From owner-freebsd-bugs@FreeBSD.ORG Tue Nov 2 17:40:11 2010
Delivered-To: freebsd-bugs@hub.freebsd.org
Date: Tue, 2 Nov 2010 17:40:11 GMT
Message-Id: <201011021740.oA2HeBPn053419@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Jaakko Heinonen
Subject: Re: misc/151861: dlclose() of library causes separately opened libraries to unload as well
Reply-To: Jaakko Heinonen
List-Id: Bug reports
X-List-Received-Date: Tue, 02 Nov 2010 17:40:11 -0000

The following reply was made to PR misc/151861; it has been noted by GNATS.
From: Jaakko Heinonen
To: Arjan van Leeuwen
Cc: bug-followup@FreeBSD.org, kan@FreeBSD.org, kib@FreeBSD.org
Subject: Re: misc/151861: dlclose() of library causes separately opened libraries to unload as well
Date: Tue, 2 Nov 2010 19:36:54 +0200

On 2010-11-01, Arjan van Leeuwen wrote:
> Assume we have a library liba.so, containing a function a(), and a
> library libb.so, containing function b(). liba.so needs functionality
> from libb.so, so liba.so links in libb.so.
>
> An application doesn't know about the relation between these
> libraries, but needs to call a() and b(). It dlopen()s libb.so and
> obtains a pointer to b(), and it dlopen()s liba.so and obtains a
> pointer to a().
>
> As soon as the application doesn't need a() anymore, it dlclose()s
> liba.so.
>
> Expected result: the pointer to b() is still valid and can be called
> Actual result: the pointer to b() has become invalid, even though the
> application did not dlclose() the handle to libb.so. On calling b(),
> the application crashes with a segmentation fault.
>
> Extract the attached shar archive and execute 'make test'.

Thank you for providing the test case.

> This will cause a crash on FreeBSD, and will print 'success' on Linux.

There is a problem with reference counting in dlopen(). If an object
has been loaded by load_needed_objects() its dagmembers list may be
empty after loading. If the list is empty, the ref_dag() call done for
already loaded objects in dlopen() doesn't have any effect.

Here is a patch to demonstrate the problem. The test passes with the
patch applied.

%%%
Index: libexec/rtld-elf/rtld.c
===================================================================
--- libexec/rtld-elf/rtld.c (revision 214676)
+++ libexec/rtld-elf/rtld.c (working copy)
@@ -2046,7 +2046,10 @@ dlopen(const char *name, int mode) } else { /* Bump the reference counts for objects on this DAG. */ - ref_dag(obj); + if (STAILQ_EMPTY(&obj->dagmembers)) + init_dag(obj); + else + ref_dag(obj); if (ld_tracing) goto trace;
%%%

I have cc'd kan@ and kib@. Do you have ideas how to fix this correctly?

--
Jaakko
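Review bot: in the new STAILQ_EMPTY branch of the else path in dlopen(), init_dag(obj) replaces ref_dag(obj) outright, so that branch bumps the reference counts only if init_dag() does so itself, which the hunk does not show; since the comment directly above ("Bump the reference counts for objects on this DAG.") promises a bump on every pass through this else, either call ref_dag(obj) after init_dag(obj) or state in the comment why init_dag() alone suffices, and reword the comment so it covers the new case. Testing STAILQ_EMPTY(&obj->dagmembers) also treats "no DAG members" as "DAG never built"; if the object carries an explicit initialised flag, testing that would express the intent more directly than inferring it from list emptiness.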
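As an added illustration, not code from the PR or from rtld, the following C model reproduces the reference-counting gap described above and the effect of the patch. It assumes that init_dag() of that era both builds the dagmembers list and bumps each member's refcount (which is what the patch relies on); the object layout, the model_dlopen()/libb_survives() helpers and the load order (liba first, so libb arrives through load_needed_objects()) are constructed for the demonstration.

```c
#include <stdbool.h>
/* Constructed model of rtld's DAG reference counting; not rtld's real code. */
#define MAXN 4
typedef struct Obj {
    struct Obj *needed[MAXN];     int nneeded; /* DT_NEEDED dependencies */
    struct Obj *dagmembers[MAXN]; int ndag;    /* DAG rooted here; empty until init_dag() */
    int refcount;                              /* unloaded when this drops to 0 */
    bool loaded;
} Obj;
/* Assumed init_dag(): collect the DAG breadth-first, each member once, bump refcounts. */
static void init_dag(Obj *root) {
    root->dagmembers[root->ndag++] = root;
    for (int i = 0; i < root->ndag; i++)
        for (int j = 0; j < root->dagmembers[i]->nneeded; j++) {
            Obj *n = root->dagmembers[i]->needed[j];
            int k = 0;
            while (k < root->ndag && root->dagmembers[k] != n) k++;
            if (k == root->ndag) root->dagmembers[root->ndag++] = n;
        }
    for (int i = 0; i < root->ndag; i++) root->dagmembers[i]->refcount++;
}
static void ref_dag(Obj *root) {   /* silently a no-op when dagmembers is empty */
    for (int i = 0; i < root->ndag; i++) root->dagmembers[i]->refcount++;
}
static void unref_dag(Obj *root) { /* dlclose(): drop this DAG's references */
    for (int i = 0; i < root->ndag; i++)
        if (--root->dagmembers[i]->refcount == 0) root->dagmembers[i]->loaded = false;
}
/* dlopen() model. A new object is loaded with its dependencies and its DAG built;
 * an already-loaded object takes the branch the patch changes. */
static void model_dlopen(Obj *obj, bool patched) {
    if (!obj->loaded) {
        obj->loaded = true;
        for (int j = 0; j < obj->nneeded; j++) obj->needed[j]->loaded = true;
        init_dag(obj);
    } else if (patched && obj->ndag == 0) {
        init_dag(obj);   /* patched: the DAG was never built for this object */
    } else {
        ref_dag(obj);    /* original: does nothing if load_needed_objects() loaded it */
    }
}
/* The PR's sequence with liba opened first, so libb arrives as a dependency:
 * dlopen(liba); dlopen(libb); dlclose(liba). Returns whether libb is still loaded. */
bool libb_survives(bool patched) {
    Obj libb = { 0 };
    Obj liba = { .needed = { &libb }, .nneeded = 1 };
    model_dlopen(&liba, patched);
    model_dlopen(&libb, patched);
    unref_dag(&liba);
    return libb.loaded;
}
```

Without the patch libb's refcount is never raised by the application's own dlopen(), so closing liba drops it to zero and the pointer to b() dangles; with the patch libb keeps one reference of its own.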