lock user-mode and semantic-bugs

1 files changed, 60 insertions, 0 deletions

diff --git a/results/classifier/user-mode-bugs/1907969 b/results/classifier/user-mode-bugs/1907969
new file mode 100644
index 000000000..c7174ff92
--- /dev/null
+++ b/results/classifier/user-mode-bugs/1907969
@@ -0,0 +1,60 @@
+
+
+linux-user/i386: Segfault when mixing threads and signals
+
+Given the following C program, qemu-i386 will surely and certainly segfault when executing it.
+The problem is only noticeable if the program is statically linked to musl's libc and, as written
+in the title, it only manifests when targeting i386.
+
+Removing the pthread calls or the second raise() makes it not segfault.
+
+The crash is in some part of the TCG-generated code, right when it tries to perform a
+%gs-relative access.
+
+If you want a quick way of cross-compiling this binary:
+
+* Download a copy of the Zig compiler from https://ziglang.org/download/
+* Compile it with
+  `zig cc -target i386-linux-musl <C-FILE> -o <OUT>`
+
+```
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <asm/prctl.h>
+#include <sys/syscall.h>
+
+void sig_func(int sig)
+{
+    write(1, "hi!\n", strlen("hi!\n"));
+}
+
+void func(void *p) { }
+
+typedef void *(*F)(void *);
+
+int main()
+{
+    pthread_t tid;
+
+    struct sigaction action;
+    action.sa_flags = 0;
+    action.sa_handler = sig_func;
+
+    if (sigaction(SIGUSR1, &action, NULL) == -1) {
+        return 1;
+    }
+
+    // This works.
+    raise(SIGUSR1);
+
+    pthread_create(&tid, NULL, (F)func, NULL);
+    pthread_join(tid, NULL);
+
+    // This makes qemu segfault.
+    raise(SIGUSR1);
+}
+```
\ No newline at end of file