https://gcc.gnu.org/bugzilla/show_bug.cgi?id=62060
Bug ID: 62060
Summary: g++.dg/tsan/cond_race.C triggers heap-use-after-free
Product: gcc
Version: 4.10.0
Status: UNCONFIRMED
Severity: minor
Priority: P3
Component: testsuite
Assignee: unassigned at gcc dot gnu.org
Reporter: vries at gcc dot gnu.org

When testing a gcc patch, I ran into this failure:
...
-./gcc/testsuite/g++/g++.sum:PASS: g++.dg/tsan/cond_race.C -O2 output pattern test, ThreadSanitizer: data race.*pthread_cond_signal.*
+./gcc/testsuite/g++/g++.sum:FAIL: g++.dg/tsan/cond_race.C -O2 output pattern test, is ==================
...

I've run into the same failure before, here: https://gcc.gnu.org/ml/gcc-patches/2014-04/msg01758.html .
Also, I've noticed it here: https://gcc.gnu.org/ml/gcc-testresults/2014-01/msg00127.html .

The complete failure from the log is:
...
FAIL: g++.dg/tsan/cond_race.C -O2 output pattern test, is ==================
WARNING: ThreadSanitizer: heap-use-after-free (pid=5192)
  Read of size 8 at 0x7d180000efc8 by thread T1:
    #0 pthread_cond_signal src/libsanitizer/tsan/tsan_interceptors.cc:1011 (libtsan.so.0+0x000000027794)
    #1 thr(void*) src/gcc/testsuite/g++.dg/tsan/cond_race.C:20 (cond_race.exe+0x000000001033)
  Previous write of size 8 at 0x7d180000efc8 by main thread:
    #0 operator delete(void*) src/libsanitizer/tsan/tsan_interceptors.cc:583 (libtsan.so.0+0x000000025ab9)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:34 (cond_race.exe+0x000000000ea0)
  Location is heap block of size 96 at 0x7d180000efa0 allocated by main thread:
    #0 operator new(unsigned long) src/libsanitizer/tsan/tsan_interceptors.cc:551 (libtsan.so.0+0x000000025863)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:25 (cond_race.exe+0x000000000e12)
  Thread T1 (tid=5200, running) created by main thread at:
    #0 pthread_create src/libsanitizer/tsan/tsan_interceptors.cc:853 (libtsan.so.0+0x000000026f54)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:29 (cond_race.exe+0x000000000e5a)
SUMMARY: ThreadSanitizer: heap-use-after-free src/gcc/testsuite/g++.dg/tsan/cond_race.C:20 thr(void*)
==================
ThreadSanitizer: reported 1 warnings
, should match ThreadSanitizer: data race.*pthread_cond_signal.*
...

When compiling and running from the command line, the expected output is produced:
...
WARNING: ThreadSanitizer: data race (pid=6294)
  Write of size 8 at 0x7d180000efc8 by main thread:
    #0 operator delete(void*) src/libsanitizer/tsan/tsan_interceptors.cc:583 (libtsan.so.0+0x000000025ab9)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:34 (cond_race.exe+0x000000000d00)
  Previous read of size 8 at 0x7d180000efc8 by thread T1:
    #0 pthread_cond_signal src/libsanitizer/tsan/tsan_interceptors.cc:1011 (libtsan.so.0+0x000000027794)
    #1 thr(void*) src/gcc/testsuite/g++.dg/tsan/cond_race.C:20 (cond_race.exe+0x000000000e93)
  Location is heap block of size 96 at 0x7d180000efa0 allocated by main thread:
    #0 operator new(unsigned long) src/libsanitizer/tsan/tsan_interceptors.cc:551 (libtsan.so.0+0x000000025863)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:25 (cond_race.exe+0x000000000c72)
  Thread T1 (tid=6296, running) created by main thread at:
    #0 pthread_create src/libsanitizer/tsan/tsan_interceptors.cc:853 (libtsan.so.0+0x000000026f54)
    #1 main src/gcc/testsuite/g++.dg/tsan/cond_race.C:29 (cond_race.exe+0x000000000cba)
SUMMARY: ThreadSanitizer: data race src/gcc/testsuite/g++.dg/tsan/cond_race.C:34 main
...

So, it seems there is a data race between:
- the write from the delete at line 34, and
- the read from the pthread_cond_signal at line 20.

If the write comes first, we get the heap-use-after-free message. If the read comes first, we get the data race message.

Tentatively setting component to testsuite.
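As an added illustration (constructed here, not the testsuite's cond_race.C, whose source is not on this page), a C program with the same shape: a heap block holding a mutex, a condition variable and a flag, signalled by a worker thread after the waiter may already have returned. The join_first argument selects between the report's free-then-join ordering and the fixed join-then-free ordering; the struct and function names are this example's own.

```c
#include <pthread.h>
#include <stdlib.h>
/* Constructed stand-in for the shape of the testsuite case: a heap block
   holding a mutex, a condvar and a flag, signalled from a worker thread. */
struct cond_box {
    pthread_mutex_t mu;
    pthread_cond_t cv;
    int done;
};

static void *thr(void *p) {
    struct cond_box *c = p;
    pthread_mutex_lock(&c->mu);
    c->done = 1;
    pthread_mutex_unlock(&c->mu);
    /* Signalling after unlock touches c->cv once the waiter may already have
       returned: this is the read the report pairs with the delete. */
    pthread_cond_signal(&c->cv);
    return NULL;
}

/* Allocate the block, start the signaller and wait until done is set. */
static struct cond_box *start_and_wait(pthread_t *t) {
    struct cond_box *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    pthread_mutex_init(&c->mu, NULL);
    pthread_cond_init(&c->cv, NULL);
    if (pthread_create(t, NULL, thr, c) != 0) { free(c); return NULL; }
    pthread_mutex_lock(&c->mu);
    while (!c->done) pthread_cond_wait(&c->cv, &c->mu);
    pthread_mutex_unlock(&c->mu);
    return c;
}

/* join_first == 0 is the report's ordering (free, then join): TSan labels the
   outcome "data race" or "heap-use-after-free" depending on which thread
   reaches c->cv first. join_first == 1 is the fixed ordering. */
int wait_then_free(int join_first) {
    pthread_t t;
    struct cond_box *c = start_and_wait(&t);
    if (!c) return -1;
    if (join_first) {            /* signaller is finished with c->cv */
        pthread_join(t, NULL);
        pthread_cond_destroy(&c->cv);
        pthread_mutex_destroy(&c->mu);
    }
    free(c);                     /* the "delete" write in the report */
    if (!join_first) pthread_join(t, NULL);
    return 0;
}
```

Built with -fsanitize=thread, wait_then_free(0) should reproduce one of the two reports quoted above depending on scheduling, while wait_then_free(1) runs clean; only the fixed ordering is exercised here.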