Fix FreeBSD segfault by unlocking mutex before destruction

Root cause: FreeBSD's robust mutex implementation (libthr) maintains a per-thread
robust list of mutexes. The error 'rb error 14' (EFAULT - Bad address) indicates
that the robust list contained a dangling pointer to a destroyed mutex.

When a mutex object is destroyed (via close() or clear()), if the mutex is still
in the current thread's robust list, FreeBSD's libthr may try to access it later
and encounter an invalid pointer, causing a segmentation fault.

This happened in MutexTest.TryLockExceptionSafety because:
1. The test called try_lock() which successfully acquired the lock
2. The test ended without calling unlock()
3. The mutex destructor called close()
4. close() called pthread_mutex_destroy() on a mutex that was:
   - Still locked by the current thread, OR
   - Still in the thread's robust list

Solution:
Call pthread_mutex_unlock() before pthread_mutex_destroy() in both close()
and clear() methods. This ensures:
1. The mutex is unlocked if we hold the lock
2. The mutex is removed from the thread's robust list
3. Subsequent pthread_mutex_destroy() is safe

We ignore errors from pthread_mutex_unlock() because:
- If we don't hold the lock, EPERM is expected and harmless
- If the mutex is already unlocked, this is a no-op
- Even if there's an error, we still want to proceed with cleanup

This fix is platform-agnostic and should not affect Linux/QNX behavior,
as both also use pthread robust mutexes with similar semantics.

Fixes the segfault in MutexTest.TryLockExceptionSafety on FreeBSD 15.

Author: mutouyun

FREEBSD_SEGFAULT_ANALYSIS.md

@@ -0,0 +1,200 @@
+# FreeBSD Segmentation Fault Analysis
+
+## Problem Description
+The test `MutexTest.TryLockExceptionSafety` crashes with a segmentation fault on FreeBSD 15 with GCC 13.3.
+
+### Error Message
+```
+pid 2326 (test-ipc), jid 0, uid 0: exited on signal 11 (core dumped)
+core-test-ipc.pid-2326: handling rb error 14
+Segmentation fault (core dumped)
+```
+
+Key observations:
+- Signal 11 = SIGSEGV (Segmentation Fault)
+- `rb error 14` = likely "robust list error 14", where 14 = `EFAULT` (Bad address)
+- This suggests a problem with robust mutex list management in FreeBSD's libthr
+
+## Hypotheses
+
+### Hypothesis 1: Invalid Pointer in `pthread_mutex_timedlock`
+The `mutex_` pointer passed to `pthread_mutex_timedlock()` might be invalid or point to freed memory.
+
+**Why this could happen:**
+- The shared memory region might not be properly initialized
+- The `shm_->get()` might return an invalid pointer
+- There could be a race condition in `acquire_mutex()`
+
+### Hypothesis 2: Robust Mutex List Corruption
+FreeBSD's robust mutex implementation maintains a per-thread list of robust mutexes. The error `rb error 14 (EFAULT)` suggests that this list might be corrupted.
+
+**Why this could happen:**
+- After our previous fix removing `shm_->sub_ref()`, the robust list might not be properly maintained
+- There might be a dangling pointer in the robust list
+- The mutex might have been destroyed while still in the robust list
+
+### Hypothesis 3: `valid()` Check Failure
+The `valid()` method uses `std::memcmp()` to compare the mutex against a zero-initialized mutex. On FreeBSD, if the mutex contains internal pointers, this comparison might access invalid memory.
+
+### Hypothesis 4: Shared Memory Mapping Issue
+The shared memory region might not be properly mapped in all processes/threads, causing the mutex pointer to be invalid in some contexts.
+
+## Debugging Strategy
+
+### Step 1: Add Diagnostic Output
+Modify `try_lock()` to add detailed logging:
+
+```cpp
+bool try_lock() noexcept(false) {
+    ipc::error("[DEBUG] try_lock() called\n");
+    ipc::error("[DEBUG] valid() = %d, shm_ = %p, ref_ = %p, mutex_ = %p\n",
+               valid(), shm_, ref_, mutex_);
+    
+    if (!valid()) {
+        ipc::error("[DEBUG] try_lock() returning false (not valid)\n");
+        return false;
+    }
+    
+    ipc::error("[DEBUG] Calling make_timespec(0)\n");
+    auto ts = posix_::detail::make_timespec(0);
+    ipc::error("[DEBUG] ts.tv_sec = %ld, ts.tv_nsec = %ld\n", ts.tv_sec, ts.tv_nsec);
+    
+    ipc::error("[DEBUG] Calling pthread_mutex_timedlock()\n");
+    int eno = ::pthread_mutex_timedlock(mutex_, &ts);
+    ipc::error("[DEBUG] pthread_mutex_timedlock returned %d\n", eno);
+    
+    // ... rest of the function
+}
+```
+
+### Step 2: Verify Mutex Initialization
+Check if the mutex is properly initialized before use:
+
+```cpp
+bool open(char const *name) noexcept {
+    close();
+    if ((mutex_ = acquire_mutex(name)) == nullptr) {
+        ipc::error("[DEBUG] acquire_mutex returned nullptr\n");
+        return false;
+    }
+    ipc::error("[DEBUG] acquire_mutex returned %p\n", mutex_);
+    ipc::error("[DEBUG] shm_ = %p, ref_ = %p\n", shm_, ref_);
+    
+    auto self_ref = ref_->fetch_add(1, std::memory_order_relaxed);
+    ipc::error("[DEBUG] self_ref = %d, shm_->ref() = %d\n", self_ref, shm_->ref());
+    
+    if (shm_->ref() > 1 || self_ref > 0) {
+        ipc::error("[DEBUG] Mutex already initialized, returning\n");
+        return valid();
+    }
+    
+    // ... rest of initialization
+}
+```
+
+### Step 3: Check for Robust List Issues
+The `rb error 14` suggests that FreeBSD's robust mutex list might be corrupted. This could be caused by:
+
+1. **Improper destruction**: A robust mutex should not be destroyed while it's still locked or while it's in a thread's robust list.
+2. **Dangling pointers**: After destroying a mutex, its address might still be in the robust list.
+
+**Potential fix**: Ensure that mutexes are unlocked before being destroyed:
+
+```cpp
+~mutex() {
+    // Ensure the mutex is unlocked before destruction
+    if (valid()) {
+        try {
+            unlock();  // Try to unlock if we hold the lock
+        } catch (...) {
+            // Ignore errors during destruction
+        }
+    }
+    close();
+}
+```
+
+### Step 4: Test with Non-Robust Mutex
+To isolate whether the problem is related to robust mutexes specifically, we could temporarily disable the `PTHREAD_MUTEX_ROBUST` attribute:
+
+```cpp
+// In open() method, comment out:
+// if ((eno = ::pthread_mutexattr_setrobust(&mutex_attr, PTHREAD_MUTEX_ROBUST)) != 0) {
+//     ipc::error("fail pthread_mutexattr_setrobust[%d]\n", eno);
+//     return false;
+// }
+```
+
+If the crash disappears without robust mutexes, it confirms that the issue is in robust mutex handling.
+
+## Recommended Fix
+
+Based on the `rb error 14 (EFAULT)` message, I suspect the problem is that FreeBSD's robust mutex list contains a dangling pointer to a destroyed mutex.
+
+**Root cause**: When a mutex object is destroyed (in the destructor or `close()`), it calls `pthread_mutex_destroy()`, but if the current thread has this mutex in its robust list (even if it's not locked), FreeBSD might try to access it later and find an invalid pointer.
+
+**Proposed solution**:
+
+1. **Add explicit unlock before destruction**:
+   ```cpp
+   ~mutex() noexcept {
+       // Try to unlock if we might hold the lock
+       if (valid()) {
+           try {
+               ::pthread_mutex_unlock(mutex_);  // Ignore errors
+           } catch (...) {}
+       }
+       close();
+   }
+   ```
+
+2. **Ensure proper cleanup order in close()**:
+   ```cpp
+   void close() noexcept {
+       if ((ref_ != nullptr) && (shm_ != nullptr) && (mutex_ != nullptr)) {
+           // Try to unlock before destroying
+           ::pthread_mutex_unlock(mutex_);  // Ignore errors
+           
+           if (shm_->name() != nullptr) {
+               release_mutex(shm_->name(), [this] {
+                   auto self_ref = ref_->fetch_sub(1, std::memory_order_relaxed);
+                   if ((shm_->ref() <= 1) && (self_ref <= 1)) {
+                       int eno;
+                       if ((eno = ::pthread_mutex_destroy(mutex_)) != 0) {
+                           ipc::error("fail pthread_mutex_destroy[%d]\n", eno);
+                       }
+                       return true;
+                   }
+                   return false;
+               });
+           } else shm_->release();
+       }
+       shm_   = nullptr;
+       ref_   = nullptr;
+       mutex_ = nullptr;
+   }
+   ```
+
+3. **Alternatively, track lock state explicitly**:
+   Add a member variable to track whether we hold the lock:
+   ```cpp
+   std::atomic<bool> is_locked_{false};
+   
+   // In lock():
+   if (result) is_locked_.store(true);
+   
+   // In unlock():
+   if (result) is_locked_.store(false);
+   
+   // In destructor/close():
+   if (is_locked_.load()) {
+       ::pthread_mutex_unlock(mutex_);
+   }
+   ```
+
+## Next Steps
+
+1. Add diagnostic output to understand where exactly the crash occurs
+2. Implement one of the proposed fixes
+3. Test on FreeBSD 15 to verify the fix
+4. Ensure the fix doesn't break Linux/QNX compatibility

src/libipc/platform/posix/mutex.h

@@ -150,6 +150,17 @@ class mutex {
 
     void close() noexcept {
         if ((ref_ != nullptr) && (shm_ != nullptr) && (mutex_ != nullptr)) {
+            // Try to unlock the mutex before destroying it.
+            // This is important for robust mutexes on FreeBSD, which maintain
+            // a per-thread robust list. If we destroy a mutex while it's in
+            // the robust list (even if not locked), FreeBSD may encounter
+            // dangling pointers later, leading to segfaults.
+            // We ignore any errors from unlock() since:
+            // 1. If we don't hold the lock, EPERM is expected and harmless
+            // 2. If the mutex is already unlocked, this is a no-op
+            // 3. If there's an error, we still want to proceed with cleanup
+            ::pthread_mutex_unlock(mutex_);
+            
             if (shm_->name() != nullptr) {
                 release_mutex(shm_->name(), [this] {
                     auto self_ref = ref_->fetch_sub(1, std::memory_order_relaxed);
@@ -171,6 +182,9 @@ class mutex {
 
     void clear() noexcept {
         if ((shm_ != nullptr) && (mutex_ != nullptr)) {
+            // Try to unlock before destroying, same reasoning as in close()
+            ::pthread_mutex_unlock(mutex_);
+            
             if (shm_->name() != nullptr) {
                 release_mutex(shm_->name(), [this] {
                     int eno;