This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
[Bug tapsets/18597] long_arg() doesn't correctly handle negative values in 32-on-64 environment
- From: "mcermak at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sourceware dot org
- Date: Wed, 01 Jul 2015 15:21:37 +0000
- Subject: [Bug tapsets/18597] long_arg() doesn't correctly handle negative values in 32-on-64 environment
- Auto-submitted: auto-generated
- References: <bug-18597-6586 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18597
--- Comment #13 from Martin Cermak <mcermak at redhat dot com> ---
The aforementioned patch brings some testcase extensions that fail on rhel5.
For instance, the pwrite testcase now has the following subtest:
=======
pwrite(-1, "Hello Again", 11, 0x12345678deadbeefLL);
//staptest// pwrite (-1, "Hello Again", 11, 1311768468603649775) = NNNN
=======
For the purpose of this comment, I reduced pwrite.c to this one single pwrite
call only, and compiled it with -m31. On x86_64, the value of the fourth argument
is grabbed in _stp_get_arg32_by_number(n, nr_regargs, regs, &val), where
n=4 and nr_regargs=6, effectively grabbing the value from RREG(cx, regs). This
works fine except on rhel5. E.g. on rhel7 we have:
=======
7.1 S x86_64 # stap -ge 'probe kernel.function("*pwrite*") {println(pp());
print_regs()}' -c ./a.out
WARNING: probe kernel.function("C_SYSC_pwritev@fs/read_write.c:1072") (address
0xffffffff811c7d06) registration error (rc -84)
kernel.function("sys32_pwrite@arch/x86/ia32/sys_ia32.c:183")
RIP: ffffffff81062c10
RSP: ffff880094fa3f80 EFLAGS: 00000293
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 00000000deadbeef
RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff
RBP: 00000000080485bc R08: 0000000012345678 R09: 00000000ffeae768
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0
CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0
kernel.function("SyS_pwrite64@fs/read_write.c:542")
RIP: ffffffff811c7180
RSP: ffff880094fa3f70 EFLAGS: 00000202
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 12345678deadbeef
RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff
RBP: ffff880094fa3f78 R08: 12345678deadbeef R09: 00000000ffeae768
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0
CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0
kernel.function("SYSC_pwrite64@fs/read_write.c:542")
RIP: ffffffff811c71a7
RSP: ffff880094fa3f28 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 12345678deadbeef
RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff
RBP: ffff880094fa3f68 R08: 12345678deadbeef R09: 00000000ffeae768
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0
CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0
7.1 S x86_64 #
=======
Whereas on rhel5 I see:
=======
5.11 S x86_64 # stap -ge 'probe kernel.function("*pwrite*") {println(pp());
print_regs()}' -c ./a.out
kernel.function("sys32_pwrite@arch/x86_64/ia32/sys_ia32.c:690")
RIP: ffffffff800860b2
RSP: ffff81015527ff80 EFLAGS: 00000283
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 00000000deadbeef
RDX: 000000000000000b RSI: 0000000008048578 RDI: 00000000ffffffff
RBP: 0000000008048578 R08: 00000000ffffffff R09: 00000000ffaafd48
R10: ffff81015527e000 R11: 0000000000000297 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00002b70d78cdaf0(0000) GS:ffff810181caddc0(0063) knlGS:00000000f7eed6c0
CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000004889c0 CR3: 0000000061b4e000 CR4: 00000000000006e0
kernel.function("sys_pwrite64@fs/read_write.c:438")
RIP: ffffffff80044241
RSP: ffff81015527ff80 EFLAGS: 00000282
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: ffffffffdeadbeef
RDX: 000000000000000b RSI: 0000000008048578 RDI: 00000000ffffffff
RBP: 0000000008048578 R08: ffffffff00000000 R09: 00000000ffaafd48
R10: ffff81015527e000 R11: 0000000000000297 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00002b70d78cdaf0(0000) GS:ffff810181caddc0(0063) knlGS:00000000f7eed6c0
CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000004889c0 CR3: 0000000061b4e000 CR4: 00000000000006e0
5.11 S x86_64 #
=======
On rhel5 sys32_pwrite looks like this:
=======
asmlinkage long
sys32_pwrite(unsigned int fd, char __user *ubuf, u32 count, u32 poslo, u32 poshi)
{
	return sys_pwrite64(fd, ubuf, count,
			    ((loff_t)AA(poshi) << 32) | AA(poslo));
}
=======
Which overall means that in this case sys32_pwrite() is only getting a truncated
argument, and that is also what it passes to sys_pwrite64() via CX. Looks like
it's glibc's choice to throw poshi away when calling sys32_pwrite().
And indeed, on rhel7 we have:
=======
7.1 S x86_64 # stap -e 'probe process.syscall {if ($syscall==181) printf("%d,
%x, %x, %x, %x, %x\n", $syscall, $arg1, $arg2, $arg3, $arg4, $arg5)}' -c
./a.out
181, ffffffff, 80485bc, b, deadbeef, 12345678
7.1 S x86_64 #
=======
Whereas on rhel5:
=======
5.11 S x86_64 # stap -e 'probe process.syscall {if ($syscall==181) printf("%d,
%x, %x, %x, %x, %x\n", $syscall, $arg1, $arg2, $arg3, $arg4, $arg5)}' -c
./a.out
181, ffffffff, 8048578, b, deadbeef, ffffffff
5.11 S x86_64 #
=======
So this is probably okay.
Now I'm going to run patched systemtap with original testcases to check for
regressions this way.
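The following is an added illustration, not code from the bug report, from systemtap, or from the kernel. It reproduces in user space the two things the comment above observes: how a 32-on-64 compat syscall assembles a 64-bit offset from the poslo/poshi halves (the page's sys32_pwrite() does this; the AA() macro is not defined on the page and is assumed here to be a plain cast to a 64-bit unsigned type), and why a 32-bit argument read from a 64-bit register must be sign-extended before it can represent a negative value such as fd = -1. The register values are the ones printed by print_regs() above; the function names assemble_offset, sign_extend32 and compat_long_arg are hypothetical and are not systemtap's.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t  koff_t;  /* stand-in for the kernel's loff_t (signed 64-bit) */
typedef uint64_t reg_t;   /* raw contents of one 64-bit general-purpose register */

/* AA() is not defined on the page; assumed to be a cast to an unsigned 64-bit type. */
#define AA(__x) ((uint64_t)(__x))

/* Assemble the 64-bit offset from the two 32-bit halves, the way the quoted
 * sys32_pwrite() does: poshi becomes the upper word, poslo the lower word. */
static koff_t assemble_offset(uint32_t poslo, uint32_t poshi)
{
    return (koff_t)((AA(poshi) << 32) | AA(poslo));
}

/* A 32-bit compat argument as the kernel leaves it in a 64-bit register: the
 * upper 32 bits are zero, so a negative int32 shows up as 0x00000000ffffffff. */
static uint32_t compat_arg32(reg_t reg)
{
    return (uint32_t)reg;
}

/* Sign-extend the low 32 bits of a register to 64 bits. This is the step a
 * long_arg()-style helper has to perform for a 32-bit task, otherwise -1 reads
 * back as 4294967295. */
static int64_t sign_extend32(reg_t reg)
{
    return (int64_t)(int32_t)(uint32_t)reg;
}

/* Hypothetical argument fetch: for a 32-bit task only the low word is meaningful
 * and must be sign-extended; for a native 64-bit task the whole register is used. */
static int64_t compat_long_arg(reg_t reg, int task_is_32bit)
{
    return task_is_32bit ? sign_extend32(reg) : (int64_t)reg;
}

int main(void)
{
    /* Register values from the page's print_regs() output (constructed inputs). */
    const uint32_t poslo = 0xdeadbeefu;       /* RCX in sys32_pwrite on both hosts */
    const uint32_t poshi_rhel7 = 0x12345678u; /* R08 on rhel7 */
    const uint32_t poshi_rhel5 = 0xffffffffu; /* R08 on rhel5 */
    const reg_t rdi_fd = 0x00000000ffffffffULL; /* RDI: fd = -1 as a compat arg */

    printf("rhel7 offset: %" PRId64 "\n", assemble_offset(poslo, poshi_rhel7));
    printf("rhel5 offset: %" PRId64 "\n", assemble_offset(poslo, poshi_rhel5));
    printf("fd raw=%" PRIu32 " sign-extended=%" PRId64 "\n",
           compat_arg32(rdi_fd), compat_long_arg(rdi_fd, 1));
    return 0;
}
```

With the rhel7 halves the assembled offset is 0x12345678deadbeef, the decimal 1311768468603649775 that the //staptest// line above expects. With the rhel5 halves (poshi = 0xffffffff) the same code yields 0xffffffffdeadbeef, which as a signed loff_t is the sign extension of 0xdeadbeef, matching the RCX value the rhel5 sys_pwrite64 probe printed. The fd register shows the general case behind the bug title: the raw 32-bit value is 4294967295, and only after sign extension does it read as -1.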