From: Sergey Bugaev
Date: Thu, 13 Apr 2023 15:17:51 +0300
Subject: Re: [RFC PATCH glibc 24/34] hurd: Only check for TLS initialization inside rtld or in static builds
To: Samuel Thibault
Cc: libc-alpha@sourceware.org, bug-hurd@gnu.org
In-Reply-To: <20230413101058.wfmy7mb4dexsrbio@begin>
References: <20230412234657.ntztyz7iau55lcwt@begin> <20230413101058.wfmy7mb4dexsrbio@begin>

Alright, here's some more analysis.

I was unable to fetch your core dump (403), but the test case and libc/ld all 200'ed, and the crash / hang reproduces -- awesome. And guess what?

Firstly, the error we get from mach_port_mod_refs is

EMACH_RCV_INVALID_NAME
268451842 (ipc/rcv) invalid name

so my hunch that this one reply port was broken turned out correct. So now looking at how we get it...
(gdb) disas __mig_get_reply_port
Dump of assembler code for function __GI___mig_get_reply_port:
   0x0001c310 <+0>:     call   0x1cb9e2 <__x86.get_pc_thunk.cx>
   0x0001c315 <+5>:     add    $0x28ecdf,%ecx
   0x0001c31b <+11>:    mov    %gs:0x0,%eax
   0x0001c321 <+17>:    mov    0x38(%eax),%edx
   0x0001c324 <+20>:    test   %edx,%edx
   0x0001c326 <+22>:    je     0x1c340 <__GI___mig_get_reply_port+48>
   0x0001c328 <+24>:    lea    0x16d8(%ecx),%ecx
   0x0001c32e <+30>:    add    $0x38,%eax
   0x0001c331 <+33>:    cmp    %ecx,%eax
   0x0001c333 <+35>:    je     0x1c339 <__GI___mig_get_reply_port+41>
   0x0001c335 <+37>:    cmp    (%ecx),%edx
   0x0001c337 <+39>:    je     0x1c340 <__GI___mig_get_reply_port+48>
   0x0001c339 <+41>:    mov    %edx,%eax
   0x0001c33b <+43>:    ret
   0x0001c33c <+44>:    lea    0x0(%esi,%eiz,1),%esi
   0x0001c340 <+48>:    sub    $0xc,%esp
   0x0001c343 <+51>:    call   0x1ba40 <__GI___mach_reply_port>
   0x0001c348 <+56>:    mov    %gs:0x0,%eax
   0x0001c34e <+62>:    mov    0x38(%eax),%eax
   0x0001c351 <+65>:    add    $0xc,%esp
   0x0001c354 <+68>:    ret

That is surely very different from the one I cited in the cover letter! Look at what it's doing to the result of mach_reply_port (in %eax) -- it straight-up overwrites it with the tcb pointer. That is, of course, exactly the __seg_gs miscompilation I reported, and exactly what "hurd: Remove __hurd_local_reply_port" was supposed to work around (by not accessing it as THREAD_SELF->reply_port, but rather using THREAD_SETMEM).

I have now sent the second version of that patch; please try applying it and test if that fixes it.

And the commit that has broken things here was 748511f0bb61785f976e18843d707a8ba8fffe29 ("hurd: i386 TLS tweaks"), where I made THREAD_SELF (and friends) work through __seg_gs, triggering the miscompilation. I'm surprised your testing hasn't caught it earlier, but maybe the extra branch/indirection for the no-tls case was masking the miscompilation.

Please also check if the other reply port tweak you reverted today is also innocent.
I have uploaded my own builds of libc.so and ld.so at [0] & [1] (but these are with v1 of "hurd: Remove __hurd_local_reply_port", and with all of this patchset applied).

[0] https://darnassus.sceen.net/~bugaevc/libc.so
[1] https://darnassus.sceen.net/~bugaevc/ld.so

Please test whether they work on your system.

Sergey