<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/109742>109742</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            TSAN encountered segmentation fault at `__sanitizer::CombinedAllocatorTsan::Allocate` due to thread created by `glibc2.36 aio_write()`
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          JpengYounger
      </td>
    </tr>
</table>

<pre>
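    The internal implementation of `glibc2.36 aio_write` calls the internal interface `__pthread_create` to create a thread. TSAN is unable to intercept `__pthread_create`, so that thread presumably starts without TSAN's per-thread state and crashes on its first intercepted `malloc` (frames #3 to #7 below).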
segmentation fault call trace:
#0  0x0000000000462000 in __sanitizer::CombinedAllocatorTsan<__sanitizer::SizeClassAllocator64<__tsan::AP64>, __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__tsan::AP64> >*, unsigned long, unsigned long) () 
#1  0x000000000045effa in __tsan::user_alloc_internal(__tsan::ThreadState*, unsigned long, unsigned long, unsigned long, bool) ()
#2  0x000000000045f128 in __tsan::user_alloc(__tsan::ThreadState*, unsigned long, unsigned long) ()
#3  0x000000000041d88e in malloc ()
#4  0x00007ffff7ab61b3 in __aio_notify_only () from /lib64/libc.so.6
#5  0x00007ffff7ab623b in __aio_notify () from /lib64/libc.so.6
#6  0x00007ffff7ab579b in handle_fildes_io () from /lib64/libc.so.6
#7  0x00007ffff7aacaa4 in start_thread () from /lib64/libc.so.6
#8  0x00007ffff7b29740 in clone ()

Test case to reproduce the bug.
`#define _GNU_SOURCE
#include <aio.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>

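/* Value passed through sigev_value and expected back in callback().  */
#define MY_SIVAL 27

/* Set by callback() and polled by wait_flag().  The requests below use
   SIGEV_THREAD, so callback() runs on a thread created by the C library
   rather than in a signal handler, and this object is shared between
   threads.  `volatile sig_atomic_t` gives no inter-thread ordering, so
   those accesses would be a data race that a race detector is expected to
   report alongside the crash under investigation.  A C11 atomic object
   makes the plain loads and stores in this file sequentially consistent
   without needing any extra header.  */
_Atomic int flag;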


/* Notification function installed through sigev_notify_function.
   Publishes the sival_int carried by the notification in the global
   `flag`, where wait_flag() picks it up.  */
static void
callback (sigval_t s)
{
  const int delivered = s.sival_int;

  flag = delivered;
}

/* Poll the global `flag` once per second until the notification callback
   has stored a non-zero value, then compare it with MY_SIVAL.

   Returns 0 when the expected value arrived and 1 otherwise.  There is no
   timeout: if no notification is ever delivered this loops forever.  */
static int
wait_flag (void)
{
  for (;;)
    {
      if (flag != 0)
        break;

      puts ("Sleeping...");
      sleep (1);
    }

  if (flag == MY_SIVAL)
    return 0;

  printf ("signal handler received wrong signal, flag is %d\n", flag);
  return 1;
}


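/* Collect the final status of a request whose notification has fired.
   Returns 0 when it completed without error and wrote every requested
   byte, 1 otherwise.  `what` names the submitting call in diagnostics.  */
static int
check_completion (struct aiocb *req, const char *what)
{
  int status = aio_error (req);
  if (status != 0)
    {
      /* aio_error reports the request's error as a positive value; on its
         own failure it returns -1 with errno already set.  */
      if (status > 0)
        errno = status;
      printf ("%s request failed: %m\n", what);
      return 1;
    }

  /* aio_return must be called once per completed request before the
     control block is submitted again.  */
  ssize_t written = aio_return (req);
  if (written < 0 || (size_t) written != req->aio_nbytes)
    {
      printf ("%s wrote %zd of %zu bytes\n", what, written,
              (size_t) req->aio_nbytes);
      return 1;
    }

  return 0;
}

/* Submit the same one-buffer write twice, first with aio_write and then
   with lio_listio (LIO_NOWAIT), each time asking for SIGEV_THREAD
   notification through callback(), and wait for the notification.

   Returns 0 on success, or when the C library reports ENOSYS for
   aio_write, and 1 on any failure.  The temporary file descriptor is
   closed on every path after it has been opened.  */
static int
do_test (void)
{
  static const char buf[] = "Hello World\n";
  char name[] = "/tmp/aio5.XXXXXX";
  /* Zero-initialise both structures so that no member the test leaves
     unset reaches the C library with an indeterminate value.  */
  struct aiocb cb = { 0 };
  struct sigevent ev = { 0 };
  struct aiocb *arr[1] = { &cb };
  int result = 1;
  int fd;

  fd = mkstemp (name);
  if (fd == -1)
    {
      printf ("cannot open temp name: %m\n");
      return 1;
    }

  /* Only the open descriptor is used from here on; a failed unlink just
     leaves the temporary file behind, so report it and carry on.  */
  if (unlink (name) != 0)
    printf ("cannot unlink %s: %m\n", name);

  cb.aio_fildes = fd;
  cb.aio_lio_opcode = LIO_WRITE;
  cb.aio_reqprio = 0;
  /* aio_buf is not const-qualified; a write request only reads from it.  */
  cb.aio_buf = (void *) buf;
  cb.aio_nbytes = sizeof (buf) - 1;
  cb.aio_offset = 0;
  cb.aio_sigevent.sigev_notify = SIGEV_THREAD;
  cb.aio_sigevent.sigev_notify_function = callback;
  cb.aio_sigevent.sigev_notify_attributes = NULL;
  cb.aio_sigevent.sigev_value.sival_int = MY_SIVAL;

  /* List-level notification used by lio_listio below.  */
  ev.sigev_notify = SIGEV_THREAD;
  ev.sigev_notify_function = callback;
  ev.sigev_notify_attributes = NULL;
  ev.sigev_value.sival_int = MY_SIVAL;

  /* First use aio_write.  */
  if (aio_write (arr[0]) < 0)
    {
      if (errno == ENOSYS)
        {
          puts ("no aio support in this configuration");
          result = 0;
        }
      else
        printf ("aio_write failed: %m\n");
      goto out;
    }

  /* A zero return from aio_write only means the request was queued, so
     check the outcome once the notification has arrived.  */
  if (wait_flag () || check_completion (&cb, "aio_write"))
    goto out;

  puts ("aio_write OK");

  flag = 0;
  /* Again with lio_listio.  */
  if (lio_listio (LIO_NOWAIT, arr, 1, &ev) < 0)
    {
      printf ("lio_listio failed: %m\n");
      goto out;
    }

  if (wait_flag () || check_completion (&cb, "lio_listio"))
    goto out;

  puts ("all OK");
  result = 0;

out:
  close (fd);
  return result;
}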


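/* Run the reproducer and report its result as the process exit status, so
   that a failed run is distinguishable from a passing one.  */
int main(){
    return do_test();
}`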
</pre>