit (&atexit_cb, ++cb_arg, 0); add_handlers() is called from many threads. This code appears to race on cb_arg. -- Paul Pluzhnikov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-17 18:01 ` Paul Pluzhnikov @ 2021-04-20 22:51 ` Vitaly Buka 2021-04-20 23:40 ` Paul Pluzhnikov 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-20 22:51 UTC (permalink / raw) To: Paul Pluzhnikov; +Cc: GLIBC Devel I guess I forgot to reply to these comments. On Sat, 17 Apr 2021 at 11:02, Paul Pluzhnikov <ppluzhnikov@google.com> wrote: > On Sat, Apr 17, 2021 at 10:23 AM Vitaly Buka via Libc-alpha > <libc-alpha@sourceware.org> wrote: > > > diff --git a/stdlib/test-cxa_atexit-race2.c > b/stdlib/test-cxa_atexit-race2.c > > > + This test spawns multiple threads, and check the same desctructor is > > Typo. Suggest: > > This test spawns multiple threads, and checks that the same destructor is > Done in the last patch. > > > + not called more then once. */ > > s/then/than/ > Done in the last patch. > > > +static void *cb_arg = NULL; > > +static void > > +add_handlers (void) > > +{ > > + int n = 10; > > + for (int i = 0; i < n; ++i) > > + __cxa_atexit (&atexit_cb, ++cb_arg, 0); > > add_handlers() is called from many threads. This code appears to race on > cb_arg. > We don't have a data race as add_handlers is called from a single background thread. Previous patches had more threads but they didn't help to reproduce the issues. > > > -- > Paul Pluzhnikov > ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-20 22:51 ` Vitaly Buka @ 2021-04-20 23:40 ` Paul Pluzhnikov 2021-04-26 19:20 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Paul Pluzhnikov @ 2021-04-20 23:40 UTC (permalink / raw) To: Vitaly Buka; +Cc: GLIBC Devel On Tue, Apr 20, 2021 at 3:51 PM Vitaly Buka <vitalybuka@google.com> wrote: >> > +static void *cb_arg = NULL; >> > +static void >> > +add_handlers (void) >> > +{ >> > + int n = 10; >> > + for (int i = 0; i < n; ++i) >> > + __cxa_atexit (&atexit_cb, ++cb_arg, 0); >> >> add_handlers() is called from many threads. This code appears to race on cb_arg. > > > We don't have a data race as add_handlers is called from a single background thread. > Previous patches had more threads but they didn't help to reproduce the issues. Thanks. I think cb_arg can be moved into add_handlers() and doesn't have to be static anymore (if it were a local, there wouldn't be a question of a race in the first place). I've looked at the code and the first data race description at the start of this thread. I agree that this is the right fix for it. I have not yet understood the second interaction (between __run_exit_handlers and __new_exitfn), but I am not sure I really need to: the patch seems correct. One other change I would make is to move the unlock before PTR_DEMANGLE (since it doesn't use any of the data guarded by this lock). -- Paul Pluzhnikov ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-20 23:40 ` Paul Pluzhnikov @ 2021-04-26 19:20 ` Vitaly Buka 2021-04-26 19:23 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-26 19:20 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL): thread 0: *listp = cur->next; // It can be the last: *listp = NULL. thread 0: __libc_lock_unlock thread 1: __libc_lock_lock in __on_exit thread 1: __new_exitfn thread 1: if (__exit_funcs_done) // false: thread 0 isn't there yet. thread 1: l = *listp thread 1: moves one and crashes on assert (l != NULL); The test needs multiple iterations to consistently fail without the fix. --- stdlib/Makefile | 4 +- stdlib/exit.c | 28 ++++++--- stdlib/test-cxa_atexit-race2.c | 109 +++++++++++++++++++++++++++++++++ 3 files changed, 130 insertions(+), 11 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index b3b30ab73e..f5755a1654 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -100,6 +101,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-tst-canon-bz26341 = $(shared-thread-library) diff --git a/stdlib/exit.c b/stdlib/exit.c index bed82733ad..f095b38ab3 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, if (run_dtors) __call_tls_dtors (); + __libc_lock_lock (__exit_funcs_lock); + /* We do it this way to handle recursive calls to exit () made by the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, { struct exit_function_list *cur; - __libc_lock_lock (__exit_funcs_lock); - restart: cur = *listp; @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Exit processing complete. We will not allow any more atexit/on_exit registrations. */ __exit_funcs_done = true; - __libc_lock_unlock (__exit_funcs_lock); break; } @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, allocate element. */ free (cur); - __libc_lock_unlock (__exit_funcs_lock); } + __libc_lock_unlock (__exit_funcs_lock); + if (run_list_atexit) RUN_HOOK (__libc_atexit, ()); diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..9ab110ebaf --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,109 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. exhibited + data race while calling destructors. + + This test registers destructors from the background thread, and checks that + the same destructor is not called more than once. */ + +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> +#include <sys/wait.h> +#include <unistd.h> + +static atomic_int registered; +static atomic_int todo = 100000; + +static void +atexit_cb (void *arg) +{ + atomic_fetch_sub (®istered, 1); + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; + + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) + ; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + + +static void * +thread_func (void *arg) +{ + void *cb_arg = NULL; + while (atomic_load (&todo) > 0) + if (atomic_load(®istered) < 10000) { + int n = 10; + for (int i = 0; i < n; ++i) __cxa_atexit(&atexit_cb, ++cb_arg, 0); + atomic_fetch_add(®istered, n); + atomic_fetch_sub(&todo, n); + } + return 0; +} + +static void +test_and_exit (void) +{ + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + xpthread_create (&attr, thread_func, NULL); + xpthread_attr_destroy (&attr); + while (!atomic_load (®istered)) + ; + exit (0); +} + +static int +do_test (void) +{ + for (int i = 0; i < 20; ++i) + { + for (int i = 0; i < 10; ++i) + if (fork () == 0) + test_and_exit (); + + int status; + while (wait (&status) > 0) + { + if (!WIFEXITED (status)) + { + printf ("Failed interation %d\n", i); + abort (); + } + } + } + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.31.1.498.g6c1eba8ee3d-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-26 19:20 ` Vitaly Buka @ 2021-04-26 19:23 ` Vitaly Buka 2021-04-26 19:27 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-26 19:23 UTC (permalink / raw) To: GLIBC Devel The last patch removes static cb_arg and improves description of race case 2. On Mon, 26 Apr 2021 at 12:20, Vitaly Buka <vitalybuka@google.com> wrote: > Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 > > Keep __exit_funcs_lock almost all the time and unlock it only to execute > callbacks. This fixed two issues. > > 1. f->func.cxa was modified outside the lock with rare data race like: > thread 0: __run_exit_handlers unlock __exit_funcs_lock > thread 1: __internal_atexit locks __exit_funcs_lock > thread 0: f->flavor = ef_free; > thread 1: sees ef_free and use it as new > thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; > thread 1: new->func.cxa.arg = arg; > thread 1: new->flavor = ef_cxa; > thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! > thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! > thread 0: goto restart; > thread 0: call the same exit_function again as it's ef_cxa > > 2. Don't unlock in main while loop after *listp = cur->next. If *listp > is NULL and __exit_funcs_done is false another thread may fail in > __new_exitfn on assert (l != NULL): > thread 0: *listp = cur->next; // It can be the last: *listp = > NULL. > thread 0: __libc_lock_unlock > thread 1: __libc_lock_lock in __on_exit > thread 1: __new_exitfn > thread 1: if (__exit_funcs_done) // false: thread 0 isn't there > yet. > thread 1: l = *listp > thread 1: moves one and crashes on assert (l != NULL); > > The test needs multiple iterations to consistently fail without the fix. > --- > stdlib/Makefile | 4 +- > stdlib/exit.c | 28 ++++++--- > stdlib/test-cxa_atexit-race2.c | 109 +++++++++++++++++++++++++++++++++ > 3 files changed, 130 insertions(+), 11 deletions(-) > create mode 100644 stdlib/test-cxa_atexit-race2.c > > diff --git a/stdlib/Makefile b/stdlib/Makefile > index b3b30ab73e..f5755a1654 100644 > --- a/stdlib/Makefile > +++ b/stdlib/Makefile > @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand > testsort testdiv \ > tst-width-stdint tst-strfrom tst-strfrom-locale > \ > tst-getrandom tst-atexit tst-at_quick_exit > \ > tst-cxa_atexit tst-on_exit test-atexit-race > \ > - test-at_quick_exit-race test-cxa_atexit-race > \ > + test-at_quick_exit-race test-cxa_atexit-race > \ > + test-cxa_atexit-race2 > \ > test-on_exit-race test-dlclose-exit-race > \ > tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ > tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ > @@ -100,6 +101,7 @@ endif > LDLIBS-test-atexit-race = $(shared-thread-library) > LDLIBS-test-at_quick_exit-race = $(shared-thread-library) > LDLIBS-test-cxa_atexit-race = $(shared-thread-library) > +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) > LDLIBS-test-on_exit-race = $(shared-thread-library) > LDLIBS-tst-canon-bz26341 = $(shared-thread-library) > > diff --git a/stdlib/exit.c b/stdlib/exit.c > index bed82733ad..f095b38ab3 100644 > --- a/stdlib/exit.c > +++ b/stdlib/exit.c > @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > if (run_dtors) > __call_tls_dtors (); > > + __libc_lock_lock (__exit_funcs_lock); > + > /* We do it this way to handle recursive calls to exit () made by > the functions registered with `atexit' and `on_exit'. We call > everyone on the list and use the status value in the last > @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > { > struct exit_function_list *cur; > > - __libc_lock_lock (__exit_funcs_lock); > - > restart: > cur = *listp; > > @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > /* Exit processing complete. We will not allow any more > atexit/on_exit registrations. */ > __exit_funcs_done = true; > - __libc_lock_unlock (__exit_funcs_lock); > break; > } > > @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > struct exit_function *const f = &cur->fns[--cur->idx]; > const uint64_t new_exitfn_called = __new_exitfn_called; > > - /* Unlock the list while we call a foreign function. */ > - __libc_lock_unlock (__exit_funcs_lock); > switch (f->flavor) > { > void (*atfct) (void); > void (*onfct) (int status, void *arg); > void (*cxafct) (void *arg, int status); > + void *arg; > > case ef_free: > case ef_us: > break; > case ef_on: > onfct = f->func.on.fn; > + arg = f->func.on.arg; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (onfct); > #endif > - onfct (status, f->func.on.arg); > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > + onfct (status, arg); > + __libc_lock_lock (__exit_funcs_lock); > break; > case ef_at: > atfct = f->func.at; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (atfct); > #endif > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > atfct (); > + __libc_lock_lock (__exit_funcs_lock); > break; > case ef_cxa: > /* To avoid dlclose/exit race calling cxafct twice (BZ > 22180), > we must mark this function as ef_free. */ > f->flavor = ef_free; > cxafct = f->func.cxa.fn; > + arg = f->func.cxa.arg; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (cxafct); > #endif > - cxafct (f->func.cxa.arg, status); > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > + cxafct (arg, status); > + __libc_lock_lock (__exit_funcs_lock); > break; > } > - /* Re-lock again before looking at global state. */ > - __libc_lock_lock (__exit_funcs_lock); > > if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) > /* The last exit function, or another thread, has registered > @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > allocate element. */ > free (cur); > > - __libc_lock_unlock (__exit_funcs_lock); > } > > + __libc_lock_unlock (__exit_funcs_lock); > + > if (run_list_atexit) > RUN_HOOK (__libc_atexit, ()); > > diff --git a/stdlib/test-cxa_atexit-race2.c > b/stdlib/test-cxa_atexit-race2.c > new file mode 100644 > index 0000000000..9ab110ebaf > --- /dev/null > +++ b/stdlib/test-cxa_atexit-race2.c > @@ -0,0 +1,109 @@ > +/* Support file for atexit/exit, etc. race tests. > + Copyright (C) 2017-2021 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + <https://www.gnu.org/licenses/>. */ > + > +/* This file must be run from within a directory called "stdlib". */ > + > +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. > exhibited > + data race while calling destructors. > + > + This test registers destructors from the background thread, and checks > that > + the same destructor is not called more than once. */ > + > +#include <stdatomic.h> > +#include <stdio.h> > +#include <stdlib.h> > +#include <support/xthread.h> > +#include <sys/wait.h> > +#include <unistd.h> > + > +static atomic_int registered; > +static atomic_int todo = 100000; > + > +static void > +atexit_cb (void *arg) > +{ > + atomic_fetch_sub (®istered, 1); > + static void *prev; > + if (arg == prev) > + { > + printf ("%p\n", arg); > + abort (); > + } > + prev = arg; > + > + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) > + ; > +} > + > +int __cxa_atexit (void (*func) (void *), void *arg, void *d); > + > + > +static void * > +thread_func (void *arg) > +{ > + void *cb_arg = NULL; > + while (atomic_load (&todo) > 0) > + if (atomic_load(®istered) < 10000) { > + int n = 10; > + for (int i = 0; i < n; ++i) __cxa_atexit(&atexit_cb, ++cb_arg, 0); > + atomic_fetch_add(®istered, n); > + atomic_fetch_sub(&todo, n); > + } > + return 0; > +} > + > +static void > +test_and_exit (void) > +{ > + pthread_attr_t attr; > + > + xpthread_attr_init (&attr); > + xpthread_attr_setdetachstate (&attr, 1); > + > + xpthread_create (&attr, thread_func, NULL); > + xpthread_attr_destroy (&attr); > + while (!atomic_load (®istered)) > + ; > + exit (0); > +} > + > +static int > +do_test (void) > +{ > + for (int i = 0; i < 20; ++i) > + { > + for (int i = 0; i < 10; ++i) > + if (fork () == 0) > + test_and_exit (); > + > + int status; > + while (wait (&status) > 0) > + { > + if (!WIFEXITED (status)) > + { > + printf ("Failed interation %d\n", i); > + abort (); > + } > + } > + } > + > + exit (0); > +} > + > +#define TEST_FUNCTION do_test > +#include <support/test-driver.c> > -- > 2.31.1.498.g6c1eba8ee3d-goog > > ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-26 19:23 ` Vitaly Buka @ 2021-04-26 19:27 ` Vitaly Buka 2021-05-13 13:15 ` Adhemerval Zanella 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-26 19:27 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL): thread 0: *listp = cur->next; // It can be the last: *listp = NULL. thread 0: __libc_lock_unlock thread 1: __libc_lock_lock in __on_exit thread 1: __new_exitfn thread 1: if (__exit_funcs_done) // false: thread 0 isn't there yet. thread 1: l = *listp thread 1: moves one and crashes on assert (l != NULL); The test needs multiple iterations to consistently fail without the fix. --- stdlib/Makefile | 4 +- stdlib/exit.c | 28 ++++++--- stdlib/test-cxa_atexit-race2.c | 110 +++++++++++++++++++++++++++++++++ 3 files changed, 131 insertions(+), 11 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index b3b30ab73e..f5755a1654 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -100,6 +101,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-tst-canon-bz26341 = $(shared-thread-library) diff --git a/stdlib/exit.c b/stdlib/exit.c index bed82733ad..f095b38ab3 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, if (run_dtors) __call_tls_dtors (); + __libc_lock_lock (__exit_funcs_lock); + /* We do it this way to handle recursive calls to exit () made by the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, { struct exit_function_list *cur; - __libc_lock_lock (__exit_funcs_lock); - restart: cur = *listp; @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Exit processing complete. We will not allow any more atexit/on_exit registrations. */ __exit_funcs_done = true; - __libc_lock_unlock (__exit_funcs_lock); break; } @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, allocate element. */ free (cur); - __libc_lock_unlock (__exit_funcs_lock); } + __libc_lock_unlock (__exit_funcs_lock); + if (run_list_atexit) RUN_HOOK (__libc_atexit, ()); diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..d8c3d418e7 --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,110 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. exhibited + data race while calling destructors. + + This test registers destructors from the background thread, and checks that + the same destructor is not called more than once. */ + +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> +#include <sys/wait.h> +#include <unistd.h> + +static atomic_int registered; +static atomic_int todo = 100000; + +static void +atexit_cb (void *arg) +{ + atomic_fetch_sub (®istered, 1); + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; + + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) + ; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void * +thread_func (void *arg) +{ + void *cb_arg = NULL; + while (atomic_load (&todo) > 0) + if (atomic_load (®istered) < 10000) + { + int n = 10; + for (int i = 0; i < n; ++i) + __cxa_atexit (&atexit_cb, ++cb_arg, 0); + atomic_fetch_add (®istered, n); + atomic_fetch_sub (&todo, n); + } + return 0; +} + +static void +test_and_exit (void) +{ + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + xpthread_create (&attr, thread_func, NULL); + xpthread_attr_destroy (&attr); + while (!atomic_load (®istered)) + ; + exit (0); +} + +static int +do_test (void) +{ + for (int i = 0; i < 20; ++i) + { + for (int i = 0; i < 10; ++i) + if (fork () == 0) + test_and_exit (); + + int status; + while (wait (&status) > 0) + { + if (!WIFEXITED (status)) + { + printf ("Failed interation %d\n", i); + abort (); + } + } + } + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.31.1.498.g6c1eba8ee3d-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-26 19:27 ` Vitaly Buka @ 2021-05-13 13:15 ` Adhemerval Zanella 2021-05-14 6:50 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Adhemerval Zanella @ 2021-05-13 13:15 UTC (permalink / raw) To: Vitaly Buka, libc-alpha On 26/04/2021 16:27, Vitaly Buka via Libc-alpha wrote: > Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 > > Keep __exit_funcs_lock almost all the time and unlock it only to execute > callbacks. This fixed two issues. > > 1. f->func.cxa was modified outside the lock with rare data race like: > thread 0: __run_exit_handlers unlock __exit_funcs_lock > thread 1: __internal_atexit locks __exit_funcs_lock > thread 0: f->flavor = ef_free; > thread 1: sees ef_free and use it as new > thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; > thread 1: new->func.cxa.arg = arg; > thread 1: new->flavor = ef_cxa; > thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! > thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! > thread 0: goto restart; > thread 0: call the same exit_function again as it's ef_cxa Ok, the small window between fetching the function pointer and argument from the list is triggering a race condition. > > 2. Don't unlock in main while loop after *listp = cur->next. If *listp > is NULL and __exit_funcs_done is false another thread may fail in > __new_exitfn on assert (l != NULL): > thread 0: *listp = cur->next; // It can be the last: *listp = NULL. > thread 0: __libc_lock_unlock > thread 1: __libc_lock_lock in __on_exit > thread 1: __new_exitfn > thread 1: if (__exit_funcs_done) // false: thread 0 isn't there yet. > thread 1: l = *listp > thread 1: moves one and crashes on assert (l != NULL); Yeah, this is tricky but it does look correct. I guess the lock/unlock during the loop was added to give a chance to concurrent __cxa_atexit / on_exit to have a chance to add a new callback, but it also only complicates things as you noted. We might try to fix it on the __new_exitfn (to avoid the assert), but I see the current approach of locking the list and only unlocking while running the callback is the right approach. The patch look ok in general, I added some comments below. I have adjusted the patch based on my comments [1], if you are ok with them I can push it upstream. [1] https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/azanella/bz27749-atexit-fix > > The test needs multiple iterations to consistently fail without the fix. > --- > stdlib/Makefile | 4 +- > stdlib/exit.c | 28 ++++++--- > stdlib/test-cxa_atexit-race2.c | 110 +++++++++++++++++++++++++++++++++ > 3 files changed, 131 insertions(+), 11 deletions(-) > create mode 100644 stdlib/test-cxa_atexit-race2.c > > diff --git a/stdlib/Makefile b/stdlib/Makefile > index b3b30ab73e..f5755a1654 100644 > --- a/stdlib/Makefile > +++ b/stdlib/Makefile > @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ > tst-width-stdint tst-strfrom tst-strfrom-locale \ > tst-getrandom tst-atexit tst-at_quick_exit \ > tst-cxa_atexit tst-on_exit test-atexit-race \ > - test-at_quick_exit-race test-cxa_atexit-race \ > + test-at_quick_exit-race test-cxa_atexit-race \ > + test-cxa_atexit-race2 \ > test-on_exit-race test-dlclose-exit-race \ > tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ > tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ > @@ -100,6 +101,7 @@ endif > LDLIBS-test-atexit-race = $(shared-thread-library) > LDLIBS-test-at_quick_exit-race = $(shared-thread-library) > LDLIBS-test-cxa_atexit-race = $(shared-thread-library) > +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) > LDLIBS-test-on_exit-race = $(shared-thread-library) > LDLIBS-tst-canon-bz26341 = $(shared-thread-library) > > diff --git a/stdlib/exit.c b/stdlib/exit.c > index bed82733ad..f095b38ab3 100644 > --- a/stdlib/exit.c > +++ b/stdlib/exit.c > @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, > if (run_dtors) > __call_tls_dtors (); > > + __libc_lock_lock (__exit_funcs_lock); > + > /* We do it this way to handle recursive calls to exit () made by > the functions registered with `atexit' and `on_exit'. We call > everyone on the list and use the status value in the last Ok, it avoids the second race condition. > @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, > { > struct exit_function_list *cur; > > - __libc_lock_lock (__exit_funcs_lock); > - > restart: > cur = *listp; > I think there is no need use the goto anymore, since there is no need to unlock the lock within the loop (the goto can be just a continue). > @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, > /* Exit processing complete. We will not allow any more > atexit/on_exit registrations. */ > __exit_funcs_done = true; > - __libc_lock_unlock (__exit_funcs_lock); > break; > } > Ok, there is no need to unlock on break anymore. > @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, > struct exit_function *const f = &cur->fns[--cur->idx]; > const uint64_t new_exitfn_called = __new_exitfn_called; > > - /* Unlock the list while we call a foreign function. */ > - __libc_lock_unlock (__exit_funcs_lock); > switch (f->flavor) > { > void (*atfct) (void); > void (*onfct) (int status, void *arg); > void (*cxafct) (void *arg, int status); > + void *arg; > > case ef_free: > case ef_us: > break; > case ef_on: > onfct = f->func.on.fn; > + arg = f->func.on.arg; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (onfct); > #endif > - onfct (status, f->func.on.arg); > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > + onfct (status, arg); > + __libc_lock_lock (__exit_funcs_lock); > break; > case ef_at: > atfct = f->func.at; Ok. > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (atfct); > #endif > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > atfct (); > + __libc_lock_lock (__exit_funcs_lock); > break; Ok. > case ef_cxa: > /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), > we must mark this function as ef_free. */ > f->flavor = ef_free; > cxafct = f->func.cxa.fn; > + arg = f->func.cxa.arg; > #ifdef PTR_DEMANGLE > PTR_DEMANGLE (cxafct); > #endif > - cxafct (f->func.cxa.arg, status); > + /* Unlock the list while we call a foreign function. */ > + __libc_lock_unlock (__exit_funcs_lock); > + cxafct (arg, status); > + __libc_lock_lock (__exit_funcs_lock); > break; > } > - /* Re-lock again before looking at global state. */ > - __libc_lock_lock (__exit_funcs_lock); > > if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) > /* The last exit function, or another thread, has registered Ok. > @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, > allocate element. */ > free (cur); > > - __libc_lock_unlock (__exit_funcs_lock); Just remove the extra newline below as well. > } > > + __libc_lock_unlock (__exit_funcs_lock); > + > if (run_list_atexit) > RUN_HOOK (__libc_atexit, ()); > Ok. > diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c > new file mode 100644 > index 0000000000..d8c3d418e7 > --- /dev/null > +++ b/stdlib/test-cxa_atexit-race2.c > @@ -0,0 +1,110 @@ > +/* Support file for atexit/exit, etc. race tests. I think it would be good to add a reference to the bug report. > + Copyright (C) 2017-2021 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + <https://www.gnu.org/licenses/>. */ > + > +/* This file must be run from within a directory called "stdlib". */ I don't think this true. > + > +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. exhibited > + data race while calling destructors. > + > + This test registers destructors from the background thread, and checks that > + the same destructor is not called more than once. */ > + > +#include <stdatomic.h> > +#include <stdio.h> > +#include <stdlib.h> > +#include <support/xthread.h> > +#include <sys/wait.h> > +#include <unistd.h> > + > +static atomic_int registered; > +static atomic_int todo = 100000; > + > +static void > +atexit_cb (void *arg) > +{ > + atomic_fetch_sub (®istered, 1); > + static void *prev; > + if (arg == prev) > + { > + printf ("%p\n", arg); > + abort (); Use FAIL_EXIT1 here. > + } > + prev = arg; > + > + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) > + ; > +} > + > +int __cxa_atexit (void (*func) (void *), void *arg, void *d); > + > +static void * > +thread_func (void *arg) > +{ > + void *cb_arg = NULL; > + while (atomic_load (&todo) > 0) Add a open bracket here. > + if (atomic_load (®istered) < 10000) > + { > + int n = 10; > + for (int i = 0; i < n; ++i) > + __cxa_atexit (&atexit_cb, ++cb_arg, 0); > + atomic_fetch_add (®istered, n); > + atomic_fetch_sub (&todo, n); > + } > + return 0; Use NULL here. > +} > + > +static void I would add a _Noreturn here. > +test_and_exit (void) > +{ > + pthread_attr_t attr; > + > + xpthread_attr_init (&attr); > + xpthread_attr_setdetachstate (&attr, 1); > + > + xpthread_create (&attr, thread_func, NULL); > + xpthread_attr_destroy (&attr); > + while (!atomic_load (®istered)) Check for 0 here (unless the return value is a bool the type check should be explicit). > + ; > + exit (0); > +} > + > +static int > +do_test (void) > +{ > + for (int i = 0; i < 20; ++i) > + { > + for (int i = 0; i < 10; ++i) > + if (fork () == 0) Use xfork. > + test_and_exit (); > + > + int status; > + while (wait (&status) > 0) > + { > + if (!WIFEXITED (status)) I prefer if we limit the number of wait call to check for invalid return codes: for (int i = 0; i < 10; ++i) { int status; xwaitpid (0, &status, 0); if (!WIFEXITED (status)) FAIL_EXIT1 ("Failed iterations %d", i); TEST_COMPARE (WEXITSTATUS (status), 0); } > + { > + printf ("Failed interation %d\n", i); > + abort (); Use FAIL_EXIT1 here. > + } > + } > + } > + > + exit (0); There is no need to add an exit here. > +} > + > +#define TEST_FUNCTION do_test > +#include <support/test-driver.c> > ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-05-13 13:15 ` Adhemerval Zanella @ 2021-05-14 6:50 ` Vitaly Buka 0 siblings, 0 replies; 24+ messages in thread From: Vitaly Buka @ 2021-05-14 6:50 UTC (permalink / raw) To: Adhemerval Zanella; +Cc: GLIBC Devel Thank you. These improvements look good to me. Please push it. On Thu, 13 May 2021 at 06:15, Adhemerval Zanella < adhemerval.zanella@linaro.org> wrote: > > > On 26/04/2021 16:27, Vitaly Buka via Libc-alpha wrote: > > Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 > > > > Keep __exit_funcs_lock almost all the time and unlock it only to execute > > callbacks. This fixed two issues. > > > > 1. f->func.cxa was modified outside the lock with rare data race like: > > thread 0: __run_exit_handlers unlock __exit_funcs_lock > > thread 1: __internal_atexit locks __exit_funcs_lock > > thread 0: f->flavor = ef_free; > > thread 1: sees ef_free and use it as new > > thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; > > thread 1: new->func.cxa.arg = arg; > > thread 1: new->flavor = ef_cxa; > > thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! > > thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! > > thread 0: goto restart; > > thread 0: call the same exit_function again as it's ef_cxa > > Ok, the small window between fetching the function pointer and argument > from the list is triggering a race condition. > > > > > 2. Don't unlock in main while loop after *listp = cur->next. If *listp > > is NULL and __exit_funcs_done is false another thread may fail in > > __new_exitfn on assert (l != NULL): > > thread 0: *listp = cur->next; // It can be the last: *listp = > NULL. > > thread 0: __libc_lock_unlock > > thread 1: __libc_lock_lock in __on_exit > > thread 1: __new_exitfn > > thread 1: if (__exit_funcs_done) // false: thread 0 isn't there > yet. > > thread 1: l = *listp > > thread 1: moves one and crashes on assert (l != NULL); > > Yeah, this is tricky but it does look correct. I guess the lock/unlock > during the loop was added to give a chance to concurrent > __cxa_atexit / on_exit to have a chance to add a new callback, but it > also only complicates things as you noted. We might try to fix it on the > __new_exitfn (to avoid the assert), but I see the current approach of > locking the list and only unlocking while running the callback is the > right approach. > > The patch look ok in general, I added some comments below. I have > adjusted the patch based on my comments [1], if you are ok with them > I can push it upstream. > > [1] > https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/azanella/bz27749-atexit-fix > > > > > The test needs multiple iterations to consistently fail without the fix. > > --- > > stdlib/Makefile | 4 +- > > stdlib/exit.c | 28 ++++++--- > > stdlib/test-cxa_atexit-race2.c | 110 +++++++++++++++++++++++++++++++++ > > 3 files changed, 131 insertions(+), 11 deletions(-) > > create mode 100644 stdlib/test-cxa_atexit-race2.c > > > > diff --git a/stdlib/Makefile b/stdlib/Makefile > > index b3b30ab73e..f5755a1654 100644 > > --- a/stdlib/Makefile > > +++ b/stdlib/Makefile > > @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb > testrand testsort testdiv \ > > tst-width-stdint tst-strfrom tst-strfrom-locale > \ > > tst-getrandom tst-atexit tst-at_quick_exit > \ > > tst-cxa_atexit tst-on_exit test-atexit-race > \ > > - test-at_quick_exit-race test-cxa_atexit-race > \ > > + test-at_quick_exit-race test-cxa_atexit-race > \ > > + test-cxa_atexit-race2 > \ > > test-on_exit-race test-dlclose-exit-race > \ > > tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ > > tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ > > @@ -100,6 +101,7 @@ endif > > LDLIBS-test-atexit-race = $(shared-thread-library) > > LDLIBS-test-at_quick_exit-race = $(shared-thread-library) > > LDLIBS-test-cxa_atexit-race = $(shared-thread-library) > > +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) > > LDLIBS-test-on_exit-race = $(shared-thread-library) > > LDLIBS-tst-canon-bz26341 = $(shared-thread-library) > > > > diff --git a/stdlib/exit.c b/stdlib/exit.c > > index bed82733ad..f095b38ab3 100644 > > --- a/stdlib/exit.c > > +++ b/stdlib/exit.c > > @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > > if (run_dtors) > > __call_tls_dtors (); > > > > + __libc_lock_lock (__exit_funcs_lock); > > + > > /* We do it this way to handle recursive calls to exit () made by > > the functions registered with `atexit' and `on_exit'. We call > > everyone on the list and use the status value in the last > > Ok, it avoids the second race condition. > > > @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > > { > > struct exit_function_list *cur; > > > > - __libc_lock_lock (__exit_funcs_lock); > > - > > restart: > > cur = *listp; > > > > I think there is no need use the goto anymore, since there is no need > to unlock the lock within the loop (the goto can be just a continue). > > > @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > > /* Exit processing complete. We will not allow any more > > atexit/on_exit registrations. */ > > __exit_funcs_done = true; > > - __libc_lock_unlock (__exit_funcs_lock); > > break; > > } > > > > Ok, there is no need to unlock on break anymore. > > > @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > > struct exit_function *const f = &cur->fns[--cur->idx]; > > const uint64_t new_exitfn_called = __new_exitfn_called; > > > > - /* Unlock the list while we call a foreign function. */ > > - __libc_lock_unlock (__exit_funcs_lock); > > switch (f->flavor) > > { > > void (*atfct) (void); > > void (*onfct) (int status, void *arg); > > void (*cxafct) (void *arg, int status); > > + void *arg; > > > > case ef_free: > > case ef_us: > > break; > > case ef_on: > > onfct = f->func.on.fn; > > + arg = f->func.on.arg; > > #ifdef PTR_DEMANGLE > > PTR_DEMANGLE (onfct); > > #endif > > - onfct (status, f->func.on.arg); > > + /* Unlock the list while we call a foreign function. */ > > + __libc_lock_unlock (__exit_funcs_lock); > > + onfct (status, arg); > > + __libc_lock_lock (__exit_funcs_lock); > > break; > > case ef_at: > > atfct = f->func.at; > > Ok. > > > #ifdef PTR_DEMANGLE > > PTR_DEMANGLE (atfct); > > #endif > > + /* Unlock the list while we call a foreign function. */ > > + __libc_lock_unlock (__exit_funcs_lock); > > atfct (); > > + __libc_lock_lock (__exit_funcs_lock); > > break; > > Ok. > > > case ef_cxa: > > /* To avoid dlclose/exit race calling cxafct twice (BZ > 22180), > > we must mark this function as ef_free. */ > > f->flavor = ef_free; > > cxafct = f->func.cxa.fn; > > + arg = f->func.cxa.arg; > > #ifdef PTR_DEMANGLE > > PTR_DEMANGLE (cxafct); > > #endif > > - cxafct (f->func.cxa.arg, status); > > + /* Unlock the list while we call a foreign function. */ > > + __libc_lock_unlock (__exit_funcs_lock); > > + cxafct (arg, status); > > + __libc_lock_lock (__exit_funcs_lock); > > break; > > } > > - /* Re-lock again before looking at global state. */ > > - __libc_lock_lock (__exit_funcs_lock); > > > > if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) > > /* The last exit function, or another thread, has registered > > Ok. > > > @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct > exit_function_list **listp, > > allocate element. */ > > free (cur); > > > > - __libc_lock_unlock (__exit_funcs_lock); > > Just remove the extra newline below as well. > > > } > > > > + __libc_lock_unlock (__exit_funcs_lock); > > + > > if (run_list_atexit) > > RUN_HOOK (__libc_atexit, ()); > > > > Ok. > > > diff --git a/stdlib/test-cxa_atexit-race2.c > b/stdlib/test-cxa_atexit-race2.c > > new file mode 100644 > > index 0000000000..d8c3d418e7 > > --- /dev/null > > +++ b/stdlib/test-cxa_atexit-race2.c > > @@ -0,0 +1,110 @@ > > +/* Support file for atexit/exit, etc. race tests. > > I think it would be good to add a reference to the bug report. > > > + Copyright (C) 2017-2021 Free Software Foundation, Inc. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it and/or > > + modify it under the terms of the GNU Lesser General Public > > + License as published by the Free Software Foundation; either > > + version 2.1 of the License, or (at your option) any later version. > > + > > + The GNU C Library is distributed in the hope that it will be useful, > > + but WITHOUT ANY WARRANTY; without even the implied warranty of > > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > + Lesser General Public License for more details. > > + > > + You should have received a copy of the GNU Lesser General Public > > + License along with the GNU C Library; if not, see > > + <https://www.gnu.org/licenses/>. */ > > + > > +/* This file must be run from within a directory called "stdlib". */ > > I don't think this true. > > > + > > +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. > exhibited > > + data race while calling destructors. > > + > > + This test registers destructors from the background thread, and > checks that > > + the same destructor is not called more than once. */ > > + > > +#include <stdatomic.h> > > +#include <stdio.h> > > +#include <stdlib.h> > > +#include <support/xthread.h> > > +#include <sys/wait.h> > > +#include <unistd.h> > > + > > +static atomic_int registered; > > +static atomic_int todo = 100000; > > + > > +static void > > +atexit_cb (void *arg) > > +{ > > + atomic_fetch_sub (®istered, 1); > > + static void *prev; > > + if (arg == prev) > > + { > > + printf ("%p\n", arg); > > + abort (); > > Use FAIL_EXIT1 here. > > > + } > > + prev = arg; > > + > > + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) > > + ; > > +} > > + > > +int __cxa_atexit (void (*func) (void *), void *arg, void *d); > > + > > +static void * > > +thread_func (void *arg) > > +{ > > + void *cb_arg = NULL; > > + while (atomic_load (&todo) > 0) > > Add a open bracket here. > > > + if (atomic_load (®istered) < 10000) > > + { > > + int n = 10; > > + for (int i = 0; i < n; ++i) > > + __cxa_atexit (&atexit_cb, ++cb_arg, 0); > > + atomic_fetch_add (®istered, n); > > + atomic_fetch_sub (&todo, n); > > + } > > + return 0; > > Use NULL here. > > > +} > > + > > +static void > > I would add a _Noreturn here. > > > +test_and_exit (void) > > +{ > > + pthread_attr_t attr; > > + > > + xpthread_attr_init (&attr); > > + xpthread_attr_setdetachstate (&attr, 1); > > + > > + xpthread_create (&attr, thread_func, NULL); > > + xpthread_attr_destroy (&attr); > > + while (!atomic_load (®istered)) > > Check for 0 here (unless the return value is a bool the type check > should be explicit). > > > + ; > > + exit (0); > > +} > > + > > +static int > > +do_test (void) > > +{ > > + for (int i = 0; i < 20; ++i) > > + { > > + for (int i = 0; i < 10; ++i) > > + if (fork () == 0) > > Use xfork. > > > + test_and_exit (); > > + > > + int status; > > + while (wait (&status) > 0) > > + { > > + if (!WIFEXITED (status)) > > I prefer if we limit the number of wait call to check for invalid > return codes: > > for (int i = 0; i < 10; ++i) > { > int status; > xwaitpid (0, &status, 0); > if (!WIFEXITED (status)) > FAIL_EXIT1 ("Failed iterations %d", i); > TEST_COMPARE (WEXITSTATUS (status), 0); > } > > > + { > > + printf ("Failed interation %d\n", i); > > + abort (); > > Use FAIL_EXIT1 here. > > > + } > > + } > > + } > > + > > + exit (0); > > There is no need to add an exit here. > > > +} > > + > > +#define TEST_FUNCTION do_test > > +#include <support/test-driver.c> > > > ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2020-09-30 16:01 ` Joseph Myers 2021-04-17 16:16 ` Vitaly Buka @ 2021-04-17 17:36 ` Paul Pluzhnikov 2021-04-17 20:19 ` Florian Weimer 1 sibling, 1 reply; 24+ messages in thread From: Paul Pluzhnikov @ 2021-04-17 17:36 UTC (permalink / raw) To: Joseph Myers; +Cc: Vitaly Buka, GLIBC Devel On Wed, Sep 30, 2020 at 9:01 AM Joseph Myers <joseph@codesourcery.com> wrote: > > Is there a bug report for this in Bugzilla? This is really a continuation of BZ#14333, a fix for which was incomplete. Do we want a new bug for this? -- Paul Pluzhnikov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-17 17:36 ` Paul Pluzhnikov @ 2021-04-17 20:19 ` Florian Weimer 2021-04-19 2:48 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Florian Weimer @ 2021-04-17 20:19 UTC (permalink / raw) To: Paul Pluzhnikov via Libc-alpha; +Cc: Joseph Myers, Paul Pluzhnikov, Vitaly Buka * Paul Pluzhnikov via Libc-alpha: > On Wed, Sep 30, 2020 at 9:01 AM Joseph Myers <joseph@codesourcery.com> wrote: >> >> Is there a bug report for this in Bugzilla? > > This is really a continuation of BZ#14333, a fix for which was incomplete. > > Do we want a new bug for this? Yes, please. ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-17 20:19 ` Florian Weimer @ 2021-04-19 2:48 ` Vitaly Buka 2021-04-19 2:57 ` Vitaly Buka 0 siblings, 1 reply; 24+ messages in thread From: Vitaly Buka @ 2021-04-19 2:48 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL). The test needs multiple iterations to consistently fail without the fix. --- stdlib/Makefile | 4 +- stdlib/exit.c | 28 +++++--- stdlib/test-cxa_atexit-race2.c | 114 +++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+), 11 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index b3b30ab73e..f5755a1654 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -100,6 +101,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-tst-canon-bz26341 = $(shared-thread-library) diff --git a/stdlib/exit.c b/stdlib/exit.c index bed82733ad..f095b38ab3 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, if (run_dtors) __call_tls_dtors (); + __libc_lock_lock (__exit_funcs_lock); + /* We do it this way to handle recursive calls to exit () made by the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, { struct exit_function_list *cur; - __libc_lock_lock (__exit_funcs_lock); - restart: cur = *listp; @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Exit processing complete. We will not allow any more atexit/on_exit registrations. */ __exit_funcs_done = true; - __libc_lock_unlock (__exit_funcs_lock); break; } @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, allocate element. */ free (cur); - __libc_lock_unlock (__exit_funcs_lock); } + __libc_lock_unlock (__exit_funcs_lock); + if (run_list_atexit) RUN_HOOK (__libc_atexit, ()); diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..8f97ad2031 --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,114 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. exhibited + data race while calling destructors. + + This test registers destructors from the background thread, and checks that + the same destructor is not called more then once. */ + +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> +#include <sys/wait.h> +#include <unistd.h> + +static atomic_int registered; +static atomic_int todo = 100000; + +static void +atexit_cb (void *arg) +{ + atomic_fetch_sub (®istered, 1); + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; + + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) + ; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void *cb_arg = NULL; +static void +add_handlers (void) +{ + int n = 10; + for (int i = 0; i < n; ++i) + __cxa_atexit (&atexit_cb, ++cb_arg, 0); + atomic_fetch_add (®istered, n); + atomic_fetch_sub (&todo, n); +} + +static void * +thread_func (void *arg) +{ + while (atomic_load (&todo) > 0) + if (atomic_load (®istered) < 10000) + add_handlers (); + return 0; +} + +static void +test_and_exit (void) +{ + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + xpthread_create (&attr, thread_func, NULL); + xpthread_attr_destroy (&attr); + while (!atomic_load (®istered)) + ; + exit (0); +} + +static int +do_test (void) +{ + for (int i = 0; i < 20; ++i) + { + for (int i = 0; i < 10; ++i) + if (fork () == 0) + test_and_exit (); + + int status; + while (wait (&status) > 0) + { + if (!WIFEXITED (status)) + { + printf ("Failed interation %d\n", i); + abort (); + } + } + } + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.31.1.368.gbe11c130af-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH] stdlib: Fix data race in __run_exit_handlers 2021-04-19 2:48 ` Vitaly Buka @ 2021-04-19 2:57 ` Vitaly Buka 0 siblings, 0 replies; 24+ messages in thread From: Vitaly Buka @ 2021-04-19 2:57 UTC (permalink / raw) To: libc-alpha; +Cc: Vitaly Buka Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749 Keep __exit_funcs_lock almost all the time and unlock it only to execute callbacks. This fixed two issues. 1. f->func.cxa was modified outside the lock with rare data race like: thread 0: __run_exit_handlers unlock __exit_funcs_lock thread 1: __internal_atexit locks __exit_funcs_lock thread 0: f->flavor = ef_free; thread 1: sees ef_free and use it as new thread 1: new->func.cxa.fn = (void (*) (void *, int)) func; thread 1: new->func.cxa.arg = arg; thread 1: new->flavor = ef_cxa; thread 0: cxafct = f->func.cxa.fn; // it's wrong fn! thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg! thread 0: goto restart; thread 0: call the same exit_function again as it's ef_cxa 2. Don't unlock in main while loop after *listp = cur->next. If *listp is NULL and __exit_funcs_done is false another thread may fail in __new_exitfn on assert (l != NULL). The test needs multiple iterations to consistently fail without the fix. --- stdlib/Makefile | 4 +- stdlib/exit.c | 28 +++++--- stdlib/test-cxa_atexit-race2.c | 114 +++++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+), 11 deletions(-) create mode 100644 stdlib/test-cxa_atexit-race2.c diff --git a/stdlib/Makefile b/stdlib/Makefile index b3b30ab73e..f5755a1654 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -81,7 +81,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ tst-cxa_atexit tst-on_exit test-atexit-race \ - test-at_quick_exit-race test-cxa_atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-cxa_atexit-race2 \ test-on_exit-race test-dlclose-exit-race \ tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ @@ -100,6 +101,7 @@ endif LDLIBS-test-atexit-race = $(shared-thread-library) LDLIBS-test-at_quick_exit-race = $(shared-thread-library) LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race2 = $(shared-thread-library) LDLIBS-test-on_exit-race = $(shared-thread-library) LDLIBS-tst-canon-bz26341 = $(shared-thread-library) diff --git a/stdlib/exit.c b/stdlib/exit.c index bed82733ad..f095b38ab3 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -45,6 +45,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, if (run_dtors) __call_tls_dtors (); + __libc_lock_lock (__exit_funcs_lock); + /* We do it this way to handle recursive calls to exit () made by the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last @@ -53,8 +55,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, { struct exit_function_list *cur; - __libc_lock_lock (__exit_funcs_lock); - restart: cur = *listp; @@ -63,7 +63,6 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Exit processing complete. We will not allow any more atexit/on_exit registrations. */ __exit_funcs_done = true; - __libc_lock_unlock (__exit_funcs_lock); break; } @@ -72,44 +71,52 @@ __run_exit_handlers (int status, struct exit_function_list **listp, struct exit_function *const f = &cur->fns[--cur->idx]; const uint64_t new_exitfn_called = __new_exitfn_called; - /* Unlock the list while we call a foreign function. */ - __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); void (*onfct) (int status, void *arg); void (*cxafct) (void *arg, int status); + void *arg; case ef_free: case ef_us: break; case ef_on: onfct = f->func.on.fn; + arg = f->func.on.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (onfct); #endif - onfct (status, f->func.on.arg); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + onfct (status, arg); + __libc_lock_lock (__exit_funcs_lock); break; case ef_at: atfct = f->func.at; #ifdef PTR_DEMANGLE PTR_DEMANGLE (atfct); #endif + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); atfct (); + __libc_lock_lock (__exit_funcs_lock); break; case ef_cxa: /* To avoid dlclose/exit race calling cxafct twice (BZ 22180), we must mark this function as ef_free. */ f->flavor = ef_free; cxafct = f->func.cxa.fn; + arg = f->func.cxa.arg; #ifdef PTR_DEMANGLE PTR_DEMANGLE (cxafct); #endif - cxafct (f->func.cxa.arg, status); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafct (arg, status); + __libc_lock_lock (__exit_funcs_lock); break; } - /* Re-lock again before looking at global state. */ - __libc_lock_lock (__exit_funcs_lock); if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) /* The last exit function, or another thread, has registered @@ -123,9 +130,10 @@ __run_exit_handlers (int status, struct exit_function_list **listp, allocate element. */ free (cur); - __libc_lock_unlock (__exit_funcs_lock); } + __libc_lock_unlock (__exit_funcs_lock); + if (run_list_atexit) RUN_HOOK (__libc_atexit, ()); diff --git a/stdlib/test-cxa_atexit-race2.c b/stdlib/test-cxa_atexit-race2.c new file mode 100644 index 0000000000..27f142c6a3 --- /dev/null +++ b/stdlib/test-cxa_atexit-race2.c @@ -0,0 +1,114 @@ +/* Support file for atexit/exit, etc. race tests. + Copyright (C) 2017-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. exhibited + data race while calling destructors. + + This test registers destructors from the background thread, and checks that + the same destructor is not called more than once. */ + +#include <stdatomic.h> +#include <stdio.h> +#include <stdlib.h> +#include <support/xthread.h> +#include <sys/wait.h> +#include <unistd.h> + +static atomic_int registered; +static atomic_int todo = 100000; + +static void +atexit_cb (void *arg) +{ + atomic_fetch_sub (®istered, 1); + static void *prev; + if (arg == prev) + { + printf ("%p\n", arg); + abort (); + } + prev = arg; + + while (atomic_load (&todo) > 0 && atomic_load (®istered) < 100) + ; +} + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void *cb_arg = NULL; +static void +add_handlers (void) +{ + int n = 10; + for (int i = 0; i < n; ++i) + __cxa_atexit (&atexit_cb, ++cb_arg, 0); + atomic_fetch_add (®istered, n); + atomic_fetch_sub (&todo, n); +} + +static void * +thread_func (void *arg) +{ + while (atomic_load (&todo) > 0) + if (atomic_load (®istered) < 10000) + add_handlers (); + return 0; +} + +static void +test_and_exit (void) +{ + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + xpthread_create (&attr, thread_func, NULL); + xpthread_attr_destroy (&attr); + while (!atomic_load (®istered)) + ; + exit (0); +} + +static int +do_test (void) +{ + for (int i = 0; i < 20; ++i) + { + for (int i = 0; i < 10; ++i) + if (fork () == 0) + test_and_exit (); + + int status; + while (wait (&status) > 0) + { + if (!WIFEXITED (status)) + { + printf ("Failed interation %d\n", i); + abort (); + } + } + } + + exit (0); +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c> -- 2.31.1.368.gbe11c130af-goog ^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2021-05-14 6:51 UTC | newest] Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-09-20 9:57 [PATCH] stdlib: Fix data race in __run_exit_handlers Vitaly Buka 2020-09-20 12:09 ` Vitaly Buka 2020-09-20 20:41 ` Paul Pluzhnikov 2020-09-20 21:26 ` Vitaly Buka 2020-09-20 23:36 ` Vitaly Buka 2020-09-20 23:37 ` Vitaly Buka 2020-09-21 8:31 ` Vitaly Buka 2020-09-30 16:01 ` Joseph Myers 2021-04-17 16:16 ` Vitaly Buka 2021-04-17 17:11 ` Vitaly Buka 2021-04-17 17:13 ` Vitaly Buka 2021-04-17 17:22 ` Vitaly Buka 2021-04-17 18:01 ` Paul Pluzhnikov 2021-04-20 22:51 ` Vitaly Buka 2021-04-20 23:40 ` Paul Pluzhnikov 2021-04-26 19:20 ` Vitaly Buka 2021-04-26 19:23 ` Vitaly Buka 2021-04-26 19:27 ` Vitaly Buka 2021-05-13 13:15 ` Adhemerval Zanella 2021-05-14 6:50 ` Vitaly Buka 2021-04-17 17:36 ` Paul Pluzhnikov 2021-04-17 20:19 ` Florian Weimer 2021-04-19 2:48 ` Vitaly Buka 2021-04-19 2:57 ` Vitaly Buka
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).