#588004 libc6: abort segfaults under race condition with bsd_signal

Package:
libc6
Source:
glibc
Description:
GNU C Library: Shared libraries
Submitter:
"brian m. carlson"
Date:
2010-07-03 20:36:04 UTC
Severity:
normal
#588004#5
Date:
2010-07-03 20:34:01 UTC
In the attached source code, there is a race condition between
bsd_signal and abort.  In most instances when the program is run, abort
successfully terminates the program with a SIGABRT.  However, on a very
rare occasion, the program instead terminates with a SIGSEGV.  This
should not happen, as it contradicts both POSIX 1003.1-2008 and also the
abort(3) man page.

Since this condition is very hard to reproduce, I ran it as follows:

  for i in `seq 1 100000`; do (ulimit -c unlimited; ./testcase; if [ $? -eq 139 ]; then cp core core.segv; fi); done

"gdb ./testcase core.segv" then gives the following:

  (gdb) bt full
  #0  *__GI_abort () at abort.c:128
          act = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {18446744073709551615 <repeats 16 times>}},
            sa_flags = 0, sa_restorer = 0}
          sigs = {__val = {32, 0 <repeats 15 times>}}
  #1  0x000000000040067a in main () at testcase.c:23
          thrd = 140157473478416
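The testcase.c attached to the report is not reproduced on this page. What follows is an added example, written for this page and not the reporter's attachment, reconstructing the shape of the race the report describes: one thread keeps changing the SIGABRT disposition with bsd_signal() while the main thread calls abort(). Each trial runs in a forked child so the parent can tally the terminating signal directly instead of checking for exit status 139 in a shell loop. The names run_trial, run_trials, flip_disposition, trial_counts and noop_handler are this example's own, and alternating the disposition between a no-op handler and SIG_DFL is an assumption about what the attachment did; the report only says bsd_signal and abort race.

```c
#define _XOPEN_SOURCE 500   /* declares bsd_signal() on glibc, old and new */
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Tally of how the forked children terminated (names are this example's own). */
typedef struct {
    int sigabrt;   /* child died with SIGABRT: the behaviour POSIX requires */
    int sigsegv;   /* child died with SIGSEGV: the misbehaviour the report describes */
    int other;     /* fork/wait failure, or the child did not die by signal at all */
} trial_counts;

static void noop_handler(int sig)
{
    (void)sig;   /* returning from the handler forces abort() into its reset-and-raise stage */
}

/* Racing thread (assumption about the attachment): flip the SIGABRT
 * disposition with bsd_signal() for as long as the process lives. */
static void *flip_disposition(void *arg)
{
    (void)arg;
    for (;;) {
        bsd_signal(SIGABRT, noop_handler);
        bsd_signal(SIGABRT, SIG_DFL);
    }
    return NULL;
}

/* One trial in a forked child: start the racing thread, then abort().
 * Returns the signal that killed the child, or -1 on any other outcome. */
int run_trial(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);   /* keep trials fast; raise it to keep cores */

        pthread_t thrd;
        if (pthread_create(&thrd, NULL, flip_disposition, NULL) != 0)
            _exit(127);

        abort();
        _exit(126);   /* not reached: abort() must never return */
    }

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
}

/* Run n trials and count the terminating signal of each child. */
trial_counts run_trials(int n)
{
    trial_counts c = { 0, 0, 0 };
    for (int i = 0; i < n; i++) {
        int sig = run_trial();
        if (sig == SIGABRT)
            c.sigabrt++;
        else if (sig == SIGSEGV)
            c.sigsegv++;
        else
            c.other++;
    }
    return c;
}

int main(int argc, char **argv)
{
    int n = argc > 1 ? atoi(argv[1]) : 10000;
    trial_counts c = run_trials(n);
    printf("trials=%d SIGABRT=%d SIGSEGV=%d other=%d\n",
           n, c.sigabrt, c.sigsegv, c.other);
    return c.sigsegv ? 1 : 0;   /* non-zero if the race ever produced a SIGSEGV */
}
```

Run it as `./race_abort 100000` to mirror the reporter's loop. Every trial must end in a signal, since abort() is not allowed to return; on a glibc with the behaviour described above a non-zero SIGSEGV count reproduces the report, and on a glibc without it every trial should be counted under SIGABRT. Remove the RLIMIT_CORE line (or run under `ulimit -c unlimited`) if a core file of a SIGSEGV child is wanted for gdb.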