From: linzhecheng
Date: Mon, 27 Nov 2017 22:59:36 +0800
Message-ID: <20171127145936.15676-1-linzhecheng@huawei.com>
Subject: [Qemu-devel] [PATCH] thread: move detach_thread from creating thread to created thread
Cc: pbonzini@redhat.com, aliguori@us.ibm.com, arei.gonglei@huawei.com, linzhecheng

If we create a thread with QEMU_THREAD_DETACHED mode, QEMU may get a segfault with low probability. The backtrace is:

#0  0x00007f46c60291d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f46c602a8c8 in __GI_abort () at abort.c:90
#2  0x00000000008543c9 in PAT_abort ()
#3  0x000000000085140d in patchIllInsHandler ()
#4
#5  pthread_detach (th=139933037614848) at pthread_detach.c:50
#6  0x0000000000829759 in qemu_thread_create (thread=thread@entry=0x7ffdaa8205e0, name=name@entry=0x94d94a "io-task-worker", start_routine=start_routine@entry=0x7eb9a0 , arg=arg@entry=0x3f5cf70, mode=mode@entry=1) at util/qemu_thread_posix.c:512
#7  0x00000000007ebc96 in qio_task_run_in_thread (task=0x31db2c0, worker=worker@entry=0x7e7e40 , opaque=0xcd23380, destroy=0x7f1180 ) at io/task.c:141
#8  0x00000000007e7f33 in qio_channel_socket_connect_async (ioc=ioc@entry=0x626c0b0, addr=, callback=callback@entry=0x55e080 , opaque=opaque@entry=0x42862c0, destroy=destroy@entry=0x0) at io/channel_socket.c:194
#9
0x000000000055bdd1 in socket_reconnect_timeout (opaque=0x42862c0) at qemu_char.c:4744
#10 0x00007f46c72483b3 in g_timeout_dispatch () from /usr/lib64/libglib-2.0.so.0
#11 0x00007f46c724799a in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#12 0x000000000076c646 in glib_pollfds_poll () at main_loop.c:228
#13 0x000000000076c6eb in os_host_main_loop_wait (timeout=348000000) at main_loop.c:273
#14 0x000000000076c815 in main_loop_wait (nonblocking=nonblocking@entry=0) at main_loop.c:521
#15 0x000000000056a511 in main_loop () at vl.c:2076
#16 0x0000000000420705 in main (argc=, argv=, envp=) at vl.c:4940

The root cause of this problem is a bug in glibc (version 2.17; the latest version has the same bug). Let's see what happened in glibc's code. Here is the code slice of pthread_detach.c:

25 int
26 pthread_detach (pthread_t th)
27 {
28   struct pthread *pd = (struct pthread *) th;
29
30   /* Make sure the descriptor is valid.  */
31   if (INVALID_NOT_TERMINATED_TD_P (pd))
32     /* Not a valid thread handle.  */
34     return ESRCH;
35
36   int result = 0;
37   /* Mark the thread as detached.  */
38   if (atomic_compare_and_exchange_bool_acq (&pd->joinid, pd, NULL))
39     {
40       /* There are two possibilities here.  First, the thread might
41          already be detached.  In this case we return EINVAL.
42          Otherwise there might already be a waiter.  The standard does
43          not mention what happens in this case.  */
44       if (IS_DETACHED (pd))
45         result = EINVAL;
46     }
47   else
48     /* Check whether the thread terminated meanwhile.  In this case we
49        will just free the TCB.  */
50     if ((pd->cancelhandling & EXITING_BITMASK) != 0)
51       /* Note that the code in __free_tcb makes sure each thread
52          control block is freed only once.  */
53       __free_tcb (pd);
54   return result;
55 }

QEMU gets a segfault at line 50, because pd is an invalid address.
pd is still valid at line 38 when we set pd->joinid = pd; at this moment the created thread is just exiting (it only keeps running for a short time). The created thread is running in this code of start_thread:

404   /* If the thread is detached free the TCB.  */
405   if (IS_DETACHED (pd))
406     /* Free the TCB.  */
407     __free_tcb (pd);

The created thread found that pd is detached, so it freed pd; in this case, pd became an invalid address.

I rewrite qemu_thread_create to move detach_thread from the creating thread to the created thread to avoid this concurrency problem.

Signed-off-by: linzhecheng

diff --git a/include/qemu/thread-posix.h b/include/qemu/thread-posix.h index f3f47e426f..d855c15dab 100644 --- a/include/qemu/thread-posix.h +++ b/include/qemu/thread-posix.h @@ -44,4 +44,12 @@ struct QemuThread { pthread_t thread; }; =20 +struct QemuThread_args { + void *(*start_routine)(void *); + void *arg; + char *name; + int mode; +}; + + #endif diff --git a/include/qemu/thread.h b/include/qemu/thread.h index 9910f49b3a..db365242da 100644 --- a/include/qemu/thread.h +++ b/include/qemu/thread.h @@ -10,6 +10,7 @@ typedef struct QemuSemaphore QemuSemaphore; typedef struct QemuEvent QemuEvent; typedef struct QemuLockCnt QemuLockCnt; typedef struct QemuThread QemuThread; +typedef struct QemuThread_args QemuThread_args; =20 #ifdef _WIN32 #include "qemu/thread-win32.h" diff --git a/util/qemu-thread-posix.c b/util/qemu-thread-posix.c index 7306475899..8c72fb12a8 100644 --- a/util/qemu-thread-posix.c +++ b/util/qemu-thread-posix.c 
@@ -482,13 +482,34 @@ static void __attribute__((constructor)) qemu_thread_= atexit_init(void) /* Attempt to set the threads name; note that this is for debug, so * we're not going to fail if we can't set it. */ -static void qemu_thread_set_name(QemuThread *thread, const char *name) +static void qemu_thread_set_name(pthread_t thread, const char *name) { #ifdef CONFIG_PTHREAD_SETNAME_NP - pthread_setname_np(thread->thread, name); + pthread_setname_np(thread, name); #endif } =20 +static void *qemu_thread_start(void *args) +{ + QemuThread_args *qemu_thread_args; + void *ret; + + qemu_thread_args =3D (QemuThread_args *)args; + if (qemu_thread_args->name) { + qemu_thread_set_name(pthread_self(), qemu_thread_args->name); + g_free(qemu_thread_args->name); + } + + if (qemu_thread_args->mode =3D=3D QEMU_THREAD_DETACHED) { + pthread_detach(pthread_self()); + } + ret =3D qemu_thread_args->start_routine(qemu_thread_args->arg); + + g_free(qemu_thread_args); + return ret; +} + + void qemu_thread_create(QemuThread *thread, const char *name, void *(*start_routine)(void*), void *arg, int mode) @@ -496,6 +517,7 @@ void qemu_thread_create(QemuThread *thread, const char = *name, sigset_t set, oldset; int err; pthread_attr_t attr; + QemuThread_args *qemu_thread_args; =20 err =3D pthread_attr_init(&attr); if (err) { @@ -505,7 +527,15 @@ void qemu_thread_create(QemuThread *thread, const char= *name, /* Leave signal handling to the iothread. */ sigfillset(&set); pthread_sigmask(SIG_SETMASK, &set, &oldset); - err =3D pthread_create(&thread->thread, &attr, start_routine, arg); + + qemu_thread_args =3D g_new0(QemuThread_args, 1); + qemu_thread_args->mode =3D mode; + qemu_thread_args->name =3D name_threads ? g_strdup_printf("%s", name) = : NULL; + qemu_thread_args->start_routine =3D start_routine; + qemu_thread_args->arg =3D arg; + + err =3D pthread_create(&thread->thread, &attr, + qemu_thread_start, qemu_thread_args); if (err) error_exit(err, __func__); =20 --=20 2.12.2.windows.2
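Review bot: In the include/qemu/thread-posix.h hunk the new type name QemuThread_args mixes styles; the neighbouring types (QemuThread, QemuSemaphore, QemuLockCnt) are plain CamelCase, so QemuThreadArgs would fit, and the two blank lines added before #endif should be one. Since only util/qemu-thread-posix.c reads the fields, the struct could also be file-local there instead of in a public header.

Review bot: The typedef added in the include/qemu/thread.h hunk sits above the #ifdef _WIN32 switch, so the Win32 build declares a type whose struct is defined only in thread-posix.h; harmless for an incomplete type, but it belongs beside the struct definition rather than in the portable header.

Review bot: In the qemu_thread_start hunk (@@ -482,13 +482,34 @@) the QemuThread_args box is freed only after start_routine returns, so a routine that finishes with pthread_exit() or is cancelled leaks it; copy start_routine and arg into locals and g_free(qemu_thread_args) before the call. Detaching from inside the thread is sound, because a thread executing pthread_detach(pthread_self()) cannot already have had its TCB freed, and moving qemu_thread_set_name into the thread is right for the same reason: pthread_setname_np on a handle whose thread has exited is just as undefined.

Review bot: The last hunk (@@ -505,7 +527,15 @@) does not remove the creator-side pthread_detach() that the backtrace shows called from qemu_thread_create at util/qemu_thread_posix.c:512; no `-` line for it appears in the diff, and no caller of qemu_thread_set_name is updated although its parameter changed from QemuThread * to pthread_t. If those calls remain, the thread is detached twice and the original race is still there, so either the diff is truncated or the patch is incomplete. Minor: `g_strdup_printf("%s", name)` is just `g_strdup(name)`. A smaller alternative for the detach half is `pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED)` before pthread_create, which makes the thread detached from birth without any later call on the handle; the trampoline is still needed for naming.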
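As an added illustration, not part of this patch or of QEMU, here is the race-free shape the commit message argues for, written standalone in C with names of my own (ThreadArgs, thread_trampoline, safe_thread_create, run_detached_demo): naming and detaching happen inside the new thread, the creator never touches the handle after pthread_create, and the argument box is freed before the user routine runs. It assumes Linux glibc or musl for pthread_setname_np and is built with cc -pthread.

```c
/* Added example, not QEMU code: detach and name the thread from inside itself. */
#define _GNU_SOURCE               /* for pthread_setname_np on glibc */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
extern int pthread_setname_np(pthread_t, const char *);   /* glibc/musl; name <= 15 chars */
#endif
typedef struct { void *(*fn)(void *); void *arg; char name[16]; int detached; } ThreadArgs;

static void *thread_trampoline(void *p)
{
    ThreadArgs a = *(ThreadArgs *)p;
    free(p);                      /* freed before fn runs: no leak if fn calls pthread_exit() */
#ifdef __linux__
    if (a.name[0]) pthread_setname_np(pthread_self(), a.name);
#endif
    if (a.detached)               /* always safe: a running thread cannot have been freed */
        pthread_detach(pthread_self());
    return a.fn(a.arg);
}

/* Returns 0 or the pthread_create() error. *out is never touched afterwards, so the
 * creator cannot race a thread that has already exited (the bug in the backtrace). */
int safe_thread_create(pthread_t *out, const char *name, void *(*fn)(void *), void *arg, int detached)
{
    ThreadArgs *a = calloc(1, sizeof *a);   /* zeroed, so name stays NUL-terminated */
    if (!a) return ENOMEM;
    a->fn = fn; a->arg = arg; a->detached = detached;
    if (name) strncpy(a->name, name, sizeof a->name - 1);
    int err = pthread_create(out, NULL, thread_trampoline, a);
    if (err) free(a);
    return err;
}

/* Demo: n detached workers that exit almost at once; returns how many completed. */
static pthread_mutex_t mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cv = PTHREAD_COND_INITIALIZER;
static int done;
static void *quick_worker(void *p) { pthread_mutex_lock(&mu); done++; pthread_cond_signal(&cv); pthread_mutex_unlock(&mu); return p; }
int run_detached_demo(int n)
{
    pthread_t t; int spawned = 0;
    pthread_mutex_lock(&mu); done = 0; pthread_mutex_unlock(&mu);
    for (int i = 0; i < n; i++)
        spawned += (safe_thread_create(&t, "quick-worker", quick_worker, NULL, 1) == 0);
    pthread_mutex_lock(&mu); while (done < spawned) pthread_cond_wait(&cv, &mu); pthread_mutex_unlock(&mu);
    return done;
}
```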