In function deallocate(pointer _p, size_type __n) there is no synchronization
on __bin._M_used[__block->_M_thread_id] variable. During block deallocation
current thread decrements other threads _M_used variable without a lock.
This can result in undefined value of _M_used variable which than is used to
calculate __remove size. SIGSEGV shows up in following code:
while (__remove-- > 0)
__tmp = __tmp->_M_next;
Since __remove variable might have undefined value code may surpass the end of
the list.
Increment and decrement operations are not atomic and should be placed in
critical section to avoid such situation.
Bug is very hard to reproduce. There must be many threads allocating memory and
deallocating other threads memory.
I have found this bug by code inspection - not gdb.
--
Summary: Possible race condition in mt_allocator causing SIGSEGV
Product: gcc
Version: 3.4.2
Status: UNCONFIRMED
Severity: critical
Priority: P1
Component: libstdc++
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: l_heldt at poczta dot onet dot pl
GCC host triplet: Linux 2.6.12 #4 SMP
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24469
