Re: RFC: jemalloc: qdbus sigsegv in malloc_init

From: Konstantin Belousov <kostikbel_at_gmail.com> Date: Sun, 20 May 2012 20:24:19 +0300 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:27 UTC

On Sun, May 20, 2012 at 06:42:35PM +0200, Alberto Villa wrote:
> On Sun, May 20, 2012 at 8:03 AM, David Xu <listlog2011_at_gmail.com> wrote:
> > qdbus segfaults on my machine too, I tracked it down, and found the problem
> > is in QT,
> > it deleted current_thread_data_key,  but it still uses it in some cxa hooks,
> >  I  applied the
> > following patch,  and it works fine.
> 
> Thanks for the analysis David!
> 
> > I think the bug depends on linking order in QT library ? if the
> > qthread_unix.cpp is linked
> > as lastest module, the key will be deleted after all cxa hooks run, then it
> > will be fine,
> > otherwise, it would crash.
> 
> Is this really possible?
No, I do not think it is possible.

The only possibility for something weird happen is for atexit/__cxa_atexit
functions to be registered from another atexit function, and then we
indeed could call the newly registered function too late.

I wonder if the following hack makes any change in the observed behaviour.

diff --git a/lib/libc/stdlib/atexit.c b/lib/libc/stdlib/atexit.c
index 511172a..bab850c 100644
--- a/lib/libc/stdlib/atexit.c
+++ b/lib/libc/stdlib/atexit.c
_at__at_ -72,6 +72,7 _at__at_ struct atexit {
 };

 static struct atexit *__atexit;		/* points to head of LIFO stack */
+static int atexit_gen;

 /*
  * Register the function described by 'fptr' to be called at application
_at__at_ -107,6 +108,7 _at__at_ atexit_register(struct atexit_fn *fptr)
 		__atexit = p;
 	}
 	p->fns[p->ind++] = *fptr;
+	atexit_gen++;
 	_MUTEX_UNLOCK(&atexit_mutex);
 	return 0;
 }
_at__at_ -162,7 +164,7 _at__at_ __cxa_finalize(void *dso)
 	struct dl_phdr_info phdr_info;
 	struct atexit *p;
 	struct atexit_fn fn;
-	int n, has_phdr;
+	int atexit_gen_prev, n, has_phdr;

 	if (dso != NULL)
 		has_phdr = _rtld_addr_phdr(dso, &phdr_info);
_at__at_ -170,6 +172,8 _at__at_ __cxa_finalize(void *dso)
 		has_phdr = 0;

 	_MUTEX_LOCK(&atexit_mutex);
+retry:
+	atexit_gen_prev = atexit_gen;
 	for (p = __atexit; p; p = p->next) {
 		for (n = p->ind; --n >= 0;) {
 			if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
_at__at_ -196,6 +200,8 _at__at_ __cxa_finalize(void *dso)
 			_MUTEX_LOCK(&atexit_mutex);
 		}
 	}
+	if (atexit_gen_prev != atexit_gen)
+		goto retry;
 	_MUTEX_UNLOCK(&atexit_mutex);
 	if (dso == NULL)
 		_MUTEX_DESTROY(&atexit_mutex);