From owner-freebsd-threads@freebsd.org Thu Apr 11 09:12:11 2019 Return-Path: Delivered-To: freebsd-threads@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0091F157EC5C for ; Thu, 11 Apr 2019 09:12:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 8716885D9D for ; Thu, 11 Apr 2019 09:12:10 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: by mailman.ysv.freebsd.org (Postfix) id 4BCA9157EC5A; Thu, 11 Apr 2019 09:12:10 +0000 (UTC) Delivered-To: threads@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0FAF4157EC59 for ; Thu, 11 Apr 2019 09:12:10 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org [IPv6:2001:1900:2254:206a::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.ysv.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8719185D90 for ; Thu, 11 Apr 2019 09:12:09 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id C0BEBE60A for ; Thu, 11 Apr 2019 09:12:08 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id x3B9C8hQ059806 for ; Thu, 11 Apr 2019 09:12:08 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id x3B9C8Qc059798 for threads@FreeBSD.org; Thu, 11 Apr 2019 09:12:08 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: threads@FreeBSD.org Subject: [Bug 237195] pthread_mutex_unlock crash as unlocked mutex destroyed by signaled thread Date: Thu, 11 Apr 2019 09:12:08 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: threads X-Bugzilla-Version: 12.0-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: freebsd@hurrikhan.eu X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: threads@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.mimetype attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-threads@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Threading on FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2019 09:12:11 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D237195 Bug ID: 237195 Summary: pthread_mutex_unlock crash as unlocked mutex destroyed by signaled thread Product: Base System Version: 12.0-RELEASE Hardware: amd64 OS: Any Status: New Severity: Affects Many People Priority: --- Component: threads Assignee: threads@FreeBSD.org Reporter: freebsd@hurrikhan.eu Attachment #203579 text/plain mime type: Created attachment 203579 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D203579&action= =3Dedit A simple program to reproduce the issue. I have this program where N threads are communicating with one thread throu= gh messages. Some of theses messages are used to ensure synchronisation (e.g.: flush). Each messsage contain a mutex and a condition. When testing on FreeBSD 12.0, the program randomly crashed. Every clue was saying the mutex was destroyed while being unlocked. Given said program is pretty huge, I've written a small, simplified, code w= ith similar behaviour and it crashed the same way. #0 0x000000080065c93a in ?? () from /lib/libthr.so.3 #1 0x0000000000401dd8 in mcv_progress (mcv=3D0x801c1ac00) at mutex_test.c:= 365 (calling pthread_mutex_unlock) #2 0x0000000000401f46 in read_thread (arg=3D0x7fffffffdac0) at mutex_test.= c:412 #3 0x0000000800654776 in ?? () from /lib/libthr.so.3 I suspect what happens looks something like this: client/writer server/reader 1) queues message=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20 2) locks message.mutex 1) dequeues message 2) process message 3) waits for message.condition 3) locks message.mutex 4) signals message.condition 4) unlocks message.mutex 5) unlocks message.mutex 5) destroy message memory 6) somehow, still in pthread_mutex_unlock af= ter the client got the hand back, maybe acces= ses 6) frees message memory mutex content and crashes as it has been trashed The same program works fine under any load and parameters on several Linux versions and OSX 10.14.4. If this hypothesis verifies, I suppose it only affects programs rapidly creating and destroying mutexes(+conditions?). Please find attached the test program. To reproduce the issue, I ctrl-C the program after 5 seconds if it didn't c= rash and restart it immediately. Four or five tries of this are usually enough. --=20 You are receiving this mail because: You are the assignee for the bug.=