pkgsrc-Users archive


kmovb bug again (was Re: Firefox stability?)



Alexander Nasonov wrote:
> Martin Husemann wrote:
> > On Mon, Jan 09, 2017 at 08:36:28PM +0000, Alexander Nasonov wrote:
> > > 50.1.0 crashes reliably on panopticlick.eff.org for me, it's very
> > > similar to this bug:
> > 
> Thread 1 received signal SIGILL, Illegal instruction.
> [Switching to LWP 1]
> 0x00007f7ff7e1f09e in ?? ()
> (gdb) bt
> #0  0x00007f7ff7e1f09e in ?? ()
> #1  0x00007f7fd1f23000 in ?? ()
> #2  0x00007f7fffffaa50 in ?? ()
> #3  0x0000000000000003 in ?? ()
> #4  0x0000000000000000 in ?? ()
> (gdb) x/30i 0x00007f7ff7e1f09e
> => 0x7f7ff7e1f09e:      kmovb  %r15d,%k0
>    0x7f7ff7e1f0a3:      kmovw  %k0,%esi
>    0x7f7ff7e1f0a7:      and    $0x1,%esi
>    0x7f7ff7e1f0ad:      vpxor  %xmm5,%xmm5,%xmm5
>    0x7f7ff7e1f0b1:      test   %sil,%sil
>    0x7f7ff7e1f0b4:      jne    0x7f7ff7e1f112
>    0x7f7ff7e1f0b6:      and    $0x1,%ebx
>    0x7f7ff7e1f0bc:      kmovw  %ebx,%k0
>    0x7f7ff7e1f0c0:      kmovw  %k0,%esi
>    0x7f7ff7e1f0c4:      and    $0x1,%esi
>    0x7f7ff7e1f0ca:      vpxor  %xmm5,%xmm5,%xmm5
>    0x7f7ff7e1f0ce:      test   %sil,%sil
>    0x7f7ff7e1f0d1:      jne    0x7f7ff7e1f112
>    0x7f7ff7e1f0d3:      and    $0x1,%edx
>    0x7f7ff7e1f0d9:      kmovw  %edx,%k0
>    0x7f7ff7e1f0dd:      kmovw  %k0,%edx
>    0x7f7ff7e1f0e1:      and    $0x1,%edx
>    0x7f7ff7e1f0e7:      vpxor  %xmm5,%xmm5,%xmm5
>    0x7f7ff7e1f0eb:      test   %dl,%dl
>    0x7f7ff7e1f0ed:      jne    0x7f7ff7e1f112

This bug hit me again, this time when starting ricochet.im messenger.

(gdb) run
Starting program: /home/alnsn/pkgsrc/WRKOBJDIR/head/gcc-NetBSD/chat/ricochet/work/ricochet-1.1.4/ricochet
[New LWP 3]
[New LWP 7]
[New LWP 6]
[New LWP 5]
[New LWP 4]
[New LWP 2]

Thread 1 received signal SIGILL, Illegal instruction.
[Switching to LWP 1]
0x000076617d25c0d1 in ?? ()
(gdb) x/20i 0x000076617d25c0d1
=> 0x76617d25c0d1:      kmovb  %r13d,%k0
   0x76617d25c0d6:      kmovw  %k0,%ebx
   0x76617d25c0da:      and    $0x1,%ebx
   0x76617d25c0e0:      vxorps %xmm14,%xmm14,%xmm14
   0x76617d25c0e5:      test   %bl,%bl
   0x76617d25c0e7:      jne    0x76617d25c145
   0x76617d25c0e9:      and    $0x1,%edi
   0x76617d25c0ef:      kmovw  %edi,%k0
   0x76617d25c0f3:      kmovw  %k0,%edi
   0x76617d25c0f7:      and    $0x1,%edi
   0x76617d25c0fd:      vxorps %xmm14,%xmm14,%xmm14
   0x76617d25c102:      test   %dil,%dil
   0x76617d25c105:      jne    0x76617d25c145
   0x76617d25c107:      and    $0x1,%edx
   0x76617d25c10d:      kmovw  %edx,%k0
   0x76617d25c111:      kmovw  %k0,%edx
   0x76617d25c115:      and    $0x1,%edx
   0x76617d25c11b:      vxorps %xmm14,%xmm14,%xmm14
   0x76617d25c120:      test   %dl,%dl
   0x76617d25c122:      jne    0x76617d25c145


In kdump, I see mprotect right before the crash:

  4106      1 ricochet CALL  mprotect(0x73ec02890000,0x2000,5)
  4106      1 ricochet RET   mprotect 0
  4106      1 ricochet CALL  mprotect(0x73ec0288f000,0x1000,5)
  4106      1 ricochet RET   mprotect 0
  4106      1 ricochet CALL  mprotect(0x73ec0288f000,0x1000,5)
  4106      1 ricochet RET   mprotect 0
  4106      1 ricochet CALL  munmap(0x73ebfa100000,0x100000)
  4106      1 ricochet RET   munmap 0
  4106      1 ricochet PSIG  SIGILL SIG_DFL: code=ILL_PRVOPC, addr=0x73ec028900d1, trap=0)

and it's the only mprotect with size 0x2000 and prot 5.

Unfortunately, if I set a conditional breakpoint, gdb hangs:

$ cat session.gdb
b main
run
b mprotect if $rsi==0x2000 && $rdx==5
c

$ gdb -x session.gdb ./ricochet


If anyone wants to debug it, here is my unfinished chat/ricochet
packaging attempt:

$ cat distinfo
$NetBSD$

SHA1 (ricochet-1.1.4-src.tar.bz2) = 2a13d65cf13e864a469713c47b222760d01a1839
RMD160 (ricochet-1.1.4-src.tar.bz2) = d737a18beda009cb8c1bfa98c1157e778629314b
SHA512 (ricochet-1.1.4-src.tar.bz2) = a2f2b203beee98eeddc184bcbffa8c00ea9bee46121dce05feda0b39e1c05a82e1ae937b4c32e66dd15a0a1e7cc7e676b9f3ed9a9d3e0a4115e05c3019eb6f27
Size (ricochet-1.1.4-src.tar.bz2) = 1183887 bytes

$ cat Makefile
# $NetBSD$

PKGNAME=        ricochet-1.1.4
DISTNAME=       ${PKGNAME}-src
CATEGORIES=     chat
MASTER_SITES=   https://ricochet.im/releases/1.1.4/
EXTRACT_SUFX=   .tar.bz2

MAINTAINER=     alnsn%NetBSD.org@localhost
HOMEPAGE=       https://ricochet.im/releases/1.1.4/
COMMENT=        Anonymous peer-to-peer instant messaging
LICENSE=        modified-bsd

USE_LANGUAGES=  c++
USE_TOOLS+=     gmake libtool pkg-config

WRKSRC=         ${WRKDIR}/ricochet-1.1.4

pre-build:
        ${LN} -sf ${QTDIR}/bin/qmake ${BUILDLINK_DIR}/bin/

do-build:
        cd ${WRKSRC} && qmake && gmake

.include "../../devel/protobuf/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../x11/qt5-qtbase/buildlink3.mk"
.include "../../x11/qt5-qtdeclarative/buildlink3.mk"
.include "../../x11/qt5-qtmultimedia/buildlink3.mk"
.include "../../x11/qt5-qtquick1/buildlink3.mk"
.include "../../x11/qt5-qtquickcontrols/buildlink3.mk"
.include "../../x11/qt5-qttools/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"

Alex
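
Both traces above stop on kmovb, which belongs to AVX512DQ (kmovw alone only needs AVX512F), inside a freshly mprotect'ed read+execute region, i.e. code a JIT emitted at run time; the guard such a JIT has to pass before it may emit either instruction is CPUID feature bits plus the OS-enabled XCR0 state. The following C program is an added example written for this archive, not code from the thread or from ricochet; the function and macro names are mine, and the XCR0/CPUID bit positions are the architectural ones.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
#define CPUID7_EBX_AVX512F  (1u << 16)  /* CPUID.(7,0):EBX: kmovw and the foundation set */
#define CPUID7_EBX_AVX512DQ (1u << 17)  /* CPUID.(7,0):EBX: kmovb, kmovq and other DQ ops */
#define CPUID1_ECX_OSXSAVE  (1u << 27)  /* CPUID.1:ECX: OS enabled XSAVE, XGETBV is legal */
/* XCR0 components (opmask, ZMM_Hi256, Hi16_ZMM) the OS must enable for AVX-512. */
#define XCR0_AVX512_STATE   ((1ull << 5) | (1ull << 6) | (1ull << 7))

/* Decision logic on already-fetched register values, kept separate so it can be
   exercised with constructed inputs on any host. Returns 0 if neither mask move
   may be emitted, 1 if only kmovw is legal (AVX512F), 2 if kmovb is legal too. */
int kmov_support_from_regs(uint32_t cpuid1_ecx, uint32_t cpuid7_ebx, uint64_t xcr0)
{
    if (!(cpuid1_ecx & CPUID1_ECX_OSXSAVE))
        return 0;                         /* XCR0 unreadable, extended state unsaved */
    if ((xcr0 & XCR0_AVX512_STATE) != XCR0_AVX512_STATE)
        return 0;                         /* OS does not preserve opmask/ZMM state */
    if (!(cpuid7_ebx & CPUID7_EBX_AVX512F))
        return 0;
    return (cpuid7_ebx & CPUID7_EBX_AVX512DQ) ? 2 : 1;
}

/* Query the running CPU and OS; reports 0 when built for a non-x86 target. */
int kmov_support_here(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a = 0, b = 0, c = 0, d = 0;
    uint32_t ecx1 = 0, ebx7 = 0;
    uint64_t xcr0 = 0;
    if (__get_cpuid(1, &a, &b, &c, &d)) ecx1 = c;
    if (__get_cpuid_max(0, 0) >= 7) {
        __cpuid_count(7, 0, a, b, c, d);  /* subleaf 0 carries the AVX-512 bits */
        ebx7 = b;
    }
    if (ecx1 & CPUID1_ECX_OSXSAVE) {     /* only then is XGETBV itself not a #UD */
        __asm__ volatile("xgetbv" : "=a"(a), "=d"(d) : "c"(0));
        xcr0 = ((uint64_t)d << 32) | a;
    }
    return kmov_support_from_regs(ecx1, ebx7, xcr0);
#else
    return 0;
#endif
}

int main(void) { printf("kmov support level: %d\n", kmov_support_here()); return 0; }
```

A level below 2 on the machine that crashed would confirm that the generated kmovb could never have executed there, whatever the emitter believed.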

