From owner-freebsd-bugs Tue Nov 23 21:10: 6 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 5B7F81550A
	for ; Tue, 23 Nov 1999 21:10:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id VAA81248;
	Tue, 23 Nov 1999 21:10:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from midten.fast.no (midten.fast.no [195.139.251.11])
	by hub.freebsd.org (Postfix) with ESMTP id 2910F1550A
	for ; Tue, 23 Nov 1999 21:07:09 -0800 (PST)
	(envelope-from tegge@crash.fast.no)
Received: from crash.fast.no (crash.fast.no [195.139.251.13])
	by midten.fast.no (8.9.3/8.9.3) with ESMTP id GAA69810
	for ; Wed, 24 Nov 1999 06:06:53 +0100 (CET)
Received: (from tegge@localhost)
	by crash.fast.no (8.9.3/8.8.8) id GAA05938;
	Wed, 24 Nov 1999 06:06:53 +0100 (CET)
	(envelope-from tegge@crash.fast.no)
Message-Id: <199911240506.GAA05938@crash.fast.no>
Date: Wed, 24 Nov 1999 06:06:53 +0100 (CET)
From: Tor Egge
Reply-To: tegge@crash.fast.no
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/15070: vfprintf/cvt/__dtoa race condition in threaded programs
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         15070
>Category:       bin
>Synopsis:       vfprintf/cvt/__dtoa race condition in threaded programs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 23 21:10:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Tor Egge
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Fast Search & Transfer ASA
>Environment:

FreeBSD crash.fast.no 4.0-CURRENT FreeBSD 4.0-CURRENT #0: Sat Oct 16 04:21:25 CEST 1999 root@local-crash.fast.no:/usr/src/sys/compile/CRASH i386

>Description:

Printing floating point numbers in a threaded program might result
in a segmentation fault or bus error.

crash:~$ gdb ./threadbug4
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /home/tegge/./threadbug4
Time is  2.664
Time is  5.544

Program received signal SIGSEGV, Segmentation fault.
0x80528c8 in bcopy ()
(gdb) where
#0  0x80528c8 in bcopy ()
#1  0x4 in ?? ()
#2  0x8054473 in __dtoa ()
#3  0x80521d8 in vfprintf ()
#4  0x80508f2 in vfprintf ()
#5  0x804f9d1 in sprintf ()
#6  0x804819a in crashme (data=0x0) at threadbug4.c:27
#7  0x80487b0 in _thread_start ()
#8  0x0 in ?? ()
(gdb)

>How-To-Repeat:

Compile and run the enclosed threaded program.

-------------------------------------------
#include <sys/types.h>
#include <sys/time.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Each worker thread formats random quotients in a tight loop. */
void *crashme(void *data)
{
	char buf[200];
	int i, j;
	double div;

	while (1) {
		i = random();
		j = random();
		if (j == 0)
			j = 1;
		div = (double) i / (double) j;
		sprintf(buf, "%6.5f", div);
		sprintf(buf, "%2.4f", div);
		sprintf(buf, "%3.6f", div);
		sprintf(buf, "%8.2f", div);
		sprintf(buf, "%10.2f", div);
	}
}

/* The main thread prints the elapsed time once per second. */
void reportloop(void)
{
	struct timeval stime, now, delta;
	double fdelta;

	gettimeofday(&stime, NULL);
	while (1) {
		sleep(1);
		gettimeofday(&now, NULL);
		timersub(&now, &stime, &delta);
		fdelta = delta.tv_sec + ((double) delta.tv_usec) / 1000000.0;
		printf("Time is %6.3f\n", fdelta);
		fflush(stdout);
	}
}

int main(int argc, char **argv)
{
	int i;
	pthread_t curthread;

	srandom(time(NULL));
	/* Start ten concurrent formatters, then report from the main thread. */
	for (i = 0; i < 10; i++) {
		pthread_create(&curthread, NULL, crashme, (void *) NULL);
	}
	reportloop();
	exit(0);
}
--------------------------

crash:~$ cc -static -O -g -pthread -o threadbug4 threadbug4.c

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
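
A self-checking variant of the reproduction program, added here as an example (not part of the original PR and not FreeBSD code): ten threads format constructed values through a mutex-guarded snprintf wrapper and count every result that differs from the expected text. The names locked_fmt and stress_locked_fmt are hypothetical, and the premise that serializing the conversion sidesteps the crash is an assumption, since the report does not state the cause.

```c
/* Added example, not from the PR. Assumes unsynchronized state in libc's float conversion. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#define NTHREADS 10
#define ITERS 20000
static pthread_mutex_t fmt_lock = PTHREAD_MUTEX_INITIALIZER;
/* Hypothetical wrapper: one "%.*f" conversion at a time, bounded write. */
static int locked_fmt(char *buf, size_t len, int prec, double v)
{
    pthread_mutex_lock(&fmt_lock);
    int n = snprintf(buf, len, "%.*f", prec, v);
    pthread_mutex_unlock(&fmt_lock);
    return n;
}

/* Constructed sample values (exactly representable) and expected text. */
static const struct { double v; int prec; const char *want; } cases[] = {
    { 0.5, 5, "0.50000" }, { 1234.25, 2, "1234.25" },
    { -3.0, 4, "-3.0000" }, { 0.125, 6, "0.125000" },
};
#define NCASES (sizeof(cases) / sizeof(cases[0]))

static void *worker(void *arg)
{
    long *bad = arg;
    char buf[64];
    for (int i = 0; i < ITERS; i++) {
        size_t k = (size_t)i % NCASES;
        int n = locked_fmt(buf, sizeof(buf), cases[k].prec, cases[k].v);
        if (n < 0 || (size_t)n >= sizeof(buf) || strcmp(buf, cases[k].want))
            (*bad)++;   /* truncated, failed or corrupted conversion */
    }
    return NULL;
}

/* Returns the number of wrong results, or -1 if a thread failed to start. */
long stress_locked_fmt(void)
{
    pthread_t t[NTHREADS];
    long bad[NTHREADS] = {0}, total = 0;
    int started = 0;
    while (started < NTHREADS &&
           pthread_create(&t[started], NULL, worker, &bad[started]) == 0)
        started++;
    for (int i = 0; i < started; i++) { pthread_join(t[i], NULL); total += bad[i]; }
    return started == NTHREADS ? total : -1;
}
int main(void) { return stress_locked_fmt() != 0; }
```

Build it with the same -pthread flag as the program in the report; a nonzero exit status means at least one conversion produced unexpected output.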