View Issue Details

ID: 0034640
Project: FPC
Category: RTL
View Status: public
Last Update: 2018-12-29 12:22
Reporter: Martin Friebe
Assigned To: Sven Barth
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: 64bit Intel
OS: win 10
OS Version: 10
Product Version: 3.0.4
Product Build:
Target Version:
Fixed in Version: 3.3.1
Summary: 0034640: race condition in ThreadQueueAppend // threads may access random memory and crash
Description: Also present in trunk


procedure ThreadQueueAppend(aEntry: TThread.PThreadQueueEntry; aQueueIfMain: Boolean);
begin
....
    System.EnterCriticalSection(ThreadQueueLock);
....
    // put aEntry on queue
        ThreadQueueTail^.Next := aEntry;
...
      System.LeaveCriticalSection(ThreadQueueLock);
      { from here on the main thread (CheckSynchronize) may dequeue aEntry and,
        for a Queue entry, free it }
....
    if assigned(WakeMainThread) then
      WakeMainThread(aEntry^.Thread);          { read of aEntry after it was published }

    { is this a Synchronize or Queue entry? }
    if Assigned(aEntry^.SyncEvent) then begin  { second read; the entry may already be freed }
      RtlEventWaitFor(aEntry^.SyncEvent);

By the time aEntry^.Thread and aEntry^.SyncEvent are accessed, the main thread may have freed the memory (in CheckSynchronize).

RtlEventWaitFor might be called with whatever random value is now in that place.
Additional Information: valgrind log

==25013== Thread 4:
==25013== Invalid read of size 8
==25013== at 0x56795B: CLASSES_$$_THREADQUEUEAPPEND$TThread.PTHREADQUEUEENTRY (classes.inc:305)
==25013== by 0x567EF7: CLASSES$_$TTHREAD_$__$$_QUEUE$TTHREAD$TTHREADMETHOD (classes.inc:466)
==25013== by 0x567E78: CLASSES$_$TTHREAD_$__$$_QUEUE$TTHREADMETHOD (classes.inc:448)
==25013== by 0x14D0D26: DEBUGPROCESS$_$TDEBUGPROCESSREADTHREAD_$__$$_EXECUTE (debugprocess.pas:176)
==25013== by 0x567002: CLASSES_$$_THREADFUNC$POINTER$$INT64 (tthread.inc:109)
==25013== by 0x4504DC: CTHREADS_$$_THREADMAIN$POINTER$$POINTER (cthreads.pp:300)
==25013== by 0x4E42593: start_thread (in /usr/lib64/libpthread-2.27.so)
==25013== by 0x7722E6E: clone (in /usr/lib64/libc-2.27.so)
==25013== Address 0x209c1258 is 40 bytes inside a block of size 56 free'd
==25013== at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==25013== by 0x44F924: CMEM_$$_CFREEMEM$POINTER$$QWORD (cmem.pp:75)
==25013== by 0x43C229: fpc_freemem (heap.inc:359)
==25013== by 0x567D6E: CLASSES_$$_CHECKSYNCHRONIZE$LONGINT$$BOOLEAN (classes.inc:419)
==25013== by 0x522C80: GTK2INT_$$_THREADSYNC_IOCALLBACK$PGIOCHANNEL$LONGINT$POINTER$$BOOLEAN32 (gtk2widgetset.inc:1843)
==25013== by 0x63B88AC: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5600.1)
==25013== by 0x63B8C77: ??? (in /usr/lib64/libglib-2.0.so.0.5600.1)
==25013== by 0x63B8D0F: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.5600.1)
==25013== by 0x523DA2: GTK2INT$_$TGTK2WIDGETSET_$__$$_APPPROCESSMESSAGES (gtk2widgetset.inc:2353)
==25013== by 0x49FCFA: FORMS$_$TAPPLICATION_$__$$_HANDLEMESSAGE (application.inc:1282)
==25013== by 0x4A05B4: FORMS$_$TAPPLICATION_$__$$_RUNLOOP (application.inc:1419)
==25013== by 0x725556: INTERFACEBASE$_$TWIDGETSET_$__$$_APPRUN$TAPPLICATIONMAINLOOP (interfacebase.inc:54)
==25013== Block was alloc'd at
==25013== at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==25013== by 0x44F8D9: CMEM_$$_CGETMEM$QWORD$$POINTER (cmem.pp:62)
==25013== by 0x43C1F9: fpc_getmem (heap.inc:354)
==25013== by 0x567EB3: CLASSES$_$TTHREAD_$__$$_QUEUE$TTHREAD$TTHREADMETHOD (classes.inc:460)
==25013== by 0x567E78: CLASSES$_$TTHREAD_$__$$_QUEUE$TTHREADMETHOD (classes.inc:448)
==25013== by 0x14D0D26: DEBUGPROCESS$_$TDEBUGPROCESSREADTHREAD_$__$$_EXECUTE (debugprocess.pas:176)
==25013== by 0x567002: CLASSES_$$_THREADFUNC$POINTER$$INT64 (tthread.inc:109)
==25013== by 0x4504DC: CTHREADS_$$_THREADMAIN$POINTER$$POINTER (cthreads.pp:300)
==25013== by 0x4E42593: start_thread (in /usr/lib64/libpthread-2.27.so)
==25013== by 0x7722E6E: clone (in /usr/lib64/libc-2.27.so)
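The interleaving described in the report, replayed deterministically. This is an added example and not code from the FPC RTL or from the fix in r40651; it is written in C rather than Pascal so that the two orderings can be compared side by side, and every name in it (queue_entry, append_as_reported, append_copy_first, main_thread_check_synchronize, push_entry) is invented. The model stands in for real threads by letting the "main thread" run at the point where the producer has dropped ThreadQueueLock, and it poisons a consumed Queue entry instead of calling free() so the stale read returns a recognisable pattern instead of undefined behaviour. The copy-first variant is the general pattern (read every field you still need before the entry is published), not a claim about what the actual FPC change looks like.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not code from FPC's RTL or from the fix: a single-threaded
 * model of the producer side of ThreadQueueAppend and the consumer side of
 * CheckSynchronize, so the losing interleaving from the report can be replayed
 * deterministically. All names below are invented. */

typedef struct queue_entry {
    struct queue_entry *next;
    uintptr_t thread;      /* stands in for aEntry^.Thread */
    uintptr_t sync_event;  /* stands in for aEntry^.SyncEvent; 0 = Queue() entry */
} queue_entry;

/* What a debug allocator writes over a freed block. Poisoning instead of
 * calling free() keeps the stale read observable rather than undefined. */
#define POISON ((uintptr_t)0xDEADBEEFu)

static queue_entry *q_head, *q_tail;   /* models ThreadQueueHead / ThreadQueueTail */
static int lock_held;                  /* models ThreadQueueLock */
static uintptr_t signalled_event;      /* last event the main thread set */
static uintptr_t waited_event;         /* what RtlEventWaitFor was called with */

static void lock_queue(void)   { lock_held = 1; }
static void unlock_queue(void) { lock_held = 0; }

static void push_entry(queue_entry *e)
{
    e->next = NULL;
    if (q_tail) q_tail->next = e; else q_head = e;  /* ThreadQueueTail^.Next := aEntry */
    q_tail = e;
}

/* Model of CheckSynchronize on the main thread: dequeue under the lock, run the
 * method, then either wake the blocked producer (Synchronize entry, which the
 * producer disposes of later) or dispose of the entry itself (Queue entry). */
static void main_thread_check_synchronize(void)
{
    lock_queue();
    while (q_head) {
        queue_entry *e = q_head;
        q_head = e->next;
        if (!q_head) q_tail = NULL;
        unlock_queue();
        /* e's method would run here */
        if (e->sync_event) {
            signalled_event = e->sync_event;
        } else {
            e->thread = POISON;       /* FreeMem(e) in the real code */
            e->sync_event = POISON;
        }
        lock_queue();
    }
    unlock_queue();
}

/* The order shown in the report: publish the entry, drop the lock, then read
 * aEntry^.Thread and aEntry^.SyncEvent. main_thread_runs models the main
 * thread getting scheduled in between (WakeMainThread has just woken it). */
static uintptr_t append_as_reported(queue_entry *e, void (*main_thread_runs)(void))
{
    lock_queue();
    push_entry(e);
    unlock_queue();
    main_thread_runs();
    uintptr_t thread = e->thread;                       /* stale for a Queue entry */
    if (e->sync_event) waited_event = e->sync_event;    /* RtlEventWaitFor on garbage */
    return thread;
}

/* Copy everything the producer still needs out of the entry before it is
 * published: once it is on the queue it belongs to the main thread. */
static uintptr_t append_copy_first(queue_entry *e, void (*main_thread_runs)(void))
{
    uintptr_t thread = e->thread;
    uintptr_t ev = e->sync_event;
    lock_queue();
    push_entry(e);
    unlock_queue();
    main_thread_runs();
    if (ev) waited_event = ev;                           /* RtlEventWaitFor(ev) */
    return thread;
}

int main(void)
{
    queue_entry bad = { NULL, 0x1111, 0 }, good = { NULL, 0x2222, 0 };
    printf("as reported: thread=%#lx\n",
           (unsigned long)append_as_reported(&bad, main_thread_check_synchronize));
    printf("copy first:  thread=%#lx\n",
           (unsigned long)append_copy_first(&good, main_thread_check_synchronize));
    return 0;
}
```

With a Queue entry (sync_event = 0) the reported ordering hands back the poison pattern as the thread and then "waits" on the poison value, which is exactly the "RtlEventWaitFor might be called with whatever random value is now in that place" outcome in the report; the copy-first ordering returns the real values whether or not the main thread runs in the window. Under a real allocator the same window is a use-after-free that valgrind or ASan reports as above, but whose observable effect depends on who reused the block.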
Tags: No tags attached.
Fixed in Revision: 40651
FPCOldBugId: 0
FPCTarget:
Attached Files

Activities

Sven Barth

2018-12-26 00:31

manager   ~0112881

Please test and close if okay.

Martin Friebe

2018-12-28 19:20

manager   ~0112962

ok, thanks

Marco van de Voort

2018-12-29 12:22

manager   ~0112976

Merged to 3.2 r40688

Issue History

Date Modified Username Field Change
2018-12-03 22:23 Martin Friebe New Issue
2018-12-26 00:31 Sven Barth Fixed in Revision => 40651
2018-12-26 00:31 Sven Barth Note Added: 0112881
2018-12-26 00:31 Sven Barth Status new => resolved
2018-12-26 00:31 Sven Barth Fixed in Version => 3.3.1
2018-12-26 00:31 Sven Barth Resolution open => fixed
2018-12-26 00:31 Sven Barth Assigned To => Sven Barth
2018-12-28 19:20 Martin Friebe Note Added: 0112962
2018-12-28 19:20 Martin Friebe Status resolved => closed
2018-12-29 12:22 Marco van de Voort Note Added: 0112976