If we create a thread with QEMU_THREAD_DETACHED mode, QEMU may get a segfault
in a low probability.
The backtrace is:
arg=arg@entry=0x3f5cf70, mode=mode@entry=1) at util/qemu_thread_posix.c:512
at io/task.c:141
destroy=destroy@entry=0x0) at io/channel_socket.c:194
The root cause of this problem is a bug of glibc(version 2.17,the latest
version have the same bug),
let's see what happened in glibc's code.
Here is the code slice of pthread_detach.c
25 int
26 pthread_detach (pthread_t th)
27 {
28 struct pthread *pd = (struct pthread *) th;
29
30 /* Make sure the descriptor is valid. */
31 if (INVALID_NOT_TERMINATED_TD_P (pd))
32 /* Not a valid thread handle. */
34 return ESRCH;
35
36 int result = 0;
37 /* Mark the thread as detached. */
38 if (atomic_compare_and_exchange_bool_acq (&pd->joinid, pd, NULL))
39 {
40 /* There are two possibilities here. First, the thread might
41 already be detached. In this case we return EINVAL.
42 Otherwise there might already be a waiter. The standard does
43 not mention what happens in this case. */
44 if (IS_DETACHED (pd))
45 result = EINVAL;
46 }
47 else
48 /* Check whether the thread terminated meanwhile. In this case we
49 will just free the TCB. */
50 if ((pd->cancelhandling & EXITING_BITMASK) != 0)
51 /* Note that the code in __free_tcb makes sure each thread
52 control block is freed only once. */
53 __free_tcb (pd);
54 return result;
55}
QEMU get a segfault at line 50, becasue pd is an invalid address.
pd is still valid at line 38 when set pd->joinid = pd, at this moment,
created thread is just exiting(only keeps runing for a short time),
created thread is running in code of start_thread:
404 /* If the thread is detached free the TCB. */
405 if (IS_DETACHED (pd))
406 /* Free the TCB. */
407 __free_tcb (pd);
created thread found that pd is detached, so it freed pd, in this case,
pd became an invalid address.
I rewrite qemu_thread_create to move detach_thread from creating thread to
created
to avoid this concurrency problem.
Change-Id: I2293d5be1526241cf58785d701b922f2ffc6491b
Signed-off-by: linzhecheng <linzhech...@huawei.com>
---
include/qemu/thread-posix.h | 8 ++++++++
include/qemu/thread.h | 1 +
util/qemu-thread-posix.c | 45 ++++++++++++++++++++++++++++++++++-----------
3 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/include/qemu/thread-posix.h b/include/qemu/thread-posix.h
index f3f47e426f..d855c15dab 100644
--- a/include/qemu/thread-posix.h
+++ b/include/qemu/thread-posix.h
@@ -44,4 +44,12 @@ struct QemuThread {
pthread_t thread;
};
+struct QemuThread_args {
+ void *(*start_routine)(void *);
+ void *arg;
+ char *name;
+ int mode;
+};
+
+
#endif
diff --git a/include/qemu/thread.h b/include/qemu/thread.h
index 9910f49b3a..db365242da 100644
--- a/include/qemu/thread.h
+++ b/include/qemu/thread.h
@@ -10,6 +10,7 @@ typedef struct QemuSemaphore QemuSemaphore;
typedef struct QemuEvent QemuEvent;
typedef struct QemuLockCnt QemuLockCnt;
typedef struct QemuThread QemuThread;
+typedef struct QemuThread_args QemuThread_args;
#ifdef _WIN32
#include "qemu/thread-win32.h"
diff --git a/util/qemu-thread-posix.c b/util/qemu-thread-posix.c
index 7306475899..07b5838862 100644
--- a/util/qemu-thread-posix.c
+++ b/util/qemu-thread-posix.c
@@ -489,6 +489,30 @@ static void qemu_thread_set_name(QemuThread *thread, const
char *name)
#endif
}
+static void *qemu_thread_start(void *args)
+{
+ QemuThread_args *qemu_thread_args;
+ void *ret;
+ QemuThread qemu_thread;
+
+ qemu_thread_args = (QemuThread_args *)args;
+ qemu_thread_get_self(&qemu_thread);
+
+ if (qemu_thread_args->name) {
+ qemu_thread_set_name(&qemu_thread, qemu_thread_args->name);
+ g_free(qemu_thread_args->name);
+ }
+
+ if (qemu_thread_args->mode == QEMU_THREAD_DETACHED) {
+ pthread_detach(qemu_thread.thread);
+ }
+ ret = qemu_thread_args->start_routine(qemu_thread_args->arg);
+
+ g_free(qemu_thread_args);
+ return ret;
+}
+
+
void qemu_thread_create(QemuThread *thread, const char *name,
void *(*start_routine)(void*),
void *arg, int mode)
@@ -496,6 +520,7 @@ void qemu_thread_create(QemuThread *thread, const char
*name,
sigset_t set, oldset;
int err;
pthread_attr_t attr;
+ QemuThread_args *qemu_thread_args;
err = pthread_attr_init(&attr);
if (err) {
@@ -505,20 +530,18 @@ void qemu_thread_create(QemuThread *thread, const char
*name,
/* Leave signal handling to the iothread. */
sigfillset(&set);
pthread_sigmask(SIG_SETMASK, &set, &oldset);
- err = pthread_create(&thread->thread, &attr, start_routine, arg);
+
+ qemu_thread_args = g_new0(QemuThread_args, 1);
+ qemu_thread_args->mode = mode;
+ qemu_thread_args->name = name_threads ? g_strdup_printf("%s", name) : NULL;
+ qemu_thread_args->start_routine = start_routine;
+ qemu_thread_args->arg = arg;
+
+ err = pthread_create(&thread->thread, &attr,
+ qemu_thread_start, qemu_thread_args);
if (err)
error_exit(err, __func__);
- if (name_threads) {
- qemu_thread_set_name(thread, name);
- }
-
- if (mode == QEMU_THREAD_DETACHED) {
- err = pthread_detach(thread->thread);
- if (err) {
- error_exit(err, __func__);
- }
- }
pthread_sigmask(SIG_SETMASK, &oldset, NULL);
pthread_attr_destroy(&attr);
--
2.12.2.windows.2
