From owner-freebsd-stable@freebsd.org  Fri Jul  3 21:11:23 2015
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9B528993A76
 for <freebsd-stable@mailman.ysv.freebsd.org>;
 Fri,  3 Jul 2015 21:11:23 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 155F91DF4
 for <freebsd-stable@freebsd.org>; Fri,  3 Jul 2015 21:11:22 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from tom.home (kostik@localhost [127.0.0.1])
 by kib.kiev.ua (8.14.9/8.14.9) with ESMTP id t63LBB7O007717
 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
 Sat, 4 Jul 2015 00:11:11 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.9.2 kib.kiev.ua t63LBB7O007717
Received: (from kostik@localhost)
 by tom.home (8.14.9/8.14.9/Submit) id t63LBB1o007716;
 Sat, 4 Jul 2015 00:11:11 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Sat, 4 Jul 2015 00:11:11 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Andre Meiser <ortadur@web.de>
Cc: freebsd-stable@freebsd.org
Subject: Re: Many core dumps in pthread_getspecific.
Message-ID: <20150703211111.GZ2080@kib.kiev.ua>
References: <trinity-d3a62468-a8fd-44c3-ab9c-8b177ca8a366-1433331244003@3capp-webde-bs60>
 <20150603145838.GX2499@kib.kiev.ua>
 <trinity-15fcacbd-871c-4ea8-9257-5d11e7862ec0-1434103396559@3capp-webde-bs41>
 <20150614190504.GT2080@kib.kiev.ua>
 <trinity-e44527ae-e511-4ff3-bcdf-ee8426fc8a94-1434438565708@3capp-webde-bs53>
 <20150616073637.GO2080@kib.kiev.ua>
 <trinity-9d219acd-7aa9-4574-a9ad-458b52374069-1435936910016@3capp-webde-bs27>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <trinity-9d219acd-7aa9-4574-a9ad-458b52374069-1435936910016@3capp-webde-bs27>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no
 autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2015 21:11:23 -0000

On Fri, Jul 03, 2015 at 05:21:50PM +0200, Andre Meiser wrote:
> Hi,
> 
> back again. Sorry, I accidently deleted the core file and I'd to wait two weeks until vim crashed again. Xorg didn't crashed so far with the debug libs.
> 
> On Tue, Jun 16, 2015 at 09:36 +0200, Konstantin Belousov wrote:
> > Ok, so the vim fault is reproducable, I suppose ?
> 
> No, I tried, but no chance to do it on purpose. But so far it always happens while resizing the xterm.
> 
> Now the entire info you asked for (out of the new core file):
> 
> 
> % readelf -d vim | grep NEEDED
>  0x0000000000000001 (NEEDED)             Shared library: [libm.so.5]
>  0x0000000000000001 (NEEDED)             Shared library: [libncurses.so.8]
>  0x0000000000000001 (NEEDED)             Shared library: [libintl.so.8]
>  0x0000000000000001 (NEEDED)             Shared library: [libpython2.7.so.1]
>  0x0000000000000001 (NEEDED)             Shared library: [libthr.so.3]
>  0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]
> 
> (gdb) bt
> #0  0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
> #1  0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
> #2  0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
> #3  0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
> #4  0x000000080083b15d in .text () from /libexec/ld-elf.so.1
> #5  0x00000000004e4163 in preserve_exit ()
> #6  0x000000000051f118 in mch_libcall ()
> #7  0x000000080149f47a in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:240
> #8  0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
> #9  <signal handler called>
> #10 0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
> #11 0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
> #12 0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
> #13 0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
> #14 0x000000080083b15d in .text () from /libexec/ld-elf.so.1
> #15 0x000000080149f4e2 in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:256
> #16 0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
> #17 <signal handler called>
> #18 select () at select.S:3
> #19 0x000000080149cb32 in __select (numfds=1, readfds=0x7fffffffdfb0, writefds=0x0, exceptfds=0x7fffffffdf30, timeout=0x7fffffffe038) at /usr/src/lib/libthr/thread/thr_syscalls.c:561
> #20 0x000000000051ac4b in mch_write ()
> #21 0x000000000051ae0f in mch_inchar ()
> #22 0x00000000005b8647 in ui_inchar ()
> #23 0x00000000004aeb8a in inchar ()
> #24 0x00000000004b1ffb in vgetc ()
> #25 0x00000000004b0efa in vgetc ()
> #26 0x00000000004b27b9 in safe_vgetc ()
> #27 0x00000000004f59ef in normal_cmd ()
> #28 0x00000000005dfec7 in main_loop ()
> #29 0x00000000005df538 in main ()
> 
> 
> (gdb) info locals
> act = {__sigaction_u = {__sa_handler = 0, __sa_sigaction = 0}, sa_flags = 37875000, sa_mask = {__bits = {8, 4239276, 0, 0}}}
> info = {si_signo = 0, si_errno = 0, si_code = 37875000, si_pid = 8, si_uid = 37874640, si_status = 8, si_addr = 0x700000008, si_value = {sival_int = 37875104, sival_ptr = 0x80241eda0, sigval_int = 37875104, sigval_ptr = 0x80241eda0}, _reason = {_fault = {_trapno = 141}, 
>     _timer = {_timerid = 141, _overrun = 0}, _mesgq = {_mqd = 141}, _poll = {_band = 141}, __spare__ = {__spare1__ = 141, __spare2__ = {0, 0, 8744960, 8, 37874976, 8, 8641467}}}}
> 
> 
> (gdb) info registers
> rax            0xf0b470 15774832
> rbx            0x802406400      34397512704
> rcx            0x1      1
> rdx            0x80085b800      34368501760
> rsi            0x80241ed38      34397613368
> rdi            0x8015137d0      34381838288
> rbp            0x80241ecd0      0x80241ecd0
> rsp            0x8015137d0      0x8015137d0
> r8             0x800856600      34368480768
> r9             0x8080808080808080       -9187201950435737472
> r10            0x41b778 4306808
> r11            0x5262   21090
> r12            0x1      1
> r13            0x839888 8624264
> r14            0x8015137d0      34381838288
> r15            0x2      2
> rip            0x80149e6a2      0x80149e6a2 <check_deferred_signal+82>
> eflags         0x10202  66050
> cs             0x43     67
> ss             0x3b     59
> ds             0x0      0
> es             0x0      0
> fs             0x0      0
> gs             0x0      0
> 
> 
> (gdb) disassemble
> Dump of assembler code for function check_deferred_signal:
> 0x000000080149e650 <check_deferred_signal+0>:   push   %rbp
> 0x000000080149e651 <check_deferred_signal+1>:   mov    %rsp,%rbp
> 0x000000080149e654 <check_deferred_signal+4>:   push   %r15
> 0x000000080149e656 <check_deferred_signal+6>:   push   %r14
> 0x000000080149e658 <check_deferred_signal+8>:   push   %rbx
> 0x000000080149e659 <check_deferred_signal+9>:   sub    $0x78,%rsp
> 0x000000080149e65d <check_deferred_signal+13>:  mov    %rdi,%rbx
> 0x000000080149e660 <check_deferred_signal+16>:  cmpl   $0x0,0x100(%rbx)
> 0x000000080149e667 <check_deferred_signal+23>:  je     0x80149e672 <check_deferred_signal+34>
> 0x000000080149e669 <check_deferred_signal+25>:  cmpl   $0x0,0x180(%rbx)
> 0x000000080149e670 <check_deferred_signal+32>:  je     0x80149e67d <check_deferred_signal+45>
> 0x000000080149e672 <check_deferred_signal+34>:  lea    -0x18(%rbp),%rsp
> 0x000000080149e676 <check_deferred_signal+38>:  pop    %rbx
> 0x000000080149e677 <check_deferred_signal+39>:  pop    %r14
> 0x000000080149e679 <check_deferred_signal+41>:  pop    %r15
> 0x000000080149e67b <check_deferred_signal+43>:  pop    %rbp
> 0x000000080149e67c <check_deferred_signal+44>:  retq   
> 0x000000080149e67d <check_deferred_signal+45>:  movl   $0x1,0x180(%rbx)
> 0x000000080149e687 <check_deferred_signal+55>:  callq  0x801498e44 <__getcontextx_size@plt>
> 0x000000080149e68c <check_deferred_signal+60>:  cltq   
> 0x000000080149e68e <check_deferred_signal+62>:  mov    %rsp,%r14
> 0x000000080149e691 <check_deferred_signal+65>:  add    $0xf,%rax
> 0x000000080149e695 <check_deferred_signal+69>:  and    $0xfffffffffffffff0,%rax
> 0x000000080149e699 <check_deferred_signal+73>:  sub    %rax,%r14
> 0x000000080149e69c <check_deferred_signal+76>:  mov    %r14,%rsp
> 0x000000080149e69f <check_deferred_signal+79>:  mov    %r14,%rdi
> 0x000000080149e6a2 <check_deferred_signal+82>:  callq  0x801499214 <getcontext@plt>
> 0x000000080149e6a7 <check_deferred_signal+87>:  cmpl   $0x0,0x100(%rbx)
> 0x000000080149e6ae <check_deferred_signal+94>:  je     0x80149e73b <check_deferred_signal+235>
> 0x000000080149e6b4 <check_deferred_signal+100>: lea    0x100(%rbx),%r15
> 0x000000080149e6bb <check_deferred_signal+107>: mov    %r14,%rdi
> 0x000000080149e6be <check_deferred_signal+110>: callq  0x801499064 <__fillcontextx2@plt>
> 0x000000080149e6c3 <check_deferred_signal+115>: movups 0x160(%rbx),%xmm0
> 0x000000080149e6ca <check_deferred_signal+122>: movups 0x170(%rbx),%xmm1
> 0x000000080149e6d1 <check_deferred_signal+129>: movaps %xmm1,-0x30(%rbp)
> 0x000000080149e6d5 <check_deferred_signal+133>: movaps %xmm0,-0x40(%rbp)
> 0x000000080149e6d9 <check_deferred_signal+137>: movups 0x150(%rbx),%xmm0
> 0x000000080149e6e0 <check_deferred_signal+144>: movups %xmm0,(%r14)
> 0x000000080149e6e4 <check_deferred_signal+148>: movups 0x40(%r15),%xmm0
> 0x000000080149e6e9 <check_deferred_signal+153>: movaps %xmm0,-0x50(%rbp)
> 0x000000080149e6ed <check_deferred_signal+157>: movups (%r15),%xmm0
> 0x000000080149e6f1 <check_deferred_signal+161>: movups 0x10(%r15),%xmm1
> 0x000000080149e6f6 <check_deferred_signal+166>: movups 0x20(%r15),%xmm2
> 0x000000080149e6fb <check_deferred_signal+171>: movups 0x30(%r15),%xmm3
> 0x000000080149e700 <check_deferred_signal+176>: movaps %xmm3,-0x60(%rbp)
> 0x000000080149e704 <check_deferred_signal+180>: movaps %xmm2,-0x70(%rbp)
> 0x000000080149e708 <check_deferred_signal+184>: movaps %xmm1,-0x80(%rbp)
> 0x000000080149e70c <check_deferred_signal+188>: movaps %xmm0,-0x90(%rbp)
> 0x000000080149e713 <check_deferred_signal+195>: movl   $0x0,0x100(%rbx)
> 0x000000080149e71d <check_deferred_signal+205>: mov    -0x90(%rbp),%esi
> 0x000000080149e723 <check_deferred_signal+211>: lea    -0x40(%rbp),%rdi
> 0x000000080149e727 <check_deferred_signal+215>: lea    -0x90(%rbp),%rdx
> 0x000000080149e72e <check_deferred_signal+222>: mov    %r14,%rcx
> 0x000000080149e731 <check_deferred_signal+225>: callq  0x80149f390 <handle_signal>
> 0x000000080149e736 <check_deferred_signal+230>: jmpq   0x80149e672 <check_deferred_signal+34>
> 0x000000080149e73b <check_deferred_signal+235>: movl   $0x0,0x180(%rbx)
> 0x000000080149e745 <check_deferred_signal+245>: jmpq   0x80149e672 <check_deferred_signal+34>
> End of assembler dump.
> 
> 
> I've kept a copy of the vim binary and also the core file, so this time I can answer any further questions much faster. ;)
> 
> I can't help much with those assembler part. But I've looked into /usr/src/lib/libthr/thread/thr_sig.c and there is alloca used at line 330:
> 
>    330      uc = alloca(uc_len);
>    331      getcontext(uc);
> 
> I would bet using malloc and check for NULL will help to fix this problem. Well, there will be a free needed before return and one at the end of check_deferred_signal, but that's better than an unsafe alloca.
> 
You would be wrong.

It seems that there is a recursion into rtld which cannot work when returning
from the signal.  Try the following patch, but I am unsure how easy is to
see whether the patch helps.

diff --git a/lib/libthr/thread/thr_sig.c b/lib/libthr/thread/thr_sig.c
index a6d021f..ebb6c58 100644
--- a/lib/libthr/thread/thr_sig.c
+++ b/lib/libthr/thread/thr_sig.c
@@ -30,6 +30,7 @@
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/signalvar.h>
+#include <sys/syscall.h>
 #include <signal.h>
 #include <errno.h>
 #include <stdlib.h>
@@ -257,7 +258,7 @@ handle_signal(struct sigaction *actp, int sig, siginfo_t *info, ucontext_t *ucp)
 	/* reschedule cancellation */
 	check_cancel(curthread, &uc2);
 	errno = err;
-	__sys_sigreturn(&uc2);
+	syscall(SYS_sigreturn, &uc2);
 }
 
 void