compiler-rt/test/scudo/dealloc-race.c

   1 // RUN: %clang_scudo %s -O2 -o %t
   2 // RUN: %env_scudo_opts="QuarantineChunksUpToSize=0" %run %t 2>&1
   3
   4 // This test attempts to reproduce a race condition in the deallocation path
   5 // when bypassing the Quarantine. The old behavior was to zero-out the chunk
   6 // header after checking its checksum, state & various other things, but that
   7 // left a window during which 2 (or more) threads could deallocate the same
   8 // chunk, with a net result of having said chunk present in those distinct
   9 // thread caches.
  10
  11 // A passing test means all the children died with an error. The failing
  12 // scenario involves winning a race, so repro can be scarce.
  13
  14 #include <pthread.h>
  15 #include <stdlib.h>
  16 #include <sys/types.h>
  17 #include <sys/wait.h>
  18 #include <unistd.h>
  19
  20 const int kNumThreads = 2;
  21 pthread_t tid[kNumThreads];
  22
  23 pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
  24 pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
  25 char go = 0;
  26
  27 // Frees the pointer passed when signaled to.
  28 void *thread_free(void *p) {
  29   pthread_mutex_lock(&mutex);
  30   while (!go)
  31     pthread_cond_wait(&cond, &mutex);
  32   pthread_mutex_unlock(&mutex);
  33   free(p);
  34   return 0;
  35 }
  36
  37 // Allocates a chunk, and attempts to free it "simultaneously" by 2 threads.
  38 void child(void) {
  39   void *p = malloc(16);
  40   for (int i = 0; i < kNumThreads; i++)
  41     pthread_create(&tid[i], 0, thread_free, p);
  42   pthread_mutex_lock(&mutex);
  43   go = 1;
  44   pthread_cond_broadcast(&cond);
  45   pthread_mutex_unlock(&mutex);
  46   for (int i = 0; i < kNumThreads; i++)
  47     pthread_join(tid[i], 0);
  48 }
  49
  50 int main(int argc, char **argv) {
  51   const int kChildren = 40;
  52   pid_t pid;
  53   for (int i = 0; i < kChildren; ++i) {
  54     pid = fork();
  55     if (pid < 0) {
  56       exit(1);
  57     } else if (pid == 0) {
  58       child();
  59       exit(0);
  60     } else {
  61       int status;
  62       wait(&status);
  63       // A 0 status means the child didn't die with an error. The race was won.
  64       if (status == 0)
  65         exit(1);
  66     }
  67   }
  68   return 0;
  69 }