ld.elf_so i386 memcpy corruption - calligrawords hangs
Hi,
I have made a package of calligra 2.7.2 and I am trying to get calligrawords
and calligra author to work.
I have built all libraries with symbols and upon analysis with gdb I have
found the following:
NB: This was obtained on a machine running a NetBSD 6.1.1 i386 PAE kernel, but I
believe the problem would also affect NetBSD-current.
This is the debugging session around tls.c line 147 of ld.elf_so.
Breakpoint 1, _rtld_tls_allocate_locked ()
at /home/build/NetBSD-6.1_source_tree/usr/src/libexec/ld.elf_so/tls.c:147
147 memcpy(q, obj->tlsinit, obj->tlsinitsize);
(gdb) display/$pc
1: x/i $pc
=> 0xbb7f900f <_rtld_tls_allocate_locked+179>: mov -0x8(%ebp),%eax
(gdb) x q
0xb82ffa40: 0xb82ffa40
(gdb) x obj->tlsinit
0xb3802000: 0xc0000001
(gdb) x obj->tlsinitsize
0x6c: (gdb) list
142 #ifdef __HAVE_TLS_VARIANT_I
143 q = p + obj->tlsoffset;
144 #else
145 q = p - obj->tlsoffset;
146 #endif
147 memcpy(q, obj->tlsinit, obj->tlsinitsize);
148 tcb->tcb_dtv[obj->tlsindex] = q;
149 }
150 }
151
(gdb) x tcb->tcb_dtv
0xb38085c4: 0x00000002
(gdb) stepi
0xbb7f9012 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f9012 <_rtld_tls_allocate_locked+182>: mov 0x100(%eax),%edx
(gdb)
0xbb7f9018 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f9018 <_rtld_tls_allocate_locked+188>: mov -0x8(%ebp),%eax
(gdb)
0xbb7f901b 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f901b <_rtld_tls_allocate_locked+191>: mov 0xfc(%eax),%eax
(gdb)
0xbb7f9021 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f9021 <_rtld_tls_allocate_locked+197>: mov %edx,0x8(%esp)
(gdb)
0xbb7f9025 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f9025 <_rtld_tls_allocate_locked+201>: mov %eax,0x4(%esp)
(gdb)
0xbb7f9029 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f9029 <_rtld_tls_allocate_locked+205>: mov -0x14(%ebp),%eax
(gdb)
0xbb7f902c 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f902c <_rtld_tls_allocate_locked+208>: mov %eax,(%esp)
(gdb)
0xbb7f902f 147 memcpy(q, obj->tlsinit,
obj->tlsinitsize);
1: x/i $pc
=> 0xbb7f902f <_rtld_tls_allocate_locked+211>: call 0xbb7faca0 <memcpy>
(gdb)
0xbb7faca0 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7faca0 <memcpy>: push %esi
(gdb)
0xbb7faca1 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7faca1 <memcpy+1>: mov %edi,%edx
(gdb)
0xbb7faca3 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7faca3 <memcpy+3>: mov 0x8(%esp),%edi
(gdb)
0xbb7faca7 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7faca7 <memcpy+7>: mov 0xc(%esp),%esi
(gdb)
0xbb7facab in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facab <memcpy+11>: mov 0x10(%esp),%ecx
(gdb)
0xbb7facaf in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facaf <memcpy+15>: mov %ecx,%eax
(gdb)
0xbb7facb1 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb1 <memcpy+17>: shr $0x2,%ecx
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb) info reg
eax 0x6c 108
ecx 0x1b 27
edx 0xbf7fd748 -1082140856
ebx 0xbb7fef10 -1149243632
esp 0xbf7fd384 0xbf7fd384
ebp 0xbf7fd3ac 0xbf7fd3ac
esi 0xb3802000 -1283448832
edi 0xb82ffa40 -1204815296
eip 0xbb7facb4 0xbb7facb4 <memcpy+20>
eflags 0x200316 [ PF AF TF IF ID ]
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs *value not available*
gs *value not available*
(gdb) stepi
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb4 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb4 <memcpy+20>: rep movsl %ds:(%esi),%es:(%edi)
(gdb)
0xbb7facb6 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb6 <memcpy+22>: and $0x3,%eax
(gdb) info reg
eax 0x6c 108
ecx 0x0 0
edx 0xbf7fd748 -1082140856
ebx 0xbb7fef10 -1149243632
esp 0xbf7fd384 0xbf7fd384
ebp 0xbf7fd3ac 0xbf7fd3ac
esi 0xb380206c -1283448724
edi 0xb82ffaac -1204815188
eip 0xbb7facb6 0xbb7facb6 <memcpy+22>
eflags 0x200316 [ PF AF TF IF ID ]
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs *value not available*
gs *value not available*
(gdb) stepi
0xbb7facb9 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facb9 <memcpy+25>: jne 0xbb7facc3 <memcpy+35>
(gdb)
0xbb7facbb in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facbb <memcpy+27>: mov 0x8(%esp),%eax
(gdb)
0xbb7facbf in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facbf <memcpy+31>: mov %edx,%edi
(gdb)
0xbb7facc1 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facc1 <memcpy+33>: pop %esi
(gdb)
0xbb7facc2 in memcpy () from /usr/libexec/ld.elf_so
1: x/i $pc
=> 0xbb7facc2 <memcpy+34>: ret
(gdb)
_rtld_tls_allocate_locked ()
at /home/build/NetBSD-6.1_source_tree/usr/src/libexec/ld.elf_so/tls.c:148
148 tcb->tcb_dtv[obj->tlsindex] = q;
1: x/i $pc
=> 0xbb7f9034 <_rtld_tls_allocate_locked+216>: mov -0x10(%ebp),%eax
(gdb)
0xbb7f9037 148 tcb->tcb_dtv[obj->tlsindex] = q;
1: x/i $pc
=> 0xbb7f9037 <_rtld_tls_allocate_locked+219>: mov 0x4(%eax),%edx
(gdb) x tcb->tcb_dtv
0x3fffffff:
(gdb) x tcb->tcb
0xb82ffa40: 0xc0000001
(gdb)
From the register dump, q (edi = 0xb82ffa40) is the same address as tcb->tcb,
so the memcpy of obj->tlsinitsize (0x6c = 108) bytes from obj->tlsinit writes
the TLS initialisation image straight over the TCB itself: after the copy the
word at 0xb82ffa40 is 0xc0000001, the first word of obj->tlsinit. Before the
call tcb->tcb_dtv was 0xb38085c4; afterwards it reads 0x3fffffff, so the DTV
pointer has been clobbered, and the store on line 148
(tcb->tcb_dtv[obj->tlsindex] = q) then goes through that corrupted pointer.
So my question is: is this the intended behaviour? What could cause q
(p - obj->tlsoffset on i386) to coincide with the TCB for this object, or,
alternatively, what could cause tcb->tcb_dtv to become corrupted by a preceding
function call in the program?
This happens just after a call to pthread_create and as far as I can tell all
of the arguments to the call seem valid (attributes etc.)
I will provide a backtrace and any necessary information as requested.
Thanks for your time and help.
Regards,
Nat.