thr3ads.net - freebsd stable - Many core dumps in pthread

If this information is useful, please help other people find it:
Share via:

Konstantin Belousov

2015-Jul-19 20:57 UTC

Many core dumps in pthread_getspecific.

On Wed, Jul 15, 2015 at 06:32:13PM +0200, Andre Meiser
wrote:> Hi,
> 
> no crash from vim or Xorg but from xterm and again at getcontext(uc) after
alloca:
> 
> % readelf -d xterm | grep NEEDED
>  0x0000000000000001 (NEEDED)             Shared library: [libXinerama.so.1]
>  0x0000000000000001 (NEEDED)             Shared library: [libXft.so.2]
>  0x0000000000000001 (NEEDED)             Shared library:
[libfontconfig.so.1]
>  0x0000000000000001 (NEEDED)             Shared library: [libutil.so.9]
>  0x0000000000000001 (NEEDED)             Shared library: [libXaw.so.7]
>  0x0000000000000001 (NEEDED)             Shared library: [libXmu.so.6]
>  0x0000000000000001 (NEEDED)             Shared library: [libXt.so.6]
>  0x0000000000000001 (NEEDED)             Shared library: [libX11.so.6]
>  0x0000000000000001 (NEEDED)             Shared library: [libXpm.so.4]
>  0x0000000000000001 (NEEDED)             Shared library: [libICE.so.6]
>  0x0000000000000001 (NEEDED)             Shared library: [libulog.so.0]
>  0x0000000000000001 (NEEDED)             Shared library: [libncurses.so.8]
>  0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]
> 
> 
> 
> (gdb) bt
> #0  0x0000000803038642 in check_deferred_signal (curthread=0x805006400)
>     at /usr/src/lib/libthr/thread/thr_sig.c:332
> #1  0x000000080303858d in _thr_ast (curthread=0x805006400)
>     at /usr/src/lib/libthr/thread/thr_sig.c:265
> #2  0x000000080303d367 in _thr_rtld_lock_release (lock=<value optimized
out>)
>     at /usr/src/lib/libthr/thread/thr_rtld.c:162
> #3  0x000000080067d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
> #4  0x000000080067b15d in .text () from /libexec/ld-elf.so.1
> #5  0x0000000000438007 in ?? ()
> #6  0x000000000043fe77 in ?? ()
> #7  0x000000000041808b in ?? ()
> #8  0x0000000000417e0a in ?? ()
> #9  0x000000000042e04a in ?? ()
> #10 0x000000000040823f in ?? ()
> #11 0x0000000800697000 in ?? ()
> #12 0x0000000000000000 in ?? ()
> 
> 
> 
> (gdb) info locals
> act = {__sigaction_u = {__sa_handler = 0x7fff00000001, 
>     __sa_sigaction = 0x7fff00000001}, sa_flags = -6472, sa_mask = {__bits =
{
>       32767, 4198068, 0, 54936355}}}
> info = {si_signo = 0, si_errno = 0, si_code = -6472, si_pid = 32767, 
>   si_uid = 4294960256, si_status = 32767, si_addr = 0x800000021, si_value =
{
>     sival_int = -6368, sival_ptr = 0x7fffffffe720, sigval_int = -6368, 
>     sigval_ptr = 0x7fffffffe720}, _reason = {_fault = {_trapno = 15}, 
>     _timer = {_timerid = 15, _overrun = 0}, _mesgq = {_mqd = 15}, _poll = {
>       _band = 15}, __spare__ = {__spare1__ = 15, __spare2__ = {0, 0,
6909952,
>         8, -6496, 32767, 6806459}}}}
> 
> 
> 
> (gdb) info registers
> rax            0xf0b470 15774832
> rbx            0x805006400      34443650048
> rcx            0x0      0
> rdx            0xca0000 13238272
> rsi            0x7fffffffe6b8   140737488348856
> rdi            0x7fffff0f3150   140737472573776
> rbp            0x7fffffffe650   0x7fffffffe650
> rsp            0x7fffff0f3150   0x7fffff0f3150
> r8             0x12     18
> r9             0x7fffffffe720   140737488348960
> r10            0x4030d0 4206800
> r11            0x261    609
> r12            0x1      1
> r13            0x679320 6787872
> r14            0x7fffff0f3150   140737472573776
> r15            0x23     35
> rip            0x803038642      0x803038642
<check_deferred_signal+82>
> eflags         0x10206  66054
> cs             0x43     67
> ss             0x3b     59
> ds             0x0      0
> es             0x0      0
> fs             0x0      0
> gs             0x0      0
> 
> 
> 
> (gdb) disassemble
> Dump of assembler code for function check_deferred_signal:
> 0x00000008030385f0 <check_deferred_signal+0>:   push   %rbp
> 0x00000008030385f1 <check_deferred_signal+1>:   mov    %rsp,%rbp
> 0x00000008030385f4 <check_deferred_signal+4>:   push   %r15
> 0x00000008030385f6 <check_deferred_signal+6>:   push   %r14
> 0x00000008030385f8 <check_deferred_signal+8>:   push   %rbx
> 0x00000008030385f9 <check_deferred_signal+9>:   sub    $0x78,%rsp
> 0x00000008030385fd <check_deferred_signal+13>:  mov    %rdi,%rbx
> 0x0000000803038600 <check_deferred_signal+16>:  cmpl  
$0x0,0x100(%rbx)
> 0x0000000803038607 <check_deferred_signal+23>:  je     0x803038612
<check_deferred_signal+34>
> 0x0000000803038609 <check_deferred_signal+25>:  cmpl  
$0x0,0x180(%rbx)
> 0x0000000803038610 <check_deferred_signal+32>:  je     0x80303861d
<check_deferred_signal+45>
> 0x0000000803038612 <check_deferred_signal+34>:  lea   
-0x18(%rbp),%rsp
> 0x0000000803038616 <check_deferred_signal+38>:  pop    %rbx
> 0x0000000803038617 <check_deferred_signal+39>:  pop    %r14
> 0x0000000803038619 <check_deferred_signal+41>:  pop    %r15
> 0x000000080303861b <check_deferred_signal+43>:  pop    %rbp
> 0x000000080303861c <check_deferred_signal+44>:  retq   
> 0x000000080303861d <check_deferred_signal+45>:  movl  
$0x1,0x180(%rbx)
> 0x0000000803038627 <check_deferred_signal+55>:  callq  0x803032dfc
<__getcontextx_size at plt>
> 0x000000080303862c <check_deferred_signal+60>:  cltq   
> 0x000000080303862e <check_deferred_signal+62>:  mov    %rsp,%r14
> 0x0000000803038631 <check_deferred_signal+65>:  add    $0xf,%rax
> 0x0000000803038635 <check_deferred_signal+69>:  and   
$0xfffffffffffffff0,%rax
> 0x0000000803038639 <check_deferred_signal+73>:  sub    %rax,%r14
> 0x000000080303863c <check_deferred_signal+76>:  mov    %r14,%rsp
> 0x000000080303863f <check_deferred_signal+79>:  mov    %r14,%rdi
> 0x0000000803038642 <check_deferred_signal+82>:  callq  0x8030331cc
<getcontext at plt>
> 0x0000000803038647 <check_deferred_signal+87>:  cmpl  
$0x0,0x100(%rbx)
> 0x000000080303864e <check_deferred_signal+94>:  je     0x8030386db
<check_deferred_signal+235>
> 0x0000000803038654 <check_deferred_signal+100>: lea   
0x100(%rbx),%r15
> 0x000000080303865b <check_deferred_signal+107>: mov    %r14,%rdi
> 0x000000080303865e <check_deferred_signal+110>: callq  0x80303301c
<__fillcontextx2 at plt>
> 0x0000000803038663 <check_deferred_signal+115>: movups
0x160(%rbx),%xmm0
> 0x000000080303866a <check_deferred_signal+122>: movups
0x170(%rbx),%xmm1
> 0x0000000803038671 <check_deferred_signal+129>: movaps
%xmm1,-0x30(%rbp)
> 0x0000000803038675 <check_deferred_signal+133>: movaps
%xmm0,-0x40(%rbp)
> 0x0000000803038679 <check_deferred_signal+137>: movups
0x150(%rbx),%xmm0
> 0x0000000803038680 <check_deferred_signal+144>: movups %xmm0,(%r14)
> 0x0000000803038684 <check_deferred_signal+148>: movups
0x40(%r15),%xmm0
> 0x0000000803038689 <check_deferred_signal+153>: movaps
%xmm0,-0x50(%rbp)
> 0x000000080303868d <check_deferred_signal+157>: movups (%r15),%xmm0
> 0x0000000803038691 <check_deferred_signal+161>: movups
0x10(%r15),%xmm1
> 0x0000000803038696 <check_deferred_signal+166>: movups
0x20(%r15),%xmm2
> 0x000000080303869b <check_deferred_signal+171>: movups
0x30(%r15),%xmm3
> 0x00000008030386a0 <check_deferred_signal+176>: movaps
%xmm3,-0x60(%rbp)
> 0x00000008030386a4 <check_deferred_signal+180>: movaps
%xmm2,-0x70(%rbp)
> 0x00000008030386a8 <check_deferred_signal+184>: movaps
%xmm1,-0x80(%rbp)
> 0x00000008030386ac <check_deferred_signal+188>: movaps
%xmm0,-0x90(%rbp)
> 0x00000008030386b3 <check_deferred_signal+195>: movl  
$0x0,0x100(%rbx)
> 0x00000008030386bd <check_deferred_signal+205>: mov   
-0x90(%rbp),%esi
> 0x00000008030386c3 <check_deferred_signal+211>: lea   
-0x40(%rbp),%rdi
> 0x00000008030386c7 <check_deferred_signal+215>: lea   
-0x90(%rbp),%rdx
> 0x00000008030386ce <check_deferred_signal+222>: mov    %r14,%rcx
> 0x00000008030386d1 <check_deferred_signal+225>: callq  0x803039330
<handle_signal>
> 0x00000008030386d6 <check_deferred_signal+230>: jmpq   0x803038612
<check_deferred_signal+34>
> 0x00000008030386db <check_deferred_signal+235>: movl  
$0x0,0x180(%rbx)
> 0x00000008030386e5 <check_deferred_signal+245>: jmpq   0x803038612
<check_deferred_signal+34>
> End of assembler dump.
> 
> 
> I like the system, but this thread library smells fishy... :(
It seems that besides sigreturn(), ucontext symbols must be pre-resolved
as well.  Try this update (it includes the previous change).

diff --git a/lib/libthr/thread/thr_rtld.c b/lib/libthr/thread/thr_rtld.c
index 5d89988..cb20098 100644
--- a/lib/libthr/thread/thr_rtld.c
+++ b/lib/libthr/thread/thr_rtld.c
@@ -185,7 +185,9 @@ _thr_rtld_init(void)
 {
 	struct RtldLockInfo	li;
 	struct pthread		*curthread;
+	ucontext_t *uc;
 	long dummy = -1;
+	int uc_len;
 
 	curthread = _get_curthread();
 
@@ -231,4 +233,9 @@ _thr_rtld_init(void)
 	_thr_signal_block(curthread);
 	_rtld_thread_init(&li);
 	_thr_signal_unblock(curthread);
+
+	uc_len = __getcontextx_size();
+	uc = alloca(uc_len);
+	getcontext(uc);
+	__fillcontextx2((char *)uc);
 }
diff --git a/lib/libthr/thread/thr_sig.c b/lib/libthr/thread/thr_sig.c
index a6d021f..ebb6c58 100644
--- a/lib/libthr/thread/thr_sig.c
+++ b/lib/libthr/thread/thr_sig.c
@@ -30,6 +30,7 @@
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/signalvar.h>
+#include <sys/syscall.h>
 #include <signal.h>
 #include <errno.h>
 #include <stdlib.h>
@@ -257,7 +258,7 @@ handle_signal(struct sigaction *actp, int sig, siginfo_t
*info, ucontext_t *ucp)
 	/* reschedule cancellation */
 	check_cancel(curthread, &uc2);
 	errno = err;
-	__sys_sigreturn(&uc2);
+	syscall(SYS_sigreturn, &uc2);
 }
 
 void

Andre Meiser

2015-Jul-22 09:46 UTC

head link

Many core dumps in pthread_getspecific.

On Sun, Jul 19, 2015 at 22:57 +0200, Konstantin Belousov
wrote:> It seems that besides sigreturn(), ucontext symbols must be pre-resolved
> as well.  Try this update (it includes the previous change).
thanks for looking into this, but this patch wasn't funny at all.  Did you
tested your patch?  Almost every programme crashed with a core dump.  Here the
example for simply starting vim:

% readelf -d vim | grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libncurses.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libintl.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libpython2.7.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libthr.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]


(gdb) bt
#0  0x00000008014a30d4 in _thr_rtld_init () at
/usr/src/lib/libthr/thread/thr_rtld.c:239
#1  0x00000008014a2f03 in _libpthread_init (curthread=<value optimized
out>) at /usr/src/lib/libthr/thread/thr_init.c:372
#2  0x00000008014a5c22 in _thread_printf () from /lib/libthr.so.3
#3  0x0000000801498d06 in _init () from /lib/libthr.so.3
#4  0x00007fffffffe000 in ?? ()
#5  0x000000080083d6bf in r_debug_state () from /libexec/ld-elf.so.1
#6  0x000000080083cd17 in __tls_get_addr () from /libexec/ld-elf.so.1
#7  0x000000080083b129 in .text () from /libexec/ld-elf.so.1
#8  0x0000000000000000 in ?? ()


(gdb) info locals
li = {rtli_version = 0, lock_create = 0x8014a30f0 <_thr_rtld_lock_create>,
lock_destroy = 0x8014a3160 <_thr_rtld_lock_destroy>,
  rlock_acquire = 0x8014a31b0 <_thr_rtld_rlock_acquire>, wlock_acquire =
0x8014a3270 <_thr_rtld_wlock_acquire>,
  lock_release = 0x8014a3300 <_thr_rtld_lock_release>, thread_set_flag =
0x8014a33c0 <_thr_rtld_set_flag>,
  thread_clr_flag = 0x8014a33d0 <_thr_rtld_clr_flag>, at_fork = 0}
dummy = -1
curthread = (struct pthread *) 0x7fffff0f2650
uc_len = <value optimized out


(gdb) info registers
rax            0xf0b470 15774832
rbx            0x7fffff0f2650   140737472570960
rcx            0x0  0
rdx            0xca0000 13238272
rsi            0x8024064e8  34397512936
rdi            0x7fffff0f2650   140737472570960
rbp            0x7fffffffdb20   0x7fffffffdb20
rsp            0x7fffff0f2650   0x7fffff0f2650
r8             0x0  0
r9             0xfffff8000e35f4c0   -8795854605120
r10            0x0  0
r11            0x246    582
r12            0x800a54a28  34370570792
r13            0x800a545b0  34370569648
r14            0x1  1
r15            0x800855420  34368476192
rip            0x8014a30d4  0x8014a30d4 <_thr_rtld_init+244>
eflags         0x10206  66054
cs             0x43 67
ss             0x3b 59
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0


(gdb) disassemble
Dump of assembler code for function _thr_rtld_init:
0x00000008014a2fe0 <_thr_rtld_init+0>:  push   %rbp
0x00000008014a2fe1 <_thr_rtld_init+1>:  mov    %rsp,%rbp
0x00000008014a2fe4 <_thr_rtld_init+4>:  push   %rbx
0x00000008014a2fe5 <_thr_rtld_init+5>:  sub    $0x58,%rsp
0x00000008014a2fe9 <_thr_rtld_init+9>:  movq  
$0xffffffffffffffff,-0x58(%rbp)
0x00000008014a2ff1 <_thr_rtld_init+17>: mov    %fs:0x10,%rbx
0x00000008014a2ffa <_thr_rtld_init+26>: lea    -0x58(%rbp),%rdi
0x00000008014a2ffe <_thr_rtld_init+30>: mov    $0x3,%esi
0x00000008014a3003 <_thr_rtld_init+35>: mov    $0x1,%edx
0x00000008014a3008 <_thr_rtld_init+40>: xor    %ecx,%ecx
0x00000008014a300a <_thr_rtld_init+42>: xor    %r8d,%r8d
0x00000008014a300d <_thr_rtld_init+45>: callq  0x8014a5890
<_umtx_op_err>
0x00000008014a3012 <_thr_rtld_init+50>: callq  0x80149916c <__error at
plt>
0x00000008014a3017 <_thr_rtld_init+55>: xor    %edi,%edi
0x00000008014a3019 <_thr_rtld_init+57>: xor    %esi,%esi
0x00000008014a301b <_thr_rtld_init+59>: xor    %edx,%edx
0x00000008014a301d <_thr_rtld_init+61>: callq  0x8014990ac <mprotect at
plt>
0x00000008014a3022 <_thr_rtld_init+66>: callq  0x8014991ac
<_rtld_get_stack_prot at plt>
0x00000008014a3027 <_thr_rtld_init+71>: lea    0xc2(%rip),%rax        #
0x8014a30f0 <_thr_rtld_lock_create>
0x00000008014a302e <_thr_rtld_init+78>: mov    %rax,-0x48(%rbp)
0x00000008014a3032 <_thr_rtld_init+82>: lea    0x127(%rip),%rax        #
0x8014a3160 <_thr_rtld_lock_destroy>
0x00000008014a3039 <_thr_rtld_init+89>: mov    %rax,-0x40(%rbp)
0x00000008014a303d <_thr_rtld_init+93>: lea    0x16c(%rip),%rax        #
0x8014a31b0 <_thr_rtld_rlock_acquire>
0x00000008014a3044 <_thr_rtld_init+100>:    mov    %rax,-0x38(%rbp)
0x00000008014a3048 <_thr_rtld_init+104>:    lea    0x221(%rip),%rax       
# 0x8014a3270 <_thr_rtld_wlock_acquire>
0x00000008014a304f <_thr_rtld_init+111>:    mov    %rax,-0x30(%rbp)
0x00000008014a3053 <_thr_rtld_init+115>:    lea    0x2a6(%rip),%rax       
# 0x8014a3300 <_thr_rtld_lock_release>
0x00000008014a305a <_thr_rtld_init+122>:    mov    %rax,-0x28(%rbp)
0x00000008014a305e <_thr_rtld_init+126>:    lea    0x35b(%rip),%rax       
# 0x8014a33c0 <_thr_rtld_set_flag>
0x00000008014a3065 <_thr_rtld_init+133>:    mov    %rax,-0x20(%rbp)
0x00000008014a3069 <_thr_rtld_init+137>:    lea    0x360(%rip),%rax       
# 0x8014a33d0 <_thr_rtld_clr_flag>
0x00000008014a3070 <_thr_rtld_init+144>:    mov    %rax,-0x18(%rbp)
0x00000008014a3074 <_thr_rtld_init+148>:    movq   $0x0,-0x10(%rbp)
0x00000008014a307c <_thr_rtld_init+156>:    xor    %edi,%edi
0x00000008014a307e <_thr_rtld_init+158>:    callq  0x8014991dc
<_rtld_atfork_pre at plt>
0x00000008014a3083 <_thr_rtld_init+163>:    xor    %edi,%edi
0x00000008014a3085 <_thr_rtld_init+165>:    callq  0x801498dbc
<_rtld_atfork_post at plt>
0x00000008014a308a <_thr_rtld_init+170>:    callq  0x801498e3c
<_malloc_prefork at plt>
0x00000008014a308f <_thr_rtld_init+175>:    callq  0x80149919c
<_malloc_postfork at plt>
0x00000008014a3094 <_thr_rtld_init+180>:    mov    $0x14,%edi
0x00000008014a3099 <_thr_rtld_init+185>:    xor    %eax,%eax
0x00000008014a309b <_thr_rtld_init+187>:    callq  0x8014990fc <syscall
at plt>
0x00000008014a30a0 <_thr_rtld_init+192>:    mov    %rbx,%rdi
0x00000008014a30a3 <_thr_rtld_init+195>:    callq  0x80149e4f0
<_thr_signal_block>
0x00000008014a30a8 <_thr_rtld_init+200>:    lea    -0x50(%rbp),%rdi
0x00000008014a30ac <_thr_rtld_init+204>:    callq  0x801498f3c
<_rtld_thread_init at plt>
0x00000008014a30b1 <_thr_rtld_init+209>:    mov    %rbx,%rdi
0x00000008014a30b4 <_thr_rtld_init+212>:    callq  0x80149e530
<_thr_signal_unblock>
0x00000008014a30b9 <_thr_rtld_init+217>:    callq  0x801498dfc
<__getcontextx_size at plt>
0x00000008014a30be <_thr_rtld_init+222>:    cltq
0x00000008014a30c0 <_thr_rtld_init+224>:    mov    %rsp,%rbx
0x00000008014a30c3 <_thr_rtld_init+227>:    add    $0xf,%rax
0x00000008014a30c7 <_thr_rtld_init+231>:    and   
$0xfffffffffffffff0,%rax
0x00000008014a30cb <_thr_rtld_init+235>:    sub    %rax,%rbx
0x00000008014a30ce <_thr_rtld_init+238>:    mov    %rbx,%rsp
0x00000008014a30d1 <_thr_rtld_init+241>:    mov    %rbx,%rdi
0x00000008014a30d4 <_thr_rtld_init+244>:    callq  0x8014991cc
<getcontext at plt>
0x00000008014a30d9 <_thr_rtld_init+249>:    mov    %rbx,%rdi
0x00000008014a30dc <_thr_rtld_init+252>:    callq  0x80149901c
<__fillcontextx2 at plt>
0x00000008014a30e1 <_thr_rtld_init+257>:    lea    -0x8(%rbp),%rsp
0x00000008014a30e5 <_thr_rtld_init+261>:    pop    %rbx
0x00000008014a30e6 <_thr_rtld_init+262>:    pop    %rbp
0x00000008014a30e7 <_thr_rtld_init+263>:    retq
End of assembler dump.


Sincerely yours Andre.

freebsd stable - Jul 2015 - Many core dumps in pthread_getspecific.

Many core dumps in pthread_getspecific.

Many core dumps in pthread_getspecific.