Opened 11 years ago

Closed 6 years ago

Last modified 5 years ago

#10951 closed bug (fixed)

[libroot] double free in DestroyThreadLocalStorageValue

Reported by: diver Owned by: zooey
Priority: normal Milestone: R1/beta2
Component: System/libroot.so Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

This is hrev47387.

Running LD_PRELOAD=libroot_debug.so msggrep and attempting to reboot results in a crash.

Attachments (1)

msggrep-745-debug-17-06-2014-08-54-56.report (16.0 KB) - added by diver 11 years ago.


Change History (10)

comment:1 by diver, 11 years ago

msggrep comes from gettext-0.18.1.1-5-x86_gcc2.hpkg

comment:2 by waddlesplash, 11 years ago

Is there anything else that causes this? I mean, a GUI program that would affect users?

comment:3 by diver, 11 years ago

Nope, or at least I'm not aware of one :-)

comment:4 by diver, 6 years ago

Still here in hrev53129.

comment:5 by waddlesplash, 6 years ago

Is this a duplicate of #13159?

comment:6 by korli, 6 years ago

I have tested two fix possibilities:

  • uninstall the destructor, so it won't be called a second time.
  • call __cxa_finalize() before _thread_do_exit_work()

The first one sounds better.

diff --git a/src/system/libroot/posix/pthread/pthread_key.cpp b/src/system/libroot/posix/pthread/pthread_key.cpp
index 431a4d4481..9777205fa3 100644
--- a/src/system/libroot/posix/pthread/pthread_key.cpp
+++ b/src/system/libroot/posix/pthread/pthread_key.cpp
@@ -30,6 +30,8 @@ get_key_destructor(uint32 key, int32& sequence)
                destructor = sKeyTable[key].destructor;
        } while (sKeyTable[key].sequence != sequence);
 
+       sKeyTable[key].destructor = NULL;
+
        return destructor;
 }
 

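Review bot: clearing `sKeyTable[key].destructor` inside `get_key_destructor()` turns a read accessor into a process-wide mutation. `sKeyTable` is the shared key table, so the first thread to exit removes the destructor for every other thread's value stored under the same key, and the write sits outside the sequence-checked loop, so a key that is deleted and re-created concurrently could have its fresh destructor overwritten with NULL. If the intent is only to stop the destructor being invoked twice for the same exiting thread, that flag belongs in per-thread state (or in the caller's own bookkeeping), not in the key table; at minimum the function should be renamed or given a comment saying it is now destructive.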
and

diff --git a/src/system/libroot/posix/stdlib/exit.cpp b/src/system/libroot/posix/stdlib/exit.cpp
index 2bc67821e7..31a88fd5b3 100644
--- a/src/system/libroot/posix/stdlib/exit.cpp
+++ b/src/system/libroot/posix/stdlib/exit.cpp
@@ -310,12 +310,12 @@ atexit(void (*func)(void))
 void
 exit(int status)
 {
-       // BeOS on exit notification for the main thread
-       _thread_do_exit_work();
-
        // unwind the exit stack, calling the registered functions
        __cxa_finalize(NULL);
 
+       // BeOS on exit notification for the main thread
+       _thread_do_exit_work();
+
        // close all open files
        _IO_cleanup();
 
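Review bot: the hunk swaps `_thread_do_exit_work()` to after `__cxa_finalize(NULL)` but carries the old comment ("BeOS on exit notification for the main thread") across unchanged, so nothing in the code says why the order now matters. Add a line stating the constraint (that the main thread's TLS destructors must not run before the `atexit`/`__cxa_finalize` handlers, or whatever the actual dependency is) so the order is not silently swapped back later. Note also that `atexit` handlers now run before the BeOS exit notification rather than after it, which is a visible behaviour change for any handler that relied on that notification having already happened.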

comment:8 by waddlesplash, 6 years ago

Resolution: fixed
Status: new → closed

Merged in hrev53150.

comment:9 by nielx, 5 years ago

Milestone: R1 → R1/beta2

Assign tickets with status=closed and resolution=fixed within the R1/beta2 development window to the R1/beta2 Milestone
