public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "alex_y_xu at yahoo dot ca" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/29039] New: _dl_tlsdesc_dynamic (sometimes) returns garbage offsets
Date: Sun, 10 Apr 2022 05:36:08 +0000 [thread overview]
Message-ID: <bug-29039-131@http.sourceware.org/bugzilla/> (raw)
https://sourceware.org/bugzilla/show_bug.cgi?id=29039
Bug ID: 29039
Summary: _dl_tlsdesc_dynamic (sometimes) returns garbage
offsets
Product: glibc
Version: 2.35
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: alex_y_xu at yahoo dot ca
Target Milestone: ---
Many users have reported that Mesa 22 causes GTK4 programs to segfault on start
with the crocus driver under X. This is caused by _dl_tlsdesc_dynamic returning
a large negative value, which when added to FS results in a value slightly
above zero. Unfortunately, I have been unable to find any reduced test case,
even after testing many sequences of dlopen and dlclose calls. Additionally,
the issue reportedly does not affect Fedora Linux. The shortest reproduction
steps I have found are:
1. Use a GPU supported by the Mesa crocus driver; all i915 through Haswell
Intel GPUs should be supported.
2. podman run -it --privileged --net=host -v /tmp/.X11-unix:/tmp/.X11-unix --rm
archlinux. It may be possible to use docker instead of podman; I did not test
this. Alternatively, install Arch Linux.
3. Run:
pacman -Syu
pacman -U
https://archive.archlinux.org/packages/m/mesa/mesa-22.0.1-2-x86_64.pkg.tar.zst
pacman -S gnome-chess
useradd -m -u 1000 -g 1000 user # set to your host UID/GID
su - user
DISPLAY=:0 gnome-chess
This should segfault in lookup_opcode_desc with a small pointer dereference
which was computed in brw_opcode_desc from a call to _dl_tlsdesc_dynamic.
Unfortunately, there are no symbols for Mesa, but there are dynamic symbols for
glibc. Debug output:
$ DISPLAY=:0 gdb gnome-chess
[ ... ]
(gdb) b _dl_tlsdesc_dynamic
Breakpoint 1 at 0x7ffff7fdc600
(gdb) r
[ ... ]
Thread 1 "gnome-chess" hit Breakpoint 1, 0x00007ffff7fdc600 in
_dl_tlsdesc_dynamic () from /lib64/ld-linux-x86-64.so.2
(gdb) info reg
rax 0x7fffebe36898 140737150937240
rbx 0x7fffffff7e60 140737488322144
rcx 0x0 0
rdx 0x7fffffff81a0 140737488322976
rsi 0x555556426d00 93825007774976
rdi 0x7fffffff8190 140737488322960
rbp 0x7fffffff8310 0x7fffffff8310
rsp 0x7fffffff7e58 0x7fffffff7e58
r8 0x5555561fec90 93825005513872
r9 0x1 1
r10 0x7fffebb248c0 140737147717824
r11 0x91df835f16e6916b -7935479573974183573
r12 0x5555564c0a60 93825008405088
r13 0x0 0
r14 0x7fffffff87b0 140737488324528
r15 0x7fffffff82c0 140737488323264
rip 0x7ffff7fdc600 0x7ffff7fdc600 <_dl_tlsdesc_dynamic>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) fin
Run till exit from #0 0x00007ffff7fdc600 in _dl_tlsdesc_dynamic () from
/lib64/ld-linux-x86-64.so.2
[Thread 0x7fffe9571640 (LWP 921) exited]
[Thread 0x7fffe9d72640 (LWP 920) exited]
0x00007fffeb3d8979 in ?? () from /usr/lib/dri/crocus_dri.so
(gdb) p $rax
$2 = -140737272884288
(gdb) p $rax+$fs_base
$3 = 0
Exporting LD_PRELOAD=/usr/local/lib/dri/crocus_dri.so avoids the crash, as
static TLS is used in that case. More interestingly, exporting
LD_PRELOAD=/usr/lib/libLLVM.so also avoids the crash, despite still using
dynamic TLS. Exporting LD_BIND_NOW=1 does not avoid the crash.
--
You are receiving this mail because:
You are on the CC list for the bug.
next reply other threads:[~2022-04-10 5:36 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-10 5:36 alex_y_xu at yahoo dot ca [this message]
2022-04-10 9:46 ` [Bug dynamic-link/29039] " evangelos at foutrelis dot com
2022-04-10 14:34 ` alex_y_xu at yahoo dot ca
2022-04-12 11:27 ` fweimer at redhat dot com
2022-04-12 15:18 ` alex_y_xu at yahoo dot ca
2022-05-17 20:20 ` j at bitron dot ch
2023-11-26 14:16 ` sam at gentoo dot org
2023-11-26 14:17 ` sam at gentoo dot org
2023-11-28 10:12 ` [Bug dynamic-link/29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS fweimer at redhat dot com
2023-11-28 17:29 ` cvs-commit at gcc dot gnu.org
2023-12-20 8:46 ` cvs-commit at gcc dot gnu.org
2023-12-22 14:43 ` sam at gentoo dot org
2023-12-22 14:57 ` dilfridge at gentoo dot org
2023-12-22 16:58 ` cvs-commit at gcc dot gnu.org
2023-12-22 16:58 ` cvs-commit at gcc dot gnu.org
2023-12-22 16:59 ` cvs-commit at gcc dot gnu.org
2023-12-22 16:59 ` cvs-commit at gcc dot gnu.org
2023-12-22 17:00 ` cvs-commit at gcc dot gnu.org
2023-12-22 17:00 ` cvs-commit at gcc dot gnu.org
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-29039-131@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).