Crash in gconv_db.c - Abhidnya Joshi

public inbox for libc-locales@sourceware.org
 help / color / mirror / Atom feed

From: Abhidnya Joshi <abhidnyachirmule@gmail.com>
To: libc-locales@sourceware.org
Cc: abhidnya chirmule <abhidnyachirmule@gmail.com>
Subject: Crash in gconv_db.c
Date: Mon, 11 Nov 2019 16:05:00 -0000	[thread overview]
Message-ID: <CALmqtCWYWMUm51HhL0VM3YgBJagyC8T3uCGxiUCjXA0KBB-h8w@mail.gmail.com> (raw)

Hi,

We use glibc version glibc-2.17-78.el7.src.rpm on centos.

We encountered a problem recently in our product where we get crash in
libc stack in gconv.
The crash is seen randomly after few days during character encoding
(UTF-8 to UTF-16LE). The functions getting called are:

iconv_open --> __gconv_open--> __gconv_find_transform -->
find_derivation --> increment_counter

In increment_counter, we get nstep = 2. In the second iteration inside
increment_counter when step[0] is under processing,
we see below values in it:
shlib_handle is NULL, _modname = NULL, __counter = 1 after condition
check in (increment-counter), from_name UTF-8 to to_name INTENAL

{__shlib_handle = 0x0, __modname = 0x0, __counter = 1, __from_name =
0x7f028853b890 "ISO-10646/UTF8/", __to_name = 0x7f028abca431
"INTERNAL",
  __fct = 0x7f028aa73ce0 <__gconv_transform_utf8_internal>,
__btowc_fct = 0x7f028aa714b0 <__gconv_btwoc_ascii>, __init_fct = 0x0,
__end_fct = 0x0, __min_needed_from = 1,
  __max_needed_from = 6, __min_needed_to = 4, __max_needed_to = 4,
__stateful = 0, __data = 0x0}


The stack looks something like this:

(gdb) bt
#0  0x00007f028aa6f31a in increment_counter (nsteps=2,
steps=0x7f028853b140) at gconv_db.c:393
#1  find_derivation (toset=toset@entry=0x7f0251ceb990 "UTF-16LE//",
toset_expand=0x0, fromset=fromset@entry=0x7f0251ceb970 "UTF-8//",
    fromset_expand=fromset_expand@entry=0x7f028853a798
"ISO-10646/UTF8/", handle=handle@entry=0x7f0251ceb900,
nsteps=nsteps@entry=0x7f0251ceb910) at gconv_db.c:426
#2  0x00007f028aa6ff61 in __gconv_find_transform
(toset=toset@entry=0x7f0251ceb990 "UTF-16LE//",
fromset=fromset@entry=0x7f0251ceb970 "UTF-8//",
handle=handle@entry=0x7f0251ceb900,
    nsteps=nsteps@entry=0x7f0251ceb910, flags=flags@entry=0) at gconv_db.c:755
#3  0x00007f028aa6e7ea in __gconv_open
(toset=toset@entry=0x7f0251ceb990 "UTF-16LE//",
fromset=fromset@entry=0x7f0251ceb970 "UTF-8//",
handle=handle@entry=0x7f0251ceb9c0,
    flags=flags@entry=0) at gconv_open.c:173
#4  0x00007f028aa6e371 in iconv_open (tocode=0x7f0251ceb990
"UTF-16LE//", fromcode=0x7f0251ceb970 "UTF-8//") at iconv_open.c:71

(Pasting last 4 frames out of 27)

The gconv_steps looked like below:

(gdb) p *(&step[1])
$4 = {__shlib_handle = 0x7f028853b240, __modname = 0x7f028853b270
"/usr/lib64/gconv/UTF-16.so", __counter = 1, __from_name =
0x7f028abca431 "INTERNAL",
  __to_name = 0x7f028853b220 "UTF-16LE//", __fct = 0x59e0be5c0391534f,
__btowc_fct = 0xa7e5bbe252f1534f, __init_fct = 0x59e0be5c1c91534f,
__end_fct = 0x59e0be5c03b1534f,
  __min_needed_from = 4, __max_needed_from = 4, __min_needed_to = 2,
__max_needed_to = 4, __stateful = 0, __data = 0x9bd320}
(gdb) p *(&step[0])
$5 = {__shlib_handle = 0x0, __modname = 0x0, __counter = 1,
__from_name = 0x7f028853b890 "ISO-10646/UTF8/", __to_name =
0x7f028abca431 "INTERNAL",
  __fct = 0x7f028aa73ce0 <__gconv_transform_utf8_internal>,
__btowc_fct = 0x7f028aa714b0 <__gconv_btwoc_ascii>, __init_fct = 0x0,
__end_fct = 0x0, __min_needed_from = 1,
  __max_needed_from = 6, __min_needed_to = 4, __max_needed_to = 4,
__stateful = 0, __data = 0x0}
(gdb)

And locals were:
(gdb) f 0
#0  0x00007f028aa6f31a in increment_counter (nsteps=2,
steps=0x7f028853b140) at gconv_db.c:393
393     in gconv_db.c
(gdb) info locals
init_fct = 0xa9a7d3f2ddf12978
step = 0x7f028853b140
cnt = 0
result = 0
(gdb)

Coming back to the core, if we examine frame 0, it gave problem at
below assembly code:

   0x00007f028aa6f2e1 <+209>:   mov    0x20(%rax),%r15
   0x00007f028aa6f2e5 <+213>:   mov    0x28(%rax),%rax
   0x00007f028aa6f2e9 <+217>:   movq   $0x0,0x30(%rbx)
   0x00007f028aa6f2f1 <+225>:   mov    %rdx,0x28(%rbx)
   0x00007f028aa6f2f5 <+229>:   mov    %r15,0x38(%rbx)
   0x00007f028aa6f2f9 <+233>:   mov    %rax,0x40(%rbx)
   0x00007f028aa6f2fd <+237>:   ror    $0x11,%r15
   0x00007f028aa6f301 <+241>:   xor    %fs:0x30,%r15
   0x00007f028aa6f30a <+250>:   test   %r15,%r15
   0x00007f028aa6f30d <+253>:   je     0x7f028aa6f332 <find_derivation+290>
   0x00007f028aa6f30f <+255>:   mov    %r15,%rdi
   0x00007f028aa6f312 <+258>:   callq  0x7f028ab7f7b0
<__GI__dl_mcount_wrapper_check>
   0x00007f028aa6f317 <+263>:   mov    %rbx,%rdi
=> 0x00007f028aa6f31a <+266>:   callq  *%r15
   0x00007f028aa6f31d <+269>:   mov    0x30(%rbx),%rax
   0x00007f028aa6f321 <+273>:   xor    %fs:0x30,%rax
   0x00007f028aa6f32a <+282>:   rol    $0x11,%rax
   0x00007f028aa6f32e <+286>:   mov    %rax,0x30(%rbx)
   0x00007f028aa6f332 <+290>:   sub    $0x1,%r12
   0x00007f028aa6f336 <+294>:   sub    $0x68,%rbx
   0x00007f028aa6f33a <+298>:   test   %r12,%r12
   0x00007f028aa6f33d <+301>:   je     0x7f028aa6f35f <find_derivation+335>


The questions here are:
1. why step[0] has counter 1? this means it was 0, got incremented via
increment_counter and hence getting inside

              DL_CALL_FCT (init_fct, (step));

2. When step gets initialized, counter is never 0. Under which
condition this can become 0?
3. Please let me know what to debug more to understand this.

Thanks
Abhidnya

next             reply	other threads:[~2019-11-11 16:05 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-11 16:05 Abhidnya Joshi [this message]
2019-11-11 16:19 ` Florian Weimer
2019-11-11 16:47   ` Abhidnya Joshi
     [not found]     ` <CALmqtCVBCb2vJ+XNb6WZa1csNZaisLmqoG5nTn-QUU0MO=UbPw@mail.gmail.com>
2019-11-14 17:34       ` Florian Weimer
2019-11-19 14:05         ` Abhidnya Joshi
2019-11-28 18:47           ` Abhidnya Joshi
2019-12-12 15:58             ` Florian Weimer
2019-12-20 15:05               ` Abhidnya Joshi
2019-12-20 15:16                 ` Florian Weimer
2019-12-20 15:40                   ` Abhidnya Joshi
2019-12-20 15:43                     ` Florian Weimer
2019-12-20 15:53                       ` Abhidnya Joshi
2019-12-20 16:09                         ` Florian Weimer
2019-12-20 16:42                           ` Abhidnya Joshi
2019-12-20 16:47                             ` Florian Weimer
2019-12-20 17:18                               ` Abhidnya Joshi
2019-12-20 18:39                                 ` Florian Weimer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CALmqtCWYWMUm51HhL0VM3YgBJagyC8T3uCGxiUCjXA0KBB-h8w@mail.gmail.com \
    --to=abhidnyachirmule@gmail.com \
    --cc=libc-locales@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).