The branch releng/14.2 has been updated by gordon:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=89a2823e17e5e86b03516b89bfde88f2077c6da0

commit 89a2823e17e5e86b03516b89bfde88f2077c6da0
Author:     Aurélien Croc de Suray <free...@ap2c.com>
AuthorDate: 2025-04-05 00:47:53 +0000
Commit:     Gordon Tetlow <gor...@freebsd.org>
CommitDate: 2025-07-02 05:46:14 +0000

    libc: allow __cxa_atexit handlers to be added during __cxa_finalize
    
    science/dlib-cpp reveals an interesting scenario that works fine on
    other platforms but not on FreeBSD; notably, it ends up creating a new
    global object from some destructor which is called during
    __cxa_finalize.  This breaks when libdlib is dlopen()ed and then
    subsequently dlclose()ed, as we never end up invoking the created
    object's dtor until program exit when the shlib is already unmapped.
    
    Fix it by noting when we're in the middle of __cxa_finalize for a dso,
    and then restarting the search if __cxa_atexit() was called in the
    middle somewhere.
    
    We wait until we've processed the initial set before starting over and
    processing the newly added handlers as if it were a complete set of
    handlers added during runtime.  The alternative is calling them as
    they're added to maintain a LIFO in terms of total ordering, but in
    theory a constructor could add another global object that also needs to
    be destroyed, and that object needs to be destroyed after the one that
    constructed it to avoid creating unexpected lifetime issues.
    
    This manifests in the pdlib PHP extension for dlib crashing, see [0].
    
    [0] https://github.com/goodspb/pdlib/issues/39
    
    PR:             285870
    Reviewed by:    kevans (also supplied commit message)
    Approved by:    so
    Security:       FreeBSD-EN-25:09.libc
    
    (cherry picked from commit 23427c8e1fedb9fc68ad0bd27a59c7ffd2b3008c)
    (cherry picked from commit c43ae65b4b89be422cdcd399a7abc44f6db4b298)
---
 lib/libc/stdlib/atexit.c | 61 ++++++++++++++++++++++++++++--------------------
 1 file changed, 36 insertions(+), 25 deletions(-)

diff --git a/lib/libc/stdlib/atexit.c b/lib/libc/stdlib/atexit.c
index b2c10ca4cca5..6468b9ff0a62 100644
--- a/lib/libc/stdlib/atexit.c
+++ b/lib/libc/stdlib/atexit.c
@@ -38,6 +38,7 @@ static char sccsid[] = "@(#)atexit.c  8.2 (Berkeley) 7/3/94";
 #include "namespace.h"
 #include <errno.h>
 #include <link.h>
+#include <stdbool.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -59,6 +60,8 @@ _Block_copy(void*);
 #define        ATEXIT_FN_CXA   2
 
 static pthread_mutex_t atexit_mutex = PTHREAD_MUTEX_INITIALIZER;
+static void *current_finalize_dso = NULL;
+static bool call_finalize_again = false;
 
 #define _MUTEX_LOCK(x)         if (__isthreaded) _pthread_mutex_lock(x)
 #define _MUTEX_UNLOCK(x)       if (__isthreaded) _pthread_mutex_unlock(x)
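Review bot: The new file-scope variables `current_finalize_dso` and `call_finalize_again` have no comment saying what they represent or which lock covers them. In the other hunks they are written in `__cxa_finalize()` after `_MUTEX_LOCK(&atexit_mutex)` and read in `atexit_register()` before its `_MUTEX_UNLOCK`, so they appear to be guarded by `atexit_mutex`; recording that keeps a later change from touching them unlocked. Suggested comment above the two declarations: `/* DSO being finalized by __cxa_finalize() (NULL if none), and whether a handler for it was registered meanwhile; both protected by atexit_mutex. */`.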
@@ -118,6 +121,9 @@ atexit_register(struct atexit_fn *fptr)
                __atexit = p;
        }
        p->fns[p->ind++] = *fptr;
+       if (current_finalize_dso != NULL &&
+           current_finalize_dso == fptr->fn_dso)
+               call_finalize_again = true;
        _MUTEX_UNLOCK(&atexit_mutex);
        return 0;
 }
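Review bot: The restart condition compares `fptr->fn_dso` with `current_finalize_dso` by pointer only, which is narrower than the selection `__cxa_finalize()` uses. There, a handler whose `fn_dso` differs is still run when `__elf_phdr_match_addr()` places its function inside the object being finalized. A handler of that kind registered mid-finalize would not set `call_finalize_again`, and would presumably stay queued until exit, after the object is unmapped, which is the failure the commit message describes. The `current_finalize_dso != NULL` guard also means registrations made during the `dso == NULL` pass never request a rescan inside this function; if that is intended, a comment such as `/* Only per-DSO finalization is restarted. */` would record it. The body of atexit_register() starts outside the hunk.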
@@ -211,33 +217,38 @@ __cxa_finalize(void *dso)
        }
 
        _MUTEX_LOCK(&atexit_mutex);
-       for (p = __atexit; p; p = p->next) {
-               for (n = p->ind; --n >= 0;) {
-                       if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
-                               continue; /* already been called */
-                       fn = p->fns[n];
-                       if (dso != NULL && dso != fn.fn_dso) {
-                               /* wrong DSO ? */
-                               if (!has_phdr || global_exit ||
-                                   !__elf_phdr_match_addr(&phdr_info,
-                                   fn.fn_ptr.cxa_func))
-                                       continue;
+       current_finalize_dso = dso;
+       do {
+               call_finalize_again = false;
+               for (p = __atexit; p; p = p->next) {
+                       for (n = p->ind; --n >= 0;) {
+                               if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
+                                       continue; /* already been called */
+                               fn = p->fns[n];
+                               if (dso != NULL && dso != fn.fn_dso) {
+                                       /* wrong DSO ? */
+                                       if (!has_phdr || global_exit ||
+                                           !__elf_phdr_match_addr(&phdr_info,
+                                           fn.fn_ptr.cxa_func))
+                                               continue;
+                               }
+                               /*
+                                 Mark entry to indicate that this particular
+                                 handler has already been called.
+                               */
+                               p->fns[n].fn_type = ATEXIT_FN_EMPTY;
+                               _MUTEX_UNLOCK(&atexit_mutex);
+
+                               /* Call the function of correct type. */
+                               if (fn.fn_type == ATEXIT_FN_CXA)
+                                       fn.fn_ptr.cxa_func(fn.fn_arg);
+                               else if (fn.fn_type == ATEXIT_FN_STD)
+                                       fn.fn_ptr.std_func();
+                               _MUTEX_LOCK(&atexit_mutex);
                        }
-                       /*
-                         Mark entry to indicate that this particular handler
-                         has already been called.
-                       */
-                       p->fns[n].fn_type = ATEXIT_FN_EMPTY;
-                       _MUTEX_UNLOCK(&atexit_mutex);
-               
-                       /* Call the function of correct type. */
-                       if (fn.fn_type == ATEXIT_FN_CXA)
-                               fn.fn_ptr.cxa_func(fn.fn_arg);
-                       else if (fn.fn_type == ATEXIT_FN_STD)
-                               fn.fn_ptr.std_func();
-                       _MUTEX_LOCK(&atexit_mutex);
                }
-       }
+       } while (call_finalize_again);
+       current_finalize_dso = NULL;
        _MUTEX_UNLOCK(&atexit_mutex);
        if (dso == NULL)
                _MUTEX_DESTROY(&atexit_mutex);
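Review bot: `current_finalize_dso` and `call_finalize_again` are single process-wide variables, but the loop drops `atexit_mutex` around each handler call, so a second `__cxa_finalize()` can run while the first is still in progress, either from another thread or nested when a handler causes another object to be finalized. The inner call overwrites `current_finalize_dso`, resets `call_finalize_again = false`, and leaves `current_finalize_dso = NULL` on return. The outer call can then miss a handler registered for its dso, leaving that handler to run only after the object is unmapped. For the nested case, saving both values on entry and restoring them on exit instead of writing `NULL` would help: `void *prev_dso = current_finalize_dso; bool prev_again = call_finalize_again;` at entry and `current_finalize_dso = prev_dso; call_finalize_again = prev_again;` at the end. Whether concurrent calls are already serialised by the caller is not visible here, and __cxa_finalize() starts and ends outside the hunk.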
