As for exit, also allows concurrent quick_exit to avoid race
conditions when it is called concurrently. Since it uses the same
internal function as exit, the __exit_lock lock is moved to
__run_exit_handlers. It also solved a potential concurrent when
calling exit and quick_exit concurrently.
The test case 'expected' is expanded to a value larger than the
minimum required by C/POSIX (32 entries) so at_quick_exit() will
require libc to allocate a new block. This makes the test more likely to
trigger concurrent issues (through free() at __run_exit_handlers)
if quick_exit() interacts with the at_quick_exit list concurrently.
This is also the latest interpretation of the Austin Ticket [1].
Checked on x86_64-linux-gnu.
[1] https://austingroupbugs.net/view.php?id=1845
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Even if C/POSIX standard states that exit is not formally thread-unsafe,
calling it more than once is UB. The glibc already supports
it for the single-thread, and both elf/nodelete2.c and tst-rseq-disable.c
call exit from a DSO destructor (which is called by _dl_fini, registered
at program startup with __cxa_atexit).
However, there are still race issues when it is called more than once
concurrently by multiple threads. A recent Rust PR triggered this
issue [1], which resulted in an Austin Group ask for clarification [2].
Besides it, there is a discussion to make concurrent calling not UB [3],
with a defined semantic where any remaining callers block until the first
call to exit has finished (reentrant calls, leaving through longjmp, and
exceptions are still undefined).
For glibc, at least reentrant calls are required to be supported to avoid
changing the current behaviour. This requires locking using a recursive
lock, where any exit called by atexit() handlers resumes at the point of
the current handler (thus avoiding calling the current handle multiple
times).
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
[1] https://github.com/rust-lang/rust/issues/126600
[2] https://austingroupbugs.net/view.php?id=1845
[3] https://www.openwall.com/lists/libc-coord/2024/07/24/4
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
They are both used by __libc_freeres to free all library malloc
allocated resources to help tooling like mtrace or valgrind with
memory leak tracking.
The current scheme uses assembly markers and linker script entries
to consolidate the free routine function pointers in the RELRO segment
and to be freed buffers in BSS.
This patch changes it to use specific free functions for
libc_freeres_ptrs buffers and call the function pointer array directly
with call_function_static_weak.
It allows the removal of both the internal macros and the linker
script sections.
Checked on x86_64-linux-gnu, i686-linux-gnu, and aarch64-linux-gnu.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Post review removal of "goto restart" from
https://sourceware.org/pipermail/libc-alpha/2021-April/125470.html
introduced a bug when some atexit handlers skipped.
Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
In the future, this will result in a compilation failure if the
macros are unexpectedly undefined (due to header inclusion ordering
or header inclusion missing altogether).
Assembler sources are more difficult to convert. In many cases,
they are hand-optimized for the mangling and no-mangling variants,
which is why they are not converted.
sysdeps/s390/s390-32/__longjmp.c and sysdeps/s390/s390-64/__longjmp.c
are special: These are C sources, but most of the implementation is
in assembler, so the PTR_DEMANGLE macro has to be undefined in some
cases, to match the assembler style.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
This allows us to define a generic no-op version of PTR_MANGLE and
PTR_DEMANGLE. In the future, we can use PTR_MANGLE and PTR_DEMANGLE
unconditionally in C sources, avoiding an unintended loss of hardening
due to missing include files or unlucky header inclusion ordering.
In i386 and x86_64, we can avoid a <tls.h> dependency in the C
code by using the computed constant from <tcb-offsets.h>. <sysdep.h>
no longer includes these definitions, so there is no cyclic dependency
anymore when computing the <tcb-offsets.h> constants.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.
I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah. I don't
know why I run into these diagnostics whereas others evidently do not.
remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
Keep __exit_funcs_lock almost all the time and unlock it only to execute
callbacks. This fixed two issues.
1. f->func.cxa was modified outside the lock with rare data race like:
thread 0: __run_exit_handlers unlock __exit_funcs_lock
thread 1: __internal_atexit locks __exit_funcs_lock
thread 0: f->flavor = ef_free;
thread 1: sees ef_free and use it as new
thread 1: new->func.cxa.fn = (void (*) (void *, int)) func;
thread 1: new->func.cxa.arg = arg;
thread 1: new->flavor = ef_cxa;
thread 0: cxafct = f->func.cxa.fn; // it's wrong fn!
thread 0: cxafct (f->func.cxa.arg, status); // it's wrong arg!
thread 0: goto restart;
thread 0: call the same exit_function again as it's ef_cxa
2. Don't unlock in main while loop after *listp = cur->next. If *listp
is NULL and __exit_funcs_done is false another thread may fail in
__new_exitfn on assert (l != NULL):
thread 0: *listp = cur->next; // It can be the last: *listp = NULL.
thread 0: __libc_lock_unlock
thread 1: __libc_lock_lock in __on_exit
thread 1: __new_exitfn
thread 1: if (__exit_funcs_done) // false: thread 0 isn't there yet.
thread 1: l = *listp
thread 1: moves one and crashes on assert (l != NULL);
The test needs multiple iterations to consistently fail without the fix.
Fixes https://sourceware.org/bugzilla/show_bug.cgi?id=27749
Checked on x86_64-linux-gnu.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
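The lock discipline this fix describes, sketched as an added single-threaded C model (not glibc's code): the slot is marked ef_free and fn/arg are copied while the lock is held, and the lock is dropped only around the callback. model_cxa_atexit, model_run_exit_handlers, the fixed 32-slot array and the sample handlers are assumptions made for the illustration; a handler that registers from inside its own callback stands in for the second thread reusing the slot.

```c
#include <pthread.h>
#include <stddef.h>
/* Simplified model, not glibc source: one fixed block, ef_cxa handlers only. */
enum flavor { ef_free, ef_cxa };
struct exit_function { enum flavor flavor; void (*fn)(void *, int); void *arg; };
#define SLOTS 32
static struct exit_function slots[SLOTS];
static size_t idx;                 /* one past the last slot in use */
static int exit_funcs_done;        /* set once the runner found the list empty */
static pthread_mutex_t exit_funcs_lock = PTHREAD_MUTEX_INITIALIZER;

/* Register a handler; fails (-1) once the runner has finished. */
int model_cxa_atexit(void (*fn)(void *, int), void *arg)
{
    int ret = -1;
    pthread_mutex_lock(&exit_funcs_lock);
    while (idx > 0 && slots[idx - 1].flavor == ef_free) idx--;  /* reuse freed tail */
    if (!exit_funcs_done && idx < SLOTS) {
        struct exit_function *slot = &slots[idx++];
        slot->fn = fn;
        slot->arg = arg;
        slot->flavor = ef_cxa;     /* flavor is written last */
        ret = 0;
    }
    pthread_mutex_unlock(&exit_funcs_lock);
    return ret;
}

/* Hold the lock the whole time except while a callback runs. */
void model_run_exit_handlers(int status)
{
    pthread_mutex_lock(&exit_funcs_lock);
    for (;;) {
        while (idx > 0 && slots[idx - 1].flavor == ef_free) idx--;
        if (idx == 0) { exit_funcs_done = 1; break; }  /* decided under the lock */
        struct exit_function *f = &slots[idx - 1];
        void (*fn)(void *, int) = f->fn;   /* private copies taken while */
        void *arg = f->arg;                /* the slot cannot be reused  */
        f->flavor = ef_free;               /* released before unlocking  */
        pthread_mutex_unlock(&exit_funcs_lock);
        fn(arg, status);                   /* may register new handlers  */
        pthread_mutex_lock(&exit_funcs_lock);
    }
    pthread_mutex_unlock(&exit_funcs_lock);
}

static int calls[3];               /* constructed sample handlers below */
static void count(void *arg, int status) { (void) status; ++*(int *) arg; }
static void chain(void *arg, int status)   /* re-registers into its own freed slot */
{ count(arg, status); model_cxa_atexit(count, &calls[2]); }

/* Returns 1 when every handler ran exactly once and late registration failed. */
int demo(void)
{
    model_cxa_atexit(count, &calls[0]);
    model_cxa_atexit(chain, &calls[1]);
    model_run_exit_handlers(0);
    int late = model_cxa_atexit(count, &calls[0]);  /* list is done: rejected */
    return calls[0] == 1 && calls[1] == 1 && calls[2] == 1 && late == -1;
}
```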
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted of lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
POSIX requires that dlclose() and exit() be thread safe, therefore
you can have one thread in the middle of dlclose() and another thread
executing exit() without causing any undefined behaviour on the part
of the implementation.
The existing implementation had a flaw that exit() exit handler processing
did not consider a concurrent dlclose() and would not mark already run
exit handlers using the ef_free flavour. The consequence of this is that
a concurrent exit() with dlclose() will run all the exit handlers that
dlclose() had not yet run, but then will block on the loader lock. The
concurrent dlclose() will continue to run all the exit handlers again
(twice) in violation of the Itanium C++ ABI requirements for __cxa_atexit().
This commit fixes this by having exit() mark all handlers with ef_free to
ensure that concurrent dlclose() won't re-run registered exit handlers that
have already run.
In C++11 18.5.12 says "Objects shall not be destroyed as a
result of calling quick_exit." In C11 quick_exit is silent
about thread object destruction. Therefore to make glibc
C++ compliant we do not call any thread local destructors.
A new regression test verifies the fix.
I will note that C++11 18.5.3 makes it clear that C++
defines additional requirements for _Exit() to prevent it
from executing destructors.
Given that the point of _Exit() is to terminate the process
immediately it makes sense the C and C++ should line up
and avoid calling destructors.
No failures. New regtest passes.
This feature is specifically for the C++ compiler to offload calling
thread_local object destructors on thread program exit, to glibc.
This is to overcome the possible complication of destructors of
thread_local objects getting called after the DSO in which they're
defined is unloaded by the dynamic linker. The DSO is marked as
'unloadable' if it has a constructed thread_local object and marked as
'unloadable' again when all the constructed thread_local objects
defined in it are destroyed.
cxa_at_quick_exit.
(static-only-routines): Add at_quick_exit.
* stdlib/Versions: Export quick_exit and __cxa_at_quick_exit for
GLIBC_2.10.
* stdlib/quick_exit.c: New file.
* stdlib/at_quick_exit.c: New file.
* stdlib/cxa_at_quick_exit.c: New file.
* stdlib/cxa_atexit.c (__cxa_atexit): Move body to new function. Call
it appropriately.
(__internal_atexit): New function.
(__new_exitfn): Now takes parameter to point to the list to use.
* stdlib/cxa_finalize.c: Remove quick_exit handlers, don't call them.
* stdlib/exit.c (__run_exit_handlers): New function. Split from...
(exit): ...here. Just call __run_exit_handlers appropriately.
* stdlib/exit.h: Declare __quick_exit_funcs, __run_exit_handlers,
__internal_atexit, __cxa_at_quick_exit. Adjust __new_exitfn.
* stdlib/on_exit.c: Adjust call to __new_exitfn.
* stdlib/stdlib.h: Declare at_quick_exit and quick_exit.
flavor field last and protect with memory barrier.
* stdlib/on_exit.c: Likewise.
* stdlib/cxa_finalize.c: Use PTR_DEMANGLE on function pointer before
using it.
* stdlib/exit.c: Likewise.
2001-07-06 Paul Eggert <eggert@twinsun.com>
* manual/argp.texi: Remove ignored LGPL copyright notice; it's
not appropriate for documentation anyway.
* manual/libc-texinfo.sh: "Library General Public License" ->
"Lesser General Public License".
2001-07-06 Andreas Jaeger <aj@suse.de>
* All files under GPL/LGPL version 2: Place under LGPL version
2.1.
1999-11-25 H.J. Lu <hjl@gnu.org>
* stdlib/exit.c (exit): Run functions only if
__exit_funcs->idx > 0.
1999-11-25 Ulrich Drepper <drepper@cygnus.com>
* manual/charset.texi (iconv Examples): Add iconv call to flush
state. Reported by Andrew Clausen <clausen@alphalink.com.au>.
1999-11-25 Andreas Jaeger <aj@suse.de>
* manual/install.texi (Running make install): Better describe
update from libc5.
Patch by Michael Deutschmann <michael@talamasca.wkpowerlink.com>.
1999-11-25 Andreas Jaeger <aj@suse.de>
* include/sys/mman.h: Remove K&R compatibility.
1999-11-15 Andreas Jaeger <aj@suse.de>
* misc/sys/mman.h: Use __REDIRECT for mmap, correct prototype to
use __off64_t.
1999-11-25 Ulrich Drepper <drepper@cygnus.com>
* iconv/iconv_prog.c (process_block): For stateful charsets write
out byte sequence to get to initial state at the end of the file.
which was reported to not work (which proved to be wrong).
Thu Oct 31 00:01:39 1996 Ulrich Drepper <drepper@cygnus.com>
* signal/Makefile (routines): Add sigwait.
* signal/signal.h: Add prototype for sigwait.
* sysdeps/posix/sigwait.c: New file. Implementation of sigwait
function from POSIX.1c.
* sysdeps/stub/sigwait.c: New file. Stub version of sigwait.
Wed Oct 30 02:01:17 1996 Richard Henderson <rth@tamu.edu>
* sunrpc/xdr_float.c (xdr_float): Handle sizeof(float)!=sizeof(long),
but don't bother going farther than sizeof(float)==sizeof(int).
(xdr_double): Handle little-endian machines! Handle sizeof(double)
!= 2*sizeof(long), though again don't bother with more than int.
Thu Oct 29 16:09:42 1996 Craig Metz <cmetz@inner.net>
* sysdeps/posix/getaddrinfo.c: Use buffer limits for inet_ntop
function.
Tue Oct 29 12:37:22 1996 Ulrich Drepper <drepper@cygnus.com>
* Makerules: Create symbolic links for linking in $(libdir).
(make-link): Use absolute path for destination if this is not in
the same directory.
* elf/rtld.c (dl_main): When verifying don't check the name of
the dynamic linker.
* shlib-versions: Change entries for Hurd specific libs from
*-*-gnu* to *-*-gnu?* so that i586-pc-linux-gnu does not match
these entries.
* assert/assert.h: Reformat copyright.
Change reference to ANSI into reference to ISO C.
* ctype/ctype.h: Likewise.
* errno.h: Likewise.
* limits.h: Likewise.
* math/math.h: Likewise.
* setjmp/setjmp.h: Likewise.
* stdio/stdio.h: Likewise.
* libio/stdio.h: Likewise.
* stdlib/stdlib.h: Likewise.
* string/string.h: Likewise.
* time/time.h: Likewise.
* string/argz.h: Use __const in definitions.
* elf/dlfcn.h: Use __const and __P. Reformat copyright.
* misc/err.h: Likewise.
* wctype/wctype.h (wctrans_t): Use __const instead of const.
* Makeconfig ($(common-objpfx)soversions.mk): Generate list of
sonames for versioned libraries.
* Makefile: Remove code to generate libc-version.h.
Generate gnu/lib-names.h with info from soversions.mk.
* features.h: Define __GLIBC__ and __GLIBC_MINOR__.
* dirent/tst-seekdir.c: Initialize save3.
* grp/testgrp.c: Initialize my_group.
* grp/fgetgrent_r.c: Change interface to follow POSIX.1c.
* grp/grp.h: Likewise.
* nss/getXXbyYY.c: Likewise.
* nss/getXXbyYY_r.c: Likewise.
* nss/getXXent.c: Likewise.
* nss/getXXent_r.c: Likewise.
* pwd/fgetpwent_r.c: Likewise.
* pwd/pwd.h: Likewise.
* shadow/fgetspent_r.c: Likewise.
* shadow/sgetspent.c: Likewise.
* shadow/sgetspent_r.c: Likewise.
* grp/fgetgrent.c: Adapt for change in interface of fgetgrent_r.
* pwd/fgetpwent.c: Likewise, for fgetpwent_r.c.
* shadow/fgetspent.c: Likewise, for fgetpwent_r.c.
* resolv/netdb.h: Adapt prototypes for reentrant functions to
follow POSIX.1c.
* sunrpc/rpc/netdb.h: Likewise,
* shadow/shadow.h: Likewise.
* inet/getnetgrent_r.c: Follow change in pwd/grp function interface.
* sysdeps/unix/getlogin_r.c: Return ERANGE when buffer is too small.
* inet/herrno.c: Don't define __h_errno. Only h_errno otherwise the
ELF aliasing creates strange situations.
* sysdeps/unix/sysv/linux/errnos.H: Define __set_errno as inline
function.
* sysdeps/unix/sysv/linux/i386/sysdep.S: Don't define __errno.
* sysdeps/unix/sysv/linux/m68k/sysdep.S: Likewise.
* libio/libio.h: Don't declare _IO_flockfile and _IO_funlockfile
weak.
* locale/programs/charmap.c: Add casts to prevent warnings.
* locale/programs/linereader.h: Likewise.
* locale/programs/ld-collate.c: Likewise.
* locale/programs/stringtrans.c: Likewise.
Change types for various variables to prevent warnings.
* locale/programs/ld-ctype.c: Likewise.
* locale/programs/linereader.h (lr_ungetc): Likewise.
* locale/programs/charset.h (struct charset): Use `unsigned int'
as type for width_default.
* posix/regex.c: Change type of `this_reg' variables.
* stdio-common/Makefile: Use -Wno-format for tstdiomisc.c.
* stdio-common/bug5.c: De-ANSI-fy. Use correct types for
variables.
* stdio-common/printf_fp.c: Initialize to_shift.
* stdio-common/test_rdwr.c: Add cast.
* stdio-common/vfprintf.c: Add casts and use correct types to
prevent warnings.
* stdio-common/vfscanf.c: Initialize str and strptr.
* sysdeps/libm-ieee754/e_jnf.c: Use correct types to prevent warnings.
* sysdeps/libm-ieee754/e_pow.c: Likewise.
* sysdeps/libm-ieee754/e_powf.c: Likewise.
* sysdeps/libm-ieee754/e_rem_pio2f.c: Likewise.
* time/test-tz.c: Likewise.
* manual/creature.texi: Document _REENTRANT and _THREAD_SAFE.
* manual/libc.texinfo: Prevent makeinfo failure by avoiding
libc.cp index. This must be fixed.
* manual/nss.texi: Adapt for correct POSIX.1c interface of
reentrant functions.
* manual/users.texi: Document netgroup functions.
* po/es.po: Updated.
* po/fr.po: Updated.
* posix/fnmatch.c: Change to match libit version.
* posix/unistd.h: Change prototype for ttyname_r to match POSIX.1c.
* sysdep/posix/ttyname_r.c: Likewise.
* stdlib/atexit.h (__new_exitfn): Add internal locking.
* stdlib/exit.c: De-ANSI-fy. Handle new ef_us value for flavor.
* stdlib/exit.h: De-ANSI-fy. Define new ef_us value for flavor.
* stdlib/random.c (__srandom): Add internal locking.
(__initstate): Likewise.
(__setstate): Likewise.
(__random): Likewise.
Mon Oct 28 22:28:37 1996 NIIBE Yutaka <gniibe@mri.co.jp>
* sysdeps/generic/crypt-entry.c (crypt_r): Use __set_errno.
(crypt): Likewise.
* resolv/gethnamaddr.c (gethostbyname2): Likewise.
* sysdeps/generic/uname.c: Likewise.
* sysdeps/posix/rename.c: Likewise.
* sysdeps/stub/setrlimit.c: Likewise.
* nss/nss_db/db-netgrp.c (_nss_db_setnetgrent): Fix typo.
Sun Oct 27 11:12:50 1996 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* locale/programs/ld-collate.c (collate_order_elem): Fix format
string.
(collate_element_to): Cast field width argument to `int' for
format string.
(collate_symbol): Likewise.
(collate_order_elem): Likewise.
(collate_weight_bsymbol): Likewise.
(collate_simple_weight): Likewise.
* locale/programs/ld-time.c (STRARR_ELEM): Fix format string.
* locale/programs/ld-ctype.c (ctype_class_newP): Add missing
argument for format string.
(ctype_map_newP): Likewise.
(set_class_defaults): Fix format string.
* locale/programs/localedef.c (construct_output_path): Putting an
explicit \0 into the format string does not work, use %c.
Sat Oct 26 20:38:36 1996 Richard Henderson <rth@tamu.edu>
* Makerules: Install all shared libraries in $(slibdir).
* login/Makefile: Build libutil.so in others pass after
libc.so is created.
* misc/mntent.h: Include <paths.h> for _PATH_MNTTAB & _PATH_MOUNTED.
* string/stratcliff.c: Allocate 3 pages instead of one, then use
mprotect so that we know that the adjacent pages are inaccessible.
* resource/sys/resource.h: Move all structures and enums to ...
* sysdeps/generic/resourcebits.h: ... here ...
* sysdeps/unix/bsd/sun/sunos4/resourcebits.h: ... and here.
* sysdeps/unix/sysv/linux/alpha/resourcebits.h: Remove.
* sysdeps/unix/sysv/linux/i386/resourcebits.h: Remove.
* sysdeps/unix/sysv/linux/m68k/resourcebits.h: Remove.
* sysdeps/unix/sysv/linux/mips/resourcebits.h: Remove.
* sysdeps/unix/sysv/linux/resourcebits.h: New file. Use kernel
header for RLIMIT_* definitions. The members of struct rlimit
are longs.
Thu Oct 24 17:43:34 1996 Andreas Schwab <schwab@issan.informatik.uni-dortmund.de>
* MakeTAGS (sysdep-dirs): Fix typo.
Wed Oct 23 03:45:22 1996 Ulrich Drepper <drepper@cygnus.com>
* Makefile (headers): Don't mention libc-version.h.
(install-others): ...but here.
* time/strptime.c: Recognize %s, %u, %g, and %G format.
nothing is found. This guarantees all subsequent calls behave
* sysdeps/unix/sysv/linux/syscalls.list: Change function name for
* io/getwd.c (getwd) [! PATH_MAX]: Don't assume that the user's
buffer is any longer than the amount necessary to hold the
filename; the Hurd getcwd uses the *entire* contents of the
buffer, however long it is specified to be.
* posix/getconf.c: De-ANSI-fy. Recognize POSIX.2 constant names.
since these do not depend on the platform.