Threading problems in (Win)DBus
Olivier Hochreutiner
olivier.hochreutiner at gmail.com
Mon Jul 9 08:00:09 PDT 2007
2007/7/9, Olivier Hochreutiner <olivier.hochreutiner at gmail.com>:
> 2007/7/7, Havoc Pennington <hp at redhat.com>:
> > Hi,
> >
> > From the traces, here two different threads take the lock at the same
> > time (apparently?):
> >
> > 10357: LOCK: _dbus_connection_acquire_dispatch [3082640272]
> > 10357: 10357: lock socket_do_iteration post poll
> > 10357: LOCK: _dbus_connection_lock [3082643152]
> >
> > And then here also:
> >
> > 11703: LOCK: dbus_connection_send_with_reply [3082446544]
> > 11703: Allocated slot 0 on allocator 0xb7eb583c total 1 slots allocated
> > 1 used
> > 11703: LOCK: dbus_connection_get_is_connected [3082443664]
> >
> > So that should not be possible, right? Unless the implementation of
> > locking is messed up somehow (which it may well be) or the locks are
> > no-ops since threads are for some reason not enabled.
>
> As of Christian's second post, threading was disabled in the traces
> above. Now that he enabled it, he has the exact same behaviour under
> Linux I have under Win32: when traces are enabled, no assert fails,
> and when traces are disabled, an assert fails after 10-100 iterations
> of the while loop in Paolo's example. The failing assert occurs in
> several different places, but it is always
> "connection->have_connection_lock" or "connection->io_path_acquired".
>
> I tried Peter's patch to test if threading is really enabled, and it
> is (in case you still doubted ;-)
>
> Also note that it seems the bug can be reproduced much easier (if not
> only ?) on fast CPUs. But that does not help much...
>
> All the facts we have till now makes me think that memory corruption /
> buffer overflow are involved in this problem, for the following
> reasons:
OK, the problem is memory corruption, I now have a proof:
if I insert:
char avoidoverflow[10000];
in the definition of "struct DBusConnection" anywhere between:
unsigned int io_path_acquired : 1;
and
unsigned int have_connection_lock : 1;
the problem disappears. I think this clearly means that
have_connection_lock (or sometimes io_path_acquired; see asserts I
reported) is overwritten by an overflow. Now the 1-billion-dollar
question: where does the overflow (or underflow, or corrupted pointer)
occur ?
Best,
Olivier
More information about the dbus
mailing list