Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 30 Jan 2016 17:59:21 -0800
From:      Mark Millard <markmi@dsl-only.net>
To:        Roman Divacky <rdivacky@vlakno.cz>
Cc:        FreeBSD PowerPC ML <freebsd-ppc@freebsd.org>, FreeBSD Toolchain <freebsd-toolchain@freebsd.org>
Subject:   Re: clang 3.8.0 based powerpc (32 bit) buildworld runs on a PowerMac! [problems found]
Message-ID:  <ED8F1D16-A097-40D9-AAFB-9134A36A9995@dsl-only.net>
In-Reply-To: <2CA42792-245D-48F3-9FC7-285C52D14A6A@dsl-only.net>
References:  <DEF41968-FFC4-417D-A31A-E392CB888C35@dsl-only.net> <55814789-0489-48B5-867C-F678AE4EA5FF@dsl-only.net> <20160130112913.GA7950@vlakno.cz> <E2771C4A-4CC9-4394-A2D7-10CCB5F13BDE@dsl-only.net> <2CA42792-245D-48F3-9FC7-285C52D14A6A@dsl-only.net>

next in thread | previous in thread | raw e-mail | index | archive | help
I have submitted a minor variation of this analysis text for the =
uninitialized pointer use in in libc/stdio "string output" routine =
implementations as Bug 206770.

If anyone finds that I missed the initialization let me know and I'll =
change the status of the bug.

=3D=3D=3D
Mark Millard
markmi at dsl-only.net

On 2016-Jan-30, at 5:13 PM, Mark Millard <markmi at dsl-only.net> wrote:

So far I'm unable to reproduce the problem with simple code replacing =
the library code.

And I expect that I have have a smoking gun for why.  Care to check the =
below and see if I missed something? As far as I can tell this is a =
FreeBSD libc/stdio defect, not a clang 3.8.0 one.

Unfortunately the reason is spread out in the code so it takes a bit to =
describe the context for the uninitialized pointer that I expect is =
involved.

To start the description I note the actual, low-level failure point:

> #0  0x419a89c8 in memcpy (dst0=3D0xffffd734, src0=3D<optimized out>, =
length=3D<optimized out>) at /usr/src/lib/libc/string/bcopy.c:124
> 124				TLOOP1(*--dst =3D *--src);

In the assembler code for this is the the *--src access that gets the =
segmentation violation. I do not justify that claim here but use that =
fact later.

So what leads up to that? Going the other way, starting from the use of =
snprintf. . .

snprintf(char * __restrict str, size_t n, char const * __restrict fmt, =
...) sets up its __vfprintf(FILE *fp, locale_t locale, const char *fmt0, =
va_list ap) use via:

>        va_list ap;
>        FILE f =3D FAKE_FILE;
. . .
>        va_start(ap, fmt);
>        f._flags =3D __SWR | __SSTR;
>        f._bf._base =3D f._p =3D (unsigned char *)str;
>        f._bf._size =3D f._w =3D n;
>        ret =3D __vfprintf(&f, __get_locale(), fmt, ap);

so at the __vfprintf call f._p reference the buffer that __vfprintf's =
str references. __vfprintf in turn does (in part):

>        struct io_state io;     /* I/O buffering state */
. . .
>        io_init(&io, fp);

where io is on-stack (not implicitly initialized). The io_init does:

> #define NIOV 8
> struct io_state {
>        FILE *fp;
>        struct __suio uio;      /* output information: summary */
>        struct __siov iov[NIOV];/* ... and individual io vectors */
> };
>=20
> static inline void
> io_init(struct io_state *iop, FILE *fp)
> {
>=20
>        iop->uio.uio_iov =3D iop->iov;
>        iop->uio.uio_resid =3D 0;
>        iop->uio.uio_iovcnt =3D 0;
>        iop->fp =3D fp;
> }

where (on stack as part of __vfprintf's io):

> struct __siov {
>        void    *iov_base;
>        size_t  iov_len;
> };
> struct __suio {
>        struct  __siov *uio_iov;
>        int     uio_iovcnt;
>        int     uio_resid;
> };

So via __vfprintf's io.fp->_p the str buffer is accessible for =
outputting to.

But in none of this or other code that I've looked at for this snprintf =
use case have I found code that initializes the involved =
io.uio.uio_iov->iov_base (i.e., io.iov[0].iov_base) to point to anything =
specific. (Nor is iov_base's matching iov_len initialized.)

Here is a stab at finding all the initializations of iov_base fields:

> # grep "iov_base.*=3D" /usr/src/lib/libc/stdio/*
> /usr/src/lib/libc/stdio/fputs.c:        iov.iov_base =3D (void *)s;
> /usr/src/lib/libc/stdio/fputws.c:       iov.iov_base =3D buf;
> /usr/src/lib/libc/stdio/fwrite.c:       iov.iov_base =3D (void *)buf;
> /usr/src/lib/libc/stdio/perror.c:               v->iov_base =3D (char =
*)s;
> /usr/src/lib/libc/stdio/perror.c:               v->iov_base =3D ": ";
> /usr/src/lib/libc/stdio/perror.c:       v->iov_base =3D msgbuf;
> /usr/src/lib/libc/stdio/perror.c:       v->iov_base =3D "\n";
> /usr/src/lib/libc/stdio/printfcommon.h: =
iop->iov[iop->uio.uio_iovcnt].iov_base =3D (char *)ptr;
> /usr/src/lib/libc/stdio/puts.c: iov[0].iov_base =3D (void *)s;
> /usr/src/lib/libc/stdio/puts.c: iov[1].iov_base =3D "\n";
> /usr/src/lib/libc/stdio/putw.c: iov.iov_base =3D &w;
> /usr/src/lib/libc/stdio/vfwprintf.c:    iov.iov_base =3D buf;
> /usr/src/lib/libc/stdio/xprintf.c:      io->iovp->iov_base =3D =
__DECONST(void *, ptr);

The only file above involved in common for this context turns out to be: =
/usr/src/lib/libc/stdio/printfcommon.h and the above assignment in that =
file is in io_print(struct io_state *iop, const CHAR * __restrict ptr, =
int len, locale_t locale), which is not in use for this context. Here is =
the assignment anyway (for reference):

> static inline int
> io_print(struct io_state *iop, const CHAR * __restrict ptr, int len, =
locale_t locale)
> {
>=20
>        iop->iov[iop->uio.uio_iovcnt].iov_base =3D (char *)ptr;
>        iop->iov[iop->uio.uio_iovcnt].iov_len =3D len;
>        iop->uio.uio_resid +=3D len;
. . .

In other words: The segmentation violation is for use of __vfprintf's =
uninitialized io.uio.uio_iov->iov_base .

Returning to tracing the actually used code for this context to support =
that claim some more. . .

The __vfprintf (FILE *fp, locale_t locale, const char *fmt0, va_list ap) =
eventually does:

       if (io_flush(&io, locale))

and io_flush(struct io_state *iop, locale_t locale) does:

       return (__sprint(iop->fp, &iop->uio, locale));

and _sprintf(FILE *fp, struct __suio *uio, locale_t locale) does:

       err =3D __sfvwrite(fp, uio);

and __sfvwrite(FILE *fp, struct __suio *uio) does:

       p =3D iov->iov_base;
       len =3D iov->iov_len;

where  iov->iov_base is another name for __vfprintf's =
io.uio.uio_iov->iov_base . __sfvwrite then uses:

#define COPY(n)   (void)memcpy((void *)fp->_p, (void *)p, (size_t)(n))

which fails dereferencing p (i.e., __vfprintf's io.uio.uio_iov->iov_base =
).=20

In other words (again): The segmentation violation is for use of the =
uninitialized iop->uio.uio_iov->iov_base.


=3D=3D=3D
Mark Millard
markmi at dsl-only.net

On 2016-Jan-30, at 5:58 AM, Mark Millard <markmi at dsl-only.net> wrote:

On 2016-Jan-30, at 3:29 AM, Roman Divacky <rdivacky at vlakno.cz> wrote:

> Can you file a bug in llvm bugzilla?

I could try for the example code. But I'd like to make the example more =
self contained first, avoiding snprintf from library code and hopefully =
with a much smaller, simpler implementation involved than the =
very-general library code.



Separately: I'm not sure any llvm folks are going to have a way to test =
unless someone shows the problem outside a FreeBSD context. =
powerpc-clang (32-bit) based FreeBSD buildworld's are not exactly a =
normal context at this point.

My files with powerpc (32-bit) tied differences from svn for =
projects/clang380-import -r294962 are:

Index: /media/usr/src/sys/boot/powerpc/Makefile
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- /media/usr/src/sys/boot/powerpc/Makefile	(revision 294962)
+++ /media/usr/src/sys/boot/powerpc/Makefile	(working copy)
@@ -1,5 +1,9 @@
# $FreeBSD$

-SUBDIR=3D		boot1.chrp kboot ofw ps3 uboot
+SUBDIR=3D		boot1.chrp
+.if ${MACHINE_ARCH} =3D=3D "powerpc64"
+SUBDIR+=3D		kboot
+.endif
+SUBDIR+=3D		ofw ps3 uboot

.include <bsd.subdir.mk>
Index: /media/usr/src/sys/conf/Makefile.powerpc
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- /media/usr/src/sys/conf/Makefile.powerpc	(revision 294962)
+++ /media/usr/src/sys/conf/Makefile.powerpc	(working copy)
@@ -35,7 +35,11 @@

INCLUDES+=3D -I$S/contrib/libfdt

+.if ${COMPILER_TYPE} =3D=3D "gcc"
CFLAGS+=3D -msoft-float -Wa,-many
+.else
+CFLAGS+=3D -msoft-float
+.endif

# Build position-independent kernel
CFLAGS+=3D -fPIC
Index: /media/usr/src/sys/conf/kern.mk
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- /media/usr/src/sys/conf/kern.mk	(revision 294962)
+++ /media/usr/src/sys/conf/kern.mk	(working copy)
@@ -144,7 +144,11 @@
#
.if ${MACHINE_CPUARCH} =3D=3D "powerpc"
CFLAGS+=3D	-mno-altivec
+.if ${COMPILER_TYPE} =3D=3D "clang" && ${COMPILER_VERSION} < 30800
CFLAGS.clang+=3D	-mllvm -disable-ppc-float-in-variadic=3Dtrue
+.else
+CFLAGS.clang+=3D	-msoft-float
+.endif
CFLAGS.gcc+=3D	-msoft-float
INLINE_LIMIT?=3D	15000
.endif
Index: /media/usr/src/sys/conf/kmod.mk
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- /media/usr/src/sys/conf/kmod.mk	(revision 294962)
+++ /media/usr/src/sys/conf/kmod.mk	(working copy)
@@ -137,8 +137,12 @@
.endif

.if ${MACHINE_CPUARCH} =3D=3D powerpc
+.if ${COMPILER_TYPE} =3D=3D "gcc"
CFLAGS+=3D	-mlongcall -fno-omit-frame-pointer
+.else
+CFLAGS+=3D	-fno-omit-frame-pointer
.endif
+.endif

.if ${MACHINE_CPUARCH} =3D=3D mips
CFLAGS+=3D	-G0 -fno-pic -mno-abicalls -mlong-calls


(I can not actually buildkernel for powerpc via clang 3.8.0. Still some =
of the above is for the kernel context.)

src.conf content:

KERNCONF=3DGENERICvtsc-NODEBUG
TARGET=3Dpowerpc
TARGET_ARCH=3Dpowerpc
#
WITH_FAST_DEPEND=3D
WITH_LIBCPLUSPLUS=3D
WITH_BOOT=3D
WITH_BINUTILS_BOOTSTRAP=3D
WITH_CLANG_BOOTSTRAP=3D
WITH_CLANG=3D
WITH_CLANG_IS_CC=3D
WITH_CLANG_FULL=3D
WITH_CLANG_EXTRAS=3D
#
# lldb requires missing atomic 8-byte operations for powerpc (non-64)
WITHOUT_LLDB=3D
#
WITHOUT_LIB32=3D
WITHOUT_GCC_BOOTSTRAP=3D
WITHOUT_GCC=3D
WITHOUT_GCC_IS_CC=3D
WITHOUT_GNUCXX=3D
#
NO_WERROR=3D
MALLOC_PRODUCTION=3D
#
WITH_DEBUG_FILES=3D


On Sat, Jan 30, 2016 at 03:00:26AM -0800, Mark Millard wrote:
> I got around to trying some more use of the 3.8.0 clang based world on =
powerpc (32 bit) (now -r294962 based) and ran into:
>=20
> A) Segmentation faults during signal handlers in syslogd, nfsd, =
mountd, and (for SIGNFO) make.
>=20
> B) ls sometimes segmentation faulting
>=20
> C) make -j 6 buildworld segmentation faulting in make eventually but =
make buildworld works.
>=20
> I have reduced (A) to a simple program that demonstrates the behavior:
>=20
>> # more sig_snprintf_use_test.c=20
>> #include <stdio.h>
>> #include <signal.h>
>>=20
>> volatile sig_atomic_t sat =3D 0;
>>=20
>> void
>> handler(int sig)
>> {
>>  char uidbuf[32];
>>  (void) snprintf(uidbuf, sizeof uidbuf, "%d", 10);
>>  sat =3D uidbuf[0];
>> }
>>=20
>> int
>> main(void)
>> {
>>  if (signal(SIGINT, handler) !=3D SIG_ERR) raise(SIGINT);
>>  return sat;
>> }
>=20
>> # ./a.out
>> Segmentation fault (core dumped)
>> # /usr/local/bin/gdb a.out /var/crash/a.out.1510.core
>> GNU gdb (GDB) 7.10 [GDB v7.10 for FreeBSD]
> . . .
>> warning: Unexpected size of section `.reg2/100167' in core file.
>> #0  0x419a89c8 in memcpy (dst0=3D0xffffd734, src0=3D<optimized out>, =
length=3D<optimized out>) at /usr/src/lib/libc/string/bcopy.c:124
>> 124				TLOOP1(*--dst =3D *--src);
>> (gdb) bt
>> #0  0x419a89c8 in memcpy (dst0=3D0xffffd734, src0=3D<optimized out>, =
length=3D<optimized out>) at /usr/src/lib/libc/string/bcopy.c:124
>> #1  0x419a3984 in __sfvwrite (fp=3D<optimized out>, uio=3D<optimized =
out>) at /usr/src/lib/libc/stdio/fvwrite.c:128
>> #2  0x41934468 in __sprint (fp=3D<optimized out>, uio=3D<optimized =
out>, locale=3D<optimized out>) at =
/usr/src/lib/libc/stdio/vfprintf.c:164
>> #3  io_flush (iop=3D<optimized out>, locale=3D<optimized out>) at =
/usr/src/lib/libc/stdio/printfcommon.h:155
>> #4  __vfprintf (fp=3D<optimized out>, locale=3D<optimized out>, =
fmt0=3D<optimized out>, ap=3D<optimized out>) at =
/usr/src/lib/libc/stdio/vfprintf.c:1020
>> #5  0x4199c644 in snprintf (str=3D0xffffd734 "", n=3D<optimized out>, =
fmt=3D0x1800850 "%d") at /usr/src/lib/libc/stdio/snprintf.c:72
>> #6  0x01800708 in handler ()
>> Backtrace stopped: Cannot access memory at address 0xffffd760
>=20
> (The "Unexpected size . . ." is a known problem in powerpc land at =
this point, not tied to clang 3.8.0 .)
>=20
> The syslogd, nfsd, mountd, and SIGINFO-related make backtraces are =
similar. I got the program above from simplifying the mountd failure =
context.
>=20
> A direct call, handler(0), does not get the segmentation fault.
>=20
> I'll note that in C the handler calling snprintf or other such is a =
no-no for the general case: only abort(), _Exit(), or signal() as of C99 =
as I understand. But the restriction is not true of use of raise so the =
small program is still valid C99 code. Of course it appears FreeBSD =
allows more than C99 does in this area.
>=20
> I've not yet investigated what the original signals are in syslogd, =
nfsd, or mountd. They may well indicate another problem.
>=20
>=20
> I've not gotten as far classifying (B) or (C) as well.
>=20
> (B) is a xo_emit context each time so far (so C elipsis use again, =
like (A)) but no signal handler seems to be active. It stops in =
xo_format_string_direct. My attempts at simpler code have not produced =
the problem so far.
>=20
> (C) is such that GDB 7.10 reports "previous frame to this frame =
(corrupt stack?)" or otherwise gives up. It shows Var_Value called by =
Make_Update before reporting that. gdb 6.1.1 shows more after that: =
JobFinish, JobReapChild, Job_CatchChildern, Job_CatchOutput, Make_Run, =
main). SIGCHLD or other such use may well be involved here.
>=20
>=20
> =3D=3D=3D
> Mark Millard
> markmi at dsl-only.net
>=20
> On 2016-Jan-19, at 2:35 AM, Mark Millard <markmi@dsl-only.net> wrote:
>=20
> I now have an SSD that contains:
>=20
> 0) installkernel material from a gcc 4.2.1 based buildkernel
>=20
> 1) installworld material from a clang 3.8.0 based buildworld
> (clang 3.8.0, libc++, etc.)
>=20
> It boots and seems to be operating fine after booting --in both a G5 =
and a G4 PowerMac.
>=20
> Apparently the clang code generation has been updated to not require =
an explicit -mlongcall. I had to remove those since clang rejects them =
on command lines. It linked without complaint (and later seems to be =
running fine). (I've seen llvm review notes mentioning the "medium =
model" or some phrase like that for powerpc.)
>=20
> (I've not been able to buildkernel yet for powerpc (non-64) from my =
amd64 environment: rejected command lines for other issues. Thus the =
current limitation to buildworld.)
>=20
>=20
>=20
> To get to (1) I did the following sort of sequence:
> (The first few steps deal with other issues in order to have =
sufficient context.)
>=20
>=20
> A) Started by installing the latest powerpc (non-64) snapshot.
> ( =
http://ftp1.freebsd.org/pub/FreeBSD/snapshots/ISO-IMAGES/11.0/FreeBSD-11.0=
-CURRENT-powerpc-20160113-r293801-disc1.iso )
>=20
> (I had to use a PowerMac with video hardware that vt would handle.)
> (Basic display, no X-windows involvement here.)
>=20
>=20
> B) Rebuild, including using my usual kernel configuration that has
> both vt and sc. I did this based on projects/clang380-import
> -r294201 /usr/src but still using gcc 4.2.1 (native on the
> PowerMac). The configuration turns off kernel debugging extras too.
>=20
>=20
> C) installkernel, installworld, etc., set to use sc instead of vt, and =
rebooted.
>=20
> (As of this I could use the SSD in more PowerMacs by using sc instead =
of vt via a /boot/loader.conf assignment.)
>=20
>=20
> D) dump/restore the file systems to another SSD (after partitioning =
it).
> Adjust the host name and the like on the copy.
>=20
> (This copy later ends up having new installworld materials overlaid.)
>=20
>=20
> E) In a projects/clang380-import -r294201 amd64 environment, =
buildworld for
> TARGET_ARCH=3Dpowerpc . WITH_LIBCPLUSPLUS=3D and clang related =
material built,
> gcc 4.2.1 related material not built. WITH_BOOT=3D as well. I choose
> WITHOUT_DEBUG=3D and WITHOUT_DEBUG_FILES=3D . (I've not tried enabling =
them yet.)
> binutils is not from ports.
>=20
>=20
> F) Use DESTDIR=3D with installworld to an initially empty directory =
tree. tar the tree.
>=20
>=20
> G) Transfer the tar file to the PowerMac. Mount the to-be-updated SSD =
to
> /mnt and /mnt/var. After chflags -R noschg on /mnt and /mnt/var use
> tar xpf to replace things from the buildworld on /mnt and /mnt/var.
>=20
> (This does leave older gcc 4.2.1 related materials in place.)
>=20
> H) Dismounts, shutdown, and then boot from the updated SSD.
>=20
>=20
>=20
> Note: I've never manage to get powerpc64-xtoolchain-gcc/powerpc64-gcc =
to produce working 32-bit code. So I've never gotten this far via that =
path.
>=20
>=20
> =3D=3D=3D
> Mark Millard
> markmi at dsl-only.net
>=20
>=20
> _______________________________________________
> freebsd-toolchain@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-toolchain
> To unsubscribe, send any mail to =
"freebsd-toolchain-unsubscribe@freebsd.org"

=3D=3D=3D
Mark Millard
markmi at dsl-only.net






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ED8F1D16-A097-40D9-AAFB-9134A36A9995>