Bug#358518: forwarded upstream

Chris Butler chrisb at debian.org
Fri Jan 2 16:54:02 UTC 2009


forwarded 358518 http://rt.perl.org/rt3/Ticket/Display.html?id=61912
thanks

I have managed to isolate a test-case for this and submitted it upstream.

The report I submitted upstream is as follows:

-----------------------------------------------------------------
This bug report is based on a report submitted to the Debian Bug Tracking
System by Eduard Bloch -
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358518

The SDBM_File module doesn't seem to be thread-safe. If a file is tied before a
thread is created, the pointer to the DBM object is shared between threads.
Each thread then attempts to free it, causing a crash.

The following script reproduces the problem for me:

==================================
#!/usr/bin/perl

use strict;
use Fcntl;
use SDBM_File;
use threads;
use threads::shared;

my %dbtest;
tie(%dbtest, 'SDBM_File', "test.db", O_RDWR|O_CREAT, 0666);

for (1 .. 2)
{
    my $thr = threads->new(\&testThread, $_);
    $thr->detach();
}
sleep 4;

sub testThread
{
    my $n = shift;
    print "thread #" . $n . " started\n";
}
==================================

Running it using debugperl/gdb:

==================================
Starting program: /usr/bin/debugperl sdbm_test.pl
[Thread debugging using libthread_db enabled]
[New Thread 0xb7d868c0 (LWP 17290)]
[New Thread 0xb7c2eb90 (LWP 17295)]
[New Thread 0xb742db90 (LWP 17308)]
[Thread 0xb742db90 (LWP 17308) exited]
[New Thread 0xb742db90 (LWP 17313)]
*** glibc detected *** /usr/bin/debugperl: double free or corruption (!prev): 0x08a5b4e8 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7e276b4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7e298b6]
/usr/lib/perl/5.10/auto/SDBM_File/SDBM_File.so(sdbm_close+0x3b)[0xb7c3f79b]
/usr/lib/perl/5.10/auto/SDBM_File/SDBM_File.so(XS_SDBM_File_DESTROY+0xcf)[0xb7c3e5df]
/usr/bin/debugperl(Perl_pp_entersub+0xae1)[0x80e0bd1]
/usr/bin/debugperl(Perl_call_sv+0x720)[0x80d5c50]
/usr/bin/debugperl(Perl_sv_clear+0x1d4)[0x81065d4]
/usr/bin/debugperl(Perl_sv_free2+0x69)[0x8107289]
/usr/bin/debugperl[0x80eefc1]
/usr/bin/debugperl(Perl_sv_clean_objs+0x29)[0x80ef039]
/usr/bin/debugperl(perl_destruct+0x3f0)[0x80dadf0]
/usr/lib/perl/5.10/auto/threads/threads.so[0xb7f651ab]
/usr/lib/perl/5.10/auto/threads/threads.so[0xb7f653ab]
/usr/lib/perl/5.10/auto/threads/threads.so[0xb7f68c0b]
/lib/i686/cmov/libpthread.so.0[0xb7f1a4c0]
/lib/i686/cmov/libc.so.6(clone+0x5e)[0xb7e9961e]
======= Memory map: ========
08048000-0828a000 r-xp 00000000 fe:01 527887 /usr/bin/debugperl
0828a000-0828c000 rw-p 00242000 fe:01 527887 /usr/bin/debugperl
086d8000-08f33000 rw-p 086d8000 00:00 0 [heap]
b6b00000-b6b21000 rw-p b6b00000 00:00 0
b6b21000-b6c00000 ---p b6b21000 00:00 0
b6c0d000-b6c19000 r-xp 00000000 fe:01 762863 /lib/libgcc_s.so.1
b6c19000-b6c1a000 rw-p 0000b000 fe:01 762863 /lib/libgcc_s.so.1
b6c2d000-b6c2e000 ---p b6c2d000 00:00 0
b6c2e000-b742e000 rw-p b6c2e000 00:00 0
b742e000-b742f000 ---p b742e000 00:00 0
b742f000-b7c2f000 rw-p b742f000 00:00 0
b7c2f000-b7c33000 r-xp 00000000 fe:01 557739 /usr/lib/perl/5.10.0/auto/Socket/Socket.so
b7c33000-b7c34000 rw-p 00004000 fe:01 557739 /usr/lib/perl/5.10.0/auto/Socket/Socket.so
b7c34000-b7c38000 r-xp 00000000 fe:01 557729 /usr/lib/perl/5.10.0/auto/IO/IO.so
b7c38000-b7c39000 rw-p 00003000 fe:01 557729 /usr/lib/perl/5.10.0/auto/IO/IO.so
b7c39000-b7c41000 r-xp 00000000 fe:01 17403 /usr/lib/perl/5.10.0/auto/SDBM_File/SDBM_File.so
b7c41000-b7c42000 rw-p 00007000 fe:01 17403 /usr/lib/perl/5.10.0/auto/SDBM_File/SDBM_File.so
b7c42000-b7c4b000 r-xp 00000000 fe:01 607618 /usr/lib/perl/5.10.0/auto/threads/shared/shared.so
b7c4b000-b7c4c000 rw-p 00009000 fe:01 607618 /usr/lib/perl/5.10.0/auto/threads/shared/shared.so
b7c4c000-b7d86000 r--p 00000000 fe:01 551711 /usr/lib/locale/locale-archive
b7d86000-b7d87000 rw-p b7d86000 00:00 0
b7d87000-b7d90000 r-xp 00000000 fe:01 762957 /lib/i686/cmov/libcrypt-2.7.so
b7d90000-b7d92000 rw-p 00008000 fe:01 762957 /lib/i686/cmov/libcrypt-2.7.so
b7d92000-b7db9000 rw-p b7d92000 00:00 0
b7db9000-b7f0e000 r-xp 00000000 fe:01 762955 /lib/i686/cmov/libc-2.7.so
b7f0e000-b7f0f000 r--p 00155000 fe:01 762955 /lib/i686/cmov/libc-2.7.so
b7f0f000-b7f11000 rw-p 00156000 fe:01 762955 /lib/i686/cmov/libc-2.7.so
b7f11000-b7f14000 rw-p b7f11000 00:00 0
b7f14000-b7f29000 r-xp 00000000 fe:01 763043 /lib/i686/cmov/libpthread-2.7.so
b7f29000-b7f2b000 rw-p 00014000 fe:01 763043 /lib/i686/cmov/libpthread-2.7.so
b7f2b000-b7f2e000 rw-p b7f2b000 00:00 0
b7f2e000-b7f52000 r-xp 00000000 fe:01 763006 /lib/i686/cmov/libm-2.7.so
b7f52000-b7f54000 rw-p 00023000 fe:01 763006 /lib/i686/cmov/libm-2.7.so
b7f54000-b7f56000 r-xp 00000000 fe:01 762998 /lib/i686/cmov/libdl-2.7.so
b7f56000-b7f58000 rw-p 00001000 fe:01 762998 /lib/i686/cmov/libdl-2.7.so
b7f58000-b7f5b000 r-xp 00000000 fe:01 557730 /usr/lib/perl/5.10.0/auto/Cwd/Cwd.so
b7f5b000-b7f5c000 rw-p 00002000 fe:01 557730 /usr/lib/perl/5.10.0/auto/Cwd/Cwd.so
b7f5c000-b7f5f000 r-xp 00000000 fe:01 557734 /usr/lib/perl/5.10.0/auto/Fcntl/Fcntl.so
b7f5f000-b7f60000 rw-p 00002000 fe:01 557734 /usr/lib/perl/5.10.0/auto/Fcntl/Fcntl.so
b7f60000-b7f6a000 r-xp 00000000 fe:01 607619 /usr/lib/perl/5.10.0/auto/threads/threads.so
b7f6a000-b7f6b000 rw-p 00009000 fe:01 607619 /usr/lib/perl/5.10.0/auto/threads/threads.so
b7f6b000-b7f6d000 rw-p b7f6b000 00:00 0
b7f6d000-b7f6e000 r-xp b7f6d000 00:00 0 [vdso]
b7f6e000-b7f88000 r-xp 00000000 fe:01 763488 /lib/ld-2.7.so
b7f88000-b7f8a000 rw-p 0001a000 fe:01 763488 /lib/ld-2.7.so
bf974000-bf989000 rw-p bffeb000 00:00 0 [stack]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb742db90 (LWP 17313)]
0xb7f6d424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7f6d424 in __kernel_vsyscall ()
#1 0xb7de4640 in raise () from /lib/i686/cmov/libc.so.6
#2 0xb7de6018 in abort () from /lib/i686/cmov/libc.so.6
#3 0xb7e213dd in ?? () from /lib/i686/cmov/libc.so.6
#4 0x00000006 in ?? ()
#5 0xb742c914 in ?? ()
#6 0x00000400 in ?? ()
#7 0xb7ef75c8 in ?? () from /lib/i686/cmov/libc.so.6
#8 0x00000017 in ?? ()
#9 0xbf9887bd in ?? ()
#10 0x00000012 in ?? ()
#11 0xb7ef75e1 in ?? () from /lib/i686/cmov/libc.so.6
#12 0x00000002 in ?? ()
#13 0xb7ef76c0 in ?? () from /lib/i686/cmov/libc.so.6
#14 0x00000021 in ?? ()
#15 0xb7ef75e5 in ?? () from /lib/i686/cmov/libc.so.6
#16 0x00000004 in ?? ()
#17 0xb742ce43 in ?? ()
#18 0x00000008 in ?? ()
#19 0xb7ef75eb in ?? () from /lib/i686/cmov/libc.so.6
#20 0x00000005 in ?? ()
#21 0x08cc6dd8 in ?? ()
#22 0x00000000 in ?? ()
==================================

If I set a breakpoint in sdbm_close, I can see that it is called twice
from different threads with the same DB pointer.

-- 
Chris Butler <chrisb at debian.org>
  GnuPG Key ID: 1024D/D097A261
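
Added example, not part of the original message and not Perl's or SDBM_File's own code: a small C model of the failure reported above, in which a tied handle is copied into each new thread and every copy's destructor closes the same pointer, next to a variant where only the opening thread closes it. Threads are modelled as integer ids, and `toy_dbm`, `toy_tie`, the `owner` field and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy DBM handle in static storage with an `open` flag: a repeated close is
   counted here instead of corrupting the heap. */
typedef struct { char *pagbuf; int open; } toy_dbm;
/* Toy tied object; the `owner` thread id is this example's assumption. */
typedef struct { toy_dbm *dbp; int owner; } toy_tie;
static toy_dbm handle;
static int repeated_closes;

static toy_tie toy_open(int thread_id) {
    toy_tie t = { &handle, thread_id };
    handle.pagbuf = malloc(1024);
    handle.open = 1;
    return t;
}

static void toy_close(toy_dbm *db) {
    if (!db->open) { repeated_closes++; return; } /* real code: second free() */
    free(db->pagbuf);
    db->open = 0;
}

/* Thread creation copies the wrapper as-is: same dbp, same owner id. */
static toy_tie clone_for_thread(const toy_tie *parent) { return *parent; }

/* Destructor at thread teardown; guarded means only the opener closes. */
static void toy_destroy(toy_tie *t, int current_thread, int guarded) {
    if (!guarded || t->owner == current_thread)
        toy_close(t->dbp);
    t->dbp = NULL;
}

/* Tie in thread 0, start threads 1 and 2, tear all three down. Returns the
   number of closes on an already-closed handle, or -1 if it was leaked. */
int run_scenario(int guarded) {
    toy_tie parent = toy_open(0);
    repeated_closes = 0;
    for (int tid = 1; tid <= 2; tid++) {
        toy_tie copy = clone_for_thread(&parent);
        toy_destroy(&copy, tid, guarded);
    }
    toy_destroy(&parent, 0, guarded);
    return handle.open ? -1 : repeated_closes;
}

int main(void) {
    printf("unguarded: %d, guarded: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```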





