From nobody@FreeBSD.org  Mon Jan 16 00:22:50 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B9AD116A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 16 Jan 2006 00:22:50 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8344F43D48
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 16 Jan 2006 00:22:50 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k0G0Mo7B079468
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 16 Jan 2006 00:22:50 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k0G0MosU079467;
	Mon, 16 Jan 2006 00:22:50 GMT
	(envelope-from nobody)
Message-Id: <200601160022.k0G0MosU079467@www.freebsd.org>
Date: Mon, 16 Jan 2006 00:22:50 GMT
From: Marcel Moolenaar <marcel@xcllnt.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: TLS: malloc(3) exposes DTLS bug in non-threaded applications
X-Send-Pr-Version: www-2.3

>Number:         91846
>Category:       ia64
>Synopsis:       TLS: malloc(3) exposes DTLS bug in non-threaded applications
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ia64
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 16 00:30:07 GMT 2006
>Closed-Date:    Wed Aug 30 01:08:53 GMT 2006
>Last-Modified:  Wed Aug 30 01:08:53 GMT 2006
>Originator:     Marcel Moolenaar
>Release:        7-CURRENT
>Organization:
>Environment:
FreeBSD bigsur.pn.xcllnt.net 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Fri Jan 13 16:26:27 PST 2006     marcel@bigsur.pn.xcllnt.net:/usr/obj/nfs/freebsd/7.x/src/sys/BIGSUR  ia64

>Description:
When NO_TLS is *not* defined in src/lib/libc/stdlib/malloc.c on ia64, then a SIGSEGV will result due to arenas_map being thread-local and it being referenced in choose_arena(). That reference causes a thread-local relocation to end up in tls_get_addr_common() in src/libexec/rtld-elf/rtld.c for which the dtvp argument is NULL. This pretty much means that __tls_get_addr() on ia64 does the wrong thing. In this case it assumes that r13 (aka TP) is non-NULL in all cases, which is false for non-threaded applications.

>How-To-Repeat:
n/a
>Fix:
tbd
>Release-Note:
>Audit-Trail:

From: Doug Rabson <dfr@rabson.org>
To: freebsd-ia64@freebsd.org
Cc: Marcel Moolenaar <marcel@xcllnt.net>, freebsd-gnats-submit@freebsd.org
Subject: Re: ia64/91846: TLS: malloc(3) exposes DTLS bug in non-threaded applications
Date: Mon, 16 Jan 2006 10:09:41 +0000

 On Monday 16 January 2006 00:22, Marcel Moolenaar wrote:
 > >Number:         91846
 > >Category:       ia64
 > >Synopsis:       TLS: malloc(3) exposes DTLS bug in non-threaded applications
 > >Confidential:   no
 > >Severity:       serious
 > >Priority:       medium
 > >Responsible:    freebsd-ia64
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Mon Jan 16 00:30:07 GMT 2006
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Marcel Moolenaar
 > >Release:        7-CURRENT
 > >Organization:
 > >Environment:
 >
 > FreeBSD bigsur.pn.xcllnt.net 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Fri
 > Jan 13 16:26:27 PST 2006    
 > marcel@bigsur.pn.xcllnt.net:/usr/obj/nfs/freebsd/7.x/src/sys/BIGSUR 
 > ia64
 >
 > >Description:
 >
 > When NO_TLS is *not* defined in src/lib/libc/stdlib/malloc.c on ia64,
 > then a SIGSEGV will result due to arenas_map being thread-local and
 > it being referenced in choose_arena(). That reference causes a
 > thread-local relocation to end up in tls_get_addr_common() in
 > src/libexec/rtld-elf/rtld.c for which the dtvp argument is NULL. This
 > pretty much means that __tls_get_addr() on ia64 does the wrong thing.
 > In this case it assumes that r13 (aka TP) is non-NULL in all cases,
 > which is false for non-threaded applications.
 
 I don't understand this. Any dynamic application (threaded or 
 non-threaded) should end up 
 calling .../ia64/reloc.c:allocate_initial_tls() which sets r13 to point 
 at the TLS block for the main thread (or only thread for non-threaded).

From: Maxim Sobolev <sobomax@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc: marcel@xcllnt.net, jasone@FreeBSD.org
Subject: Re: ia64/91846: TLS: malloc(3) exposes DTLS bug in non-threaded applications
Date: Wed, 02 Aug 2006 21:40:03 -0700

 Apparently, the same bug affects FreeBSD/powerpc:
 
 Loaded symbols for /libexec/ld-elf.so.1
 #0  0x2183f7b4 in tls_get_addr_common (dtvp=0x1a31490, index=2, offset=4294934528) at rtld.c:2663
 2663        if (dtv[0] != tls_dtv_generation) {
 (gdb) bt
 #0  0x2183f7b4 in tls_get_addr_common (dtvp=0x1a31490, index=2, offset=4294934528) at rtld.c:2663
 #1  0x218397f8 in __tls_get_addr (ti=0x21bbf0e8) at /usr/src/libexec/rtld-elf/powerpc/reloc.c:577
 #2  0x21ad3ef8 in choose_arena () at /usr/src/lib/libc/stdlib/malloc.c:1422
 #3  0x21ad8f40 in imalloc (size=480) at /usr/src/lib/libc/stdlib/malloc.c:2662
 #4  0x21ada810 in malloc (size=480) at /usr/src/lib/libc/stdlib/malloc.c:3422
 #5  0x21a1ba90 in _thr_alloc (curthread=0x1a502e0) at /usr/src/lib/libpthread/thread/thr_kern.c:2369
 #6  0x21a021b0 in _pthread_create (thread=0x1ab05a0, attr=0x0, start_routine=0x18109dc <sender_loop>, arg=0x1ab0580) at /usr/src/lib/libpthread/thread/thr_create.c:110
 #7  0x01810640 in mux_init (m=0x1ab0580) at /usr/src/usr.bin/csup/../../contrib/csup/mux.c:661
 #8  0x0180f8b0 in mux_open (sock=3, chan=0x7fffdad8) at /usr/src/usr.bin/csup/../../contrib/csup/mux.c:328
 #9  0x018146a4 in proto_mux (config=0x1a118c0) at /usr/src/usr.bin/csup/../../contrib/csup/proto.c:555
 #10 0x018148f4 in proto_run (config=0x1a118c0) at /usr/src/usr.bin/csup/../../contrib/csup/proto.c:617
 #11 0x0180dddc in main (argc=1, argv=0x7fffdcac) at /usr/src/usr.bin/csup/../../contrib/csup/main.c:314
 (gdb) print dtv
 $1 = (Elf_Addr *) 0x0
 (gdb)
 
 Perhaps, TLS is not initialized at the point when malloc is called or 
 something like that.
 
 -Maxim
State-Changed-From-To: open->closed 
State-Changed-By: marcel 
State-Changed-When: Wed Aug 30 01:08:03 UTC 2006 
State-Changed-Why:  
Fixed. The assignment to TP was being eliminated by GCC. Use of inline assembly avoids this.
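As an added example, not code from rtld-elf or from this PR: a simplified C model of the lookup the description and the backtrace point at, tls_get_addr_common() walking the dynamic thread vector (DTV) from the thread pointer. tcb_model, dtv_lookup, TLS_DTV_GENERATION and the sample block layout are constructed for this example, and the model returns NULL where the real fast path would dereference a NULL TP/DTV, which is the crash reported here.

```c
#include <stddef.h>
#include <stdint.h>
/* Added model (not rtld's code): the DTV generation value the lookup
 * compares against; constructed for this example. */
#define TLS_DTV_GENERATION 1

/* Model of a thread's TLS control block.  On ia64 the thread pointer
 * (r13, "TP") locates this, and it holds the dynamic thread vector. */
struct tcb_model {
    uintptr_t *dtv;   /* dtv[0] = generation, dtv[i + 1] = module i block */
};

/* Model of tls_get_addr_common(): resolve (module index, offset) via the
 * DTV.  Unlike the real fast path, it refuses a NULL TP or NULL DTV
 * instead of dereferencing it, which is exactly where the ia64 and
 * powerpc backtraces in this PR end up. */
void *dtv_lookup(const struct tcb_model *tp, int index, size_t offset)
{
    const uintptr_t *dtv;
    if (tp == NULL || tp->dtv == NULL)     /* TP never assigned: the bug */
        return NULL;
    dtv = tp->dtv;
    if (dtv[0] != TLS_DTV_GENERATION)      /* stale DTV: rtld would take */
        return NULL;                       /* its slow path; omitted here */
    if (dtv[index + 1] == 0)               /* module block not allocated */
        return NULL;
    return (void *)(dtv[index + 1] + offset);
}

/* Constructed sample: module 1 owns a 16-byte TLS block; module 0 has none. */
static unsigned char module1_block[16];
static uintptr_t sample_dtv[3];
static struct tcb_model sample_tcb;

/* Healthy case: TP is set and the DTV is current. */
void *lookup_sample(int index, size_t offset)
{
    sample_dtv[0] = TLS_DTV_GENERATION;
    sample_dtv[1] = 0;                       /* module 0: no TLS block */
    sample_dtv[2] = (uintptr_t)module1_block;
    sample_tcb.dtv = sample_dtv;
    return dtv_lookup(&sample_tcb, index, offset);
}

/* The non-threaded case from the PR: TP was never assigned (NULL). */
void *lookup_with_null_tp(void)
{
    return dtv_lookup(NULL, 1, 8);
}
```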


http://www.freebsd.org/cgi/query-pr.cgi?pr=91846 
>Unformatted:
