Opened 10 years ago

Closed 5 years ago

Last modified 5 years ago

#10951 closed bug (fixed)

[libroot] double free in DestroyThreadLocalStorageValue

Reported by: diver Owned by: zooey
Priority: normal Milestone: R1/beta2
Component: System/libroot.so Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

This is hrev47387.

Running LD_PRELOAD=libroot_debug.so msggrep and attempting to reboot results in a crash.

Attachments (1)

msggrep-745-debug-17-06-2014-08-54-56.report (16.0 KB ) - added by diver 10 years ago.

Download all attachments as: .zip

Change History (10)

by diver, 10 years ago

Attachment: msggrep-745-debug-17-06-2014-08-54-56.report added

comment:1 by diver, 10 years ago

msggrep comes from gettext-0.18.1.1-5-x86_gcc2.hpkg

comment:2 by waddlesplash, 10 years ago

Is there anything else that causes this? I mean, a GUI program that would affect users?

comment:3 by diver, 10 years ago

Nope, or at least i'm not aware of one :-)

comment:4 by diver, 6 years ago

Still here in hrev53129.

comment:5 by waddlesplash, 6 years ago

Is this a duplicate of #13159?

comment:6 by korli, 6 years ago

UPDATE: was wrongly uninstalling the destructor.

I have tested two fix possibilities:

  • reset the value, so it won't be called a second time.
  • call __cxa_finalize() before _thread_do_exit_work()

the first one sounds better. 

diff --git a/src/system/libroot/posix/pthread/pthread_key.cpp b/src/system/libroot/posix/pthread/pthread_key.cpp
index 431a4d4481..a34ab022f0 100644
--- a/src/system/libroot/posix/pthread/pthread_key.cpp
+++ b/src/system/libroot/posix/pthread/pthread_key.cpp
@@ -54,6 +54,8 @@ get_key_value(pthread_thread* thread, uint32 key, int32 sequence)
                value = keyData.value;
        } while (specificSequence != sequence);
 
+       keyData.value = NULL;
+
        return value;
 }

and 

diff --git a/src/system/libroot/posix/stdlib/exit.cpp b/src/system/libroot/posix/stdlib/exit.cpp
index 2bc67821e7..31a88fd5b3 100644
--- a/src/system/libroot/posix/stdlib/exit.cpp
+++ b/src/system/libroot/posix/stdlib/exit.cpp
@@ -310,12 +310,12 @@ atexit(void (*func)(void))
 void
 exit(int status)
 {
-       // BeOS on exit notification for the main thread
-       _thread_do_exit_work();
-
        // unwind the exit stack, calling the registered functions
        __cxa_finalize(NULL);
 
+       // BeOS on exit notification for the main thread
+       _thread_do_exit_work();
+
        // close all open files
        _IO_cleanup();
Last edited 6 years ago by korli (previous) (diff)

comment:8 by waddlesplash, 5 years ago

Resolution: fixed
Status: newclosed

Merged in hrev53150.

comment:9 by nielx, 5 years ago

Milestone: R1R1/beta2

Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone

Note: See TracTickets for help on using tickets.