[PATCH] PR libstdc++/91910 fix data race in Debug Mode destructors

Thu, 26 Sep 2019 06:21:01 -0700 

Fix data race when _Safe_iterator_base::_M_detach() runs concurrently with
the _Safe_container_base destructor.

        PR libstdc++/91910
        * src/c++11/debug.cc (_Safe_iterator_base::_M_detach()): Load pointer
        atomically and lock the mutex before accessing the sequence.
        (_Safe_iterator_base::_M_reset()): Clear _M_sequence atomically.

Tested x86_64-linux. I plan to commit this to trunk unless somebody
sees a problem with it.



commit c1ca5aa0271726d962c45220656b2411ece0e001
Author: Jonathan Wakely <jwak...@redhat.com>
Date:   Thu Sep 26 13:08:48 2019 +0100

    PR libstdc++/91910 fix data race in Debug Mode destructors
    
    Fix data race when _Safe_iterator_base::_M_detach() runs concurrently with
    the _Safe_container_base destructor.
    
            PR libstdc++/91910
            * src/c++11/debug.cc (_Safe_iterator_base::_M_detach()): Load 
pointer
            atomically and lock the mutex before accessing the sequence.
            (_Safe_iterator_base::_M_reset()): Clear _M_sequence atomically.

diff --git a/libstdc++-v3/src/c++11/debug.cc b/libstdc++-v3/src/c++11/debug.cc
index f5a49992efa..cc4107ba354 100644
--- a/libstdc++-v3/src/c++11/debug.cc
+++ b/libstdc++-v3/src/c++11/debug.cc
@@ -381,10 +381,17 @@ namespace __gnu_debug
   _Safe_iterator_base::
   _M_detach()
   {
-    if (_M_sequence)
+    // This function can run concurrently with the sequence destructor,
+    // so there is a TOCTTOU race here: the sequence could be destroyed
+    // after we check that _M_sequence is not null. Use the pointer value
+    // to acquire the mutex (rather than via _M_sequence->_M_get_mutex()).
+    // If the sequence destructor runs between loading the pointer and
+    // locking the mutex, it will detach this iterator and set _M_sequence
+    // to null, and then _M_detach_single() will do nothing.
+    if (auto seq = __atomic_load_n(&_M_sequence, __ATOMIC_ACQUIRE))
       {
-       _M_sequence->_M_detach(this);
-       _M_reset();
+       __gnu_cxx::__scoped_lock sentry(get_safe_base_mutex(seq));
+       _M_detach_single();
       }
   }
 
@@ -403,7 +410,7 @@ namespace __gnu_debug
   _Safe_iterator_base::
   _M_reset() throw ()
   {
-    _M_sequence = 0;
+    __atomic_store_n(&_M_sequence, (_Safe_sequence_base*)0, __ATOMIC_RELEASE);
     _M_version = 0;
     _M_prior = 0;
     _M_next = 0;

Reply via email to