public inbox for glibc-bugs@sourceware.org
* [Bug nptl/17165] New: [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
@ 2014-07-16 16:17 ubizjak at gmail dot com
  2014-07-16 16:39 ` [Bug nptl/17165] " ubizjak at gmail dot com
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: ubizjak at gmail dot com @ 2014-07-16 16:17 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

            Bug ID: 17165
           Summary: [alpha] Saved stack pointer is not mangled in
                    unwind_stop jumpbuffer
           Product: glibc
           Version: 2.17
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nptl
          Assignee: unassigned at sourceware dot org
          Reporter: ubizjak at gmail dot com
                CC: drepper.fsp at gmail dot com

The following testcase:

--cut here--
#include <bits/cxxabi_forced.h>
#include <pthread.h>

void* f(void*)
{
  try
    {
      /* pthread_exit performs a forced unwind of this thread's stack;
         the __forced_unwind handler below should run and print "unwind". */
      pthread_exit(0);
    }
  catch (__cxxabiv1::__forced_unwind const&)
    {
      __builtin_puts("unwind");
      throw;
    }
  catch (...)
    {
      __builtin_puts("something else");
      throw;
    }
}

int main()
{
  pthread_t t;
  pthread_create(&t, 0, f, 0);
  pthread_join(t, 0);
  return 0;
}
--cut here--

executes on alpha-linux-gnu without printing anything when compiled with
"gcc-4.9 -pthread". The problem was tracked to invalid execution of unwind_stop
from nptl/unwind.c.

The referenced function calls _jmpbuf_sp:

0033 static inline uintptr_t __attribute__ ((unused))
0034 _jmpbuf_sp (__jmp_buf regs)
0035 {
0036   uintptr_t sp = regs[JB_SP];
0037 #ifdef PTR_DEMANGLE
0038   PTR_DEMANGLE (sp);
0039 #endif
0040   return sp;
0041 }

through the _JMPBUF_CFA_UNWINDS_ADJ / _JMPBUF_UNWINDS_ADJ macros, defined in
sysdeps/alpha/jmpbuf-unwind.h. However, regs[JB_SP] is not mangled at all at
function entry, as confirmed by the following gdb session:

(gdb) b jmpbuf-unwind.h:38
No source file named jmpbuf-unwind.h.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (jmpbuf-unwind.h:38) pending.
(gdb) r
Starting program: /space/homedirs/uros/test/a.out 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
[New Thread 0x20000c391f0 (LWP 11609)]
[Switching to Thread 0x20000c391f0 (LWP 11609)]

Breakpoint 1, unwind_stop (version=<optimized out>, actions=<optimized out>,
exc_class=<optimized out>, exc_obj=<optimized out>, context=<optimized out>, 
    stop_parameter=<optimized out>) at unwind.c:61
61            || ! _JMPBUF_CFA_UNWINDS_ADJ (buf->cancel_jmp_buf[0].jmp_buf,
context,
(gdb) s
_jmpbuf_sp (regs=0x20000c38a40) at ../ports/sysdeps/alpha/jmpbuf-unwind.h:38
38        PTR_DEMANGLE (sp);
(gdb) p/x regs[8]
$1 = 0x20000c38a10

The following detail can be obtained from the disassembly:

   0x000002000028774c <+188>:   ldq     s1,64(a5)  <-- load SP value
   0x0000020000287750 <+192>:   ldq     t0,0(t0)   <-- load ptr chk guard
=> 0x0000020000287754 <+196>:   xor     s1,t0,s1   <-- mangling function

Just before the mangling function, we have:

(gdb) i r s1 t0
s1             0x20000c38a10    2199036070416
t0             0x33608b9cba2ff160       3702112398953410912

The consequence of the wrong value is that the do_longjump flag gets set in the
unwind_stop function. This causes an erroneous call to __libc_unwind_longjmp at
the end of the function, which silently terminates the execution.

I suspect a missing call to PTR_MANGLE, or that one of the PTR_MANGLE* macros in
sysdeps/unix/alpha/sysdep.h is not defined correctly, so the saved SP value in
jmp_buf isn't mangled as expected by the unwind_stop function.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug nptl/17165] [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
From: ubizjak at gmail dot com @ 2014-07-16 16:18 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

Uros Bizjak <ubizjak at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |alpha-linux-gnu
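To make the failure mechanism above concrete, here is an added example that is not code from the bug report or from glibc. It models the pairing between the PTR_MANGLE that __sigsetjmp is supposed to apply to the saved stack pointer and the PTR_DEMANGLE that _jmpbuf_sp applies unconditionally, and then runs the _JMPBUF_CFA_UNWINDS_ADJ test that unwind_stop uses to decide do_longjump. The guard (t0) and the raw SP (s1) are the values printed in the gdb session; the frame CFAs, the stack-top adjustment, and every model_*/sigsetjmp_* name are constructed assumptions, and all addresses are modelled as 64-bit words.

```c
/* Added example (not from the bug report or glibc): model of the mangle /
   demangle pairing and of unwind_stop's do_longjump decision.  Constructed
   values are marked as such; the guard and SP come from the gdb session. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for __pointer_chk_guard: the t0 value from the gdb session. */
#define POINTER_CHK_GUARD UINT64_C(0x33608b9cba2ff160)

/* Alpha's PTR_MANGLE / PTR_DEMANGLE are a plain XOR with the guard (the
   "xor sp,t0,t1" in a correct __sigsetjmp), so the two are the same op. */
static uint64_t ptr_mangle(uint64_t p)   { return p ^ POINTER_CHK_GUARD; }
static uint64_t ptr_demangle(uint64_t p) { return p ^ POINTER_CHK_GUARD; }

/* Only the JB_SP slot (regs[8], offset 64) of the jmp_buf matters here. */
struct model_jmp_buf { uint64_t jb_sp; };

/* A __sigsetjmp that mangles the stack pointer before storing it. */
static void sigsetjmp_mangling(struct model_jmp_buf *jb, uint64_t sp)
{ jb->jb_sp = ptr_mangle(sp); }

/* The 2.17 __sigsetjmp seen in comment #1: stores the raw stack pointer. */
static void sigsetjmp_unmangled(struct model_jmp_buf *jb, uint64_t sp)
{ jb->jb_sp = sp; }

/* _jmpbuf_sp from sysdeps/alpha/jmpbuf-unwind.h: always demangles. */
static uint64_t jmpbuf_sp(const struct model_jmp_buf *jb)
{ return ptr_demangle(jb->jb_sp); }

/* _JMPBUF_UNWINDS_ADJ: true when a longjmp to JB would unwind the frame whose
   CFA is ADDRESS, i.e. the frame lies below the saved SP (stacks grow down).
   ADJ is the top of the thread's stack; subtracting it with unsigned
   wrap-around keeps the ordering valid for thread stacks above the main one. */
static bool jmpbuf_unwinds_adj(const struct model_jmp_buf *jb,
                               uint64_t address, uint64_t adj)
{ return address - adj < jmpbuf_sp(jb) - adj; }

/* unwind_stop's do_longjump decision (nptl/unwind.c, the line the gdb
   breakpoint stopped on): longjmp once the frame is NOT one JB would unwind. */
static bool unwind_stop_do_longjump(const struct model_jmp_buf *jb,
                                    uint64_t cfa, uint64_t adj)
{ return !jmpbuf_unwinds_adj(jb, cfa, adj); }

/* Walk frames innermost-first; count how many the C++ unwinder gets to visit
   (and run handlers for) before unwind_stop longjmps out. */
static size_t frames_visited_before_longjmp(const struct model_jmp_buf *jb,
                                            const uint64_t *cfas, size_t n,
                                            uint64_t adj)
{
  size_t i;
  for (i = 0; i < n; i++)
    if (unwind_stop_do_longjump(jb, cfas[i], adj))
      break;
  return i;
}

/* Constructed thread layout.  The cancellation jmp_buf is taken in
   start_thread at SP 0x20000c38a10 (s1 in the gdb session); f() with its
   try/catch sits below that SP, start_thread's own CFA above it. */
#define STACK_TOP UINT64_C(0x20000c3a000)  /* constructed: stackblock + size */
#define SAVED_SP  UINT64_C(0x20000c38a10)
static const uint64_t frame_cfas[] = {
  UINT64_C(0x20000c38960),   /* f(): below SAVED_SP, its handler must run  */
  UINT64_C(0x20000c38b00),   /* start_thread: above SAVED_SP, longjmp here */
};

/* Demangled SP as _jmpbuf_sp sees it, for a mangling or unmangled setjmp. */
static uint64_t demangled_sp(bool setjmp_mangles)
{
  struct model_jmp_buf jb;
  if (setjmp_mangles) sigsetjmp_mangling(&jb, SAVED_SP);
  else                sigsetjmp_unmangled(&jb, SAVED_SP);
  return jmpbuf_sp(&jb);
}

/* Frames visited before the longjmp, for a mangling or unmangled setjmp. */
static size_t frames_visited(bool setjmp_mangles)
{
  struct model_jmp_buf jb;
  if (setjmp_mangles) sigsetjmp_mangling(&jb, SAVED_SP);
  else                sigsetjmp_unmangled(&jb, SAVED_SP);
  return frames_visited_before_longjmp(&jb, frame_cfas,
                                       sizeof frame_cfas / sizeof frame_cfas[0],
                                       STACK_TOP);
}

int main(void)
{
  printf("demangled SP (mangling setjmp):  0x%llx\n",
         (unsigned long long) demangled_sp(true));
  printf("demangled SP (unmangled setjmp): 0x%llx\n",
         (unsigned long long) demangled_sp(false));
  printf("frames visited before longjmp: %zu (mangling), %zu (unmangled)\n",
         frames_visited(true), frames_visited(false));
  return 0;
}
```

With a mangling __sigsetjmp the demangled SP is the real 0x20000c38a10, f()'s frame is visited and its __forced_unwind handler runs, and the longjmp happens only at start_thread's frame. With the raw SP stored, _jmpbuf_sp XORs a never-mangled value with the guard, the result is a garbage address far above the stack, the first frame already fails the unwinds test, and do_longjump is set before any handler runs, which is exactly the silent exit the reporter saw. The same mismatch is what to look for when auditing a port's setjmp/longjmp: every store of ra/sp/fp that PTR_DEMANGLE later reads must have a matching PTR_MANGLE, in every build variant (libc, libpthread, rtld) of the assembler file.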

* [Bug nptl/17165] [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
  2014-07-16 16:17 [Bug nptl/17165] New: [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer ubizjak at gmail dot com
@ 2014-07-16 16:39 ` ubizjak at gmail dot com
  2014-07-16 17:16 ` ubizjak at gmail dot com
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ubizjak at gmail dot com @ 2014-07-16 16:39 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

--- Comment #1 from Uros Bizjak <ubizjak at gmail dot com> ---
__sigsetjmp doesn't mangle any register:

(gdb) disass __sigsetjmp
Dump of assembler code for function __sigsetjmp:
   0x000002000001b440 <+0>:     ldah    gp,2(t12)
   0x000002000001b444 <+4>:     lda     gp,-5136(gp)
   0x000002000001b448 <+8>:     stq     s0,0(a0)
   0x000002000001b44c <+12>:    stq     s1,8(a0)
   0x000002000001b450 <+16>:    stq     s2,16(a0)
   0x000002000001b454 <+20>:    stq     s3,24(a0)
   0x000002000001b458 <+24>:    stq     s4,32(a0)
   0x000002000001b45c <+28>:    stq     s5,40(a0)
   0x000002000001b460 <+32>:    stq     ra,48(a0)   <-- ra should be mangled,
   0x000002000001b464 <+36>:    addq    sp,0,t1     <-- sp too,
   0x000002000001b468 <+40>:    stq     t1,64(a0)
   0x000002000001b46c <+44>:    stq     fp,56(a0)   <-- fp as well.
   0x000002000001b470 <+48>:    stt     $f2,72(a0)
   0x000002000001b474 <+52>:    stt     $f3,80(a0)
   0x000002000001b478 <+56>:    stt     $f4,88(a0)
   0x000002000001b47c <+60>:    stt     $f5,96(a0)
   0x000002000001b480 <+64>:    stt     $f6,104(a0)
   0x000002000001b484 <+68>:    stt     $f7,112(a0)
   0x000002000001b488 <+72>:    stt     $f8,120(a0)
   0x000002000001b48c <+76>:    stt     $f9,128(a0)
   0x000002000001b490 <+80>:    mov     0,v0
   0x000002000001b494 <+84>:    ret
End of assembler dump.


* [Bug nptl/17165] [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
  2014-07-16 16:17 [Bug nptl/17165] New: [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer ubizjak at gmail dot com
  2014-07-16 16:39 ` [Bug nptl/17165] " ubizjak at gmail dot com
@ 2014-07-16 17:16 ` ubizjak at gmail dot com
  2014-07-30  5:21 ` rth at gcc dot gnu.org
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ubizjak at gmail dot com @ 2014-07-16 17:16 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

--- Comment #2 from Uros Bizjak <ubizjak at gmail dot com> ---
Got it - IS_IN_libpthread handling is missing in the __ASSEMBLER__ part of
sysdeps/unix/alpha/sysdep.h.

I will leave it to the maintainer from here...


* [Bug nptl/17165] [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
  2014-07-16 16:17 [Bug nptl/17165] New: [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer ubizjak at gmail dot com
  2014-07-16 16:39 ` [Bug nptl/17165] " ubizjak at gmail dot com
  2014-07-16 17:16 ` ubizjak at gmail dot com
@ 2014-07-30  5:21 ` rth at gcc dot gnu.org
  2014-07-30  6:36 ` ubizjak at gmail dot com
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: rth at gcc dot gnu.org @ 2014-07-30  5:21 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

Richard Henderson <rth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING
                 CC|                            |rth at gcc dot gnu.org

--- Comment #3 from Richard Henderson <rth at gcc dot gnu.org> ---
I don't see this problem with mainline glibc, although I admit I
compiled for ev67, not ev4.  I just wouldn't have thought that
would make any difference.

$ ./elf/ld.so --library-path .:elf:math:nptl ~/a.out
unwind

0000000000000000 <__sigsetjmp>:
   0:   00 00 bb 27     ldah    gp,0(t12)
                        0: GPDISP       .text+0x4
   4:   00 00 bd 23     lda     gp,0(gp)
   8:   00 00 30 b5     stq     s0,0(a0)
   c:   08 00 50 b5     stq     s1,8(a0)
  10:   10 00 70 b5     stq     s2,16(a0)
  14:   18 00 90 b5     stq     s3,24(a0)
  18:   20 00 b0 b5     stq     s4,32(a0)
  1c:   28 00 d0 b5     stq     s5,40(a0)
  20:   00 00 3d a4     ldq     t0,0(gp)
                        20: ELF_LITERAL __pointer_chk_guard
  24:   00 00 21 a4     ldq     t0,0(t0)
                        24: LITUSE      .text+0x1
  28:   02 08 41 47     xor     ra,t0,t1
  2c:   30 00 50 b4     stq     t1,48(a0)
  30:   02 08 c1 47     xor     sp,t0,t1
  34:   40 00 50 b4     stq     t1,64(a0)
  38:   02 08 e1 45     xor     fp,t0,t1
  3c:   38 00 50 b4     stq     t1,56(a0)

Can you please re-verify mainline?  We're going to cut 2.20 soon.


* [Bug nptl/17165] [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
  2014-07-16 16:17 [Bug nptl/17165] New: [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer ubizjak at gmail dot com
                   ` (2 preceding siblings ...)
  2014-07-30  5:21 ` rth at gcc dot gnu.org
@ 2014-07-30  6:36 ` ubizjak at gmail dot com
  2014-07-30  7:48 ` ubizjak at gmail dot com
  2014-07-30 17:17 ` rth at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: ubizjak at gmail dot com @ 2014-07-30  6:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

--- Comment #4 from Uros Bizjak <ubizjak at gmail dot com> ---
(In reply to Richard Henderson from comment #3)
> Can you please re-verify mainline?  We're going to cut 2.20 soon.

2.20 seems OK:

0000000000040820 <__sigsetjmp>:
   40820:       19 00 bb 27     ldah    gp,25(t12)
   40824:       d8 8e bd 23     lda     gp,-28968(gp)
   40828:       00 00 30 b5     stq     s0,0(a0)
   4082c:       08 00 50 b5     stq     s1,8(a0)
   40830:       10 00 70 b5     stq     s2,16(a0)
   40834:       18 00 90 b5     stq     s3,24(a0)
   40838:       20 00 b0 b5     stq     s4,32(a0)
   4083c:       28 00 d0 b5     stq     s5,40(a0)
   40840:       70 81 3d a4     ldq     t0,-32400(gp)
   40844:       00 00 21 a4     ldq     t0,0(t0)
   40848:       02 08 41 47     xor     ra,t0,t1
   4084c:       30 00 50 b4     stq     t1,48(a0)
   40850:       02 08 c1 47     xor     sp,t0,t1
   40854:       40 00 50 b4     stq     t1,64(a0)
   40858:       02 08 e1 45     xor     fp,t0,t1
   4085c:       38 00 50 b4     stq     t1,56(a0)

I configured only with --prefix=/opt, default host/build was detected as
alphaev68.


* [Bug nptl/17165] [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
  2014-07-16 16:17 [Bug nptl/17165] New: [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer ubizjak at gmail dot com
                   ` (3 preceding siblings ...)
  2014-07-30  6:36 ` ubizjak at gmail dot com
@ 2014-07-30  7:48 ` ubizjak at gmail dot com
  2014-07-30 17:17 ` rth at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: ubizjak at gmail dot com @ 2014-07-30  7:48 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

--- Comment #5 from Uros Bizjak <ubizjak at gmail dot com> ---
It looks like the patch at [1] fixed the problem. This patch is in 2.18.

2013-10-01  Richard Henderson  <rth@redhat.com>

    * sysdeps/unix/alpha/sysdep.h (PTR_MANGLE): Improve conditions under
    which it is defined.

[1] https://sourceware.org/ml/libc-alpha/2013-10/msg00014.html


* [Bug nptl/17165] [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer
  2014-07-16 16:17 [Bug nptl/17165] New: [alpha] Saved stack pointer is not mangled in unwind_stop jumpbuffer ubizjak at gmail dot com
                   ` (4 preceding siblings ...)
  2014-07-30  7:48 ` ubizjak at gmail dot com
@ 2014-07-30 17:17 ` rth at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: rth at gcc dot gnu.org @ 2014-07-30 17:17 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17165

Richard Henderson <rth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.18

--- Comment #6 from Richard Henderson <rth at gcc dot gnu.org> ---
Thanks for the archaeology, Uros.
Closing as fixed in 2.18.

