NetBSD-Bugs archive


Re: toolchain/42479: netbsd-5-0 tools config(1) generates bad config_file.h on i386 5.99.22



The following reply was made to PR toolchain/42479; it has been noted by GNATS.

From: enami tsugutomo <tsugutomo.enami%jp.sony.com@localhost>
To: tsutsui%ceres.dti.ne.jp@localhost, gnats-bugs%NetBSD.org@localhost
Cc: toolchain-manager%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost,
        netbsd-bugs%NetBSD.org@localhost
Subject: Re: toolchain/42479: netbsd-5-0 tools config(1) generates bad 
config_file.h on i386 5.99.22
Date: 21 Dec 2009 19:57:31 +0900

 <tsutsui%ceres.dti.ne.jp@localhost> writes:
 
 > >Number:         42479
 > >Category:       toolchain
 > >Synopsis:       netbsd-5-0 tools config(1) generates bad config_file.h on 
 > >i386 5.99.22
 
 I've found that this is reproducible even on NetBSD/amd64.
 
     enami@quasiquote% uname -rm
     5.99.22 amd64
     enami@quasiquote% cc -O -c -o /tmp/vis.o 
-Isrc/netbsd-5/src/lib/libc/include src/netbsd-5/src/lib/libc/gen/vis.c
     enami@quasiquote% cat /tmp/main.c
     #include <errno.h>
     #include <stdio.h>
     #include <string.h>
     #include <vis.h>
 
     main(){
            /* Minimal reproducer: strvis() is called on a short literal with
             * no flags.  Against the mis-relocated libc object built above,
             * it returns 0 and errno ends up as "Cannot allocate memory". */
            char b[256];
            int n = strvis(b, "abc", 0);
 
            /* Shows the return value and errno as observed ("0, Cannot
             * allocate memory" on the affected build). */
            printf("%d, %s\n", n, strerror(errno));
     }
     enami@quasiquote% cc -o /tmp/bug /tmp/vis.o /tmp/main.c
     enami@quasiquote% /tmp/bug
     0, Cannot allocate memory
     enami@quasiquote% 
 
 It looks like the linker tries to compact the rodata strings.  strvis is
 compiled like this:
 
     enami@quasiquote% cc -O -S -o /tmp/vis.s 
-Isrc/netbsd-5/src/lib/libc/include src/netbsd-5/src/lib/libc/gen/vis.c
     enami@quasiquote% grep -A30 'strvis:' /tmp/vis.s
     _strvis:
     .LFB23:
            pushq   %r13
     .LCFI34:
            pushq   %r12
     .LCFI35:
            pushq   %rbp
     .LCFI36:
            pushq   %rbx
     .LCFI37:
            subq    $8, %rsp
     .LCFI38:
            movq    %rdi, %r12
            movq    %rsi, %r13
            movl    %edx, %ebx
            movl    $.LC2, %edx
     .L163:
            movzbl  (%rdx), %eax
            addq    $1, %rdx
            testb   %al, %al
            jne     .L163
            movq    %rdx, %rdi
            subq    $.LC2-5, %rdi
            call    malloc
            testq   %rax, %rax
            je      .L165
            movq    %rax, %rbp
            movq    %rax, %rdx
            movl    $.LC2, %ecx
     .L167:
 
 and the lines `movl $.LC2, %edx' and `subq $.LC2-5, %rdi' are assembled
 as follows:
 
     enami@quasiquote% as /tmp/vis.s -o /tmp/vis.o
     enami@quasiquote% objdump -D /tmp/vis.o | grep -A20 'strvis>:'
     00000000000006ad <_strvis>:
      6ad:   41 55                   push   %r13
      6af:   41 54                   push   %r12
      6b1:   55                      push   %rbp
      6b2:   53                      push   %rbx
      6b3:   48 83 ec 08             sub    $0x8,%rsp
      6b7:   49 89 fc                mov    %rdi,%r12
      6ba:   49 89 f5                mov    %rsi,%r13
      6bd:   89 d3                   mov    %edx,%ebx
      6bf:   ba 00 00 00 00          mov    $0x0,%edx
      6c4:   0f b6 02                movzbl (%rdx),%eax
      6c7:   48 83 c2 01             add    $0x1,%rdx
      6cb:   84 c0                   test   %al,%al
      6cd:   75 f5                   jne    6c4 <_strvis+0x17>
      6cf:   48 89 d7                mov    %rdx,%rdi
      6d2:   48 81 ef 00 00 00 00    sub    $0x0,%rdi
      6d9:   e8 00 00 00 00          callq  6de <_strvis+0x31>
      6de:   48 85 c0                test   %rax,%rax
      6e1:   74 6f                   je     752 <_strvis+0xa5>
      6e3:   48 89 c5                mov    %rax,%rbp
      6e6:   48 89 c2                mov    %rax,%rdx
     enami@quasiquote% objdump -r /tmp/vis.o | egrep '6c0|6d5'
     00000000000006c0 R_X86_64_32       .rodata.str1.1+0x000000000000001d
     00000000000006d5 R_X86_64_32S      .rodata.str1.1+0x0000000000000018
     enami@quasiquote% objdump -j .rodata.str1.1 -s /tmp/vis.o
 
     /tmp/vis.o:     file format elf64-x86-64
 
     Contents of section .rodata.str1.1:
      0000 242d5f2e 2b212a27 28292c00 30313233  $-_.+!*'(),.0123
      0010 34353637 38396162 63646566 0000      456789abcdef..  
     enami@quasiquote% 
 
 Note that `.rodata.str1.1+0x000000000000001d' points at the last `00' and
 `.rodata.str1.1+0x0000000000000018' points at the `63'.
 
 But after the object is linked, the reference to $.LC2 is moved to
 point at another empty string while $.LC2-5 is left unchanged:
 
     enami@quasiquote% cc -o /tmp/bug /tmp/vis.o /tmp/main.c
     enami@quasiquote% objdump -D /tmp/bug | grep -A20 'strvis>:'
     000000000040122d <_strvis>:
       40122d:       41 55                   push   %r13
       40122f:       41 54                   push   %r12
       401231:       55                      push   %rbp
       401232:       53                      push   %rbx
       401233:       48 83 ec 08             sub    $0x8,%rsp
       401237:       49 89 fc                mov    %rdi,%r12
       40123a:       49 89 f5                mov    %rsi,%r13
       40123d:       89 d3                   mov    %edx,%ebx
       40123f:       ba d3 15 40 00          mov    $0x4015d3,%edx
       401244:       0f b6 02                movzbl (%rdx),%eax
       401247:       48 83 c2 01             add    $0x1,%rdx
       40124b:       84 c0                   test   %al,%al
       40124d:       75 f5                   jne    401244 <_strvis+0x17>
       40124f:       48 89 d7                mov    %rdx,%rdi
       401252:       48 81 ef e0 15 40 00    sub    $0x4015e0,%rdi
       401259:       e8 86 f6 ff ff          callq  4008e4 <malloc@plt>
       40125e:       48 85 c0                test   %rax,%rax
       401261:       74 6f                   je     4012d2 <_strvis+0xa5>
       401263:       48 89 c5                mov    %rax,%rbp
       401266:       48 89 c2                mov    %rax,%rdx
     enami@quasiquote% objdump -j .rodata -s /tmp/bug
 
     /tmp/bug:     file format elf64-x86-64
 
     Contents of section .rodata:
      401470 436f7272 75707420 4f626a5f 456e7472  Corrupt Obj_Entr
      401480 7920706f 696e7465 7220696e 20474f54  y pointer in GOT
      401490 0a000000 00000000 44796e61 6d696320  ........Dynamic 
      4014a0 6c696e6b 65722076 65727369 6f6e206d  linker version m
      4014b0 69736d61 7463680a 00000000 00000000  ismatch.........
      4014c0 970c4000 00000000 c00c4000 00000000  ..@.......@.....
      4014d0 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      4014e0 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      4014f0 c00c4000 00000000 420c4000 00000000  ..@.....B.@.....
      401500 310c4000 00000000 640c4000 00000000  1.@.....d.@.....
      401510 0f0c4000 00000000 530c4000 00000000  ..@.....S.@.....
      401520 750c4000 00000000 200c4000 00000000  u.@..... .@.....
      401530 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      401540 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      401550 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      401560 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      401570 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      401580 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      401590 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      4015a0 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      4015b0 c00c4000 00000000 c00c4000 00000000  ..@.......@.....
      4015c0 860c4000 00000000 242d5f2e 2b212a27  ..@.....$-_.+!*'
      4015d0 28292c00 30313233 34353637 38396162  (),.0123456789ab
      4015e0 63646566 00616263 0025642c 2025730a  cdef.abc.%d, %s.
      4015f0 00                                   .               
     enami@quasiquote% 
 
 Now, $0x4015d3 points at a `00' which is the terminating byte of the string
 "$-_.+!*'()," while $0x4015e0 still points at the same `63'.
 
 So the length computed as $.LC2 - ($.LC2 - 5) becomes a negative number,
 which malloc() takes as a very large (unsigned) size, and it fails.  The two
 references are relocated independently because their addends
 (.rodata.str1.1+0x1d and +0x18) fall into different strings of that
 section, so the assumed distance of 5 bytes between them is not preserved.
 
 enami.
 

