#10951: [libroot] double free in DestroyThreadLocalStorageValue
---------------------------------+----------------------------
Reporter: diver | Owner: zooey
Type: bug | Status: new
Priority: normal | Milestone: R1
Component: System/libroot.so | Version: R1/Development
Resolution: | Keywords:
Blocked By: | Blocking:
Has a Patch: 0 | Platform: All
---------------------------------+----------------------------
Comment (by korli):
I have tested two fix possibilities:
* uninstall the destructor, so it won't be called a second time.
* call !__cxa_finalize() before _thread_do_exit_work()
The first one sounds better.
{{{
diff --git a/src/system/libroot/posix/pthread/pthread_key.cpp
b/src/system/libroot/posix/pthread/pthread_key.cpp
index 431a4d4481..9777205fa3 100644
--- a/src/system/libroot/posix/pthread/pthread_key.cpp
+++ b/src/system/libroot/posix/pthread/pthread_key.cpp
@@ -30,6 +30,8 @@ get_key_destructor(uint32 key, int32& sequence)
destructor = sKeyTable[key].destructor;
} while (sKeyTable[key].sequence != sequence);
+ sKeyTable[key].destructor = NULL;
+
return destructor;
}
}}}
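Review bot: the added `sKeyTable[key].destructor = NULL;` after the retry loop writes to a table that is indexed by key alone, so the first caller clears the destructor for every later caller of the same key. If that table is shared across threads, the next thread to exit gets NULL back and its value for this key is never destroyed, which trades the double free for a leak. The store also sits outside the `sequence` check that the read just above it relies on, so it can clear a destructor belonging to a newer use of the same slot. Consider keeping the getter free of side effects and clearing the per-thread value in the caller before invoking the destructor instead.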
and
{{{
diff --git a/src/system/libroot/posix/stdlib/exit.cpp
b/src/system/libroot/posix/stdlib/exit.cpp
index 2bc67821e7..31a88fd5b3 100644
--- a/src/system/libroot/posix/stdlib/exit.cpp
+++ b/src/system/libroot/posix/stdlib/exit.cpp
@@ -310,12 +310,12 @@ atexit(void (*func)(void))
void
exit(int status)
{
- // BeOS on exit notification for the main thread
- _thread_do_exit_work();
-
// unwind the exit stack, calling the registered functions
__cxa_finalize(NULL);
+ // BeOS on exit notification for the main thread
+ _thread_do_exit_work();
+
// close all open files
_IO_cleanup();
}}}
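Review bot: with `__cxa_finalize(NULL)` moved ahead of `_thread_do_exit_work()`, the order of these two calls in exit() is what prevents the second destructor run, yet neither comment says so, and a later cleanup could swap them back. Add a comment stating the ordering constraint and the ticket it comes from. Also check that nothing run from `_thread_do_exit_work()` depends on state that the registered exit functions have already torn down, since those now run first.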
--
Ticket URL: <https://dev.haiku-os.org/ticket/10951#comment:6>
Haiku <https://dev.haiku-os.org>
The Haiku operating system.