This is the mail archive of the cygwin-developers@cygwin.com mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

race in atexit.c / on_exit.c (in newlib/libc/stdlib)

From: Joe Buehler <jbuehler at hekimian dot com>
To: Cygwin Developers <cygwin-developers at cygwin dot com>
Date: Tue, 30 Jul 2002 08:11:59 -0400
Subject: race in atexit.c / on_exit.c (in newlib/libc/stdlib)
Organization: Spirent Communications
Reply-to: joseph dot buehler at spirentcom dot com

I installed a patch in my local copy of Cygwin to work around null
pointer dereferences emanating from an array filled in in the newlib
atexit() / on_exit() functions.

The _fns[] array sometimes ends up with a null pointer in it, causing
a core dump, so I changed the code that dereferences the array
elements (calls the function pointers in the array) to ignore null
pointers.

Looking at the instructions generated by gcc, it looks like this is
probably another race condition in cygwin.  If two threads execute
atexit()/on_exit() at the same time, they can overwrite the same entry
in the _fns[] array, then double-increment the array index, thus
(probably) leaving a null pointer in the array.

If this is indeed what is happening, my fix avoids the core dump, but
at the cost of not executing an atexit() function that might be rather
important Cygwin cleanup code.  So I'm going to try some C code
variations that might make the code thread-safe...

Joe Buehler

Follow-Ups:
- Re: race in atexit.c / on_exit.c (in newlib/libc/stdlib)
  - From: Christopher Faylor
- gcc problem with static instance destructors
  - From: Joe Buehler

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]