• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // RUN: %clang_scudo %s -O2 -o %t
2 // RUN: %env_scudo_opts="QuarantineChunksUpToSize=0" %run %t 2>&1
3 
4 // This test attempts to reproduce a race condition in the deallocation path
5 // when bypassing the Quarantine. The old behavior was to zero-out the chunk
6 // header after checking its checksum, state & various other things, but that
7 // left a window during which 2 (or more) threads could deallocate the same
8 // chunk, with a net result of having said chunk present in those distinct
9 // thread caches.
10 
11 // A passing test means all the children died with an error. The failing
12 // scenario involves winning a race, so repro can be scarce.
13 
14 #include <pthread.h>
15 #include <stdlib.h>
16 #include <sys/types.h>
17 #include <sys/wait.h>
18 #include <unistd.h>
19 
20 const int kNumThreads = 2;
21 pthread_t tid[kNumThreads];
22 
23 pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
24 pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
25 char go = 0;
26 
27 // Frees the pointer passed when signaled to.
thread_free(void * p)28 void *thread_free(void *p) {
29   pthread_mutex_lock(&mutex);
30   while (!go)
31     pthread_cond_wait(&cond, &mutex);
32   pthread_mutex_unlock(&mutex);
33   free(p);
34   return 0;
35 }
36 
37 // Allocates a chunk, and attempts to free it "simultaneously" by 2 threads.
child(void)38 void child(void) {
39   void *p = malloc(16);
40   for (int i = 0; i < kNumThreads; i++)
41     pthread_create(&tid[i], 0, thread_free, p);
42   pthread_mutex_lock(&mutex);
43   go = 1;
44   pthread_cond_broadcast(&cond);
45   pthread_mutex_unlock(&mutex);
46   for (int i = 0; i < kNumThreads; i++)
47     pthread_join(tid[i], 0);
48 }
49 
main(int argc,char ** argv)50 int main(int argc, char **argv) {
51   const int kChildren = 40;
52   pid_t pid;
53   for (int i = 0; i < kChildren; ++i) {
54     pid = fork();
55     if (pid < 0) {
56       exit(1);
57     } else if (pid == 0) {
58       child();
59       exit(0);
60     } else {
61       int status;
62       wait(&status);
63       // A 0 status means the child didn't die with an error. The race was won.
64       if (status == 0)
65         exit(1);
66     }
67   }
68   return 0;
69 }
70