Date: Fri, 3 Jul 2015 17:21:50 +0200
From: "Andre Meiser" <ortadur@web.de>
To: "Konstantin Belousov" <kostikbel@gmail.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: Many core dumps in pthread_getspecific.
Message-ID: <trinity-9d219acd-7aa9-4574-a9ad-458b52374069-1435936910016@3capp-webde-bs27>
In-Reply-To: <20150616073637.GO2080@kib.kiev.ua>
References: <trinity-d3a62468-a8fd-44c3-ab9c-8b177ca8a366-1433331244003@3capp-webde-bs60> <20150603145838.GX2499@kib.kiev.ua> <trinity-15fcacbd-871c-4ea8-9257-5d11e7862ec0-1434103396559@3capp-webde-bs41> <20150614190504.GT2080@kib.kiev.ua> <trinity-e44527ae-e511-4ff3-bcdf-ee8426fc8a94-1434438565708@3capp-webde-bs53> <20150616073637.GO2080@kib.kiev.ua>
Hi, back again.

Sorry, I accidentally deleted the core file and I had to wait two weeks until vim crashed again. Xorg didn't crash so far with the debug libs.

On Tue, Jun 16, 2015 at 09:36 +0200, Konstantin Belousov wrote:
> Ok, so the vim fault is reproducable, I suppose ?

No, I tried, but no chance to do it on purpose. But so far it always happens while resizing the xterm.

Now the entire info you asked for (out of the new core file):

% readelf -d vim | grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libncurses.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libintl.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libpython2.7.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libthr.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]

(gdb) bt
#0  0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
#1  0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
#2  0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
#3  0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
#4  0x000000080083b15d in .text () from /libexec/ld-elf.so.1
#5  0x00000000004e4163 in preserve_exit ()
#6  0x000000000051f118 in mch_libcall ()
#7  0x000000080149f47a in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:240
#8  0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
#9  <signal handler called>
#10 0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
#11 0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
#12 0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
#13 0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
#14 0x000000080083b15d in .text () from /libexec/ld-elf.so.1
#15 0x000000080149f4e2 in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:256
#16 0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
#17 <signal handler called>
#18 select () at select.S:3
#19 0x000000080149cb32 in __select (numfds=1, readfds=0x7fffffffdfb0, writefds=0x0, exceptfds=0x7fffffffdf30, timeout=0x7fffffffe038) at /usr/src/lib/libthr/thread/thr_syscalls.c:561
#20 0x000000000051ac4b in mch_write ()
#21 0x000000000051ae0f in mch_inchar ()
#22 0x00000000005b8647 in ui_inchar ()
#23 0x00000000004aeb8a in inchar ()
#24 0x00000000004b1ffb in vgetc ()
#25 0x00000000004b0efa in vgetc ()
#26 0x00000000004b27b9 in safe_vgetc ()
#27 0x00000000004f59ef in normal_cmd ()
#28 0x00000000005dfec7 in main_loop ()
#29 0x00000000005df538 in main ()

(gdb) info locals
act = {__sigaction_u = {__sa_handler = 0, __sa_sigaction = 0}, sa_flags = 37875000, sa_mask = {__bits = {8, 4239276, 0, 0}}}
info = {si_signo = 0, si_errno = 0, si_code = 37875000, si_pid = 8, si_uid = 37874640, si_status = 8, si_addr = 0x700000008, si_value = {sival_int = 37875104, sival_ptr = 0x80241eda0, sigval_int = 37875104, sigval_ptr = 0x80241eda0}, _reason = {_fault = {_trapno = 141}, _timer = {_timerid = 141, _overrun = 0}, _mesgq = {_mqd = 141}, _poll = {_band = 141}, __spare__ = {__spare1__ = 141, __spare2__ = {0, 0, 8744960, 8, 37874976, 8, 8641467}}}}

(gdb) info registers
rax            0xf0b470	15774832
rbx            0x802406400	34397512704
rcx            0x1	1
rdx            0x80085b800	34368501760
rsi            0x80241ed38	34397613368
rdi            0x8015137d0	34381838288
rbp            0x80241ecd0	0x80241ecd0
rsp            0x8015137d0	0x8015137d0
r8             0x800856600	34368480768
r9             0x8080808080808080	-9187201950435737472
r10            0x41b778	4306808
r11            0x5262	21090
r12            0x1	1
r13            0x839888	8624264
r14            0x8015137d0	34381838288
r15            0x2	2
rip            0x80149e6a2	0x80149e6a2 <check_deferred_signal+82>
eflags         0x10202	66050
cs             0x43	67
ss             0x3b	59
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

(gdb) disassemble
Dump of assembler code for function check_deferred_signal:
0x000000080149e650 <check_deferred_signal+0>:	push   %rbp
0x000000080149e651 <check_deferred_signal+1>:	mov    %rsp,%rbp
0x000000080149e654 <check_deferred_signal+4>:	push   %r15
0x000000080149e656 <check_deferred_signal+6>:	push   %r14
0x000000080149e658 <check_deferred_signal+8>:	push   %rbx
0x000000080149e659 <check_deferred_signal+9>:	sub    $0x78,%rsp
0x000000080149e65d <check_deferred_signal+13>:	mov    %rdi,%rbx
0x000000080149e660 <check_deferred_signal+16>:	cmpl   $0x0,0x100(%rbx)
0x000000080149e667 <check_deferred_signal+23>:	je     0x80149e672 <check_deferred_signal+34>
0x000000080149e669 <check_deferred_signal+25>:	cmpl   $0x0,0x180(%rbx)
0x000000080149e670 <check_deferred_signal+32>:	je     0x80149e67d <check_deferred_signal+45>
0x000000080149e672 <check_deferred_signal+34>:	lea    -0x18(%rbp),%rsp
0x000000080149e676 <check_deferred_signal+38>:	pop    %rbx
0x000000080149e677 <check_deferred_signal+39>:	pop    %r14
0x000000080149e679 <check_deferred_signal+41>:	pop    %r15
0x000000080149e67b <check_deferred_signal+43>:	pop    %rbp
0x000000080149e67c <check_deferred_signal+44>:	retq
0x000000080149e67d <check_deferred_signal+45>:	movl   $0x1,0x180(%rbx)
0x000000080149e687 <check_deferred_signal+55>:	callq  0x801498e44 <__getcontextx_size@plt>
0x000000080149e68c <check_deferred_signal+60>:	cltq
0x000000080149e68e <check_deferred_signal+62>:	mov    %rsp,%r14
0x000000080149e691 <check_deferred_signal+65>:	add    $0xf,%rax
0x000000080149e695 <check_deferred_signal+69>:	and    $0xfffffffffffffff0,%rax
0x000000080149e699 <check_deferred_signal+73>:	sub    %rax,%r14
0x000000080149e69c <check_deferred_signal+76>:	mov    %r14,%rsp
0x000000080149e69f <check_deferred_signal+79>:	mov    %r14,%rdi
0x000000080149e6a2 <check_deferred_signal+82>:	callq  0x801499214 <getcontext@plt>
0x000000080149e6a7 <check_deferred_signal+87>:	cmpl   $0x0,0x100(%rbx)
0x000000080149e6ae <check_deferred_signal+94>:	je     0x80149e73b <check_deferred_signal+235>
0x000000080149e6b4 <check_deferred_signal+100>:	lea    0x100(%rbx),%r15
0x000000080149e6bb <check_deferred_signal+107>:	mov    %r14,%rdi
0x000000080149e6be <check_deferred_signal+110>:	callq  0x801499064 <__fillcontextx2@plt>
0x000000080149e6c3 <check_deferred_signal+115>:	movups 0x160(%rbx),%xmm0
0x000000080149e6ca <check_deferred_signal+122>:	movups 0x170(%rbx),%xmm1
0x000000080149e6d1 <check_deferred_signal+129>:	movaps %xmm1,-0x30(%rbp)
0x000000080149e6d5 <check_deferred_signal+133>:	movaps %xmm0,-0x40(%rbp)
0x000000080149e6d9 <check_deferred_signal+137>:	movups 0x150(%rbx),%xmm0
0x000000080149e6e0 <check_deferred_signal+144>:	movups %xmm0,(%r14)
0x000000080149e6e4 <check_deferred_signal+148>:	movups 0x40(%r15),%xmm0
0x000000080149e6e9 <check_deferred_signal+153>:	movaps %xmm0,-0x50(%rbp)
0x000000080149e6ed <check_deferred_signal+157>:	movups (%r15),%xmm0
0x000000080149e6f1 <check_deferred_signal+161>:	movups 0x10(%r15),%xmm1
0x000000080149e6f6 <check_deferred_signal+166>:	movups 0x20(%r15),%xmm2
0x000000080149e6fb <check_deferred_signal+171>:	movups 0x30(%r15),%xmm3
0x000000080149e700 <check_deferred_signal+176>:	movaps %xmm3,-0x60(%rbp)
0x000000080149e704 <check_deferred_signal+180>:	movaps %xmm2,-0x70(%rbp)
0x000000080149e708 <check_deferred_signal+184>:	movaps %xmm1,-0x80(%rbp)
0x000000080149e70c <check_deferred_signal+188>:	movaps %xmm0,-0x90(%rbp)
0x000000080149e713 <check_deferred_signal+195>:	movl   $0x0,0x100(%rbx)
0x000000080149e71d <check_deferred_signal+205>:	mov    -0x90(%rbp),%esi
0x000000080149e723 <check_deferred_signal+211>:	lea    -0x40(%rbp),%rdi
0x000000080149e727 <check_deferred_signal+215>:	lea    -0x90(%rbp),%rdx
0x000000080149e72e <check_deferred_signal+222>:	mov    %r14,%rcx
0x000000080149e731 <check_deferred_signal+225>:	callq  0x80149f390 <handle_signal>
0x000000080149e736 <check_deferred_signal+230>:	jmpq   0x80149e672 <check_deferred_signal+34>
0x000000080149e73b <check_deferred_signal+235>:	movl   $0x0,0x180(%rbx)
0x000000080149e745 <check_deferred_signal+245>:	jmpq   0x80149e672 <check_deferred_signal+34>
End of assembler dump.

I've kept a copy of the vim binary and also the core file, so this time I can answer any further questions much faster. ;)

I can't help much with that assembler part. But I've looked into /usr/src/lib/libthr/thread/thr_sig.c and there is alloca used at line 330:

    330         uc = alloca(uc_len);
    331         getcontext(uc);

I would bet using malloc and checking for NULL will help to fix this problem. Well, there will be a free needed before return and one at the end of check_deferred_signal, but that's better than an unsafe alloca.

Sincerely yours
Andre.