[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#443660: libc6: dgettext not thread-safe



On Sun, Sep 23, 2007 at 08:15:45AM +0000, Rémi Denis-Courmont wrote:
> #include <stdio.h>
> #include <pthread.h>
> #include <locale.h>
> #include <libintl.h>
> 
> static void *run (void *dummy)
> {
>         (void)dummy;
> 
>         for (;;)
>                 printf ("Translation code: %s\n", dgettext("vlc", "C"));
> }
> 
> int main (void)
> {
>         unsigned i;
>         setlocale (LC_ALL, "");
>         bindtextdomain ("vlc", "/usr/share/locale");
> 
>         pthread_t threads[300];
>         for (i = 0; i < sizeof (threads) / sizeof (threads[0]); i++)
>                 pthread_create (threads + i, NULL, run, NULL);
> 
>         run (NULL);
>         return 0;
> }
> 
> When the problem occurs under valgrind, it complains:
> 
> ==3535== Thread 3:
> ==3535== Invalid read of size 4
  This is probably because of a speculative strcmp (libc sometimes reads
outside the string because it knows it can).
> ==3535==    at 0x4063F0B: _nl_find_msg (dcigettext.c:862)
> ==3535==    by 0x4064A41: __dcigettext (dcigettext.c:639)
> ==3535==    by 0x4063972: dcgettext (dcgettext.c:53)
> ==3535==    by 0x406399F: dgettext (dgettext.c:54)
> ==3535==    by 0x80484DD: run (in /home/remi/a.out)
> ==3535==    by 0x402D2D2: start_thread (pthread_create.c:296)
> ==3535==    by 0x41124ED: clone (in /usr/lib/debug/libc-2.6.1.so)


> ==3535==  Address 0x418C91C is 0 bytes after a block of size 12 alloc'd
> ==3535==    at 0x4024862: realloc (vg_replace_malloc.c:306)
> ==3535==    by 0x4063FF1: _nl_find_msg (dcigettext.c:876)
> ==3535==    by 0x4064A41: __dcigettext (dcigettext.c:639)
> ==3535==    by 0x4063972: dcgettext (dcgettext.c:53)
> ==3535==    by 0x406399F: dgettext (dgettext.c:54)
> ==3535==    by 0x80484DD: run (in /home/remi/a.out)
> ==3535==    by 0x402D2D2: start_thread (pthread_create.c:296)
> ==3535==    by 0x41124ED: clone (in /usr/lib/debug/libc-2.6.1.so)
  This one though looks fishy.


> There appears to be a similar issue with strerror_r() also.
  Have you looked at the code ? I can tell it's thread safe, except that
it calls _("Unknown error") at some point, which would indicate to be
the same bug as yours, the rest is definitely thread safe.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org

Attachment: pgpsudrMkMiNb.pgp
Description: PGP signature


Reply to: