From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 101849 invoked by alias); 25 Mar 2019 13:06:08 -0000 Mailing-List: contact gcc-help-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-help-owner@gcc.gnu.org Received: (qmail 101839 invoked by uid 89); 25 Mar 2019 13:06:08 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_00,KAM_ASCII_DIVIDERS,RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 spammy=monitored, online X-HELO: mail-wm1-f46.google.com Received: from mail-wm1-f46.google.com (HELO mail-wm1-f46.google.com) (209.85.128.46) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Mon, 25 Mar 2019 13:06:06 +0000 Received: by mail-wm1-f46.google.com with SMTP id a188so8966627wmf.3 for ; Mon, 25 Mar 2019 06:06:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jguk-org.20150623.gappssmtp.com; s=20150623; h=from:subject:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=gyKntkzmx3ijL0eZfew/+yA+dHf8a0oz5Pzm7VdsqEs=; b=Ca5vMxreoSsinLoGAw7WRcycTNVNuN7sxX87vz0Kt0tc8q1IKHltKjPWMLteQqDLUS sXKLZpDQ75b7UgxTmzT+USyJfjODPgthiXjuDyhN7f2btoxn/6xHYi0wVx5Ai4pU5+Ob sgEIbIRfpSku4mDZPXd5kvQQpGCg/I7XDyzPUY67xn+No3EUyPeH9vX6dRgDSZ5UpdpK rLjfCQpLcgRCbw2R8eb+vmOY0x6kf44hkAtDTED3GeAtdIDfO1T43vry4dLgWhoEPjlY RelrKsPMzbMmFEjy/AtL2mUUYjM/CyXvrbWHnvRKVRE/bWkiyvJght3dImfnQgl3tvNN jCrQ== Return-Path: Received: from [192.168.1.71] (251.98.189.80.dyn.plus.net. [80.189.98.251]) by smtp.gmail.com with ESMTPSA id y125sm14302594wmc.39.2019.03.25.06.06.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Mar 2019 06:06:02 -0700 (PDT) From: Jonny Grant Subject: Re: Recursive SIGSEGV question To: Florian Weimer Cc: gcc-help References: <1255ee27-882f-ab4e-ea45-ba6f35791b45@jguk.org> <877ecuikq9.fsf@mid.deneb.enyo.de> Message-ID: <835d09ce-752a-c0f7-e5cf-210e855df2ab@jguk.org> Date: Mon, 25 Mar 2019 13:23:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: <877ecuikq9.fsf@mid.deneb.enyo.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-SW-Source: 2019-03/txt/msg00161.txt.bz2 Hi Florian! On 19/03/2019 22:05, Florian Weimer wrote: > * Jonny Grant: > >> Wanted to ask opinion about the following. >> >> Compiling with g++ 8.2.0 and saw the following. The program was in a >> recursive function call (bug). My test case is attached, although could >> not reproduce exactly same backtrace. >> >> I had a look at https://github.com/lattera/glibc/blob/master/malloc/malloc.c >> >> Is there an issue in _int_malloc? or was it most likely just out of >> memory? Do out of memory issues normally show up as SIGSEGV? I had >> expected some sort of "out of memory" > > This isn't really a GCC question, _int_malloc looks like something > that would be part of glibc. > >> This is the log from own software (not attached) :- >> >> Program terminated with signal SIGSEGV, Segmentation fault. >> #0 0x00007faa0e37b30e in _int_malloc (av=av@entry=0x7fa980000020, >> bytes=bytes@entry=45) at malloc.c:3557 >> 3557 malloc.c: No such file or directory. >> [Current thread is 1 (Thread 0x7fa997860700 (LWP 20571))] >> (gdb) bt >> #0 0x00007faa0e37b30e in _int_malloc (av=av@entry=0x7fa980000020, >> bytes=bytes@entry=45) at malloc.c:3557 >> #1 0x00007faa0e37e2ed in __GI___libc_malloc (bytes=45) at malloc.c:3065 >> #2 0x00007faa0eba21a8 in operator new(unsigned long) () >> from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 > > How does hit go on after that? Where does the fault actually happen? > > See: > > (gdb) print $_siginfo._sifields._sigfault > > Usually that's heap corruption. For example, the application might > have overrun a buffer overwritten some internal malloc data > structures. > > If you can reproduce it at will, valgrind is a great diagnostic tool > for such issues. I built & ran with the Sanitizer, it seems it's also stack overflow within the operator new() I had thoughts GCC would generate code that monitored the stack size and aborted with a clear message when the stack size was exceeded. Looked online, and it doesn't seem to be the case. AddressSanitizer:DEADLYSIGNAL ================================================================= ==16598==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe4b0e7fc0 (pc 0x7f85c609293a bp 0x7ffe4b0e88d0 sp 0x7ffe4b0e7fb0 T0) #0 0x7f85c6092939 (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x28939) #1 0x7f85c6091217 (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x27217) #2 0x7f85c615974e in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xef74e) #3 0x563e23701a4a in void std::__cxx11::basic_string, std::allocator >::_M_construct(char const*, char const*, std::forward_iterator_tag) /usr/include/c++/8/bits/basic_string.tcc:219 #4 0x563e23947131 in void std::__cxx11::basic_string, std::allocator >::_M_construct_aux(char const*, char const*, std::__false_type) /usr/include/c++/8/bits/basic_string.h:236 #5 0x563e23947131 in void std::__cxx11::basic_string, std::allocator >::_M_construct(char const*, char const*) /usr/include/c++/8/bits/basic_string.h:255 #6 0x563e23947131 in std::__cxx11::basic_string, std::allocator >::basic_string(char const*, std::allocator const&) /usr/include/c++/8/bits/basic_string.h:516 > >> I tried to create a test case, but got slightly different messages, they >> actually vary. Is there a gdb bug if the same program has different >> backtraces? >> GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git >> >> Core was generated by `./loop'. >> Program terminated with signal SIGSEGV, Segmentation fault. >> #0 0x00007fc10dee51e7 in void std::__cxx11::basic_string> std::char_traits, std::allocator >> >::_M_construct(char*, char*, std::forward_iterator_tag) () >> from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 >> (gdb) bt >> #0 0x00007fc10dee51e7 in void std::__cxx11::basic_string> std::char_traits, std::allocator >> >::_M_construct(char*, char*, std::forward_iterator_tag) () >> from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 >> #1 0x00005592fbb669d7 in func (f="a", g=0) at loop.cpp:7 >> #2 0x00005592fbb669e8 in func (f="a", g=0) at loop.cpp:7 >> #3 0x00005592fbb669e8 in func (f="a", g=0) at loop.cpp:7 > > This looks like a very different thing. Due to the deep recursion, > the code faults when accessing the guard page below the stack. Sanitizer says the same. There isn't really anything that can be done when stack is exceeded! There isn't a StackOverflowException $ ./loop AddressSanitizer:DEADLYSIGNAL ================================================================= ==13496==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd8f0f1f18 (pc 0x7f705dcf59b6 bp 0x7ffd8f0f27a0 sp 0x7ffd8f0f1f20 T0) #0 0x7f705dcf59b5 (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x989b5) #1 0x7f705d9fb536 in std::__cxx11::basic_string, std::allocator >::basic_string(char const*, std::allocator const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x127536) #2 0x562e51e7ceed in func /home/jonny/code/loop.cpp:7 #3 0x562e51e7cf01 in func /home/jonny/code/loop.cpp:7 Cheers, Jonny