This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/20061] New: backtrace() is not async signal safe (malloc in _dl_load_cache_lookup)


https://sourceware.org/bugzilla/show_bug.cgi?id=20061

            Bug ID: 20061
           Summary: backtrace() is not async signal safe (malloc in
                    _dl_load_cache_lookup)
           Product: glibc
           Version: 2.23
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: dx at dxzone dot com.ar
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 9241
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9241&action=edit
test case

I was fixing the segfault handler of an application to avoid malloc() calls,
but found that glibc's own backtrace() includes calls to malloc.

I made a test case that:

1. Sets a SIGSEGV handler to a function that only calls backtrace()
2. Calls malloc() in main() to give gdb a place to break
3. When gdb breaks in _int_malloc() and raises SIGSEGV, it deadlocks

It seems to need to dlopen libgcc_s.so.1, and _dl_load_cache_lookup() includes
a call to strdup().

Log follows, test file attached.

--------------------------------------------------------------------------------

$ gcc backtracetest.c
$ gdb -ex 'set br p on' -ex 'b _int_malloc' -ex 'run' -ex 'sig 11' ./a.out

[...]

Breakpoint 1, _int_malloc (av=av@entry=0x7ffff7dd4b00 <main_arena>,
bytes=bytes@entry=1024) at malloc.c:3350
3350      checked_request2size (bytes, nb);
Continuing with signal SIGSEGV.

[deadlock happens here]

^C
Program received signal SIGINT, Interrupt.
__lll_lock_wait_private () at
../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
95      2:      movl    %edx, %eax
(gdb) bt
#0  __lll_lock_wait_private () at
../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1  0x00007ffff7ab4faf in __GI___libc_malloc (bytes=140737351863040) at
malloc.c:2912
#2  0x00007ffff7df4712 in __strdup (s=<optimized out>) at strdup.c:42
#3  0x00007ffff7df04b1 in _dl_load_cache_lookup (name=name@entry=0x7ffff7ba0206
"libgcc_s.so.1") at dl-cache.c:305
#4  0x00007ffff7de266d in _dl_map_object (loader=loader@entry=0x7ffff7ff7068,
name=<optimized out>, name@entry=0x7ffff7ba0206 "libgcc_s.so.1",
type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879048191,
nsid=<optimized out>) at dl-load.c:2105
#5  0x00007ffff7ded59d in dl_open_worker (a=a@entry=0x7fffffffd8a0) at
dl-open.c:226
#6  0x00007ffff7de8ee2 in _dl_catch_error
(objname=objname@entry=0x7fffffffd898,
errstring=errstring@entry=0x7fffffffd890,
mallocedp=mallocedp@entry=0x7fffffffd88f, operate=operate@entry=0x7ffff7ded496
<dl_open_worker>, args=args@entry=0x7fffffffd8a0) at dl-error.c:187
#7  0x00007ffff7ded02c in _dl_open (file=0x7ffff7ba0206 "libgcc_s.so.1",
mode=-2147483647, caller_dlopen=0x7ffff7b30e34 <init+42>, nsid=-2, argc=1,
argv=0x7fffffffe608, env=0x7fffffffe618) at dl-open.c:649
#8  0x00007ffff7b59341 in do_dlopen (ptr=ptr@entry=0x7fffffffdac0) at
dl-libc.c:87
#9  0x00007ffff7de8ee2 in _dl_catch_error (objname=0x7fffffffdaa8,
errstring=0x7fffffffdaa0, mallocedp=0x7fffffffda9f, operate=0x7ffff7b592f3
<do_dlopen>, args=0x7fffffffdac0) at dl-error.c:187
#10 0x00007ffff7b5940d in dlerror_run (operate=operate@entry=0x7ffff7b592f3
<do_dlopen>, args=args@entry=0x7fffffffdac0) at dl-libc.c:46
#11 0x00007ffff7b59482 in __GI___libc_dlopen_mode
(name=name@entry=0x7ffff7ba0206 "libgcc_s.so.1", mode=mode@entry=-2147483647)
at dl-libc.c:163
#12 0x00007ffff7b30e34 in init () at ../sysdeps/x86_64/backtrace.c:52
#13 0x00007ffff7b30f1e in __GI___backtrace (array=<optimized out>,
size=<optimized out>) at ../sysdeps/x86_64/backtrace.c:105
#14 0x00005555555548a2 in handler ()
#15 <signal handler called>
#16 _int_malloc (av=av@entry=0x7ffff7dd4b00 <main_arena>,
bytes=bytes@entry=1024) at malloc.c:3350
#17 0x00007ffff7ab4fc1 in __GI___libc_malloc (bytes=bytes@entry=1024) at
malloc.c:2914
#18 0x00007ffff7ab63a7 in malloc_hook_ini (sz=1024, caller=<optimized out>) at
hooks.c:32
#19 0x00007ffff7ab4f65 in __GI___libc_malloc (bytes=1024) at malloc.c:2910
#20 0x0000555555554929 in main ()

-- 
You are receiving this mail because:
You are on the CC list for the bug.
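
The trace above enters malloc() from the handler because the first backtrace() call is the one that loads libgcc_s.so.1. The following is an added example, not the reporter's attached test case and not glibc code: it follows the backtrace(3) man page advice to have libgcc loaded beforehand by calling backtrace() once from normal context, and prints with backtrace_symbols_fd(), which the same man page documents as not calling malloc(). The names warm_up_backtrace, segv_handler, install_segv_handler and segv_handler_installed are hypothetical, and the warm-up only removes the lazy-load path shown in the trace; it does not make backtrace() formally async-signal-safe.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <execinfo.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

#define MAX_FRAMES 64

/* Call once from normal context, before the handler can fire. The first
   backtrace() call performs the libgcc_s.so.1 load seen in the trace, so doing
   it here keeps dlopen()/strdup()/malloc() out of the signal handler. */
int warm_up_backtrace(void)
{
    void *frames[MAX_FRAMES];
    return backtrace(frames, MAX_FRAMES);
}

static void segv_handler(int sig)
{
    void *frames[MAX_FRAMES];           /* stack buffer, no heap use */
    int n = backtrace(frames, MAX_FRAMES);
    backtrace_symbols_fd(frames, n, STDERR_FILENO); /* writes to the fd directly */
    _exit(128 + sig);                   /* never return into the faulting code */
}

/* Warm up first, then install the handler. Returns 0 on success, -1 on error. */
int install_segv_handler(void)
{
    struct sigaction sa;
    if (warm_up_backtrace() <= 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = segv_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Returns 1 if the current SIGSEGV disposition is segv_handler, else 0. */
int segv_handler_installed(void)
{
    struct sigaction cur;
    return sigaction(SIGSEGV, NULL, &cur) == 0 && cur.sa_handler == segv_handler;
}

int main(void)
{
    return install_segv_handler() == 0 ? raise(SIGSEGV) : 1;
}
```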
