Dennis Lubert wrote:
Am Freitag, den 10.06.2005, 10:38 +0200 schrieb Ludovic Drolez:
Paul Pluzhnikov wrote:
On 6/9/05, Ludovic Drolez <[EMAIL PROTECTED]> wrote:
So it seems to say that pthread_create tried to use a freed block and that this
block has been freed at tftpd.c:736 ?
Yes. The bug is as follows:
new = calloc(1, sizeof(thread_data)); ...
pthread_create(&new->tid, ..., new);
At this point it is indeterminate which thread goes first -- the
"current" one or the "new" one. If the "new" thread runs to
*completion* (including the free(data) on line 736) *before* the
"current" thread had a chance to write new->tid, then you'll have
the bug which VG caught for you: writing to now dangling memory.
Yes but, new->tid is malloc'd for each new thread, it's not shared.
So for example, the "new" thread cannot free the memory calloc'd for the
"current" thread...
It is shared, since pthread_create writes the new->tid field in the
*current* thread, not in the spawned one (where it might be freed()
before the *current* thread comes to run again)
Ok, now I understand. I thought that the 1st thing that pthread_create() did,
was to assign a value to new->tid. But you say that it might work like this:
pthread_create(...):
clone()
in my thread : free(new)
new->tid = segfault
So, we should never allocate memory for new->tid to fix this bug.
Many thanks for your valuable explanations!
Cheers,
--
Ludovic DROLEZ Linbox / Free&ALter Soft
www.linbox.com www.linbox.org tel: +33 3 87 50 87 90
152 rue de Grigy - Technopole Metz 2000 57070 METZ
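The race Paul describes, as an added example that is not code from this thread or from the tftpd sources: the racy pattern beside one fix (keep the thread id in a local of the creating thread so nothing pthread_create() writes is shared with the worker). The `thread_data` / `worker_arg` layouts and the job arithmetic are constructed for illustration.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed layout matching the discussion: the tid lives inside the
   block that is handed to the new thread. */
typedef struct { pthread_t tid; int job; } thread_data;

/* RACY (the pattern Valgrind flagged): the worker owns and frees the block,
   but pthread_create() in the creating thread still writes td->tid into
   that same block after clone(). If the worker runs to completion first,
   that write lands in freed memory. Kept here only as the "before". */
static void *worker_racy(void *arg) {
    free(arg);                     /* may run before pthread_create returns */
    return NULL;
}
int spawn_racy(int job) {
    thread_data *td = calloc(1, sizeof *td);
    if (!td) return -1;
    td->job = job;
    return pthread_create(&td->tid, NULL, worker_racy, td); /* use-after-free */
}

/* FIX: the thread id is a local of the creating thread, so the block passed
   to the worker holds nothing pthread_create() writes. The worker is the
   sole owner of that block and may free it whenever it finishes. */
typedef struct { int job; } worker_arg;
static void *worker_safe(void *arg) {
    worker_arg *a = arg;
    intptr_t result = 2 * (intptr_t)a->job;   /* constructed "work" */
    free(a);                       /* safe: the creator never touches a again */
    return (void *)result;         /* handed back through pthread_join */
}
long run_job(int job) {
    worker_arg *a = calloc(1, sizeof *a);
    if (!a) return -1;
    a->job = job;
    pthread_t tid;                 /* creator-owned, not in the shared block */
    if (pthread_create(&tid, NULL, worker_safe, a) != 0) {
        free(a);                   /* thread never started: we still own a */
        return -1;
    }
    void *ret = NULL;
    pthread_join(tid, &ret);
    return (long)(intptr_t)ret;
}
```

Running the fixed path under Valgrind (or with a TSan/ASan build) shows no invalid write, whereas spawn_racy() reproduces the report from the original message under a scheduler that lets the worker run first.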