Package: ltrace
Version: 0.5.3-2.1
Severity: important
When two threads of a program simultaneously call the same library
function, ltrace crashes because of a NULL pointer dereference.
Here is a simple way to reproduce the issue:
START TRANSCRIPT
len...@coruscant:~/doc/prog/test/testltracemt$ head -n 9999 *
==> f.c <==
#include <unistd.h>
#include "f.h"
void f( void )
{
    usleep( 10000 );
}
==> f.h <==
#ifndef F_H
#define F_H
void f( void );
#endif /* defined( F_H ) */
==> main.c <==
#include <stdlib.h>
#include <pthread.h>
#include "f.h"
void *loop( void *u __attribute__((unused)) )
{
    for( unsigned i = 0 ; i < 10 ; i++ )
        f();
    return NULL;
}
int main()
{
    pthread_t t1, t2;
    pthread_create( &t1, NULL, loop, NULL );
    pthread_create( &t2, NULL, loop, NULL );
    pthread_join( t1, NULL );
    pthread_join( t2, NULL );
    return EXIT_SUCCESS;
}
==> Makefile <==
.PHONY: all
all: ltrace_test
CFLAGS = -pipe -Wall -Wextra -g -std=c99 -D_BSD_SOURCE
libf.so: f.c f.h
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -fpic -shared
ltrace_test: main.c f.h libf.so
	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -pthread -L. -lf
len...@coruscant:~/doc/prog/test/testltracemt$ make
cc -pipe -Wall -Wextra -g -std=c99 -D_BSD_SOURCE -o libf.so f.c -fpic -shared
cc -pipe -Wall -Wextra -g -std=c99 -D_BSD_SOURCE -o ltrace_test main.c -pthread -L. -lf
len...@coruscant:~/doc/prog/test/testltracemt$ ltrace -f ./ltrace_test
[pid 9288] __libc_start_main(0x4006ef, 1, 0x7fff33dfcc88, 0x400770, 0x400760 <unfinished ...>
[pid 9288] pthread_create(0x7fff33dfcb98, 0, 0x4006c4, 0, 0x7f9f5db18300) = 0
[pid 9288] pthread_create(0x7fff33dfcb90, 0, 0x4006c4, 0, 0x7f9f5d7bb710) = 0
[pid 9288] pthread_join(0x7f9f5d7bb710, 0, 0x7f9f5cfba9e0, -1, 0x7f9f5cfba710 <unfinished ...>
[pid 9289] f(0, 0, 0, -1, 0x7f9f5d7bb710 <unfinished ...>
[pid 9290] f(0, 0, 0, -1, 0x7f9f5cfba710 <unfinished ...>
[pid 9289] <... f resumed> ) = 0
[pid 9289] f(0, 0, 0, -1, 0x7f9f5d7bb710 <unfinished ...>
[pid 9290] <... f resumed> ) = 0
Erreur de segmentation
END TRANSCRIPT
The segmentation fault occurs inside handle_breakpoint() at the line:
output_left(LT_TOF_FUNCTION, event->proc, sbp->libsym->name);
because sbp->libsym = 0
With some variant of the program (no usleep inside f() and many more
iterations in loop), the segmentation fault may be preceded by an
"unexpected breakpoint" message.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ltrace depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libelfg0 0.8.13-1 an ELF object file access library
ltrace recommends no packages.
ltrace suggests no packages.
-- no debconf information