Real-time Sanitizer causes pthread_cond_signal to segfault when a thread is doing a timed wait on a condition variable

[adrew0809]

A simple std::condition_variable usage leads to segfault when building with clang 20, -fsanitizer=realtime.
Nothing is annotated as non-blocking.

#include <condition_variable>
#include <future>
#include <mutex>
#include <thread>

int main() {
  std::mutex mut;
  std::condition_variable cv;
  bool go{false};

  const auto fut = std::async(std::launch::async, [&] {
    std::this_thread::sleep_for(std::chrono::milliseconds(100));
    {
      std::unique_lock<std::mutex> lock(mut);
      go = true;
    }
    cv.notify_one();
  });

  std::unique_lock<std::mutex> lock(mut);
  // normal wait is fine
  // cv.wait(lock, [&] { return go; });
  // but timed wait segfaults
  cv.wait_for(lock, std::chrono::milliseconds(200), [&] { return go; });
}

(gdb) r
Starting program: /app/iplatform/rsan_bug_build/rsan_bug 
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f05071ff640 (LWP 254606)]

Thread 2 "rsan_bug" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f05071ff640 (LWP 254606)]
0x00007f0507c85233 in pthread_cond_signal () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f0507c85233 in pthread_cond_signal () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x000058e1f2851b92 in main::$_0::operator()() const ()

If the condition_variable is not yet waited on, there is no segfault. If it is not a timed wait, there is no segfault.

CMakeLists.txt

[cjappl]

Thanks for the report @adrew0809 , checking it out.

[cjappl]

So far, I'm unable to reproduce. Can you provide more details on your setup? Or provide a docker container that is exhibiting the issue?

I'm trying from within an Ubuntu docker container with a freshly built tip-of-tree clang++. This is a modified version of your script that only adds prints:

#include <condition_variable>
#include <future>
#include <mutex>
#include <thread>

#include <iostream>

int main() {
  std::cout << "Entry to main!" << std::endl;
  std::mutex mut;
  std::condition_variable cv;
  bool go{false};

  const auto fut = std::async(std::launch::async, [&] {
    std::this_thread::sleep_for(std::chrono::milliseconds(100));
    {
      std::unique_lock<std::mutex> lock(mut);
      go = true;
    }
    cv.notify_one();
  });

  std::unique_lock<std::mutex> lock(mut);
  // normal wait is fine
  // cv.wait(lock, [&] { return go; });
  // but timed wait segfaults
  cv.wait_for(lock, std::chrono::milliseconds(200), [&] { return go; });

  std::cout << "Exit from main!" << std::endl;
}

When I compile (just from the command line, to simplify away from cmake):

> ../build_debug_ubuntu/bin/clang++ main.cpp -fsanitize=realtime
> ./a.out
Entry to main!
Exit from main!

[adrew0809]

# uname -a
Linux WLLNXPW08MARM 6.8.0-60-generic #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
# clang++-20 --version
Ubuntu clang version 20.1.6 (++20250517123235+5befd1fb3c97-1~exp1~20250517003357.117)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-20/bin

Let me see if I can reproduce outside of this specific setup. It may be something weird in our environment.

[adrew0809]

Another data point. I see the same behavior (segfault) on compiler explorer: https://godbolt.org/z/GbnqPxfY6

[cjappl]

Great info.

I am wondering if this has to do with x86 somehow? The computers I am testing with are all arm.

If you run this program that experiences the SIGSEGV with a debugger attached, can you print the stack trace for me here? Trying to figure out where in our code it's dying.

For future records, your godbolt link ALSO crashes on clang trunk, so it isn't magically fixed in llvm 21 (yet)