This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/5741] New: Segfault in __libc_dlopen_mode ()
- From: "sjmunroe at us dot ibm dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 6 Feb 2008 16:26:56 -0000
- Subject: [Bug libc/5741] New: Segfault in __libc_dlopen_mode ()
- Reply-to: sourceware-bugzilla at sourceware dot org
This is a race condition between the PLT call stubs and _dl_fixup on the contents of the PLT entry. We have only seen this on out-of-order machines with deep instruction queues like POWER5 and POWER5+.

In this case multiple threads are going through pthread_exit, __pthread_unwind, _Unwind_ForcedUnwind, pthread_cancel_init, __libc_dlopen_mode. The 1st thread hits the unresolved PLT entry for __libc_dlopen_mode and ends up in _dl_fixup to update that PLT entry. Other threads may be going through the same call stubs on other cores and SMT threads.

Because POWER5 is out-of-order the load of the plt->fd_toc may actually execute before the load of the plt->func executes. In this worst case timing the unlucky thread may see the unresolved plt->toc value (which is NULL) and the updated plt->func pointer. The result is a segfault when __libc_dlopen_mode tries to use the toc pointer to reference static variables.
--
Summary: Segfault in __libc_dlopen_mode ()
Product: glibc
Version: unspecified
Status: NEW
Severity: critical
Priority: P1
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: sjmunroe at us dot ibm dot com
CC: glibc-bugs at sources dot redhat dot com, rsa at us dot ibm dot com
GCC build triplet: powerpc64-*-linux
GCC host triplet: powerpc64-*-linux
GCC target triplet: powerpc64-*-linux
http://sourceware.org/bugzilla/show_bug.cgi?id=5741
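As an added illustration (not part of the bug report and not glibc's own fix), the following C model shows the ordering discipline the report implies for a two-word function descriptor: the resolver writes the TOC before publishing the code pointer with release semantics, and the call path acquire-loads the code pointer before reading the TOC, so a reader that sees the resolved func can no longer see the stale NULL toc. All names (plt_desc, plt_publish, plt_call, demo, g_toc_data) are constructed for this example.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Constructed model of a ppc64 function descriptor held in a PLT slot;
   all names here are hypothetical, not glibc's. */
typedef long (*plt_fn)(const long *toc, long arg);

struct plt_desc {
    _Atomic(plt_fn) func;       /* code address; lazy stub until resolved */
    _Atomic(const long *) toc;  /* TOC pointer; NULL while unresolved */
};
/* Stands in for a static variable the callee reaches through its TOC. */
static long g_toc_data[1] = { 41 };

static long real_callee(const long *toc, long arg) {
    return toc[0] + arg;        /* would fault if toc were the stale NULL */
}

/* Stands in for the unresolved entry, which would enter the resolver. */
static long lazy_stub(const long *toc, long arg) {
    (void)toc; (void)arg;
    return -1;
}

/* Resolver side: store the TOC first, then publish the code pointer with
   release semantics, so anyone who sees the new func also sees the new toc. */
void plt_publish(struct plt_desc *d, plt_fn func, const long *toc) {
    atomic_store_explicit(&d->toc, toc, memory_order_relaxed);
    atomic_store_explicit(&d->func, func, memory_order_release);
}

/* Call-stub side: acquire-load func before loading toc; the acquire pairs
   with the release above, so the reordering the report describes (toc read
   before func) is no longer permitted by the memory model. */
long plt_call(struct plt_desc *d, long arg) {
    plt_fn f = atomic_load_explicit(&d->func, memory_order_acquire);
    const long *t = atomic_load_explicit(&d->toc, memory_order_relaxed);
    return f(t, arg);
}

/* Drive one slot from unresolved to resolved and call through it. */
long demo(long arg, int resolve) {
    struct plt_desc d;
    atomic_init(&d.func, lazy_stub);
    atomic_init(&d.toc, NULL);
    if (resolve)
        plt_publish(&d, real_callee, g_toc_data);
    return plt_call(&d, arg);
}
```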