| Subject: | SDBM_File attempts to double-free DB pointer when threads are cleaned up |
| Date: | Fri, 2 Jan 2009 16:41:11 +0000 (GMT) |
| To: | perlbug [...] perl.org |
| From: | chrisb [...] crustynet.org.uk (Chris Butler) |
This is a bug report for perl from chrisb@debian.org,
generated with the help of perlbug 1.36 running under perl 5.10.0.
-----------------------------------------------------------------
This bug report is based on a report submitted to the Debian Bug Tracking
System by Eduard Bloch - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358518
The SDBM_File module doesn't seem to be thread-safe. If a file is tied before a
thread is created, the pointer to the DBM object is shared between threads.
Each thread then attempts to free it, causing a crash.
The following script reproduces the problem for me:
==================================
#!/usr/bin/perl
use strict;
use Fcntl;
use SDBM_File;
use threads;
use threads::shared;
my %dbtest;
tie(%dbtest, 'SDBM_File', "test.db", O_RDWR|O_CREAT, 0666);
for (1 .. 2)
{
my $thr = threads->new(\&testThread, $_);
$thr->detach();
}
sleep 4;
sub testThread
{
my $n = shift;
print "thread #" . $n . " started\n";
}
==================================
Running it using debugperl/gdb:
==================================
Starting program: /usr/bin/debugperl sdbm_test.pl
[Thread debugging using libthread_db enabled]
[New Thread 0xb7d868c0 (LWP 17290)]
[New Thread 0xb7c2eb90 (LWP 17295)]
[New Thread 0xb742db90 (LWP 17308)]
[Thread 0xb742db90 (LWP 17308) exited]
[New Thread 0xb742db90 (LWP 17313)]
*** glibc detected *** /usr/bin/debugperl: double free or corruption (!prev): 0x08a5b4e8 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7e276b4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7e298b6]
/usr/lib/perl/5.10/auto/SDBM_File/SDBM_File.so(sdbm_close+0x3b)[0xb7c3f79b]
/usr/lib/perl/5.10/auto/SDBM_File/SDBM_File.so(XS_SDBM_File_DESTROY+0xcf)[0xb7c3e5df]
/usr/bin/debugperl(Perl_pp_entersub+0xae1)[0x80e0bd1]
/usr/bin/debugperl(Perl_call_sv+0x720)[0x80d5c50]
/usr/bin/debugperl(Perl_sv_clear+0x1d4)[0x81065d4]
/usr/bin/debugperl(Perl_sv_free2+0x69)[0x8107289]
/usr/bin/debugperl[0x80eefc1]
/usr/bin/debugperl(Perl_sv_clean_objs+0x29)[0x80ef039]
/usr/bin/debugperl(perl_destruct+0x3f0)[0x80dadf0]
/usr/lib/perl/5.10/auto/threads/threads.so[0xb7f651ab]
/usr/lib/perl/5.10/auto/threads/threads.so[0xb7f653ab]
/usr/lib/perl/5.10/auto/threads/threads.so[0xb7f68c0b]
/lib/i686/cmov/libpthread.so.0[0xb7f1a4c0]
/lib/i686/cmov/libc.so.6(clone+0x5e)[0xb7e9961e]
======= Memory map: ========
08048000-0828a000 r-xp 00000000 fe:01 527887 /usr/bin/debugperl
0828a000-0828c000 rw-p 00242000 fe:01 527887 /usr/bin/debugperl
086d8000-08f33000 rw-p 086d8000 00:00 0 [heap]
b6b00000-b6b21000 rw-p b6b00000 00:00 0
b6b21000-b6c00000 ---p b6b21000 00:00 0
b6c0d000-b6c19000 r-xp 00000000 fe:01 762863 /lib/libgcc_s.so.1
b6c19000-b6c1a000 rw-p 0000b000 fe:01 762863 /lib/libgcc_s.so.1
b6c2d000-b6c2e000 ---p b6c2d000 00:00 0
b6c2e000-b742e000 rw-p b6c2e000 00:00 0
b742e000-b742f000 ---p b742e000 00:00 0
b742f000-b7c2f000 rw-p b742f000 00:00 0
b7c2f000-b7c33000 r-xp 00000000 fe:01 557739 /usr/lib/perl/5.10.0/auto/Socket/Socket.so
b7c33000-b7c34000 rw-p 00004000 fe:01 557739 /usr/lib/perl/5.10.0/auto/Socket/Socket.so
b7c34000-b7c38000 r-xp 00000000 fe:01 557729 /usr/lib/perl/5.10.0/auto/IO/IO.so
b7c38000-b7c39000 rw-p 00003000 fe:01 557729 /usr/lib/perl/5.10.0/auto/IO/IO.so
b7c39000-b7c41000 r-xp 00000000 fe:01 17403 /usr/lib/perl/5.10.0/auto/SDBM_File/SDBM_File.so
b7c41000-b7c42000 rw-p 00007000 fe:01 17403 /usr/lib/perl/5.10.0/auto/SDBM_File/SDBM_File.so
b7c42000-b7c4b000 r-xp 00000000 fe:01 607618 /usr/lib/perl/5.10.0/auto/threads/shared/shared.so
b7c4b000-b7c4c000 rw-p 00009000 fe:01 607618 /usr/lib/perl/5.10.0/auto/threads/shared/shared.so
b7c4c000-b7d86000 r--p 00000000 fe:01 551711 /usr/lib/locale/locale-archive
b7d86000-b7d87000 rw-p b7d86000 00:00 0
b7d87000-b7d90000 r-xp 00000000 fe:01 762957 /lib/i686/cmov/libcrypt-2.7.so
b7d90000-b7d92000 rw-p 00008000 fe:01 762957 /lib/i686/cmov/libcrypt-2.7.so
b7d92000-b7db9000 rw-p b7d92000 00:00 0
b7db9000-b7f0e000 r-xp 00000000 fe:01 762955 /lib/i686/cmov/libc-2.7.so
b7f0e000-b7f0f000 r--p 00155000 fe:01 762955 /lib/i686/cmov/libc-2.7.so
b7f0f000-b7f11000 rw-p 00156000 fe:01 762955 /lib/i686/cmov/libc-2.7.so
b7f11000-b7f14000 rw-p b7f11000 00:00 0
b7f14000-b7f29000 r-xp 00000000 fe:01 763043 /lib/i686/cmov/libpthread-2.7.so
b7f29000-b7f2b000 rw-p 00014000 fe:01 763043 /lib/i686/cmov/libpthread-2.7.so
b7f2b000-b7f2e000 rw-p b7f2b000 00:00 0
b7f2e000-b7f52000 r-xp 00000000 fe:01 763006 /lib/i686/cmov/libm-2.7.so
b7f52000-b7f54000 rw-p 00023000 fe:01 763006 /lib/i686/cmov/libm-2.7.so
b7f54000-b7f56000 r-xp 00000000 fe:01 762998 /lib/i686/cmov/libdl-2.7.so
b7f56000-b7f58000 rw-p 00001000 fe:01 762998 /lib/i686/cmov/libdl-2.7.so
b7f58000-b7f5b000 r-xp 00000000 fe:01 557730 /usr/lib/perl/5.10.0/auto/Cwd/Cwd.so
b7f5b000-b7f5c000 rw-p 00002000 fe:01 557730 /usr/lib/perl/5.10.0/auto/Cwd/Cwd.so
b7f5c000-b7f5f000 r-xp 00000000 fe:01 557734 /usr/lib/perl/5.10.0/auto/Fcntl/Fcntl.so
b7f5f000-b7f60000 rw-p 00002000 fe:01 557734 /usr/lib/perl/5.10.0/auto/Fcntl/Fcntl.so
b7f60000-b7f6a000 r-xp 00000000 fe:01 607619 /usr/lib/perl/5.10.0/auto/threads/threads.so
b7f6a000-b7f6b000 rw-p 00009000 fe:01 607619 /usr/lib/perl/5.10.0/auto/threads/threads.so
b7f6b000-b7f6d000 rw-p b7f6b000 00:00 0
b7f6d000-b7f6e000 r-xp b7f6d000 00:00 0 [vdso]
b7f6e000-b7f88000 r-xp 00000000 fe:01 763488 /lib/ld-2.7.so
b7f88000-b7f8a000 rw-p 0001a000 fe:01 763488 /lib/ld-2.7.so
bf974000-bf989000 rw-p bffeb000 00:00 0 [stack]
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb742db90 (LWP 17313)]
0xb7f6d424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7f6d424 in __kernel_vsyscall ()
#1 0xb7de4640 in raise () from /lib/i686/cmov/libc.so.6
#2 0xb7de6018 in abort () from /lib/i686/cmov/libc.so.6
#3 0xb7e213dd in ?? () from /lib/i686/cmov/libc.so.6
#4 0x00000006 in ?? ()
#5 0xb742c914 in ?? ()
#6 0x00000400 in ?? ()
#7 0xb7ef75c8 in ?? () from /lib/i686/cmov/libc.so.6
#8 0x00000017 in ?? ()
#9 0xbf9887bd in ?? ()
#10 0x00000012 in ?? ()
#11 0xb7ef75e1 in ?? () from /lib/i686/cmov/libc.so.6
#12 0x00000002 in ?? ()
#13 0xb7ef76c0 in ?? () from /lib/i686/cmov/libc.so.6
#14 0x00000021 in ?? ()
#15 0xb7ef75e5 in ?? () from /lib/i686/cmov/libc.so.6
#16 0x00000004 in ?? ()
#17 0xb742ce43 in ?? ()
#18 0x00000008 in ?? ()
#19 0xb7ef75eb in ?? () from /lib/i686/cmov/libc.so.6
#20 0x00000005 in ?? ()
#21 0x08cc6dd8 in ?? ()
#22 0x00000000 in ?? ()
==================================
If I set a breakpoint in sdbm_close, I can see that it is called twice from
different threads with the same DB pointer.
[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=library
severity=medium
---
Site configuration information for perl 5.10.0:
Configured by Debian Project at Thu Nov 20 23:16:48 UTC 2008.
Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
Platform:
osname=linux, osvers=2.6.26-1-686, archname=i486-linux-gnu-thread-multi
uname='linux rebekka 2.6.26-1-686 #1 smp thu oct 9 15:18:09 utc 2008 i686 gnulinux '
config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.0 -Dsitearch=/usr/local/lib/perl/5.10.0 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.0 -Dd_dosuid -des'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=undef, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-O2 -g',
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include'
ccversion='', gccversion='4.3.2', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries:
ld='cc', ldflags =' -L/usr/local/lib'
libpth=/usr/local/lib /lib /usr/lib /usr/lib64
libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
perllibs=-ldl -lm -lpthread -lc -lcrypt
libc=/lib/libc-2.7.so, so=so, useshrplib=true, libperl=libperl.so.5.10.0
gnulibc_version='2.7'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib'
Locally applied patches:
---
@INC for perl 5.10.0:
/etc/perl
/usr/local/lib/perl/5.10.0
/usr/local/share/perl/5.10.0
/usr/lib/perl5
/usr/share/perl5
/usr/lib/perl/5.10
/usr/share/perl/5.10
/usr/local/lib/site_perl
.
---
Environment for perl 5.10.0:
HOME=/home/chrisb
LANG=en_GB.UTF-8
LANGUAGE (unset)
LC_ALL=en_GB.UTF-8
LC_CTYPE=en_GB.UTF-8
LC_MESSAGES=en_GB.UTF-8
LC_TIME=en_GB.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/chrisb/bin:/usr/local/bin:/usr/bin:/bin:/usr/games
PERL_BADLANG (unset)
SHELL=/bin/bash