[GHC] #11133: Misaligned stack leads to dynamic linker crash
GHC
ghc-devs at haskell.org
Wed Nov 25 13:03:15 UTC 2015
#11133: Misaligned stack leads to dynamic linker crash
--------------------------------------+----------------------------------
Reporter: trippels | Owner:
Type: bug | Status: new
Priority: normal | Milestone:
Component: Compiler | Version: 7.10.2
Keywords: | Operating System: Linux
Architecture: x86_64 (amd64) | Type of failure: Runtime crash
Test Case: | Blocked By:
Blocking: | Related Tickets:
Differential Rev(s): | Wiki Page:
--------------------------------------+----------------------------------
{{{
Running programs compiled with ghc leads to a crash
of the glibc dynamic linker. This happens because ghc
doesn't align the stack correctly during lazy symbol resolution.
Example:
markus@x4 glibc-build % gdb --args /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2 /home/markus/bin/xmonad
Reading symbols from /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2...done.
(gdb) run
Starting program: /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2 /home/markus/bin/xmonad
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
_dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb",
    undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170,
    symbol_scope=0x7ffff7649828, version=0x0,
    type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
809         struct sym_val current_value = { NULL, NULL };
(gdb) bt
#0  _dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb",
    undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170,
    symbol_scope=0x7ffff7649828, version=0x0,
    type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
#1  0x0000555555564413 in _dl_fixup (l=<optimized out>,
    reloc_arg=<optimized out>) at ../elf/dl-runtime.c:111
#2  0x000055555556ce1f in _dl_runtime_resolve_sse () at ../sysdeps/x86_64/dl-trampoline.h:112
#3 0x00007ffff762093a in __gmpn_divrem_1 () from /usr/lib/libgmp.so.10
#4 0xee6b280000000000 in ?? ()
#5 0x00007ffff6b0b138 in ?? ()
#6 0x00007ffff6b057d0 in ?? ()
#7 0x00000000ffffffe2 in ?? ()
#8 0x00007ffff6b057b8 in ?? ()
#9 0x00007ffff6b051b0 in ?? ()
#10 0x00007ffff6b0b1b0 in ?? ()
#11 0x00000000006b47d8 in ?? ()
#12 0x00000000006142a9 in ?? ()
#13 0x0000000000000000 in ?? ()
(gdb) disass
Dump of assembler code for function _dl_lookup_symbol_x:
...
=> 0x000055555555e93a <+154>: movaps %xmm0,-0x80(%rbp)
The crash happens because the incoming stack alignment is wrong:
rax 0xffffffff 4294967295
rbx 0x7ffff763c360 140737343898464
rcx 0x7ffff75cb3d7 140737343435735
rdx 0x0 0
rsi 0x33f9b936d4fb49a0 3745228210287888800
rdi 0x7ffff75cb3c5 140737343435717
rbp 0x7fffffffa148 0x7fffffffa148
rsp 0x7fffffffa058 0x7fffffffa058
r8 0x0 0
r9 0x1 1
r10 0x7ffff76494d0 140737343952080
r11 0x7ffff7620840 140737343785024
r12 0x0 0
r13 0x0 0
r14 0x7ffff76494d0 140737343952080
r15 0x7fffffffa170 140737488331120
rip 0x55555555e93a 0x55555555e93a <_dl_lookup_symbol_x+154>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
0000000000001470 <_dl_lookup_symbol_x>:
1470: 55 push %rbp
1471: 48 89 e5 mov %rsp,%rbp
1474: 41 57 push %r15
1476: 41 56 push %r14
1478: 41 55 push %r13
147a: 41 54 push %r12
147c: 49 89 d5 mov %rdx,%r13
147f: 53 push %rbx
1480: 49 89 f7 mov %rsi,%r15
1483: 4d 89 c6 mov %r8,%r14
1486: 48 81 ec a8 00 00 00 sub $0xa8,%rsp
148d: 0f b6 17 movzbl (%rdi),%edx
1490: 48 89 bd 68 ff ff ff mov %rdi,-0x98(%rbp)
1497: 48 89 8d 50 ff ff ff mov %rcx,-0xb0(%rbp)
149e: 44 89 8d 5c ff ff ff mov %r9d,-0xa4(%rbp)
14a5: 4c 8b 65 18 mov 0x18(%rbp),%r12
14a9: 84 d2 test %dl,%dl
14ab: 0f 84 cb 02 00 00 je 177c <_dl_lookup_symbol_x+0x30c>
14b1: 48 89 f9 mov %rdi,%rcx
14b4: b8 05 15 00 00 mov $0x1505,%eax
14b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
14c0: 48 89 c6 mov %rax,%rsi
14c3: 48 83 c1 01 add $0x1,%rcx
14c7: 48 c1 e6 05 shl $0x5,%rsi
14cb: 48 01 f0 add %rsi,%rax
14ce: 48 01 d0 add %rdx,%rax
14d1: 0f b6 11 movzbl (%rcx),%edx
14d4: 84 d2 test %dl,%dl
14d6: 75 e8 jne 14c0 <_dl_lookup_symbol_x+0x50>
14d8: 89 c0 mov %eax,%eax
14da: 48 89 85 60 ff ff ff mov %rax,-0xa0(%rbp)
14e1: 66 0f ef c0 pxor %xmm0,%xmm0
14e5: b8 ff ff ff ff mov $0xffffffff,%eax
14ea: 4d 85 f6 test %r14,%r14
14ed: 48 89 85 78 ff ff ff mov %rax,-0x88(%rbp)
=> 14f4: 0f 29 45 80 movaps %xmm0,-0x80(%rbp)
(0x7fffffffa058 + 0xa8) % 16 == 0 (instead of the correct 8)
Please see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68537
for further info.
}}}
--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/11133>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler
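Worked example, added here as an illustration and not part of the ticket, GHC or glibc: a small C program that models the x86-64 SysV rule the report relies on (at function entry %rsp + 8 must be a multiple of 16), replays the _dl_lookup_symbol_x prologue from the disassembly above (push %rbp, five more pushes, sub $0xa8) against the %rbp value in the register dump, and shows why the MOVAPS to -0x80(%rbp) faults when the caller enters 8 bytes off. The helper this_frame_is_aligned() is a hypothetical self-check that reads the current frame pointer; it assumes a standard frame-pointer prologue as produced by GCC/Clang on x86-64.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 SysV ABI rule the ticket relies on: when control reaches the first
 * instruction of a callee, %rsp + 8 is a multiple of 16, because the CALL
 * pushed an 8-byte return address onto a 16-byte-aligned stack.  A caller
 * that violates this (here: GHC-generated code calling through the PLT) hands
 * the lazy-binding trampoline and _dl_lookup_symbol_x a frame whose 16-byte
 * spill slots are only 8-byte aligned, and the first MOVAPS faults. */
#define STACK_ALIGN 16ULL

/* True iff an entry-time %rsp satisfies the ABI (rsp % 16 == 8). */
bool entry_rsp_is_aligned(uint64_t entry_rsp) {
    return (entry_rsp + 8) % STACK_ALIGN == 0;
}

/* Register state a frame-pointer prologue leaves behind. */
struct frame {
    uint64_t rbp;
    uint64_t rsp;
};

/* Model of the prologue disassembled in the ticket:
 *   push %rbp; mov %rsp,%rbp; push r15/r14/r13/r12/rbx; sub $0xa8,%rsp
 * extra_pushes counts the pushes after %rbp (5 above), sub_bytes the SUB. */
struct frame run_prologue(uint64_t entry_rsp, unsigned extra_pushes,
                          uint64_t sub_bytes) {
    struct frame f;
    f.rbp = entry_rsp - 8;                      /* push %rbp; mov %rsp,%rbp */
    f.rsp = f.rbp - 8ULL * extra_pushes - sub_bytes;
    return f;
}

/* MOVAPS to -disp(%rbp) raises #GP (delivered as SIGSEGV) unless the
 * effective address is 16-byte aligned. */
bool movaps_slot_is_aligned(uint64_t rbp, uint64_t disp) {
    return (rbp - disp) % STACK_ALIGN == 0;
}

/* Combined check: would this prologue, entered with entry_rsp, leave both
 * %rsp and the -disp(%rbp) spill slot 16-byte aligned? */
bool frame_is_safe(uint64_t entry_rsp, unsigned extra_pushes,
                   uint64_t sub_bytes, uint64_t disp) {
    struct frame f = run_prologue(entry_rsp, extra_pushes, sub_bytes);
    return f.rsp % STACK_ALIGN == 0 && movaps_slot_is_aligned(f.rbp, disp);
}

/* Live self-check (hypothetical helper, not from the ticket): with a standard
 * frame-pointer prologue the frame address (%rbp on x86-64) sits 8 bytes below
 * the entry-time %rsp, so a conformant caller leaves it 16-byte aligned.
 * Using __builtin_frame_address(0) makes GCC/Clang keep the frame pointer. */
__attribute__((noinline)) bool this_frame_is_aligned(void) {
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);
    return fp % STACK_ALIGN == 0;
}

int main(void) {
    /* %rbp observed in the ticket's register dump at the faulting MOVAPS. */
    const uint64_t ticket_rbp = 0x7fffffffa148ULL;
    printf("ticket: -0x80(%%rbp) aligned? %s\n",
           movaps_slot_is_aligned(ticket_rbp, 0x80) ? "yes" : "no");
    /* The entry %rsp implied by that %rbp (rbp + 8) violates rsp % 16 == 8. */
    printf("ticket: entry rsp 0x%llx ABI-aligned? %s\n",
           (unsigned long long)(ticket_rbp + 8),
           entry_rsp_is_aligned(ticket_rbp + 8) ? "yes" : "no");
    /* The same prologue entered 8 bytes lower, i.e. from a conformant caller. */
    printf("conformant caller: frame safe? %s\n",
           frame_is_safe(ticket_rbp + 16, 5, 0xa8, 0x80) ? "yes" : "no");
    printf("this process: frame aligned? %s\n",
           this_frame_is_aligned() ? "yes" : "no");
    return 0;
}
```

Reading the result against the register dump: %rbp = 0x7fffffffa148 is congruent to 8 mod 16, so -0x80(%rbp) = 0x7fffffffa0c8 is not a valid MOVAPS operand, while the same prologue entered from an ABI-conformant caller leaves both %rbp and the post-SUB %rsp 16-byte aligned. The live check is what a test suite for a code generator can assert inside a callback invoked from generated code.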