On Sat Apr 28 09:52:47 2012, RIBASUSHI wrote:
> Your distribution is using the construct END { $global_destroy = 1 }
> in [1], which is not thread safe as described here [2].
Indeed:
clang -faddress-sanitizer caught this heap-use-after-free in global
destruction.
$ perl5.17.3d-asan -Mblib -DX t/001_mouse/060-threads.t
...
CV undef: cv=0x7ff8dc3d97b8 comppad=0x7ff8dc3d9800
Pad undef: cv=0x7ff8dc3d97b8 padlist=0x7ff8dc3d97d0 comppad=0x7ff8dc3d9800
CV undef: cv=0x7ff8d70faa70 comppad=0x7ff8dc3d9800
Pad undef: cv=0x7ff8d70faa70 padlist=0x7ff8d70fab00 comppad=0x7ff8dc3d9800
Pad 0x7ff8dc069a70[0x7ff8daf22498] sv: 1 sv=0x7ff8dc069aa0
CV undef: cv=0x7ff8d70fa308 comppad=0x0
Pad 0x7ff8dc069a70[0x7ff8daf22498] sv: 1 sv=0x7ff8dc069aa0
Pad 0x7ff8dc069a70[0x7ff8daf22498] sv: 1 sv=0x7ff8dc069aa0
CV undef: cv=0x7ff8dc005ad0 comppad=0x0
Pad undef: cv=0x7ff8dc005ad0 padlist=0x7ff8d70f4698 comppad=0x0
Pad 0x7ff8dc069a70[0x7ff8daf22498] sv: 1 sv=0x7ff8dc069aa0
Pad 0x7ff8dc2d18c0[0x7ff8db356898] sv: 1 sv=0x7ff8dc2d1890
Pad 0x7ff8dc2d18c0[0x7ff8db356898] sv: 1 sv=0x7ff8dc2d1890
CV undef: cv=0x7ff8d70fa260 comppad=0x0
Pad undef: cv=0x7ff8d70fa260 padlist=0x7ff8d70fa410 comppad=0x0
=================================================================
==23406== ERROR: AddressSanitizer heap-use-after-free on address 0x7f7aea7cc580 at pc 0x7f7af131e880 bp 0x7fff7548ea10 sp 0x7fff7548ea08
READ of size 8 at 0x7f7aea7cc580 thread T0
#0 0x7f7af131e87f in Perl_safesysfree /home/rurban/Perl/src/build-5.17.3d-asan/util.c:261
#1 0x7f7af1890a51 in Perl_sv_clear /home/rurban/Perl/src/build-5.17.3d-asan/sv.c:6095
#2 0x7f7af16fb30a in Perl_sv_free2 /home/rurban/Perl/src/build-5.17.3d-asan/sv.c:6456
#3 0x7f7af0fec05d in Perl_cv_undef /home/rurban/Perl/src/build-5.17.3d-asan/pad.c:456
#4 0x7f7af188c543 in Perl_sv_clear /home/rurban/Perl/src/build-5.17.3d-asan/sv.c:6038
#5 0x7f7af16fb30a in Perl_sv_free2 /home/rurban/Perl/src/build-5.17.3d-asan/sv.c:6456
#6 0x7f7af16efd40 in do_clean_objs /home/rurban/Perl/src/build-5.17.3d-asan/sv.c:478
#7 0x7f7af16ecc72 in S_visit /home/rurban/Perl/src/build-5.17.3d-asan/sv.c:420
#8 0x7f7af16ed594 in Perl_sv_clean_objs /home/rurban/Perl/src/build-5.17.3d-asan/sv.c:577
#9 0x7f7af0b97a91 in perl_destruct /home/rurban/Perl/src/build-5.17.3d-asan/perl.c:753
#10 0x407d91 in main /home/rurban/Perl/src/build-5.17.3d-asan/perlmain.c:125
#11 0x7f7aef8d5ead in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:260
0x7f7aea7cc580 is located 0 bytes inside of 32-byte region [0x7f7aea7cc580,0x7f7aea7cc5a0)
freed by thread T0 here:
previously allocated by thread T1 here:
Thread T1 created by T0 here:
#0 0x410ed4 in __interceptor_pthread_create ??:0
#1 0x7f7aec66a020 in S_ithread_create /home/rurban/Perl/src/build-5.17.3d-asan/dist/threads/threads.xs:910
#2 0x7f7aec6246ee in XS_threads_create /home/rurban/Perl/src/build-5.17.3d-asan/dist/threads/threads.xs:1089
#3 0x7f7af16d43b4 in Perl_pp_entersub /home/rurban/Perl/src/build-5.17.3d-asan/pp_hot.c:2776
#4 0x7f7af131582b in Perl_runops_debug /home/rurban/Perl/src/build-5.17.3d-asan/dump.c:2129
#5 0x7f7af0bd8959 in S_run_body /home/rurban/Perl/src/build-5.17.3d-asan/perl.c:2382
#6 0x7f7af0bd183c in perl_run /home/rurban/Perl/src/build-5.17.3d-asan/perl.c:2304
#7 0x407a16 in main /home/rurban/Perl/src/build-5.17.3d-asan/perlmain.c:114
#8 0x7f7aef8d5ead in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:260
==23406== ABORTING
Stats: 14M malloced (25M for red zones) by 89216 calls
Stats: 1M realloced by 10810 calls
Stats: 8M freed by 64081 calls
Stats: 0M really freed by 0 calls
Stats: 76M (19466 full pages) mmaped in 19 calls
mmaps by size class: 8:98298; 9:8191; 10:4095; 11:2047; 12:1024; 13:1024; 14:512; 15:128; 16:64; 17:32; 18:16; 19:8;
mallocs by size class: 8:82554; 9:3029; 10:1180; 11:783; 12:526; 13:797; 14:257; 15:76; 16:7; 17:5; 18:1; 19:1;
frees by size class: 8:60279; 9:2262; 10:551; 11:281; 12:123; 13:356; 14:179; 15:39; 16:6; 17:3; 18:1; 19:1;
rfrees by size class:
Stats: malloc large: 7 small slow: 325
Shadow byte and word:
0x1fef5d4f98b0: fd
0x1fef5d4f98b0: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1fef5d4f9890: fd fd fd fd fd fd fd fd
0x1fef5d4f9898: fd fd fd fd fd fd fd fd
--
Reini Urban