public inbox for gcc-bugs@sourceware.org
From: "howarth at nitro dot med.uc.edu" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/55521] many instances of ASAN:SIGSEGV failures in g++ testsuite with -fsanitize=address
Date: Thu, 29 Nov 2012 21:25:00 -0000	[thread overview]
Message-ID: <bug-55521-4-ojfmatLHfZ@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-55521-4@http.gcc.gnu.org/bugzilla/>


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55521

--- Comment #6 from Jack Howarth <howarth at nitro dot med.uc.edu> 2012-11-29 21:25:07 UTC ---
Opened radr://12777299 so that the darwin linker maintainer could look at this
issue. His analysis of the failing test case so far is...

----------------------------------------------------------------------------------

I debugged this a bit and it seems the mach_override patching of __cxa_throw is
bogus.  The start of that function is patched to jump to garbage.

Breakpoint 1, 0x0000000100001c19 in main ()
(gdb) display/i $pc
2: x/i $pc  0x100001c19 <main+318>:     callq  0x100016386 <dyld_stub___cxa_throw>
(gdb) si
0x0000000100016386 in dyld_stub___cxa_throw ()
2: x/i $pc  0x100016386 <dyld_stub___cxa_throw>:        jmpq   *0xae1c(%rip)   # 0x1000211a8
(gdb)
0x0000000102244870 in __cxa_throw ()
2: x/i $pc  0x102244870 <__cxa_throw>:  jmpq   0xffd27000
(gdb)  # the above is __cxa_throw in gcc's libstdc++.6.dylib.  The first
instruction has been patched to jump to a garbage address.

(gdb) x/8i 0x102244870-8
0x102244868 <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+56>: std
0x102244869 <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+57>: (bad)
0x10224486a <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+58>: decl   (%rdi)
0x10224486c <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+60>: (bad)
0x10224486d <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+61>: add    %r8b,(%rax)
0x102244870 <__cxa_throw>:    jmpq   0xffd27000
0x102244875 <__cxa_throw+5>:    or     (%rax),%eax
0x102244877 <__cxa_throw+7>:    push   %rbx
(gdb)
(gdb) watch *0x102244870
Hardware watchpoint 2: *4330899568
(gdb) r

Old value = -788165304
New value = -1373139991
0x0000000100016203 in __asan_mach_override_ptr_custom ()
(gdb) bt
#0  0x0000000100016203 in __asan_mach_override_ptr_custom ()
#1  0x0000000100015a9e in __interception::OverrideFunction ()
#2  0x00007fff5fc13378 in ImageLoaderMachO::doModInitFunctions ()
#3  0x00007fff5fc13762 in ImageLoaderMachO::doInitialization ()
#4  0x00007fff5fc1006e in ImageLoader::recursiveInitialization ()
#5  0x00007fff5fc0feba in ImageLoader::runInitializers ()
#6  0x00007fff5fc01fc0 in dyld::initializeMainExecutable ()
#7  0x00007fff5fc05b04 in dyld::_main ()
#8  0x00007fff5fc01397 in dyldbootstrap::start ()
#9  0x00007fff5fc0105e in _dyld_start ()
(gdb) x/8i 0x102244870
0x102244870 <__cxa_throw>:      jmpq   0xffd27000
0x102244875 <__cxa_throw+5>:    or     (%rax),%eax
0x102244877 <__cxa_throw+7>:    push   %rbx
0x102244878 <__cxa_throw+8>:    lea    -0x20(%rdi),%rbx
0x10224487c <__cxa_throw+12>:   mov    %rsi,-0x70(%rdi)
# Here is where the patching is being done

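The gdb session above gives enough to reproduce the linker maintainer's conclusion by hand. The following C program is an added example, not code from the bug report, from ASan or from mach_override: it rebuilds the five bytes written at the start of __cxa_throw from the watchpoint's "New value = -1373139991" (the 4-byte little-endian word at 0x102244870), decodes the resulting E9 rel32 near jump, and checks the target against the 4 GiB __PAGEZERO that 64-bit Mach-O executables reserve below 0x100000000, which is why a jump to 0xffd27000 in this process can only fault. The fifth patched byte (0xFD) is not in the 4-byte watchpoint value and is inferred here from the target gdb printed; the "island" address 0x102245000 used for the sane case is invented for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit Mach-O executables reserve a 4 GiB __PAGEZERO by default, so no
 * address below 0x100000000 is mapped in this process; a jump there faults. */
#define PAGEZERO_END 0x100000000ULL

/* Rebuild the five bytes mach_override wrote from what gdb reported: the
 * 4-byte watchpoint "New value" (little-endian int32 at the patch site) plus
 * the fifth byte. The fifth byte is an assumption derived from the jmp target
 * gdb printed, since a 4-byte watchpoint does not cover it. */
void patch_bytes_from_watch(int32_t watch_new_value, uint8_t fifth, uint8_t out[5]) {
    uint32_t w = (uint32_t)watch_new_value;
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(w >> (8 * i));
    out[4] = fifth;
}

/* Decode an E9 rel32 near jmp located at `site`. Returns 1 and sets *target,
 * or 0 if the bytes are not a jmp rel32. rel32 is sign-extended and relative
 * to the end of the 5-byte instruction, so the target is site + 5 + rel32. */
int decode_jmp_rel32(uint64_t site, const uint8_t insn[5], uint64_t *target) {
    if (insn[0] != 0xE9)
        return 0;
    uint32_t u = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8) |
                 ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    int32_t rel = (int32_t)u;
    *target = (uint64_t)((int64_t)(site + 5) + (int64_t)rel);
    return 1;
}

/* Encode the jmp a function-entry patcher should write to reach `target`
 * (the caller is responsible for keeping target within +/-2 GiB of site). */
void encode_jmp_rel32(uint64_t site, uint64_t target, uint8_t out[5]) {
    int32_t rel = (int32_t)((int64_t)target - (int64_t)(site + 5));
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
}

/* Sanity check for a function-entry patch: the first instruction must be a
 * jmp rel32 and its target must not land in __PAGEZERO. Returns 1 if the
 * patch is bogus (what the maintainer found for __cxa_throw), 0 if sane. */
int patch_is_bogus(uint64_t site, const uint8_t insn[5], uint64_t *target) {
    if (!decode_jmp_rel32(site, insn, target))
        return 1;
    if (*target < PAGEZERO_END)
        return 1;
    return 0;
}

/* Constructed from the gdb session: __cxa_throw at 0x102244870 and the
 * hardware watchpoint's "New value = -1373139991". */
static const uint64_t CXA_THROW_SITE = 0x102244870ULL;
static const int32_t  CXA_THROW_WATCH_NEW = -1373139991;

uint64_t cxa_throw_patch_target(void) {
    uint8_t insn[5];
    uint64_t target = 0;
    patch_bytes_from_watch(CXA_THROW_WATCH_NEW, 0xFD, insn);   /* E9 8B 27 AE FD */
    decode_jmp_rel32(CXA_THROW_SITE, insn, &target);
    return target;                                             /* 0xffd27000 */
}

int cxa_throw_patch_is_bogus(void) {
    uint8_t insn[5];
    uint64_t target;
    patch_bytes_from_watch(CXA_THROW_WATCH_NEW, 0xFD, insn);
    return patch_is_bogus(CXA_THROW_SITE, insn, &target);
}

/* The sane case: a jmp from `site` to a hypothetical island at `island`. */
int island_patch_is_bogus(uint64_t site, uint64_t island) {
    uint8_t insn[5];
    uint64_t target;
    encode_jmp_rel32(site, island, insn);
    return patch_is_bogus(site, insn, &target);
}

int main(void) {
    printf("__cxa_throw patched to jmp 0x%llx: %s\n",
           (unsigned long long)cxa_throw_patch_target(),
           cxa_throw_patch_is_bogus() ? "BOGUS (inside __PAGEZERO)" : "ok");
    printf("jmp to hypothetical island 0x102245000: %s\n",
           island_patch_is_bogus(CXA_THROW_SITE, 0x102245000ULL) ? "BOGUS" : "ok");
    return cxa_throw_patch_is_bogus();
}
```

Decoding the watchpoint value this way also confirms that the two observations in the session agree with each other: -1373139991 is 0xAE278BE9, whose little-endian bytes E9 8B 27 AE are the opcode and low three bytes of rel32 = 0xFDAE278B, and 0x102244875 + (-0x0251D875) is exactly the 0xffd27000 gdb showed. A production checker would go further than the __PAGEZERO boundary and verify the target falls inside a segment of a loaded image (walking dyld's image list), but the boundary test alone is enough to catch this particular patch.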
