src/thread/pthread

Bug Summary

File:	thread/pthread_create.c
Location:	line 232, column 7
Description:	Branch condition evaluates to a garbage value

Annotated Source Code

#define _GNU_SOURCE

#include "pthread_impl.h"

#include "stdio_impl.h"

#include "libc.h"

#include <sys/mman.h>

#include <string.h>

#include <stddef.h>

void *__mmap(void *, size_t, int, int, int, off_t);

int __munmap(void *, size_t);

int __mprotect(void *, size_t, int);

static void dummy_0()

{

}

weak_alias(dummy_0, __acquire_ptc)extern __typeof(dummy_0) __acquire_ptc __attribute__((weak, alias
("dummy_0")));

weak_alias(dummy_0, __release_ptc)extern __typeof(dummy_0) __release_ptc __attribute__((weak, alias
("dummy_0")));

weak_alias(dummy_0, __pthread_tsd_run_dtors)extern __typeof(dummy_0) __pthread_tsd_run_dtors __attribute__
((weak, alias("dummy_0")));

weak_alias(dummy_0, __do_orphaned_stdio_locks)extern __typeof(dummy_0) __do_orphaned_stdio_locks __attribute__
((weak, alias("dummy_0")));

weak_alias(dummy_0, __dl_thread_cleanup)extern __typeof(dummy_0) __dl_thread_cleanup __attribute__((weak
, alias("dummy_0")));

_Noreturn__attribute__((__noreturn__)) void __pthread_exit(void *result)

{

pthread_t self = __pthread_self();

sigset_t set;

self->canceldisable = 1;

self->cancelasync = 0;

self->result = result;

while (self->cancelbuf) {

void (*f)(void *) = self->cancelbuf->__f;

void *x = self->cancelbuf->__x;

self->cancelbuf = self->cancelbuf->__next;

f(x);

}

__pthread_tsd_run_dtors();

__lock(self->exitlock);

/* Mark this thread dead before decrementing count */

__lock(self->killlock);

self->dead = 1;

/* Block all signals before decrementing the live thread count.

* This is important to ensure that dynamically allocated TLS

* is not under-allocated/over-committed, and possibly for other

* reasons as well. */

__block_all_sigs(&set);

/* Wait to unlock the kill lock, which governs functions like

* pthread_kill which target a thread id, until signals have

* been blocked. This precludes observation of the thread id

* as a live thread (with application code running in it) after

* the thread was reported dead by ESRCH being returned. */

__unlock(self->killlock);

/* It's impossible to determine whether this is "the last thread"

* until performing the atomic decrement, since multiple threads

* could exit at the same time. For the last thread, revert the

* decrement and unblock signals to give the atexit handlers and

* stdio cleanup code a consistent state. */

if (a_fetch_add(&libc__libc.threads_minus_1, -1)==0) {

libc__libc.threads_minus_1 = 0;

__restore_sigs(&set);

exit(0);

}

/* Process robust list in userspace to handle non-pshared mutexes

* and the detached thread case where the robust list head will

* be invalid when the kernel would process it. */

__vm_lock();

volatile void *volatile *rp;

while ((rp=self->robust_list.head) && rp != &self->robust_list.head) {

pthread_mutex_t *m = (void *)((char *)rp

- offsetof(pthread_mutex_t, _m_next)__builtin_offsetof(pthread_mutex_t, __u.__p[4]));

int waiters = m->_m_waiters__u.__vi[2];

int priv = (m->_m_type__u.__i[0] & 128) ^ 128;

self->robust_list.pending = rp;

self->robust_list.head = *rp;

int cont = a_swap(&m->_m_lock__u.__vi[1], self->tid|0x40000000);

self->robust_list.pending = 0;

if (cont < 0 || waiters)

__wake(&m->_m_lock__u.__vi[1], 1, priv);

}

__vm_unlock();

__do_orphaned_stdio_locks();

__dl_thread_cleanup();

if (self->detached && self->map_base) {

/* Detached threads must avoid the kernel clear_child_tid

* feature, since the virtual address will have been

* unmapped and possibly already reused by a new mapping

* at the time the kernel would perform the write. In

* the case of threads that started out detached, the

* initial clone flags are correct, but if the thread was

* detached later (== 2), we need to clear it here. */

100

if (self->detached == 2) __syscall(SYS_set_tid_address, 0)__syscall1(218,((long) (0)));

101

102

/* Robust list will no longer be valid, and was already

103

* processed above, so unregister it with the kernel. */

104

if (self->robust_list.off)

105

__syscall(SYS_set_robust_list, 0, 3*sizeof(long))__syscall2(273,((long) (0)),((long) (3*sizeof(long))));

106

107

/* Since __unmapself bypasses the normal munmap code path,

108

* explicitly wait for vmlock holders first. */

109

__vm_wait();

110

111

/* The following call unmaps the thread's stack mapping

112

* and then exits without touching the stack. */

113

__unmapself(self->map_base, self->map_size);

114

}

115

116

for (;;) __syscall(SYS_exit, 0)__syscall1(60,((long) (0)));

117

}

118

119

void __do_cleanup_push(struct __ptcb *cb)

120

{

121

struct pthread__pthread *self = __pthread_self();

122

cb->__next = self->cancelbuf;

123

self->cancelbuf = cb;

124

}

125

126

void __do_cleanup_pop(struct __ptcb *cb)

127

{

128

__pthread_self()->cancelbuf = cb->__next;

129

}

130

131

static int start(void *p)

132

{

133

pthread_t self = p;

134

if (self->startlock[0]) {

135

__wait(self->startlock, 0, 1, 1);

136

if (self->startlock[0]) {

137

self->detached = 2;

138

pthread_exit(0);

139

}

140

__restore_sigs(self->sigmask);

141

}

142

if (self->unblock_cancel)

143

__syscall(SYS_rt_sigprocmask, SIG_UNBLOCK,__syscall4(14,((long) (1)),((long) (((sigset_t *)(const unsigned
long [65/8/sizeof(long)]){ [sizeof(long)==4] = 3UL<<(32
*(sizeof(long)>4)) }))),((long) (0)),((long) (65/8)))

144

SIGPT_SET, 0, _NSIG/8)__syscall4(14,((long) (1)),((long) (((sigset_t *)(const unsigned
long [65/8/sizeof(long)]){ [sizeof(long)==4] = 3UL<<(32
*(sizeof(long)>4)) }))),((long) (0)),((long) (65/8)));

145

__pthread_exit(self->start(self->start_arg));

146

return 0;

147

}

148

149

static int start_c11(void *p)

150

{

151

pthread_t self = p;

152

int (*start)(void*) = (int(*)(void*)) self->start;

153

__pthread_exit((void *)(uintptr_t)start(self->start_arg));

154

return 0;

155

}

156

157

#define ROUND(x)(((x)+4096 -1)&-4096) (((x)+PAGE_SIZE4096-1)&-PAGE_SIZE4096)

158

159

/* pthread_key_create.c overrides this */

160

static volatile size_t dummy = 0;

161

weak_alias(dummy, __pthread_tsd_size)extern __typeof(dummy) __pthread_tsd_size __attribute__((weak
, alias("dummy")));

162

static void *dummy_tsd[1] = { 0 };

163

weak_alias(dummy_tsd, __pthread_tsd_main)extern __typeof(dummy_tsd) __pthread_tsd_main __attribute__((
weak, alias("dummy_tsd")));

164

165

volatile int __block_new_threads = 0;

166

167

static FILE *volatile dummy_file = 0;

168

weak_alias(dummy_file, __stdin_used)extern __typeof(dummy_file) __stdin_used __attribute__((weak,
alias("dummy_file")));

169

weak_alias(dummy_file, __stdout_used)extern __typeof(dummy_file) __stdout_used __attribute__((weak
, alias("dummy_file")));

170

weak_alias(dummy_file, __stderr_used)extern __typeof(dummy_file) __stderr_used __attribute__((weak
, alias("dummy_file")));

171

172

static void init_file_lock(FILE *f)

173

{

174

if (f && f->lock<0) f->lock = 0;

175

}

176

177

void *__copy_tls(unsigned char *);

178

179

int __pthread_create(pthread_t *restrict res, const pthread_attr_t *restrict attrp, void *(*entry)(void *), void *restrict arg)

180

{

181

int ret, c11 = (attrp == __ATTRP_C11_THREAD((void*)(uintptr_t)-1));

182

size_t size, guard;

'guard' declared without an initial value

→

183

struct pthread__pthread *self, *new;

184

unsigned char *map = 0, *stack = 0, *tsd = 0, *stack_limit;

185

unsigned flags = CLONE_VM0x00000100 | CLONE_FS0x00000200 | CLONE_FILES0x00000400 | CLONE_SIGHAND0x00000800

186

| CLONE_THREAD0x00010000 | CLONE_SYSVSEM0x00040000 | CLONE_SETTLS0x00080000

187

| CLONE_PARENT_SETTID0x00100000 | CLONE_CHILD_CLEARTID0x00200000 | CLONE_DETACHED0x00400000;

188

int do_sched = 0;

189

pthread_attr_t attr = {0};

190

191

if (!libc__libc.can_do_threads) return ENOSYS38;

←

Taking false branch

→

192

self = __pthread_self();

193

if (!libc__libc.threaded) {

←

Taking false branch

→

194

for (FILE *f=*__ofl_lock(); f; f=f->next)

195

init_file_lock(f);

196

__ofl_unlock();

197

init_file_lock(__stdin_used);

198

init_file_lock(__stdout_used);

199

init_file_lock(__stderr_used);

200

__syscall(SYS_rt_sigprocmask, SIG_UNBLOCK, SIGPT_SET, 0, _NSIG/8)__syscall4(14,((long) (1)),((long) (((sigset_t *)(const unsigned
long [65/8/sizeof(long)]){ [sizeof(long)==4] = 3UL<<(32
*(sizeof(long)>4)) }))),((long) (0)),((long) (65/8)));

201

self->tsd = (void **)__pthread_tsd_main;

202

libc__libc.threaded = 1;

203

}

204

if (attrp && !c11) attr = *attrp;

205

206

__acquire_ptc();

207

if (__block_new_threads) __wait(&__block_new_threads, 0, 1, 1);

←

Assuming '__block_new_threads' is 0

→

←

Taking false branch

→

208

209

if (attr._a_stackaddr__u.__s[2]) {

←

Taking true branch

→

210

size_t need = libc__libc.tls_size + __pthread_tsd_size;

211

size = attr._a_stacksize__u.__s[0] + DEFAULT_STACK_SIZE81920;

212

stack = (void *)(attr._a_stackaddr__u.__s[2] & -16);

213

stack_limit = (void *)(attr._a_stackaddr__u.__s[2] - size);

214

/* Use application-provided stack for TLS only when

215

* it does not take more than ~12% or 2k of the

216

* application's stack space. */

217

if (need < size/8 && need < 2048) {

←

Assuming 'need' is < 2048

→

←

Taking true branch

→

218

tsd = stack - __pthread_tsd_size;

219

stack = tsd - libc__libc.tls_size;

220

memset(stack, 0, need);

221

} else {

222

size = ROUND(need)(((need)+4096 -1)&-4096);

223

guard = 0;

224

}

225

} else {

226

guard = ROUND(DEFAULT_GUARD_SIZE + attr._a_guardsize)(((4096 + attr.__u.__s[1])+4096 -1)&-4096);

227

size = guard + ROUND(DEFAULT_STACK_SIZE + attr._a_stacksize(((81920 + attr.__u.__s[0] + __libc.tls_size + __pthread_tsd_size
)+4096 -1)&-4096)

228

+ libc.tls_size + __pthread_tsd_size)(((81920 + attr.__u.__s[0] + __libc.tls_size + __pthread_tsd_size
)+4096 -1)&-4096);

229

}

230

231

if (!tsd) {

←

Assuming 'tsd' is null

→

←

Taking true branch

→

232

if (guard) {

←

Branch condition evaluates to a garbage value

233

map = __mmap(0, size, PROT_NONE0, MAP_PRIVATE0x02|MAP_ANON0x20, -1, 0);

234

if (map == MAP_FAILED((void *) -1)) goto fail;

235

if (__mprotect(map+guard, size-guard, PROT_READ1|PROT_WRITE2)

236

&& errno(*__errno_location()) != ENOSYS38) {

237

__munmap(map, size);

238

goto fail;

239

}

240

} else {

241

map = __mmap(0, size, PROT_READ1|PROT_WRITE2, MAP_PRIVATE0x02|MAP_ANON0x20, -1, 0);

242

if (map == MAP_FAILED((void *) -1)) goto fail;

243

}

244

tsd = map + size - __pthread_tsd_size;

245

if (!stack) {

246

stack = tsd - libc__libc.tls_size;

247

stack_limit = map + guard;

248

}

249

}

250

251

new = __copy_tls(tsd - libc__libc.tls_size);

252

new->map_base = map;

253

new->map_size = size;

254

new->stack = stack;

255

new->stack_size = stack - stack_limit;

256

new->start = entry;

257

new->start_arg = arg;

258

new->self = new;

259

new->tsd = (void *)tsd;

260

new->locale = &libc__libc.global_locale;

261

if (attr._a_detach__u.__i[3*(sizeof(size_t)/sizeof(int))+0]) {

262

new->detached = 1;

263

flags -= CLONE_CHILD_CLEARTID0x00200000;

264

}

265

if (attr._a_sched__u.__i[3*(sizeof(size_t)/sizeof(int))+1]) {

266

do_sched = new->startlock[0] = 1;

267

__block_app_sigs(new->sigmask);

268

}

269

new->robust_list.head = &new->robust_list.head;

270

new->unblock_cancel = self->cancel;

271

new->CANARYcanary = self->CANARYcanary;

272

273

a_inc(&libc__libc.threads_minus_1);

274

ret = __clone((c11 ? start_c11 : start), stack, flags, new, &new->tid, TP_ADJ(new)(new), &new->tid);

275

276

__release_ptc();

277

278

if (do_sched) {

279

__restore_sigs(new->sigmask);

280

}

281

282

if (ret < 0) {

283

a_dec(&libc__libc.threads_minus_1);

284

if (map) __munmap(map, size);

285

return EAGAIN11;

286

}

287

288

if (do_sched) {

289

ret = __syscall(SYS_sched_setscheduler, new->tid,__syscall3(144,((long) (new->tid)),((long) (attr.__u.__i[3
*(sizeof(size_t)/sizeof(int))+2])),((long) (&attr.__u.__i
[3*(sizeof(size_t)/sizeof(int))+3])))

290

attr._a_policy, &attr._a_prio)__syscall3(144,((long) (new->tid)),((long) (attr.__u.__i[3
*(sizeof(size_t)/sizeof(int))+2])),((long) (&attr.__u.__i
[3*(sizeof(size_t)/sizeof(int))+3])));

291

a_store(new->startlock, ret<0 ? 2 : 0);

292

__wake(new->startlock, 1, 1);

293

if (ret < 0) return -ret;

294

}

295

296

*res = new;

297

return 0;

298

fail:

299

__release_ptc();

300

return EAGAIN11;

301

}

302

303

weak_alias(__pthread_exit, pthread_exit)extern __typeof(__pthread_exit) pthread_exit __attribute__((weak
, alias("__pthread_exit")));

304

weak_alias(__pthread_create, pthread_create)extern __typeof(__pthread_create) pthread_create __attribute__
((weak, alias("__pthread_create")));