Bug 80816 - thread_local destructor on windows cause use-after-free
Summary: thread_local destructor on windows cause use-after-free
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: libstdc++ (show other bugs)
Version: 6.3.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-18 14:57 UTC by Ennio Barbaro
Modified: 2025-10-28 17:16 UTC (History)
3 users (show)

See Also:
Host:
Target: mingw
Build:
Known to work:
Known to fail:
Last reconfirmed:

Attachments
self contained example (185 bytes, text/x-csrc)
2017-05-18 14:57 UTC, Ennio Barbaro 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ennio Barbaro 2017-05-18 14:57:18 UTC 
Created attachment 41382 [details]
self contained example

Use of C++11 thread_local on mingw64 seems to suffer a use-after-free when the thread_local object is destroyed.

The attached code prints "~foo():5" when executed normally. But if it is run through gdb it prints "~foo():feeefeee".

"feeefeee" seems to be magic number used by the windows CRT debug HeapFree() to mark deallocated blocks. It seems that the dynamic memory used to store the thread_local object is free'd before the thread_local destructor is called.


gcc --version

gcc.exe (Rev3, Built by MSYS2 project) 6.3.0
Comment 1 Konstantin Kompan 2025-10-28 17:16:26 UTC 
Can confirm for gcc 15.1.0, MSYS2.

Exiting a thread with static thread_local std::string variable seems to be randomly causing program termination in about half of cases. Backtrace shows that it's caused by destructing the string, which has __p = 0xfeeefeeefeeefeee, which means that this memory has been freed already.