TSan crashes with SIGSEGV


lucie.m...@gmail.com

Apr 7, 2015, 2:49:16 PM
to thread-s...@googlegroups.com
Hi there,
I have solved a few issues, but now I am getting a segfault which I cannot solve after reading the forum. So hopefully someone will be able to help :)

I work in VirtualBox, Ubuntu (14.04.1 x86_64). I have tried both gcc (4.8.2) and clang (3.5). I would like to run a very simple application which just creates two threads that do something in a loop. There is basically only the pthread_create() call, a few assignments and printf. I compile it using this: gcc -o ordering ordering.cpp -lpthread -fsanitize=thread -g -O0 -fPIE -pie -ltsan and I have also set ASLR to 2 (cat /proc/sys/kernel/randomize_va_space returns 2).

Running gdb -ex 'set disable-randomization off' --args ./ordering gives me following:
Starting program: /home/lucie/Desktop/mem_consistency/ordering 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Hello, I am starting.
[New Thread 0x7ff5ee3a8700 (LWP 2730)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff5ee3a8700 (LWP 2730)]
0x00007ff5eeba3531 in __tsan_func_entry ()
   from /usr/lib/x86_64-linux-gnu/libtsan.so.0

Any ideas? Thanks!
Lucy

Dmitry Vyukov

Apr 7, 2015, 2:53:15 PM
to thread-s...@googlegroups.com
Hi Lucy,

Can you provide a reproducer program?

Also, please type 'bt', 'disass' and 'info registers' commands in gdb
and post output.

lucie.m...@gmail.com

Apr 8, 2015, 3:53:58 AM
to thread-s...@googlegroups.com
Thanks for quick reply, Dmitry. The code is very simple:

#include <pthread.h>
#include <stdio.h>

volatile int X;
volatile int Y;
volatile int r1;
volatile int r2;

/* Each thread stores to one variable and loads the other
   (the classic store-buffering litmus test). */
void *thread1Func(void *param) {
    (void)param;
    X = 1;
    r1 = Y;
    return NULL;
}

void *thread2Func(void *param) {
    (void)param;
    Y = 1;
    r2 = X;
    return NULL;
}

int main(void) {
    printf("Hello, world.\n");

    pthread_t thread1, thread2;
    pthread_create(&thread1, NULL, thread1Func, NULL);
    pthread_create(&thread2, NULL, thread2Func, NULL);

    /* Wait for both threads so they are not torn down when main returns. */
    pthread_join(thread1, NULL);
    pthread_join(thread2, NULL);

    return 0;
}

And gdb outputs:

(gdb) bt
#0  0x00007f99534bf531 in __tsan_func_entry ()
   from /usr/lib/x86_64-linux-gnu/libtsan.so.0
#1  0x00007f995455ba0e in thread1Func (param=0x0) at ordering.cpp:9
#2  0x00007f9954120182 in start_thread (arg=0x7f9952cc4700)
    at pthread_create.c:312
#3  0x00007f99531da00d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) disass
Dump of assembler code for function __tsan_func_entry:
   0x00007f99534bf4b0 <+0>:    push   %rbx
   0x00007f99534bf4b1 <+1>:    mov    %rdi,%rbx
   0x00007f99534bf4b4 <+4>:    data32 lea 0x22e624(%rip),%rdi        # 0x7f99536edae0
   0x00007f99534bf4bc <+12>:    data32 data32 callq 0x7f99534ae330 <__tls_get_addr@plt>
   0x00007f99534bf4c4 <+20>:    mov    (%rax),%rsi
   0x00007f99534bf4c7 <+23>:    lea    0x100(%rsi),%rdx
   0x00007f99534bf4ce <+30>:    mov    %edx,%ecx
   0x00007f99534bf4d0 <+32>:    mov    %rdx,(%rax)
   0x00007f99534bf4d3 <+35>:    mov    $0x1,%eax
   0x00007f99534bf4d8 <+40>:    and    $0x7,%ecx
   0x00007f99534bf4db <+43>:    add    $0xf,%ecx
   0x00007f99534bf4de <+46>:    shl    %cl,%rax
   0x00007f99534bf4e1 <+49>:    mov    %rdx,%rcx
   0x00007f99534bf4e4 <+52>:    shl    $0xe,%rcx
   0x00007f99534bf4e8 <+56>:    sub    $0x1,%rax
   0x00007f99534bf4ec <+60>:    shr    $0x16,%rcx
   0x00007f99534bf4f0 <+64>:    and    %rcx,%rax
   0x00007f99534bf4f3 <+67>:    test   $0x3fff,%eax
   0x00007f99534bf4f8 <+72>:    je     0x7f99534bf53e <__tsan_func_entry+142>
   0x00007f99534bf4fa <+74>:    add    %rdx,%rdx
   0x00007f99534bf4fd <+77>:    movabs $0x2000000000000000,%rcx
   0x00007f99534bf507 <+87>:    shr    $0x33,%rdx
   0x00007f99534bf50b <+91>:    or     %rbx,%rcx
   0x00007f99534bf50e <+94>:    add    $0x300000,%rdx
   0x00007f99534bf515 <+101>:    shl    $0x19,%rdx
   0x00007f99534bf519 <+105>:    mov    %rcx,(%rdx,%rax,8)
   0x00007f99534bf51d <+109>:    data32 lea 0x22e5bb(%rip),%rdi        # 0x7f99536edae0
   0x00007f99534bf525 <+117>:    data32 data32 callq 0x7f99534ae330 <__tls_get_addr@plt>
   0x00007f99534bf52d <+125>:    mov    0x18(%rax),%rdx
=> 0x00007f99534bf531 <+129>:    mov    %rbx,(%rdx)
   0x00007f99534bf534 <+132>:    add    $0x8,%rdx
   0x00007f99534bf538 <+136>:    mov    %rdx,0x18(%rax)
   0x00007f99534bf53c <+140>:    pop    %rbx
   0x00007f99534bf53d <+141>:    retq   
   0x00007f99534bf53e <+142>:    sub    $0x400,%rsp
   0x00007f99534bf545 <+149>:    callq  0x7f99534d7db3
   0x00007f99534bf54a <+154>:    add    $0x400,%rsp
   0x00007f99534bf551 <+161>:    jmp    0x7f99534bf4fa <__tsan_func_entry+74>
End of assembler dump.

(gdb) info registers
rax            0x7f9952b3f840    140296494250048
rbx            0x7f9954120182    140296517190018
rcx            0x20007f9954120182    2305983305730883970
rdx            0x0    0
rsi            0x7d220001fdb0    137584982490544
rdi            0x7f99536edae0    140296506497760
rbp            0x7f9952b3f050    0x7f9952b3f050
rsp            0x7f9952b3f020    0x7f9952b3f020
r8             0x0    0
r9             0x7f9952cc4700    140296495843072
r10            0x7f9952b3ee20    140296494247456
r11            0x0    0
r12            0x1    1
r13            0x0    0
r14            0x7f9952cc49c0    140296495843776
r15            0x7f9952cc4700    140296495843072
rip            0x7f99534bf531    0x7f99534bf531 <__tsan_func_entry+129>
eflags         0x10202    [ IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0


I have just found out that the error disappears when I create only one thread. What am I doing wrong?

L.

Dmitry Vyukov

Apr 8, 2015, 4:45:26 AM
to thread-s...@googlegroups.com
The problem is with library linking order (due to the fact that gcc
builds tsan runtime as shared library).
Either remove -lpthread at all, or pass it after -ltsan. Then it should work.
With clang you can build just as:
$ clang ordering.c -fsanitize=thread
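
Added note and check (not part of the thread, not Dmitry's or the sanitizer project's code): why the link order matters, and a way to verify it on a built binary. libtsan interposes pthread_create so it can set up TSan's per-thread state before the new thread executes instrumented code. With the runtime built as a shared library, the dynamic linker resolves pthread_create by searching the executable and then its DT_NEEDED dependencies in load order, so when libpthread.so precedes libtsan.so the uninstrumented pthread_create wins and the first instrumented function in the new thread (thread1Func calling __tsan_func_entry) touches thread state that was never initialised; the null %rdx at the faulting mov %rbx,(%rdx) above is consistent with that. The helper below (hypothetical function names, example code) parses readelf -d output and reports whether libtsan precedes libpthread and libc in the NEEDED list; the two dumps embedded in it are constructed to mimic readelf's format. On glibc 2.34 and later libpthread is merged into libc, so no separate libpthread entry appears; the check then only requires libtsan to precede libc.

```shell
# Added example: verify that the dynamic linker will see libtsan before
# libpthread and libc in a binary's DT_NEEDED list.  tsan_link_order reads
# `readelf -d` output on stdin so the same logic works on a saved dump.
# Prints one of: ok, wrong-order, no-tsan.  Exit status is 0 only for "ok".
# Hypothetical helper names; not code from the original thread.
tsan_link_order() {
    awk '
        /\(NEEDED\)/ {
            n++
            if ($0 ~ /\[libtsan\.so/    && !tsan)    tsan = n
            if ($0 ~ /\[libpthread\.so/ && !pthread) pthread = n
            if ($0 ~ /\[libc\.so/       && !libc)    libc = n
        }
        END {
            if (!tsan) { print "no-tsan"; exit 1 }
            # libtsan must come before every library whose functions it
            # intercepts; a missing libpthread entry (glibc >= 2.34, or
            # libpthread pulled in only via libtsan) is fine.
            if ((pthread && pthread < tsan) || (libc && libc < tsan)) {
                print "wrong-order"; exit 1
            }
            print "ok"; exit 0
        }'
}

# Run the check against a real binary, e.g. after
#   gcc -g -O0 -fPIE -pie -fsanitize=thread ordering.cpp -o ordering
check_binary() {
    readelf -d "$1" | tsan_link_order
}

# Constructed samples of what `readelf -d` prints for the two link orders
# discussed in the thread (the tag/address column is abbreviated).
BAD_DUMP='0x0000000000000001 (NEEDED)  Shared library: [libpthread.so.0]
0x0000000000000001 (NEEDED)  Shared library: [libtsan.so.0]
0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

GOOD_DUMP='0x0000000000000001 (NEEDED)  Shared library: [libtsan.so.0]
0x0000000000000001 (NEEDED)  Shared library: [libpthread.so.0]
0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

# Apply the check to a saved dump held in a variable.
check_dump() {
    printf '%s\n' "$1" | tsan_link_order
}

# Usage on a real build: check_binary ./ordering
```

For the command line from the first post this means either dropping -lpthread entirely or placing it after -ltsan, as Dmitry says; check_binary ./ordering should then print ok. The same check applies to any sanitizer runtime linked as a shared object, since the interceptors in libasan.so and friends rely on the same search-order property.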

lucie.m...@gmail.com

Apr 8, 2015, 4:52:59 AM
to thread-s...@googlegroups.com
Aaah, I see. Everything works correctly now. 

Thanks a lot, Dmitry!