NetBSD-Bugs archive
Re: pkg/59017: ruby32 crashes in asciidoctor
OK, I spoke too soon: the crash still happens sometimes with the
patch, but it's stochastic; I guess I just got lucky with the first
few trials.
However, with the patch to enable sigaltstack -- and, more
importantly, to enable SA_SIGINFO -- I have more information now.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007a007667b701 in uleb128 (p=0x7a007623dca0) at addr2line.c:206
206 addr2line.c: No such file or directory.
(gdb) bt
#0 0x00007a007667b701 in uleb128 (p=0x7a007623dca0) at addr2line.c:206
#1 di_read_debug_abbrev_cu (reader=0x7a007623dce0) at addr2line.c:1048
#2 di_read_cu (reader=0x7a007623dce0) at addr2line.c:1737
#3 fill_lines (num_traces=num_traces@entry=5,
traces=traces@entry=0x7a0076b26680 <trace>,
check_debuglink=check_debuglink@entry=1, objp=objp@entry=0x7a007623e658,
lines=lines@entry=0x7a0075eb6a00, offset=offset@entry=0)
at addr2line.c:2167
#4 0x00007a007667d4f1 in rb_dump_backtrace_with_lines (
num_traces=<optimized out>, traces=traces@entry=0x7a0076b26680 <trace>)
at addr2line.c:2611
#5 0x00007a00766716d0 in rb_print_backtrace () at vm_dump.c:787
#6 0x00007a00766717cc in rb_vm_bugreport (ctx=ctx@entry=0x7a007623ea20)
at vm_dump.c:1080
#7 0x00007a00764e9f98 in rb_bug_for_fatal_signal (default_sighandler=0x0,
sig=sig@entry=11, ctx=ctx@entry=0x7a007623ea20,
fmt=fmt@entry=0x7a00767bb52e "Segmentation fault at %p") at error.c:813
#8 0x00007a00765f0084 in sigsegv (sig=11, info=0x7a007623e9a0,
ctx=0x7a007623ea20) at signal.c:964
#9 0x00007a00746a1da0 in _opendir (name=<optimized out>)
at /usr/src/9/lib/libc/gen/opendir.c:72
#10 0x000000010000000b in ?? ()
#11 0x0000000000000000 in ?? ()
(gdb) fr 8
#8 0x00007a00765f0084 in sigsegv (sig=11, info=0x7a007623e9a0,
ctx=0x7a007623ea20) at signal.c:964
964 rb_bug_for_fatal_signal(default_sigsegv_handler, sig, SIGINFO_CTX, "Segmentation fault" MESSAGE_FAULT_ADDRESS);
(gdb) print *info
$1 = {
si_pad = "\v\000\000\000\001", '\000' <repeats 12 times>, "\240\000\377\177\177\000\000\006", '\000' <repeats 102 times>, _info = {_signo = 11, _code = 1,
_errno = 0, _pad = 0, _reason = {_rt = {_pid = -16736256, _uid = 32639,
_value = {sival_int = 6, sival_ptr = 0x6}}, _child = {
_pid = -16736256, _uid = 32639, _status = 6, _utime = 0, _stime = 0},
_fault = {_addr = 0x7f7fff00a000, _trap = 6, _trap2 = 0, _trap3 = 0},
_poll = {_band = 140187715805184, _fd = 6}, _syscall = {
_sysnum = -16736256, _retval = {32639, 6}, _error = 0, _args = {0, 0,
0, 0, 0, 0, 0, 0}}, _ptrace_state = {_pe_report_event = -16736256,
_option = {_pe_other_pid = 32639, _pe_lwp = 32639}}}}}
(gdb) print *(ucontext_t *)ctx
$2 = {uc_flags = 655373, uc_link = 0x0, uc_sigmask = {__bits = {0, 0, 0, 0}},
uc_stack = {ss_sp = 0x0, ss_size = 0, ss_flags = 0}, uc_mcontext = {
__gregs = {134142411075584, 118, 3353560262451, 22, 134142403527024, 32,
1, 514, 134142411075584, 140187715785200, 134142403577003,
134142411075624, 349634, 2498, 134142410498040, 0, 0, 35, 35, 6, 4,
134142403527117, 71, 66054, 140187715785152, 63},
_mc_tlsbase = 134142411307248,
__fpregs = "\177\003", '\000' <repeats 22 times>, "\240\037\000\000\377\377", '\000' <repeats 130 times>, "\\\217\302\365(\\oA", '\000' <repeats 14 times>, "\340C", '\000' <repeats 327 times>}}
Instruction pointer (rip) of the signal ucontext:
(gdb) print (void *)((ucontext_t *)ctx)->uc_mcontext.__gregs[21]
$4 = (void *) 0x7a00764fc1cd <each_location+27>
(gdb) info line *(each_location+27)
Line 6512 of "gc.c" starts at address 0x7a00764fc1cd <each_location+27>
and ends at 0x7a00764fc1dc <each_location+42>.
Stack pointer (rsp) of the signal ucontext:
(gdb) print (void *)((ucontext_t *)ctx)->uc_mcontext.__gregs[24]
$5 = (void *) 0x7f7fff0051c0
If I have understood this correctly, it might correspond to this
frame:
(gdb) frame view 0x7f7fff0051c0 0x7a00764fc1cd
#0 each_location (objspace=0x7a006e052000, x=0x44a0427a1af34, n=-123985769,
cb=0x3) at gc.c:6512
6512 cb(objspace, v);
(gdb) info frame
Stack level 0, frame at 0x7f7fff0051c0:
rip = 0x7a00764fc1cd in each_location (gc.c:6512); saved rip = <not saved>
Outermost frame: previous frame identical to this frame (corrupt stack?)
source language c.
Arglist at 0x7a007623dae8, args: objspace=0x7a006e052000, x=0x44a0427a1af34,
n=-123985769, cb=0x3
Locals at 0x7a007623dae8, Previous frame's sp is 0x7a007623db20
Saved registers:
rbx at 0x7a007623daf0, rbp at 0x7a007623daf8, r12 at 0x7a007623db00,
r13 at 0x7a007623db08, r14 at 0x7a007623db10, rip at 0x7a007623db18
However, the frame pointer rbp looks wrong:
(gdb) print (void *)((ucontext_t *)ctx)->uc_mcontext.__gregs[12]
$11 = (void *) 0x555c2
And the candidate value for objspace shown above isn't mapped:
(gdb) print *objspace
Cannot access memory at address 0x7a006e052000
Plus the value of n looks wrong, so maybe I misunderstood the mcontext
and led gdb astray with `frame view'.
Disassembly of each_location:
(gdb) disas each_location+27
Dump of assembler code for function each_location:
0x00007a00764fc1b2 <+0>: test %rdx,%rdx
0x00007a00764fc1b5 <+3>: je 0x7a00764fc1ea <each_location+56>
0x00007a00764fc1b7 <+5>: push %r14
0x00007a00764fc1b9 <+7>: push %r13
0x00007a00764fc1bb <+9>: push %r12
0x00007a00764fc1bd <+11>: push %rbp
0x00007a00764fc1be <+12>: push %rbx
0x00007a00764fc1bf <+13>: mov %rcx,%r14
0x00007a00764fc1c2 <+16>: mov %rdx,%rbp
0x00007a00764fc1c5 <+19>: mov %rsi,%r13
0x00007a00764fc1c8 <+22>: mov %rdi,%r12
0x00007a00764fc1cb <+25>: xor %ebx,%ebx
=> 0x00007a00764fc1cd <+27>: mov 0x0(%r13,%rbx,8),%rsi
0x00007a00764fc1d2 <+32>: mov %r12,%rdi
0x00007a00764fc1d5 <+35>: callq *%r14
0x00007a00764fc1d8 <+38>: add $0x1,%rbx
0x00007a00764fc1dc <+42>: cmp %rbx,%rbp
0x00007a00764fc1df <+45>: jne 0x7a00764fc1cd <each_location+27>
0x00007a00764fc1e1 <+47>: pop %rbx
0x00007a00764fc1e2 <+48>: pop %rbp
0x00007a00764fc1e3 <+49>: pop %r12
0x00007a00764fc1e5 <+51>: pop %r13
0x00007a00764fc1e7 <+53>: pop %r14
0x00007a00764fc1e9 <+55>: retq
0x00007a00764fc1ea <+56>: retq
End of assembler dump.
r13 (__gregs[9]) and rbx (__gregs[13]):
(gdb) fr 8
#8 0x00007a00765f0084 in sigsegv (sig=11, info=0x7a007623e9a0,
ctx=0x7a007623ea20) at signal.c:964
964 rb_bug_for_fatal_signal(default_sigsegv_handler, sig, SIGINFO_CTX, "Segmentation fault" MESSAGE_FAULT_ADDRESS);
(gdb) print (void *)((ucontext_t *)ctx)->uc_mcontext.__gregs[9]
$9 = (void *) 0x7f7fff0051f0
(gdb) print (void *)((ucontext_t *)ctx)->uc_mcontext.__gregs[13]
$10 = (void *) 0x9c2
The base pointer (r13=0x7f7fff0051f0) is OK but adding the index
(rbx*8=0x9c2*8) is not -- this obviously ran just past the end of a
mapped region:
(gdb) x/xg 0x7f7fff0051f0
0x7f7fff0051f0: 0x00007a0076c2f000
(gdb) x/xg 0x7f7fff0051f0 + 0x9c2*8
0x7f7fff00a000: Cannot access memory at address 0x7f7fff00a000
(gdb) x/xg 0x7f7fff0051f0 + 0x9c2*8 - 8
0x7f7fff009ff8: 0x0000000000000076
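To show concretely what the SA_SIGINFO plus sigaltstack patch buys, here is an added example (not code from the report or from ruby) that installs such a handler, reads one word past a mapped page, and returns the fault address the kernel reports in siginfo; as with 0x7f7fff00a000 above, it lands exactly on the boundary of the mapping. The function name, the two-page mapping and the siglongjmp recovery are assumptions of this example, not anything from the report.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Written by the handler; volatile because we siglongjmp out of it. */
static volatile sig_atomic_t got_signo;
static volatile uintptr_t fault_addr;
static sigjmp_buf recover;

static void on_fault(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;                              /* ucontext_t; register layout is per-platform */
    got_signo = sig;
    fault_addr = (uintptr_t)info->si_addr;  /* the _fault._addr field seen in gdb */
    siglongjmp(recover, 1);
}

/* Map a readable page followed by a PROT_NONE page, read one word past the
 * readable page (like r13 + rbx*8 in the report), and return the address the
 * kernel reports for the fault, or 0 if no SIGSEGV was delivered.
 * *mapping_end_out receives the first unmapped address, for comparison. */
uintptr_t probe_past_mapping(uintptr_t *mapping_end_out)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    uint8_t *base = mmap(NULL, 2 * pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || mprotect(base + pagesz, pagesz, PROT_NONE) != 0)
        return 0;
    /* Alternate stack: the handler still runs if the faulting thread's stack is gone. */
    stack_t ss = { .ss_sp = malloc(SIGSTKSZ), .ss_size = SIGSTKSZ, .ss_flags = 0 };
    stack_t off = { .ss_sp = NULL, .ss_size = 0, .ss_flags = SS_DISABLE };
    sigaltstack(&ss, NULL);
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;  /* SA_SIGINFO gives us si_addr and the ucontext */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    got_signo = 0; fault_addr = 0;
    if (sigsetjmp(recover, 1) == 0)
        (void)((volatile uint64_t *)base)[pagesz / 8];  /* first word of the PROT_NONE page */
    sigaction(SIGSEGV, &old, NULL);
    sigaltstack(&off, NULL); free(ss.ss_sp);
    if (mapping_end_out) *mapping_end_out = (uintptr_t)(base + pagesz);
    munmap(base, 2 * pagesz);
    return got_signo == SIGSEGV ? fault_addr : 0;
}
```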