[cfe-dev] libc++: Race condition in facets initialization?
Andrew Parker
andrew.j.c.parker at gmail.com
Wed Jul 8 02:26:57 PDT 2015
I'm currently porting libc++ to work with MSVC. I'm seeing a crash when I
call the insertion operator on std::err. I've traced the problem down to
static initialization order of the static locale::id member of
the ctype<char> facet.
I've looked over the code several times and am convinced that there's a
genuine issue here. It's entirely possible that the changes I've made for
MSVC (or just the use of MSVC itself) may be causing unexpected problems.
Hence the need for a second opinion.
Here's a rough overview of the chain of events:
- static constructors for my binary are called.
- ios_base::Init::Init() called to initialize std::cout, std::cerr etc..
- const locale& locale::__imp::make_classic() called during initialization
of first basic_streambuf.
- Enter locale::__imp::__imp(size_t refs) to start constructing and
installing facets into the locale.
The cause of my particular crash is when we install ctype<char>, i.e.
install(&make<_VSTD::ctype<char> >(nullptr, false, 1u));
The install member of locale::__imp looks like:
template <class F> void install(F* f) {install(f, f->id.__get());}
The thing to note here is that the id member of *f is actually a static
member of ctype<char> (the template param F is resolving to ctype<char>
here). The call to get() looks at the once flag member of ctype<char>::id,
which is zero as the id variable is static an zero initialized. This means
the member __id_ of id is set to the next available id (__next_id) and
installed at that index in the locale.
Things go wrong later when the static ctr for locale::id ctype<char>::id is
called. This effectively zero initializes the id again. Later on when
use_facet is called (during my call to the std::cerr insertion operator)
the id gets set again (to __next_id). This index is invalid and causes a
crash when looked up in the locale.
It seems to me that this issue would affect all of the static id members of
the various facets. Any thoughts anyone? How could this have never been
seen before? Is it possible GCC/clang somehow skirt around this bug?
I want to be sure it's not me stuffing things up before I start writing
patches.
Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20150708/7cd33472/attachment.html>
More information about the cfe-dev
mailing list