1*f7c5c0d8SMitch Phillips // RUN: %clang_scudo %s -O2 -o %t
2*f7c5c0d8SMitch Phillips // RUN: %env_scudo_opts="QuarantineChunksUpToSize=0" %run %t 2>&1
3*f7c5c0d8SMitch Phillips
4*f7c5c0d8SMitch Phillips // This test attempts to reproduce a race condition in the deallocation path
5*f7c5c0d8SMitch Phillips // when bypassing the Quarantine. The old behavior was to zero-out the chunk
6*f7c5c0d8SMitch Phillips // header after checking its checksum, state & various other things, but that
7*f7c5c0d8SMitch Phillips // left a window during which 2 (or more) threads could deallocate the same
8*f7c5c0d8SMitch Phillips // chunk, with a net result of having said chunk present in those distinct
9*f7c5c0d8SMitch Phillips // thread caches.
10*f7c5c0d8SMitch Phillips
11*f7c5c0d8SMitch Phillips // A passing test means all the children died with an error. The failing
12*f7c5c0d8SMitch Phillips // scenario involves winning a race, so repro can be scarce.
13*f7c5c0d8SMitch Phillips
14*f7c5c0d8SMitch Phillips #include <pthread.h>
15*f7c5c0d8SMitch Phillips #include <stdlib.h>
16*f7c5c0d8SMitch Phillips #include <sys/types.h>
17*f7c5c0d8SMitch Phillips #include <sys/wait.h>
18*f7c5c0d8SMitch Phillips #include <unistd.h>
19*f7c5c0d8SMitch Phillips
20*f7c5c0d8SMitch Phillips const int kNumThreads = 2;
21*f7c5c0d8SMitch Phillips pthread_t tid[kNumThreads];
22*f7c5c0d8SMitch Phillips
23*f7c5c0d8SMitch Phillips pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
24*f7c5c0d8SMitch Phillips pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
25*f7c5c0d8SMitch Phillips char go = 0;
26*f7c5c0d8SMitch Phillips
27*f7c5c0d8SMitch Phillips // Frees the pointer passed when signaled to.
thread_free(void * p)28*f7c5c0d8SMitch Phillips void *thread_free(void *p) {
29*f7c5c0d8SMitch Phillips pthread_mutex_lock(&mutex);
30*f7c5c0d8SMitch Phillips while (!go)
31*f7c5c0d8SMitch Phillips pthread_cond_wait(&cond, &mutex);
32*f7c5c0d8SMitch Phillips pthread_mutex_unlock(&mutex);
33*f7c5c0d8SMitch Phillips free(p);
34*f7c5c0d8SMitch Phillips return 0;
35*f7c5c0d8SMitch Phillips }
36*f7c5c0d8SMitch Phillips
37*f7c5c0d8SMitch Phillips // Allocates a chunk, and attempts to free it "simultaneously" by 2 threads.
child(void)38*f7c5c0d8SMitch Phillips void child(void) {
39*f7c5c0d8SMitch Phillips void *p = malloc(16);
40*f7c5c0d8SMitch Phillips for (int i = 0; i < kNumThreads; i++)
41*f7c5c0d8SMitch Phillips pthread_create(&tid[i], 0, thread_free, p);
42*f7c5c0d8SMitch Phillips pthread_mutex_lock(&mutex);
43*f7c5c0d8SMitch Phillips go = 1;
44*f7c5c0d8SMitch Phillips pthread_cond_broadcast(&cond);
45*f7c5c0d8SMitch Phillips pthread_mutex_unlock(&mutex);
46*f7c5c0d8SMitch Phillips for (int i = 0; i < kNumThreads; i++)
47*f7c5c0d8SMitch Phillips pthread_join(tid[i], 0);
48*f7c5c0d8SMitch Phillips }
49*f7c5c0d8SMitch Phillips
main(int argc,char ** argv)50*f7c5c0d8SMitch Phillips int main(int argc, char **argv) {
51*f7c5c0d8SMitch Phillips const int kChildren = 40;
52*f7c5c0d8SMitch Phillips pid_t pid;
53*f7c5c0d8SMitch Phillips for (int i = 0; i < kChildren; ++i) {
54*f7c5c0d8SMitch Phillips pid = fork();
55*f7c5c0d8SMitch Phillips if (pid < 0) {
56*f7c5c0d8SMitch Phillips exit(1);
57*f7c5c0d8SMitch Phillips } else if (pid == 0) {
58*f7c5c0d8SMitch Phillips child();
59*f7c5c0d8SMitch Phillips exit(0);
60*f7c5c0d8SMitch Phillips } else {
61*f7c5c0d8SMitch Phillips int status;
62*f7c5c0d8SMitch Phillips wait(&status);
63*f7c5c0d8SMitch Phillips // A 0 status means the child didn't die with an error. The race was won.
64*f7c5c0d8SMitch Phillips if (status == 0)
65*f7c5c0d8SMitch Phillips exit(1);
66*f7c5c0d8SMitch Phillips }
67*f7c5c0d8SMitch Phillips }
68*f7c5c0d8SMitch Phillips return 0;
69*f7c5c0d8SMitch Phillips }
70