Segmentation fault in __nptl_deallocate_tsd caused by dlclose before thread data freed #4410

Closed
michaelrsweet opened this issue May 3, 2014 · 2 comments
Labels
priority-low wontfix This will not be worked on

@michaelrsweet
Collaborator

Version: 1.7-current
CUPS.org User: smani

What follows has been verified on Fedora (F20, rawhide) and Ubuntu (12.04 - 14.04).

cups_globals_init() (through _cupsGlobals ()) in cups/globals.c registers thread data with destructor cups_globals_free. If the cups shared object is dlclosed before the thread ends, __nptl_deallocate_tsd will attempt to call the destructor which is not a valid address anymore, and causes the application to crash.

To reproduce, make sure libsane-hpaio is installed and run the following sample program:


    g++ -g -std=c++11 -o test test.cpp $(pkg-config --cflags --libs sane-backends)

    #include <cassert>
    #include <iostream>
    #include <thread>
    #include <sane/sane.h>

    // Runs a complete SANE session (init, enumerate, exit) on a worker thread.
    void scan_thread() {
        SANE_Status status;

        status = sane_init(nullptr, nullptr);
        assert(status == SANE_STATUS_GOOD);

        const SANE_Device** device_list = nullptr;
        status = sane_get_devices(&device_list, false);
        assert(status == SANE_STATUS_GOOD);

        // Print the name of every device the backends reported.
        for (int i = 0; device_list[i] != nullptr; ++i) {
            std::cout << device_list[i]->name << std::endl;
        }

        sane_exit();
    }

    int main() {
        std::thread t(scan_thread);
        t.join();  // the thread-specific data destructors run when the thread ends
        return 0;
    }

See also https://bugzilla.redhat.com/show_bug.cgi?id=1065695

The attached patch fixes the issue, though likely not very portable.
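The thread-specific-data lifecycle behind this report, as an added C example that is not part of the original report and is not CUPS code. The names `key`, `tsd_destructor`, `block_free`, `worker` and `run` are hypothetical stand-ins; the example shows that libc calls the registered destructor at thread exit, and that deleting the key first (as an unload hook would) suppresses that call, so the calling thread's block has to be freed by hand.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

static pthread_key_t key;   /* stands in for cups_globals_key (assumption) */
static int exit_calls;      /* destructor calls made by libc at thread exit */
static int live_blocks;     /* per-thread blocks allocated and not yet freed */

static void block_free(void *p) { free(p); live_blocks--; }

/* Registered with the key. In the report, this address belongs to a library
   that has already been unmapped when libc tries to call it. */
static void tsd_destructor(void *p) { exit_calls++; block_free(p); }

static void *worker(void *unload_first) {
    pthread_setspecific(key, calloc(1, 64));
    live_blocks++;
    if (unload_first) {                 /* models an unload hook on this thread */
        void *g = pthread_getspecific(key);
        pthread_setspecific(key, NULL); /* leave no dangling pointer in the slot */
        block_free(g);                  /* only this thread's block is reachable */
        pthread_key_delete(key);        /* runs no destructors; none run later */
    }
    return NULL;                        /* thread exit: TSD destructors run here */
}

/* Returns how many times libc called the destructor when the worker exited. */
static int run(int unload_first) {
    pthread_t t;
    exit_calls = 0;
    live_blocks = 0;
    pthread_key_create(&key, tsd_destructor);
    pthread_create(&t, NULL, worker, unload_first ? (void *)&key : NULL);
    pthread_join(t, NULL);
    if (!unload_first)
        pthread_key_delete(key);
    return exit_calls;
}

int main(void) {
    printf("key alive at thread exit:    %d destructor call(s)\n", run(0));
    printf("key deleted before the exit: %d destructor call(s)\n", run(1));
    return 0;
}
```

Blocks owned by other threads are not reachable from the thread that deletes the key, so a hook of this shape cannot free them.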

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Like most shared libraries, the CUPS library cannot be safely dynamically unloaded. What you are doing is importable and unsupported. And note that libraries like OpenSSL that libcups links to are also not dlopen/close safe.

@michaelrsweet
Collaborator Author

"cups_free-dlclose.patch":

diff -rupN cups-1.7.2/cups/globals.c cups-1.7.2-new/cups/globals.c
--- cups-1.7.2/cups/globals.c 2013-07-10 16:08:39.000000000 +0200
+++ cups-1.7.2-new/cups/globals.c 2014-05-02 19:59:16.697124995 +0200
@@ -184,6 +184,15 @@ DllMain(HINSTANCE hinst, /* I - DLL mod

return (TRUE);
}
+#else
+
+static int attribute((destructor)) on_dlclose(void)
+{

  • cups_globals_free(_cupsGlobals());
  • pthread_key_delete(cups_globals_key);
  • return 0;
    +}

#endif /* WIN32 */
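Review bot: in on_dlclose(), pthread_key_delete(cups_globals_key) runs no destructors and the preceding cups_globals_free(_cupsGlobals()) only releases the data of the thread that triggers the unload, so any other thread that still holds CUPS globals leaks them once the key is gone. Because _cupsGlobals() is also the path that sets up the thread data (per the report), a process that never used the globals would create them at unload only to free them straight away; checking first whether the key was ever created would avoid that. The function could be declared void, since the return 0 of a destructor is never used, and the new #else branch deserves a comment stating these limits and a guard for compilers that lack the destructor attribute.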

@michaelrsweet michaelrsweet added priority-low wontfix This will not be worked on labels Mar 17, 2016
@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016