Forum: Ruby-dev [Closed] Segmentation fault while printing out C level backtrace information

unknown (Guest)
on 2014-03-22 15:06
(Received via mailing list)
Issue #9654 has been updated by Yui NARUSE.

Status changed from Assigned to Closed
% Done changed from 0 to 100

Applied in changeset r45383.

----------
* addr2line.c (fill_lines): compare the file names of object in which
  symbols exist. [Bug #9654] [ruby-dev:48058]

----------------------------------------
Bug #9654: Segmentation fault while printing out C level backtrace information
https://bugs.ruby-lang.org/issues/9654#change-45900

* Author: Rei Odaira
* Status: Closed
* Priority: Normal
* Assignee: Yui NARUSE
* Category: core
* Target version: current: 2.2.0
* ruby -v: ruby 2.2.0dev (2014-03-19) [powerpc64-linux]
* Backport: 2.0.0: DONTNEED, 2.1: DONTNEED
----------------------------------------
When SIGSEGV happens, C level backtrace information should be printed
out, but the printing-out itself causes another segmentation fault.

~~~
$ ./ruby -e 'Process.kill :SEGV, $$'
-e:1: [BUG] Segmentation fault at 0x00584f
ruby 2.2.0dev (2014-03-19) [powerpc64-linux]

-- Control frame information
-----------------------------------------------
c:0003 p:---- s:0009 e:000008 CFUNC  :kill
c:0002 p:0015 s:0004 E:00153c EVAL   -e:1 [FINISH]
c:0001 p:0000 s:0002 E:002574 TOP    [FINISH]

-- Ruby level backtrace information
----------------------------------------
-e:1:in `<main>'
-e:1:in `kill'

-- C level backtrace information
-------------------------------------------
./ruby(Segmentation fault
~~~
This second segmentation fault happens at the following stack context.

~~~
(gdb) bt
#0  0x201ba994 in strlen () from /lib/libc.so.6
#1  0x2070cbe0 in kvprintf (fmt=0x207a097d "+0x%lx) [0x%lx] %s:%d\n")
    at addr2line.c:1009
#2  kprintf (fmt=0x207a097d "+0x%lx) [0x%lx] %s:%d\n") at addr2line.c:771
#3  0x2070e4f8 in rb_dump_backtrace_with_lines (num_traces=18,
    traces=0x2081762c, syms=0x20a7d720) at addr2line.c:677
#4  0x206f3ffc in rb_print_backtrace () at vm_dump.c:690
#5  rb_vm_bugreport () at vm_dump.c:825
#6  0x207621ac in report_bug (file=<value optimized out>,
    line=<value optimized out>, fmt=0x2079857c "Segmentation fault at %p",
    args=0x2085f864) at error.c:312
#7  0x207624e4 in rb_bug (fmt=0x2079857c "Segmentation fault at %p")
    at error.c:339
#8  0x206664e0 in sigsegv (sig=<value optimized out>, info=0x2085f8f0,
    ctx=<value optimized out>) at signal.c:704
#9  <signal handler called>
#10 0x2016674c in kill () from /lib/libc.so.6
#11 0x20702c64 in ruby_kill (pid=<value optimized out>,
    sig=<value optimized out>) at thread.c:5185
<<<<< snip >>>>>
~~~

This error began to occur after this change:
http://www.rubyist.net/~kanemoto/chkbuild/plinux/r...
Due to this error, `TestBugReporter#test_bug_reporter_add` fails on
ppc64 GNU/Linux.
My guess is that the changes in addr2line.c are doing something, but I
am not sure.

The second segmentation fault is caused because `line->sname` points to
out-of-range memory.
Tracing `rb_dump_backtrace_with_lines()` and `fill_lines()`, I found the
`sname` entry was first set correctly by reading the `./ruby` file, but
it was later overwritten by some incorrect information while reading the
`/usr/lib/debug/lib/libc-2.5.so.debug` file.
In `libc-2.5.so.debug`, there seem to be several symbol table entries
whose `st_size` is quite big (~1.5 GB), so those entries happen to cover
all the addresses in `traces[]`, which results in overwriting `sname`
at the line 584 of addr2line.c.
I am not familiar with ELF, so I cannot track down further.
Hope this report helps.
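The overwrite described in the report, modelled as an added example (this is not code from ruby's addr2line.c, and all symbol tables, addresses and object names in it are constructed). It walks a per-frame symbol lookup twice: once the way the report says the broken code behaved, where any symbol from any object whose `[st_value, st_value + st_size)` range covers a trace address replaces whatever name was already there, and once with the check the fix describes, matching symbols only against frames from the same object file. A bogus entry with a ~1.5 GB `st_size` is included so that it covers every address in the trace, as in the report. The tightest-match tie-break in the fixed variant is an extra safeguard added here, not part of the r45383 change, and the example models only the overwrite, not the dangling pointer that the real overwritten `sname` turned into.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of an Elf64_Sym after the .strtab lookup and relocation,
 * tagged with the object file it was read from (hypothetical layout). */
typedef struct {
    const char *object;
    const char *name;
    uint64_t    value;  /* st_value: start address */
    uint64_t    size;   /* st_size: extent in bytes */
} sym_t;

/* One backtrace frame: the address and the object it was mapped from. */
typedef struct {
    uint64_t    addr;
    const char *object;
    const char *sname;  /* filled in by fill_lines_*; NULL if unresolved */
} line_t;

/* Constructed symbol tables; addresses are made up for the example. */
static const sym_t ruby_syms[] = {
    { "./ruby", "rb_vm_bugreport", 0x206f3f00ULL, 0x200ULL },
    { "./ruby", "rb_bug",          0x20762400ULL, 0x100ULL },
};
static const sym_t libc_syms[] = {
    { "/lib/libc.so.6", "kill",        0x20166700ULL, 0x80ULL },
    /* an entry whose st_size spans ~1.5 GB, covering every trace address */
    { "/lib/libc.so.6", "bogus_large", 0x20000000ULL, 0x60000000ULL },
};

/* Does the symbol's [value, value + size) range contain addr? */
static int covers(const sym_t *s, uint64_t addr)
{
    return s->size != 0 && addr >= s->value && addr - s->value < s->size;
}

/* Broken variant: every symbol table is matched against every frame, and a
 * later match silently replaces the name resolved from the right object. */
static void fill_lines_buggy(line_t *lines, size_t nlines,
                             const sym_t *syms, size_t nsyms)
{
    for (size_t i = 0; i < nlines; i++)
        for (size_t j = 0; j < nsyms; j++)
            if (covers(&syms[j], lines[i].addr))
                lines[i].sname = syms[j].name;
}

/* Fixed variant: a symbol may only name a frame that lives in the same
 * object file; among candidates the tightest (smallest st_size) one wins. */
static void fill_lines_fixed(line_t *lines, size_t nlines,
                             const sym_t *syms, size_t nsyms)
{
    for (size_t i = 0; i < nlines; i++) {
        const sym_t *best = NULL;
        for (size_t j = 0; j < nsyms; j++) {
            if (strcmp(syms[j].object, lines[i].object) != 0) continue;
            if (!covers(&syms[j], lines[i].addr)) continue;
            if (best == NULL || syms[j].size < best->size) best = &syms[j];
        }
        if (best != NULL) lines[i].sname = best->name;
    }
}

/* Run the executable's table and then libc's over a constructed two-frame
 * trace, in that order, and return the name resolved for frame `which`. */
const char *resolve(int fixed, int which)
{
    line_t lines[2] = {
        { 0x206f3ffcULL, "./ruby",         NULL },  /* rb_print_backtrace */
        { 0x2016674cULL, "/lib/libc.so.6", NULL },  /* kill */
    };
    void (*fill)(line_t *, size_t, const sym_t *, size_t) =
        fixed ? fill_lines_fixed : fill_lines_buggy;
    fill(lines, 2, ruby_syms, sizeof ruby_syms / sizeof ruby_syms[0]);
    fill(lines, 2, libc_syms, sizeof libc_syms / sizeof libc_syms[0]);
    return lines[which].sname;
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++)
        for (int f = 0; f < 2; f++) {
            const char *n = resolve(fixed, f);
            printf("%s frame %d -> %s\n", fixed ? "fixed" : "buggy", f,
                   n ? n : "(none)");
        }
    return 0;
}
```

With the broken variant both frames end up named `bogus_large`, because the oversized libc entry is matched last and covers both addresses; with the object check the `./ruby` frame keeps `rb_vm_bugreport` and the libc frame resolves to `kill`. In a real parser the same object check should be paired with a sanity bound on `st_size` against the object's mapped extent, since a symbol that claims to span more than its own segment cannot be trusted.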