Date: Thu, 11 Apr 2019 09:12:08 +0000 From: bugzilla-noreply@freebsd.org To: threads@FreeBSD.org Subject: [Bug 237195] pthread_mutex_unlock crash as unlocked mutex destroyed by signaled thread Message-ID: <bug-237195-13406@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D237195 Bug ID: 237195 Summary: pthread_mutex_unlock crash as unlocked mutex destroyed by signaled thread Product: Base System Version: 12.0-RELEASE Hardware: amd64 OS: Any Status: New Severity: Affects Many People Priority: --- Component: threads Assignee: threads@FreeBSD.org Reporter: freebsd@hurrikhan.eu Attachment #203579 text/plain mime type: Created attachment 203579 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D203579&action= =3Dedit A simple program to reproduce the issue. I have this program where N threads are communicating with one thread throu= gh messages. Some of theses messages are used to ensure synchronisation (e.g.: flush). Each messsage contain a mutex and a condition. When testing on FreeBSD 12.0, the program randomly crashed. Every clue was saying the mutex was destroyed while being unlocked. Given said program is pretty huge, I've written a small, simplified, code w= ith similar behaviour and it crashed the same way. #0 0x000000080065c93a in ?? () from /lib/libthr.so.3 #1 0x0000000000401dd8 in mcv_progress (mcv=3D0x801c1ac00) at mutex_test.c:= 365 (calling pthread_mutex_unlock) #2 0x0000000000401f46 in read_thread (arg=3D0x7fffffffdac0) at mutex_test.= c:412 #3 0x0000000800654776 in ?? () from /lib/libthr.so.3 I suspect what happens looks something like this: client/writer server/reader 1) queues message=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20 2) locks message.mutex 1) dequeues message 2) process message 3) waits for message.condition 3) locks message.mutex 4) signals message.condition 4) unlocks message.mutex 5) unlocks message.mutex 5) destroy message memory 6) somehow, still in pthread_mutex_unlock af= ter the client got the hand back, maybe acces= ses 6) frees message memory mutex content and crashes as it has been trashed The same program works fine under any load and parameters on several Linux versions and OSX 10.14.4. If this hypothesis verifies, I suppose it only affects programs rapidly creating and destroying mutexes(+conditions?). Please find attached the test program. To reproduce the issue, I ctrl-C the program after 5 seconds if it didn't c= rash and restart it immediately. Four or five tries of this are usually enough. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-237195-13406>