#2068 closed defect (fixed)

pthread_create race condition (task_start userext executed after thread is already running)

Reported by: strauman Owned by: Gedare
Priority: normal Milestone: 4.9
Component: score Version: 4.10
Severity: critical Keywords:
Cc: cynt6007@… Blocked By:
Blocking:

Description

I observe pretty reproducible crashes when using pthreads under rtems-4.9
(bug *still* present on current 'master' branch as of 2012/6/12) when
using 'capture' at the same time.

It seems that a function running in a new pthread context finds '0xdeaddead'
on the stack upon returning to its caller and jumps into the wild.

Apparently, the capture engine overwrites the task's stack with 0xdeaddead
*after* the task is already running.

I believe that 'pthread_create()' is the culprit. It creates a SCORE thread
and then calls _Thread_Start() *without* disabling thread-dispatching.

However, _Thread_Start() marks the thread as 'runnable' *before* calling
user extensions (_Thread_Start() body):

    {
      if ( _States_Is_dormant( the_thread->current_state ) ) {
        the_thread->Start.entry_point      = (Thread_Entry) entry_point;
        the_thread->Start.prototype        = the_prototype;
        the_thread->Start.pointer_argument = pointer_argument;
        the_thread->Start.numeric_argument = numeric_argument;

        _Thread_Load_environment( the_thread );

        /* from here on the new thread is schedulable ... */
        _Thread_Ready( the_thread );

        /* ... but the start extensions (e.g. capture's stack fill) run only now */
        _User_extensions_Thread_start( the_thread );

        return true;
      }

      return false;
    }

Therefore, could it not be that the thread is already scheduled *before*
user extensions are executed? In this scenario, the following race condition
could occur:

  1. thread X calls pthread_create
  2. _Thread_Start() marks new thread Y 'ready'
  3. 'Y' is scheduled, calls stuff and blocks
  4. 'X' runs again and executes user extensions for 'Y'
  5. capture engine's 'thread_start' extension fills 'Y's stack with 0xdeaddead
  6. 'Y' is scheduled again; when popping a return address from the stack
     it jumps to 0xdeaddead and crashes the system.

NOTES:

  • other APIs (rtems, itron) *have* thread-dispatching disabled around
    _Thread_Start()
  • the current 'master' branch seems to still suffer from this
  • has nothing to do with 'capture' per se; *any* user extension is possibly
    affected. It is a bug in pthread_create()
  • I consider this a serious bug.
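The race described in the ticket, as an added constructed C model that is not RTEMS code: a thread's stack is a small word array, `preemption_point()` stands in for the scheduler, `start_extension()` stands in for the capture engine's stack paint, and the hypothetical `pthread_create_model()` / `rtems_task_start_model()` run the _Thread_Start() step order quoted above without and with dispatching disabled. Only the 0xdeaddead pattern comes from the ticket; the return address and all names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not RTEMS code: the stack grows downward through a word array. */
#define STACK_WORDS  8
#define FILL_PATTERN 0xdeaddeadu   /* capture engine's stack paint (from the ticket) */
#define RETURN_ADDR  0x00401000u   /* constructed return address of Y's first call frame */

typedef struct {
    bool     ready;                /* set by the model's _Thread_Ready() step */
    bool     has_run;              /* Y already got the CPU and pushed a frame */
    uint32_t sp;                   /* index of the top-of-stack word */
    uint32_t stack[STACK_WORDS];
} model_thread;

static int dispatch_disable_level; /* models the dispatch-disable nesting level */

/* Scheduler preemption point: a ready thread that has not run yet takes the CPU
 * and pushes its first return address, but only while dispatching is enabled. */
static void preemption_point(model_thread *t)
{
    if (dispatch_disable_level == 0 && t->ready && !t->has_run) {
        t->stack[--t->sp] = RETURN_ADDR;
        t->has_run = true;
    }
}

/* Models the capture engine's thread_start extension painting the whole stack. */
static void start_extension(model_thread *t)
{
    for (size_t i = 0; i < STACK_WORDS; i++) t->stack[i] = FILL_PATTERN;
}

/* Same step order as the quoted _Thread_Start() body; returns the word Y pops
 * as its return address when it next runs. */
static uint32_t start_thread(bool dispatch_disabled_by_caller)
{
    model_thread t = { .ready = false, .has_run = false, .sp = STACK_WORDS };
    if (dispatch_disabled_by_caller) dispatch_disable_level++;
    t.ready = true;                 /* _Thread_Ready(): Y is schedulable from here */
    preemption_point(&t);           /* window between _Thread_Ready() and the extension */
    start_extension(&t);            /* _User_extensions_Thread_start() */
    if (dispatch_disabled_by_caller) dispatch_disable_level--;
    preemption_point(&t);           /* Y runs (or resumes) and pops from its stack */
    return t.stack[t.sp];
}

/* pthread_create() path from the ticket: nothing disables dispatching around _Thread_Start(). */
uint32_t pthread_create_model(void) { return start_thread(false); }
/* rtems/itron path: dispatching disabled around _Thread_Start(), so the paint lands first. */
uint32_t rtems_task_start_model(void) { return start_thread(true); }
```

In the pthread path the model returns 0xdeaddead (the frame pushed in the window was painted over); with dispatching disabled it returns the constructed return address.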

Attachments (4)

rtems-PR#2068-pthreadcreate-4.9.diff (1.3 KB) - added by strauman on Jun 19, 2012 at 2:13:22 AM.
fix; patch for 4.9
rtems-PR#2068-pthreadcreate-4.10.diff (837 bytes) - added by strauman on Jun 19, 2012 at 2:14:16 AM.
fix; patch for 4.10
2068-patches.tar.gz (1.2 KB) - added by Daniel Ramirez on Dec 17, 2013 at 11:31:26 PM.
patches for 4.9, 4.10, 4.11 (apply cleanly and compile without warning)
2068-rtems-patches.tar.gz (1.2 KB) - added by Daniel Ramirez on Dec 18, 2013 at 1:28:39 AM.
patches for 4.9, 4.10, 4.11 (apply cleanly and compile without warning)


Change History (10)

Changed on Jun 19, 2012 at 2:13:22 AM by strauman

fix; patch for 4.9

comment:1 Changed on Jun 19, 2012 at 2:13:49 AM by strauman

Milestone: 4.11 → 4.9

Changed on Jun 19, 2012 at 2:14:16 AM by strauman

fix; patch for 4.10

Changed on Dec 17, 2013 at 11:31:26 PM by Daniel Ramirez

Attachment: 2068-patches.tar.gz added

patches for 4.9, 4.10, 4.11 (apply cleanly and compile without warning)

comment:2 Changed on Dec 17, 2013 at 11:31:26 PM by Daniel Ramirez

attachments.isobsolete: 0 → 1, 1

Changed on Dec 18, 2013 at 1:28:39 AM by Daniel Ramirez

Attachment: 2068-rtems-patches.tar.gz added

patches for 4.9, 4.10, 4.11 (apply cleanly and compile without warning)

comment:3 Changed on Dec 18, 2013 at 1:28:39 AM by Daniel Ramirez

attachments.isobsolete: 0 → 1

comment:4 Changed on Jan 8, 2014 at 4:15:18 AM by cynt6007

Owner: changed from Joel Sherrill to Gedare
Status: new → assigned, cynt6007@vandals.uidaho.edu

comment:5 Changed on Mar 28, 2014 at 7:18:40 PM by Gedare

Version: 4.9 → 4.10

comment:6 Changed on Apr 11, 2014 at 6:45:30 PM by Gedare

Resolution: fixed
Status: assigned → closed

Applied to 4.9 and 4.10
