Re: RFC: jemalloc: qdbus sigsegv in malloc_init

Sun, 20 May 2012 10:25:29 -0700 

On Sun, May 20, 2012 at 06:42:35PM +0200, Alberto Villa wrote:
> On Sun, May 20, 2012 at 8:03 AM, David Xu <listlog2...@gmail.com> wrote:
> > qdbus segfaults on my machine too, I tracked it down, and found the problem
> > is in QT,
> > it deleted current_thread_data_key,  but it still uses it in some cxa hooks,
> >  I  applied the
> > following patch,  and it works fine.
> 
> Thanks for the analysis David!
> 
> > I think the bug depends on linking order in QT library ? if the
> > qthread_unix.cpp is linked
> > as lastest module, the key will be deleted after all cxa hooks run, then it
> > will be fine,
> > otherwise, it would crash.
> 
> Is this really possible?
No, I do not think it is possible.

The only possibility for something weird happen is for atexit/__cxa_atexit
functions to be registered from another atexit function, and then we
indeed could call the newly registered function too late.

I wonder if the following hack makes any change in the observed behaviour.

diff --git a/lib/libc/stdlib/atexit.c b/lib/libc/stdlib/atexit.c
index 511172a..bab850c 100644
--- a/lib/libc/stdlib/atexit.c
+++ b/lib/libc/stdlib/atexit.c
@@ -72,6 +72,7 @@ struct atexit {
 };
 
 static struct atexit *__atexit;                /* points to head of LIFO stack 
*/
+static int atexit_gen;
 
 /*
  * Register the function described by 'fptr' to be called at application
@@ -107,6 +108,7 @@ atexit_register(struct atexit_fn *fptr)
                __atexit = p;
        }
        p->fns[p->ind++] = *fptr;
+       atexit_gen++;
        _MUTEX_UNLOCK(&atexit_mutex);
        return 0;
 }
@@ -162,7 +164,7 @@ __cxa_finalize(void *dso)
        struct dl_phdr_info phdr_info;
        struct atexit *p;
        struct atexit_fn fn;
-       int n, has_phdr;
+       int atexit_gen_prev, n, has_phdr;
 
        if (dso != NULL)
                has_phdr = _rtld_addr_phdr(dso, &phdr_info);
@@ -170,6 +172,8 @@ __cxa_finalize(void *dso)
                has_phdr = 0;
 
        _MUTEX_LOCK(&atexit_mutex);
+retry:
+       atexit_gen_prev = atexit_gen;
        for (p = __atexit; p; p = p->next) {
                for (n = p->ind; --n >= 0;) {
                        if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
@@ -196,6 +200,8 @@ __cxa_finalize(void *dso)
                        _MUTEX_LOCK(&atexit_mutex);
                }
        }
+       if (atexit_gen_prev != atexit_gen)
+               goto retry;
        _MUTEX_UNLOCK(&atexit_mutex);
        if (dso == NULL)
                _MUTEX_DESTROY(&atexit_mutex);

Attachment: pgpltDYlBjW1z.pgp
Description: PGP signature

Reply via email to