Date: Wed, 24 Nov 1999 06:06:53 +0100 (CET)
From: Tor Egge <tegge@crash.fast.no>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/15070: vfprintf/cvt/__dtoa race condition in threaded programs
Message-ID: <199911240506.GAA05938@crash.fast.no>

>Number: 15070
>Category: bin
>Synopsis: vfprintf/cvt/__dtoa race condition in threaded programs
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 23 21:10:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Tor Egge
>Release: FreeBSD 4.0-CURRENT i386
>Organization: Fast Search & Transfer ASA
>Environment:

FreeBSD crash.fast.no 4.0-CURRENT FreeBSD 4.0-CURRENT #0: Sat Oct 16 04:21:25 CEST 1999 root@local-crash.fast.no:/usr/src/sys/compile/CRASH i386

>Description:

Printing floating point numbers in a threaded program might result in a
segmentation fault or bus error.

crash:~$ gdb ./threadbug4
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /home/tegge/./threadbug4
Time is 2.664
Time is 5.544

Program received signal SIGSEGV, Segmentation fault.
0x80528c8 in bcopy ()
(gdb) where
#0 0x80528c8 in bcopy ()
#1 0x4 in ?? ()
#2 0x8054473 in __dtoa ()
#3 0x80521d8 in vfprintf ()
#4 0x80508f2 in vfprintf ()
#5 0x804f9d1 in sprintf ()
#6 0x804819a in crashme (data=0x0) at threadbug4.c:27
#7 0x80487b0 in _thread_start ()
#8 0x0 in ?? ()
(gdb)

>How-To-Repeat:

Compile and run the enclosed threaded program.

-------------------------------------------
#include <sys/types.h>
#include <sys/errno.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <assert.h>
#include <signal.h>
#include <pthread.h>
#include <sys/time.h>
#include <time.h>

void *crashme(void *data)
{
  char buf[200];
  int i, j;
  double div;

  while (1) {		/* each worker thread formats doubles forever */
    i = random();
    j = random();
    if (j == 0)		/* avoid dividing by zero */
      j = 1;
    div = (double) i / (double) j;
    sprintf(buf, "%6.5f", div);
    sprintf(buf, "%2.4f", div);
    sprintf(buf, "%3.6f", div);
    sprintf(buf, "%8.2f", div);
    sprintf(buf, "%10.2f", div);
  }
}

void reportloop(void)
{
  struct timeval stime, now, delta;
  double fdelta;

  gettimeofday(&stime, NULL);
  while (1) {		/* main thread prints the elapsed time once per second */
    sleep(1);
    gettimeofday(&now, NULL);
    timersub(&now, &stime, &delta);
    fdelta = delta.tv_sec + ((double) delta.tv_usec) / 1000000.0;
    printf("Time is %6.3f\n", fdelta);
    fflush(stdout);
  }
}

int main(int argc,char **argv)
{
  int i;
  pthread_t curthread;

  srandom(time(NULL));
  for (i = 0; i < 10; i++) {	/* ten threads calling sprintf() concurrently */
    pthread_create(&curthread, NULL, crashme, (void *) NULL);
  }
  reportloop();
  exit(0);
}
--------------------------

crash:~$ cc -static -O -g -pthread -o threadbug4 threadbug4.c

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
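
An added example, not part of the original report or of FreeBSD's code: an application-side workaround that serializes floating-point formatting behind one mutex and compares every result to a reference string. The names locked_snprintf, fmt_lock, format_worker and run_locked_format_test are hypothetical, and the workaround assumes every thread formats through the wrapper.

```c
#include <pthread.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NTHREADS 10      /* same thread count as the reproducer */
#define ITERATIONS 20000 /* constructed workload size */

/* One process-wide lock: a single thread at a time in the float conversion path. */
static pthread_mutex_t fmt_lock = PTHREAD_MUTEX_INITIALIZER;

/* Hypothetical wrapper: bounded, serialized replacement for sprintf(). */
static int locked_snprintf(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    pthread_mutex_lock(&fmt_lock);
    int n = vsnprintf(buf, len, fmt, ap);
    pthread_mutex_unlock(&fmt_lock);
    va_end(ap);
    return n;
}

/* Worker: format a known value and count results that differ from the reference. */
static void *format_worker(void *arg)
{
    long *mismatches = arg;
    char buf[32];
    for (int i = 0; i < ITERATIONS; i++) {
        locked_snprintf(buf, sizeof(buf), "%8.2f", 1234.5);
        if (strcmp(buf, " 1234.50") != 0)
            (*mismatches)++;
    }
    return NULL;
}

/* Start NTHREADS workers; return the total mismatch count (0 = all intact). */
long run_locked_format_test(void)
{
    pthread_t tid[NTHREADS];
    long bad[NTHREADS] = {0}, total = 0;
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&tid[i], NULL, format_worker, &bad[i]);
    for (int i = 0; i < NTHREADS; i++) {
        pthread_join(tid[i], NULL);
        total += bad[i];
    }
    return total;
}
```

The lock only protects callers that go through the wrapper; a direct printf() of a double elsewhere, as in the report's reportloop(), still runs unserialized against them.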