NetBSD-Bugs archive


lib/43005: ld.so needs locking



>Number:         43005
>Category:       lib
>Synopsis:       ld.so needs locking
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 18 21:15:00 +0000 2010
>Originator:     Thomas Klausner
>Release:        NetBSD 5.99.24
>Organization:
Curiosity is the very basis of education and if you tell me that 
curiosity killed the cat, I say only that the cat died nobly.
- Arnold Edinborough
>Environment:
        
        
System: NetBSD yt.nih.at 5.99.24 NetBSD 5.99.24 (YT) #40: Sun Mar 14 18:41:13 
CET 2010 wiz%yt.nih.at@localhost:/archive/cvs/src/sys/arch/amd64/compile/obj/YT 
amd64
Architecture: x86_64
Machine: amd64
>Description:
Since the introduction of the negative symbol cache, ld.so is less
thread-friendly.

This affects e.g. gimp, which most of the time immediately coredumps for me.
>How-To-Repeat:
Update to -current in March, start gimp.

Backtrace with MALLOC_DEBUG in ld.elf_so shows that two threads meet
in imalloc in xmalloc.c:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f7ffdc06f1e in imalloc (nbytes=440) at xmalloc.c:242
242             nextf[bucket] = op->ov_next;
(gdb) bt
#0  0x00007f7ffdc06f1e in imalloc (nbytes=440) at xmalloc.c:242
#1  0x00007f7ffdc074a8 in xmalloc (size=440) at xmalloc.c:460
#2  0x00007f7ffdc06ac5 in _rtld_symlook_default (name=0x437f1a "gegl_config",
    hash=101315287, refobj=0x7f7ffdffa000, defobj_out=0x7f7fffffd0c0,
    in_plt=true) at symbol.c:415
#3  0x00007f7ffdc068c5 in _rtld_find_symdef (symnum=2862,
    refobj=0x7f7ffdffa000, defobj_out=0x7f7fffffd180, in_plt=true)
    at symbol.c:334
#4  0x00007f7ffdc069ce in _rtld_find_plt_symdef (symnum=2862,
    obj=0x7f7ffdffa000, defobj=0x7f7fffffd180, imm=true) at symbol.c:377
#5  0x00007f7ffdc04024 in _rtld_relocate_plt_object (obj=0x7f7ffdffa000,
    rela=0x458ba0, tp=0x7f7fffffd1d0)
    at /usr/src/libexec/ld.elf_so/arch/x86_64/mdreloc.c:266
#6  0x00007f7ffdc03fb6 in _rtld_bind (obj=0x7f7ffdffa000, reloff=931)
    at /usr/src/libexec/ld.elf_so/arch/x86_64/mdreloc.c:294
#7  0x00007f7ffdc03b11 in _rtld_bind_start () from /usr/libexec/ld.elg_so
#8  0x00007f7ff2e8bc55 in idalloc (ptr=<value optimized out>)
    at /archive/cvs/src/lib/libc/stdlib/jemalloc.c:2554
#9  0x0000000000696769 in gimp_gegl_init ()
#10 0x0000000000466ddc in app_run ()
#11 0x0000000000467c38 in main ()

(gdb) thread 6
[Switching to thread 6 (process 342059)]#0  0x00007f7ffdc06f1e in imalloc (
    nbytes=440) at xmalloc.c:242
242             nextf[bucket] = op->ov_next;
(gdb) bt
#0  0x00007f7ffdc06f1e in imalloc (nbytes=440) at xmalloc.c:242
#1  0x00007f7ffdc074a8 in xmalloc (size=440) at xmalloc.c:460
#2  0x00007f7ffdc06ac5 in _rtld_symlook_default (
    name=0x4324a2 "g_strdup_vprintf", hash=116781414, refobj=0x7f7ffdffa000,
    defobj_out=0x7f7fef7ff0a0, in_plt=true) at symbol.c:415
#3  0x00007f7ffdc068c5 in _rtld_find_symdef (symnum=2911,
    refobj=0x7f7ffdffa000, defobj_out=0x7f7fef7ff160, in_plt=true)
    at symbol.c:334
#4  0x00007f7ffdc069ce in _rtld_find_plt_symdef (symnum=2911,
    obj=0x7f7ffdffa000, defobj=0x7f7fef7ff160, imm=true) at symbol.c:377
#5  0x00007f7ffdc04024 in _rtld_relocate_plt_object (obj=0x7f7ffdffa000,
    rela=0x458cf0, tp=0x7f7fef7ff1b0)
    at /usr/src/libexec/ld.elf_so/arch/x86_64/mdreloc.c:266
#6  0x00007f7ffdc03fb6 in _rtld_bind (obj=0x7f7ffdffa000, reloff=945)
    at /usr/src/libexec/ld.elf_so/arch/x86_64/mdreloc.c:294
#7  0x00007f7ffdc03b11 in _rtld_bind_start () from /usr/libexec/ld.elg_so
#8  0x00007f7ffc713080 in ?? ()
#9  0x00007f7ffc713000 in ?? ()
#10 0x00000000000000ec in ?? ()
#11 0x0000000000000000 in ?? ()
>Fix:
Add locking to ld.so.

>Unformatted:
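
The failure mode in the two backtraces above (two threads inside the same free-list update at once), as an added example that is not part of the original report and is not ld.elf_so code. It uses a simplified one-bucket free list; the struct layout, all names and the thread count are assumptions, and the pthread mutex stands in for whatever lock the runtime linker would use.

```c
/* Added sketch, not ld.elf_so source: a one-bucket free list (assumed layout). */
#include <pthread.h>
#include <stddef.h>
enum { NBLOCKS = 4096, NTHREADS = 4 };
struct block { struct block *next; int taken; };
static struct block pool[NBLOCKS];
static struct block *freelist;        /* plays the role of nextf[bucket] */
static pthread_mutex_t freelist_lock = PTHREAD_MUTEX_INITIALIZER;

/* Unlocked pop with its load and store interleaved by hand, as two threads can. */
int unlocked_pop_duplicates_block(void)
{
    struct block a = { NULL, 0 }, b = { &a, 0 }, *head = &b;
    struct block *op1 = head, *op2 = head;  /* both threads load the same head */
    head = op1->next;                 /* thread 1: head = op->next */
    head = op2->next;                 /* thread 2 repeats the store */
    return op1 == op2 && head == &a;  /* one block, two owners */
}

/* Locked pop: the load and the store form one critical section. */
static struct block *pop_locked(void)
{
    pthread_mutex_lock(&freelist_lock);
    struct block *op = freelist;
    if (op != NULL)
        freelist = op->next;
    pthread_mutex_unlock(&freelist_lock);
    return op;
}

static void *worker(void *arg)
{
    for (struct block *op; (op = pop_locked()) != NULL; )
        op->taken++;                  /* only the block's owner writes it */
    return arg;
}

/* Drain the list from several threads; returns blocks handed out exactly once. */
int run_locked_demo(void)
{
    pthread_t t[NTHREADS];
    int i, n = 0, once = 0;
    for (i = 0; i < NBLOCKS; i++)     /* chain pool[0] -> pool[1] -> ... -> NULL */
        pool[i] = (struct block){ i + 1 < NBLOCKS ? &pool[i + 1] : NULL, 0 };
    freelist = &pool[0];
    while (n < NTHREADS && pthread_create(&t[n], NULL, worker, NULL) == 0) n++;
    for (i = 0; i < n; i++) pthread_join(t[i], NULL);
    for (i = 0; i < NBLOCKS; i++) once += (pool[i].taken == 1);
    return once;
}
```

With the lock held across the load and the store, every block is handed to exactly one thread; the hand-interleaved version shows the same block going to two callers, after which both treat it as their own memory.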
        
        

