
Bug#443660: libc6: dgettext not thread-safe



Package: libc6
Version: 2.6.1-5
Severity: important
Tags: l10n

	Hello,

A recent version of libc6 seems to include a libintl that regularly
crashes when gettext is invoked from different threads simultaneously.
This renders gettext mostly unusable on multi-threaded software.

I had been suspecting a bug in VLC and banging my head around, but it
appears that this can be reproduced with code as simple as the piece
above. It triggers a segmentation fault on a very time-dependent basis.
It seems a lot easier to reproduce under valgrind, though I also get
segfaults when run without debuggers:

#include <stdio.h>
#include <pthread.h>
#include <locale.h>
#include <libintl.h>

static void *run (void *dummy)
{
        (void)dummy;

        for (;;)
                printf ("Translation code: %s\n", dgettext("vlc", "C"));
}

int main (void)
{
        unsigned i;
        setlocale (LC_ALL, "");
        bindtextdomain ("vlc", "/usr/share/locale");

        pthread_t threads[300];
        for (i = 0; i < sizeof (threads) / sizeof (threads[0]); i++)
                pthread_create (threads + i, NULL, run, NULL);

        run (NULL);
        return 0;
}

When the problem occurs under valgrind, it complains:

==3535== Thread 3:
==3535== Invalid read of size 4
==3535==    at 0x4063F0B: _nl_find_msg (dcigettext.c:862)
==3535==    by 0x4064A41: __dcigettext (dcigettext.c:639)
==3535==    by 0x4063972: dcgettext (dcgettext.c:53)
==3535==    by 0x406399F: dgettext (dgettext.c:54)
==3535==    by 0x80484DD: run (in /home/remi/a.out)
==3535==    by 0x402D2D2: start_thread (pthread_create.c:296)
==3535==    by 0x41124ED: clone (in /usr/lib/debug/libc-2.6.1.so)
==3535==  Address 0x418C91C is 0 bytes after a block of size 12 alloc'd
==3535==    at 0x4024862: realloc (vg_replace_malloc.c:306)
==3535==    by 0x4063FF1: _nl_find_msg (dcigettext.c:876)
==3535==    by 0x4064A41: __dcigettext (dcigettext.c:639)
==3535==    by 0x4063972: dcgettext (dcgettext.c:53)
==3535==    by 0x406399F: dgettext (dgettext.c:54)
==3535==    by 0x80484DD: run (in /home/remi/a.out)
==3535==    by 0x402D2D2: start_thread (pthread_create.c:296)
==3535==    by 0x41124ED: clone (in /usr/lib/debug/libc-2.6.1.so)

There appears to be a similar issue with strerror_r() also.

Regards,


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (100, 'unstable'), (100, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.20.15 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libgcc1                       1:4.2.1-5  GCC support library

libc6 recommends no packages.

-- debconf information:
  glibc/restart-failed:
  glibc/restart-services:
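
A possible application-side workaround for the race reported above, added here as an illustration and not part of the original report or of glibc: serialize every dgettext() call behind one mutex so that application threads never enter libintl at the same time. The names safe_dgettext and stress_lookup are hypothetical, and the sketch assumes that all lookups in the process go through the wrapper and that no thread rebinds the domain or changes the locale while returned strings are in use.

```c
#include <libintl.h>
#include <locale.h>
#include <pthread.h>

/* One process-wide lock: the invalid read in the valgrind trace is in
 * _nl_find_msg, which is reached from every dgettext() call. */
static pthread_mutex_t gettext_lock = PTHREAD_MUTEX_INITIALIZER;

/* Hypothetical wrapper (not a libc function): same contract as
 * dgettext(), but only one caller at a time is inside libintl. */
const char *safe_dgettext(const char *domain, const char *msgid)
{
    pthread_mutex_lock(&gettext_lock);
    const char *msg = dgettext(domain, msgid);
    pthread_mutex_unlock(&gettext_lock);
    return msg;
}

#define NTHREADS 8
#define NCALLS   2000

static void *worker(void *arg)
{
    long *ok = arg;
    for (int i = 0; i < NCALLS; i++)
        if (safe_dgettext("vlc", "C") != NULL)
            (*ok)++;
    return NULL;
}

/* Same access pattern as the reproducer, but bounded and routed through
 * the wrapper. Returns the number of lookups that produced a string. */
long stress_lookup(void)
{
    pthread_t threads[NTHREADS];
    long ok[NTHREADS] = {0};
    long total = 0;
    int started = 0;

    setlocale(LC_ALL, "");
    bindtextdomain("vlc", "/usr/share/locale");
    while (started < NTHREADS &&
           pthread_create(&threads[started], NULL, worker, &ok[started]) == 0)
        started++;
    for (int i = 0; i < started; i++) {   /* join only threads that exist */
        pthread_join(threads[i], NULL);
        total += ok[i];
    }
    return total;
}
```

The wrapper does not cover gettext calls made inside other libraries, so those remain exposed to the same race.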



