You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I maintain the z3 package for the Fedora Linux distribution. Recently a user reported a segfault. A build with -fsanitize=thread revealed a data race. Two threads are executing parallel_tactic::report_sat. One thread holds m_mutex and is incrementing the reference count of an AST. The other thread does not hold m_mutex and is decrementing the reference count of the same AST. In some cases, this leads to a segfault down the road when a bad array access is attempted. See the linked bug report for details. This commit forces the thread that decrements the reference count to hold m_mutex so that the reference count manipulations are properly synchronized. With this change, the segfault is no longer reproducible.
Thanks a lot for pro-actively checking this out. The bug should have been filed against z3.
I need to look closer into this: the fix is at best a patch and doesn't seem to address the root cause. At first look it seems the parallel solver uses a main solver state that runs in parallel with other solvers. Other solvers copy into that main state under a lock, but the main solver performs other operations that are not protected.
This is a first look and typically such hypotheses are wrong, so I need to check this.
I pushed a fix: the root cause was along the lines I outlined above.
It was abusing shared state that was used by a designated thread. The shared state should have been treated symmetrically and under serialization.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I maintain the z3 package for the Fedora Linux distribution. Recently a user reported a segfault. A build with
-fsanitize=threadrevealed a data race. Two threads are executingparallel_tactic::report_sat. One thread holdsm_mutexand is incrementing the reference count of an AST. The other thread does not holdm_mutexand is decrementing the reference count of the same AST. In some cases, this leads to a segfault down the road when a bad array access is attempted. See the linked bug report for details. This commit forces the thread that decrements the reference count to holdm_mutexso that the reference count manipulations are properly synchronized. With this change, the segfault is no longer reproducible.