Deadlock (fork + malloc) libc (glibc-2.17, glibc-2.23)

Question

Im running into a pretty annoying problem : I have a program which creates one thread at the start, this thread will launch other stuff during its execution (fork() immediatly followed by execve()).

Here is the bt of both threads at the point where my program reached (I think) the deadlock :

Thread 2 (LWP 8839):

#0 0x00007ffff6cdf736 in __libc_fork () at ../sysdeps/nptl/fork.c:125

#1 0x00007ffff6c8f8c0 in _IO_new_proc_open (fp=fp@entry=0x7ffff00031d0, command=command@entry=0x7ffff6c26e20 "ps -u brejon | grep \"cvc\"

#2 0x00007ffff6c8fbcc in _IO_new_popen (command=0x7ffff6c26e20 "ps -u user | grep \"cvc\" | wc -l", mode=0x42c7fd "r") at iopopen.c:296

#3-4 ...

#5 0x00007ffff74d9434 in start_thread (arg=0x7ffff6c27700) at pthread_create.c:333

#6 0x00007ffff6d0fcfd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 1 (LWP 8835):

#0 __lll_lock_wait_private () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95

#1 0x00007ffff6ca0ad9 in malloc_atfork (sz=140737337120848, caller=) at arena.c:179

#2 0x00007ffff6c8d875 in __GI__IO_file_doallocate (fp=0x17a72230) at filedoalloc.c:127

#3 0x00007ffff6c9a964 in __GI__IO_doallocbuf (fp=fp@entry=0x17a72230) at genops.c:398

#4 0x00007ffff6c99de8 in _IO_new_file_overflow (f=0x17a72230, ch=-1) at fileops.c:820

#5 0x00007ffff6c98f8a in _IO_new_file_xsputn (f=0x17a72230, data=0x17a16420, n=682) at fileops.c:1331

#6 0x00007ffff6c6fcb2 in _IO_vfprintf_internal (s=0x17a72230, format=, ap=ap@entry=0x7fffffffcf18) at vfprintf.c:1632

#7 0x00007ffff6c76a97 in __fprintf (stream=, format=) at fprintf.c:32

#8-11 ...

#12 0x000000000042706e in main (argc=3, argv=0x7fffffffd698, envp=0x7fffffffd6b8) at mains/ignore/.c:146

Both stays stuck here forever with both glibc-2.17 and glibc-2.23

Any help is welcomed :'D

EDIT :

Here is a minimal example :

  1 #include <stdlib.h>
  2 #include <pthread.h>
  3 #include <unistd.h>
  4 
  5 void * thread_handler(void * args)
  6 {
  7         char * argv[] = { "/usr/bin/ls" };
  8         char * newargv[] = { "/usr/bin/ls", NULL };
  9         char * newenviron[] = { NULL };
 10         while (1) {
 11                 if (vfork() == 0) {
 12                         execve(argv[0], newargv, newenviron);
 13                 }
 14         }
 15 
 16         return 0;
 17 }
 18 
 19 int main(void)
 20 {
 21         pthread_t thread;
 22         pthread_create(&thread, NULL, thread_handler, NULL);
 23 
 24         int * dummy_alloc;
 25 
 26         while (1) {
 27                 dummy_alloc = malloc(sizeof(int));
 28                 free(dummy_alloc);
 29         }
 30 
 31         return 0;
 32 }

Environment : user:deadlock$ cat /etc/redhat-release

Scientific Linux release 7.3 (Nitrogen)

user:deadlock$ ldd --version

ldd (GNU libc) 2.17

EDIT 2 : The rpm package version is : glibc-2.17-196.el7.x86_64

I can not get the line numbers using the rpm package. Here is the BT using the glibc given with the distribution : solved with debuginfo.

(gdb) thread apply all bt

Thread 2 (Thread 0x7ffff77fb700 (LWP 59753)):

#0 vfork () at ../sysdeps/unix/sysv/linux/x86_64/vfork.S:44

#1 0x000000000040074e in thread_handler (args=0x0) at deadlock.c:11

#2 0x00007ffff7bc6e25 in start_thread (arg=0x7ffff77fb700) at pthread_create.c:308

#3 0x00007ffff78f434d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 1 (Thread 0x7ffff7fba740 (LWP 59746)):

#0 0x00007ffff7878226 in _int_free (av=0x7ffff7bb8760 , p=0x602240, have_lock=0) at malloc.c:3927

#1 0x00000000004007aa in main () at deadlock.c:28

Answer 1

This is a custom-compiled glibc. It is possible that something went wrong with the installation. Note that Red Hat Enterprise Linux 7.4 backports a fix for a deadlock between malloc and fork, and you are missing that because you compiled your own glibc. The fix for the upstream bug went only into upstream version 2.24, so if you are basing your custom build on that, you may not have this fix. (Although the backtrace would look differently for that one.)

I think we fixed at least another post-2.17 libio-related deadlock bug.

EDIT I have been dealing with fork-related deadlocks for too long. There are multiple issues with the reproducer as posted:

• There is no waitpid call for the PID. As a result, the process table will be quickly filled with zombies.
• No error checking for execve. If the /usr/bin/ls pathname does not exist (for example, on a system which did not undergo UsrMove), execve will return, and the next iteration of the loop will launch another vfork call.

I fixed both issues (because debugging what is approaching a fork bomb is not fun at all), but I can't reproduce a hang with glibc-2.17-196.el7.x86_64.