Opened 7 years ago

Closed 7 years ago

#5590 closed defect (fixed)

CPLSetThreadLocalConfigOption causes crash upon thread termination in 32bit

Reported by: cleo
Owned by: warmerdam
Priority: normal
Milestone: 1.11.1
Component: default
Version: 1.10.1
Severity: critical
Keywords: (none)

Description (last modified by cleo)

In 32-bit mode, when compiling with STDCALL=YES in nmake.opt, the CPLSetThreadLocalConfigOption() function in port/cpl_conv.cpp sets a deletion callback with CPLSetTLSWithFreeFunc() by passing in a pointer to CSLDestroy. CSLDestroy was changed to STDCALL in 2005, but CPLSetTLSWithFreeFunc() only takes callbacks that are non-STDCALL. So when this callback is run, the stack is out of sync by 4 bytes because the callee removes the argument and so does the caller (resulting in one too many removals of the argument from the stack), and the thread promptly crashes upon return since the return address used is bogus.

This bug has caused us a significant amount of headaches and appears to have been there for quite a while.

I can provide a patch if need be, but basically, the fix is simply to call CPLSetTLSWithFreeFunc() with a non-stdcall wrapper function for CSLDestroy().

Someone familiar with this code should audit those callbacks. In 64-bit, there is only one calling convention, so there were no problems there.
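The mismatch described above, as an added example that is not GDAL's own code: a small stand-in for the TLS slot table and for CSLDestroy, with CPL_STDCALL expanding to __stdcall only on 32-bit MSVC (the same idea as GDAL's cpl_port.h macro), and the cdecl wrapper that the ticket proposes as the fix. The wrapper name CPLSetThreadLocalTLSFreeFunc, the slot-table implementation and the sample config strings are assumptions made for this example, not taken from the fix in r27549. On 32-bit stdcall builds the bad registration would need a cast such as `(CPLTLSFreeFunc)CSLDestroy`, and that cast is precisely what hides the calling-convention mismatch from the compiler; with the wrapper, the compiler emits the correct stdcall call sequence for the inner call and the TLS layer only ever sees a cdecl pointer.

```c
/* Added example (not GDAL's code): stdcall callback registered as a cdecl
 * callback on 32-bit x86, and the wrapper fix proposed in ticket #5590.
 * Names mirror the ticket; bodies are a stand-in for GDAL's real code. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* STDCALL only means something on 32-bit Windows builds; elsewhere the
 * macro is empty and every call is cdecl, so the bug cannot manifest. */
#if defined(_MSC_VER) && !defined(_WIN64)
#  define CPL_STDCALL __stdcall
#else
#  define CPL_STDCALL
#endif

/* Callback type the TLS layer expects: plain C (cdecl) calling convention. */
typedef void (*CPLTLSFreeFunc)(void *pData);

/* Stand-in for CSLDestroy: frees a NULL-terminated string list.
 * Declared CPL_STDCALL, as GDAL's CSLDestroy is when STDCALL=YES. */
static int g_nDestroyCalls = 0;
void CPL_STDCALL CSLDestroy(char **papszStrList)
{
    char **p;
    if (papszStrList == NULL) return;
    for (p = papszStrList; *p != NULL; p++) free(*p);
    free(papszStrList);
    g_nDestroyCalls++;
}

/* The fix: a cdecl wrapper with exactly the CPLTLSFreeFunc signature.
 * (Assumed name.) The inner call is a normal stdcall call, so the callee
 * pops its own argument and the caller does not. */
static void CPLSetThreadLocalTLSFreeFunc(void *pData)
{
    CSLDestroy((char **)pData);
}

/* Minimal slot table standing in for GDAL's per-thread TLS storage
 * (assumption: one global table is enough to show the callback mechanics). */
#define CTLS_MAX 8
static void *g_apSlotData[CTLS_MAX];
static CPLTLSFreeFunc g_apfnSlotFree[CTLS_MAX];

void CPLSetTLSWithFreeFunc(int nIndex, void *pData, CPLTLSFreeFunc pfnFree)
{
    g_apSlotData[nIndex] = pData;
    g_apfnSlotFree[nIndex] = pfnFree;
}

/* What the TLS layer does at thread exit: invoke each slot's free function
 * through the cdecl pointer. Had the slot been registered with
 * (CPLTLSFreeFunc)CSLDestroy on a 32-bit stdcall build, this call site would
 * add 4 to ESP after a callee that already did "ret 4": double pop, bogus
 * return address, crash. Returns the number of slots freed. */
int CPLCleanupTLS(void)
{
    int i, nFreed = 0;
    for (i = 0; i < CTLS_MAX; i++) {
        if (g_apSlotData[i] != NULL && g_apfnSlotFree[i] != NULL) {
            g_apfnSlotFree[i](g_apSlotData[i]);
            nFreed++;
        }
        g_apSlotData[i] = NULL;
        g_apfnSlotFree[i] = NULL;
    }
    return nFreed;
}

/* Constructed sample: the kind of NAME=VALUE list the config-option slot holds. */
char **BuildSampleConfigList(void)
{
    char **papsz = (char **)calloc(3, sizeof(char *));
    papsz[0] = strdup("GDAL_CACHEMAX=64");
    papsz[1] = strdup("CPL_DEBUG=ON");
    papsz[2] = NULL;
    return papsz;
}

/* Registers the list through the wrapper, simulates thread exit, and returns
 * how many times CSLDestroy ran (expected: exactly once). */
int DemoFixedRegistration(void)
{
    int nBefore = g_nDestroyCalls;
    CPLSetTLSWithFreeFunc(0, BuildSampleConfigList(), CPLSetThreadLocalTLSFreeFunc);
    CPLCleanupTLS();
    return g_nDestroyCalls - nBefore;
}

int main(void)
{
    return DemoFixedRegistration() == 1 ? 0 : 1;
}
```

On a 64-bit build the example runs identically with or without the wrapper because CPL_STDCALL is empty; the wrapper is cheap insurance that keeps the registration correct for every target, which is why passing a wrapper rather than a cast is the right audit rule for every CPLSetTLSWithFreeFunc() call site.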

Change History (3)

comment:1 Changed 7 years ago by cleo

correction: I meant to say both the caller and *callee* attempt to remove the same argument from the stack.

comment:2 Changed 7 years ago by cleo

Description: modified (diff)
Severity: normal → critical
Version: unspecified → 1.10.1

comment:3 Changed 7 years ago by Even Rouault

Milestone: 1.11.1
Resolution: fixed
Status: new → closed

Fixed in trunk (r27549) and branches/1.11 (r27550)
