From owner-freebsd-stable@freebsd.org  Fri Jul  3 15:21:59 2015
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E02109937E6
 for <freebsd-stable@mailman.ysv.freebsd.org>;
 Fri,  3 Jul 2015 15:21:59 +0000 (UTC) (envelope-from ortadur@web.de)
Received: from mout.web.de (mout.web.de [212.227.15.4])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mout.web.de", Issuer "TeleSec ServerPass DE-1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 6FE2D101F
 for <freebsd-stable@freebsd.org>; Fri,  3 Jul 2015 15:21:59 +0000 (UTC)
 (envelope-from ortadur@web.de)
Received: from [131.169.214.139] by 3capp-webde-bs27.server.lan (via HTTP);
 Fri, 3 Jul 2015 17:21:50 +0200
MIME-Version: 1.0
Message-ID: <trinity-9d219acd-7aa9-4574-a9ad-458b52374069-1435936910016@3capp-webde-bs27>
From: "Andre Meiser" <ortadur@web.de>
To: "Konstantin Belousov" <kostikbel@gmail.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: Many core dumps in pthread_getspecific.
Content-Type: text/plain; charset=UTF-8
Date: Fri, 3 Jul 2015 17:21:50 +0200
Importance: normal
Sensitivity: Normal
In-Reply-To: <20150616073637.GO2080@kib.kiev.ua>
References: <trinity-d3a62468-a8fd-44c3-ab9c-8b177ca8a366-1433331244003@3capp-webde-bs60>
 <20150603145838.GX2499@kib.kiev.ua>
 <trinity-15fcacbd-871c-4ea8-9257-5d11e7862ec0-1434103396559@3capp-webde-bs41>
 <20150614190504.GT2080@kib.kiev.ua>
 <trinity-e44527ae-e511-4ff3-bcdf-ee8426fc8a94-1434438565708@3capp-webde-bs53>, 
 <20150616073637.GO2080@kib.kiev.ua>
X-UI-Message-Type: mail
X-Priority: 3
X-Provags-ID: V03:K0:GtPYmbS1gIQrxj6+M64JwiopnyfIhERUMZobDpfPcHR
 b6kbNiF6ovO+7aAwhfcMFIxSgnq8OIUwlN9g8B0WlYz6tGVFOf
 4swv5yajOzDFqSBKaXwK1/Xz2H0M/L+QdNUxpEdwq6zFJtnn72
 lLNJRk+NR6ZrOz+w+QR8Q+wPbaREfh1oyGCjxFMaAeDx/cwbSl
 E2n0nmv5EynyOitLW2sholb0sFEfwPwayt/BR7ZUuKV2WL3C3y
 r97nQBgLx3hSlf6XNqQLz+WoH852nUxPcoW1GaSgyA2GxkGk9d K3DzfQ=
X-UI-Out-Filterresults: notjunk:1;V01:K0:KhJD5V/dwgE=:keAM9J4vu0Jhkn/HKEkWDS
 II4XnmrheEu1OeGDCro2aQ7zTGfEUYscxfa9cBqXgSOzV01wbTrcDCkGi4gVb4w470W7iL1L5
 pib3YGLb5hEGF6CIxTyQ/jHQSE/r7+iOU0fTCjb6bSNwoGaOGzKaaiTxKNFvuVrgejn7NdgSF
 Y2PUT+Sq+1NEQmOvBIwKoxN3dx63SKxeBx4ziwgTaxeZauyPHsgJLZt8omoy+7ABvA1n84g5E
 q6//8qhqVkix6T2c+zolvp64fmLdlvQwazvTud0rkeC1sNteiIyVIJB78zwvZQVyJ5UL5c3LC
 /WtuyNuXwFmN2LtoMahBhEgqRzlGPmIirM5jqGmqNssUsdt3EqjymynEt6TLV/T2XqoBOfVKg
 qNCRlT8zd3XqQrm4yeDPr8rkgJil1jZGuyjannOygLnxyT5sOvjQbdhjuzx36j7IbO6KXQsVU
 gglEDQabvfMpKQ5abxJFu4qypuJv1V0CsCg/NIcSRcOIE3g7KlhFpEQpXrPT0E3VBHy2DzObp
 ahXLrPQGxMBQhjY6Mw8J1c=
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2015 15:22:00 -0000

Hi,

back again. Sorry, I accidently deleted the core file and I'd to wait two weeks until vim crashed again. Xorg didn't crashed so far with the debug libs.

On Tue, Jun 16, 2015 at 09:36 +0200, Konstantin Belousov wrote:
> Ok, so the vim fault is reproducable, I suppose ?

No, I tried, but no chance to do it on purpose. But so far it always happens while resizing the xterm.

Now the entire info you asked for (out of the new core file):


% readelf -d vim | grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libncurses.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libintl.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libpython2.7.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libthr.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]

(gdb) bt
#0  0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
#1  0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
#2  0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
#3  0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
#4  0x000000080083b15d in .text () from /libexec/ld-elf.so.1
#5  0x00000000004e4163 in preserve_exit ()
#6  0x000000000051f118 in mch_libcall ()
#7  0x000000080149f47a in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:240
#8  0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
#9  <signal handler called>
#10 0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
#11 0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
#12 0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
#13 0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
#14 0x000000080083b15d in .text () from /libexec/ld-elf.so.1
#15 0x000000080149f4e2 in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:256
#16 0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
#17 <signal handler called>
#18 select () at select.S:3
#19 0x000000080149cb32 in __select (numfds=1, readfds=0x7fffffffdfb0, writefds=0x0, exceptfds=0x7fffffffdf30, timeout=0x7fffffffe038) at /usr/src/lib/libthr/thread/thr_syscalls.c:561
#20 0x000000000051ac4b in mch_write ()
#21 0x000000000051ae0f in mch_inchar ()
#22 0x00000000005b8647 in ui_inchar ()
#23 0x00000000004aeb8a in inchar ()
#24 0x00000000004b1ffb in vgetc ()
#25 0x00000000004b0efa in vgetc ()
#26 0x00000000004b27b9 in safe_vgetc ()
#27 0x00000000004f59ef in normal_cmd ()
#28 0x00000000005dfec7 in main_loop ()
#29 0x00000000005df538 in main ()


(gdb) info locals
act = {__sigaction_u = {__sa_handler = 0, __sa_sigaction = 0}, sa_flags = 37875000, sa_mask = {__bits = {8, 4239276, 0, 0}}}
info = {si_signo = 0, si_errno = 0, si_code = 37875000, si_pid = 8, si_uid = 37874640, si_status = 8, si_addr = 0x700000008, si_value = {sival_int = 37875104, sival_ptr = 0x80241eda0, sigval_int = 37875104, sigval_ptr = 0x80241eda0}, _reason = {_fault = {_trapno = 141}, 
    _timer = {_timerid = 141, _overrun = 0}, _mesgq = {_mqd = 141}, _poll = {_band = 141}, __spare__ = {__spare1__ = 141, __spare2__ = {0, 0, 8744960, 8, 37874976, 8, 8641467}}}}


(gdb) info registers
rax            0xf0b470 15774832
rbx            0x802406400      34397512704
rcx            0x1      1
rdx            0x80085b800      34368501760
rsi            0x80241ed38      34397613368
rdi            0x8015137d0      34381838288
rbp            0x80241ecd0      0x80241ecd0
rsp            0x8015137d0      0x8015137d0
r8             0x800856600      34368480768
r9             0x8080808080808080       -9187201950435737472
r10            0x41b778 4306808
r11            0x5262   21090
r12            0x1      1
r13            0x839888 8624264
r14            0x8015137d0      34381838288
r15            0x2      2
rip            0x80149e6a2      0x80149e6a2 <check_deferred_signal+82>
eflags         0x10202  66050
cs             0x43     67
ss             0x3b     59
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0


(gdb) disassemble
Dump of assembler code for function check_deferred_signal:
0x000000080149e650 <check_deferred_signal+0>:   push   %rbp
0x000000080149e651 <check_deferred_signal+1>:   mov    %rsp,%rbp
0x000000080149e654 <check_deferred_signal+4>:   push   %r15
0x000000080149e656 <check_deferred_signal+6>:   push   %r14
0x000000080149e658 <check_deferred_signal+8>:   push   %rbx
0x000000080149e659 <check_deferred_signal+9>:   sub    $0x78,%rsp
0x000000080149e65d <check_deferred_signal+13>:  mov    %rdi,%rbx
0x000000080149e660 <check_deferred_signal+16>:  cmpl   $0x0,0x100(%rbx)
0x000000080149e667 <check_deferred_signal+23>:  je     0x80149e672 <check_deferred_signal+34>
0x000000080149e669 <check_deferred_signal+25>:  cmpl   $0x0,0x180(%rbx)
0x000000080149e670 <check_deferred_signal+32>:  je     0x80149e67d <check_deferred_signal+45>
0x000000080149e672 <check_deferred_signal+34>:  lea    -0x18(%rbp),%rsp
0x000000080149e676 <check_deferred_signal+38>:  pop    %rbx
0x000000080149e677 <check_deferred_signal+39>:  pop    %r14
0x000000080149e679 <check_deferred_signal+41>:  pop    %r15
0x000000080149e67b <check_deferred_signal+43>:  pop    %rbp
0x000000080149e67c <check_deferred_signal+44>:  retq   
0x000000080149e67d <check_deferred_signal+45>:  movl   $0x1,0x180(%rbx)
0x000000080149e687 <check_deferred_signal+55>:  callq  0x801498e44 <__getcontextx_size@plt>
0x000000080149e68c <check_deferred_signal+60>:  cltq   
0x000000080149e68e <check_deferred_signal+62>:  mov    %rsp,%r14
0x000000080149e691 <check_deferred_signal+65>:  add    $0xf,%rax
0x000000080149e695 <check_deferred_signal+69>:  and    $0xfffffffffffffff0,%rax
0x000000080149e699 <check_deferred_signal+73>:  sub    %rax,%r14
0x000000080149e69c <check_deferred_signal+76>:  mov    %r14,%rsp
0x000000080149e69f <check_deferred_signal+79>:  mov    %r14,%rdi
0x000000080149e6a2 <check_deferred_signal+82>:  callq  0x801499214 <getcontext@plt>
0x000000080149e6a7 <check_deferred_signal+87>:  cmpl   $0x0,0x100(%rbx)
0x000000080149e6ae <check_deferred_signal+94>:  je     0x80149e73b <check_deferred_signal+235>
0x000000080149e6b4 <check_deferred_signal+100>: lea    0x100(%rbx),%r15
0x000000080149e6bb <check_deferred_signal+107>: mov    %r14,%rdi
0x000000080149e6be <check_deferred_signal+110>: callq  0x801499064 <__fillcontextx2@plt>
0x000000080149e6c3 <check_deferred_signal+115>: movups 0x160(%rbx),%xmm0
0x000000080149e6ca <check_deferred_signal+122>: movups 0x170(%rbx),%xmm1
0x000000080149e6d1 <check_deferred_signal+129>: movaps %xmm1,-0x30(%rbp)
0x000000080149e6d5 <check_deferred_signal+133>: movaps %xmm0,-0x40(%rbp)
0x000000080149e6d9 <check_deferred_signal+137>: movups 0x150(%rbx),%xmm0
0x000000080149e6e0 <check_deferred_signal+144>: movups %xmm0,(%r14)
0x000000080149e6e4 <check_deferred_signal+148>: movups 0x40(%r15),%xmm0
0x000000080149e6e9 <check_deferred_signal+153>: movaps %xmm0,-0x50(%rbp)
0x000000080149e6ed <check_deferred_signal+157>: movups (%r15),%xmm0
0x000000080149e6f1 <check_deferred_signal+161>: movups 0x10(%r15),%xmm1
0x000000080149e6f6 <check_deferred_signal+166>: movups 0x20(%r15),%xmm2
0x000000080149e6fb <check_deferred_signal+171>: movups 0x30(%r15),%xmm3
0x000000080149e700 <check_deferred_signal+176>: movaps %xmm3,-0x60(%rbp)
0x000000080149e704 <check_deferred_signal+180>: movaps %xmm2,-0x70(%rbp)
0x000000080149e708 <check_deferred_signal+184>: movaps %xmm1,-0x80(%rbp)
0x000000080149e70c <check_deferred_signal+188>: movaps %xmm0,-0x90(%rbp)
0x000000080149e713 <check_deferred_signal+195>: movl   $0x0,0x100(%rbx)
0x000000080149e71d <check_deferred_signal+205>: mov    -0x90(%rbp),%esi
0x000000080149e723 <check_deferred_signal+211>: lea    -0x40(%rbp),%rdi
0x000000080149e727 <check_deferred_signal+215>: lea    -0x90(%rbp),%rdx
0x000000080149e72e <check_deferred_signal+222>: mov    %r14,%rcx
0x000000080149e731 <check_deferred_signal+225>: callq  0x80149f390 <handle_signal>
0x000000080149e736 <check_deferred_signal+230>: jmpq   0x80149e672 <check_deferred_signal+34>
0x000000080149e73b <check_deferred_signal+235>: movl   $0x0,0x180(%rbx)
0x000000080149e745 <check_deferred_signal+245>: jmpq   0x80149e672 <check_deferred_signal+34>
End of assembler dump.


I've kept a copy of the vim binary and also the core file, so this time I can answer any further questions much faster. ;)

I can't help much with those assembler part. But I've looked into /usr/src/lib/libthr/thread/thr_sig.c and there is alloca used at line 330:

   330      uc = alloca(uc_len);
   331      getcontext(uc);

I would bet using malloc and check for NULL will help to fix this problem. Well, there will be a free needed before return and one at the end of check_deferred_signal, but that's better than an unsafe alloca.

Sincerely yours Andre.