| 1 | // RUN: %clang_scudo %s -O2 -o %t |
|---|
| 2 | // RUN: %env_scudo_opts="QuarantineChunksUpToSize=0" %run %t 2>&1 |
|---|
| 3 | |
|---|
| 4 | // This test attempts to reproduce a race condition in the deallocation path |
|---|
| 5 | // when bypassing the Quarantine. The old behavior was to zero-out the chunk |
|---|
| 6 | // header after checking its checksum, state & various other things, but that |
|---|
| 7 | // left a window during which 2 (or more) threads could deallocate the same |
|---|
| 8 | // chunk, with a net result of having said chunk present in those distinct |
|---|
| 9 | // thread caches. |
|---|
| 10 | |
|---|
| 11 | // A passing test means all the children died with an error. The failing |
|---|
| 12 | // scenario involves winning a race, so repro can be scarce. |
|---|
| 13 | |
|---|
| 14 | #include <pthread.h> |
|---|
| 15 | #include <stdlib.h> |
|---|
| 16 | #include <sys/types.h> |
|---|
| 17 | #include <sys/wait.h> |
|---|
| 18 | #include <unistd.h> |
|---|
| 19 | |
|---|
| 20 | const int kNumThreads = 2; |
|---|
| 21 | pthread_t tid[kNumThreads]; |
|---|
| 22 | |
|---|
| 23 | pthread_cond_t cond = PTHREAD_COND_INITIALIZER; |
|---|
| 24 | pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; |
|---|
| 25 | char go = 0; |
|---|
| 26 | |
|---|
| 27 | // Frees the pointer passed when signaled to. |
|---|
| 28 | void *thread_free(void *p) { |
|---|
| 29 | pthread_mutex_lock(mutex: &mutex); |
|---|
| 30 | while (!go) |
|---|
| 31 | pthread_cond_wait(cond: &cond, mutex: &mutex); |
|---|
| 32 | pthread_mutex_unlock(mutex: &mutex); |
|---|
| 33 | free(ptr: p); |
|---|
| 34 | return 0; |
|---|
| 35 | } |
|---|
| 36 | |
|---|
| 37 | // Allocates a chunk, and attempts to free it "simultaneously" by 2 threads. |
|---|
| 38 | void child(void) { |
|---|
| 39 | void *p = malloc(size: 16); |
|---|
| 40 | for (int i = 0; i < kNumThreads; i++) |
|---|
| 41 | pthread_create(newthread: &tid[i], attr: 0, start_routine: thread_free, arg: p); |
|---|
| 42 | pthread_mutex_lock(mutex: &mutex); |
|---|
| 43 | go = 1; |
|---|
| 44 | pthread_cond_broadcast(cond: &cond); |
|---|
| 45 | pthread_mutex_unlock(mutex: &mutex); |
|---|
| 46 | for (int i = 0; i < kNumThreads; i++) |
|---|
| 47 | pthread_join(th: tid[i], thread_return: 0); |
|---|
| 48 | } |
|---|
| 49 | |
|---|
| 50 | int main(int argc, char **argv) { |
|---|
| 51 | const int kChildren = 40; |
|---|
| 52 | pid_t pid; |
|---|
| 53 | for (int i = 0; i < kChildren; ++i) { |
|---|
| 54 | pid = fork(); |
|---|
| 55 | if (pid < 0) { |
|---|
| 56 | exit(status: 1); |
|---|
| 57 | } else if (pid == 0) { |
|---|
| 58 | child(); |
|---|
| 59 | exit(status: 0); |
|---|
| 60 | } else { |
|---|
| 61 | int status; |
|---|
| 62 | wait(stat_loc: &status); |
|---|
| 63 | // A 0 status means the child didn't die with an error. The race was won. |
|---|
| 64 | if (status == 0) |
|---|
| 65 | exit(status: 1); |
|---|
| 66 | } |
|---|
| 67 | } |
|---|
| 68 | return 0; |
|---|
| 69 | } |
|---|
| 70 | |
|---|
