[Bug translator/15452] New: segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[Bug translator/15452] New: segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[dsmith at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15452

             Bug #: 15452
           Summary: segmentation fault in libdw while running compiling
                    debugtypes.stp on rawhide
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: translator
        AssignedTo: systemtap@sourceware.org
        ReportedBy: dsmith@redhat.com
    Classification: Unclassified


On rawhide (3.10.0-0.rc0.git21.1.fc20.x86_64), I'm seeing the following crash
when running the following command:

make installcheck RUNTESTFLAGS=debugtypes.exp

====
Running ../../src.copy/testsuite/systemtap.pass1-4/debugtypes.exp ...
Executing on host: gcc
../../src.copy/testsuite/systemtap.pass1-4/debugtypes.cxx  -gdwarf-4
-fdebug-types-section -g  -lm   -o debugtypes.exe    (timeout = 300)
spawn -ignore SIGHUP gcc
../../src.copy/testsuite/systemtap.pass1-4/debugtypes.cxx -gdwarf-4
-fdebug-types-section -g -lm -o debugtypes.exe
PASS: compiling debugtypes.cxx
starting ../../src.copy/testsuite/systemtap.pass1-4/debugtypes.stp 
spawn1 stap -p2 ../../src.copy/testsuite/systemtap.pass1-4/debugtypes.stp 
spawn stap -p2 ../../src.copy/testsuite/systemtap.pass1-4/debugtypes.stp
wait results: 22420 exp12 0 0 CHILDKILLED SIGSEGV {segmentation violation}
FAIL: compiling debugtypes.stp
====

According to gdb, we're crashing in libdw (from
elfutils-libs-0.155-5.fc19.x86_64):

====
Program received signal SIGSEGV, Segmentation fault.
0x0000003b43a0ba17 in __libdw_find_attr (die=die@entry=0x7fffffffabe0, 
    search_name=search_name@entry=1, codep=codep@entry=0x7fffffffabc0, 
    formp=formp@entry=0x7fffffffabc4) at dwarf_child.c:85
85          get_uleb128 (attr_name, attrp);
====

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug translator/15452] segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[dsmith at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15452

David Smith <dsmith at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mjw at redhat dot com

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug translator/15452] segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[mjw at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15452

--- Comment #1 from Mark Wielaard <mjw at redhat dot com> 2013-05-10 14:31:53 UTC ---
Sorry I have no access atm to rawhide. Does this also happen on (pre-)f19?
Would it be possible to add the full backtrace?

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug translator/15452] segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[mjw at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15452

--- Comment #2 from Mark Wielaard <mjw at redhat dot com> 2013-05-10 15:34:09 UTC ---
Replicated on f19:

$ gdb --args stap -p2
/home/mark/src/systemtap/testsuite/systemtap.pass1-4/debugtypes.stp
GNU gdb (GDB) Fedora (7.6-24.fc19)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/stap...Reading symbols from
/usr/lib/debug/usr/bin/stap.debug...done.
done.
(gdb) run
Starting program: /usr/bin/stap -p2
/home/mark/src/systemtap/testsuite/systemtap.pass1-4/debugtypes.stp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff735d99c in __libdw_find_attr (die=die@entry=0x7fffffffad90, 
    search_name=search_name@entry=1, codep=codep@entry=0x7fffffffad70, 
    formp=formp@entry=0x7fffffffad74) at dwarf_child.c:52
52        get_uleb128 (abbrev_code, readp);
(gdb) where
    search_name=search_name@entry=1, codep=codep@entry=0x7fffffffad70, 
    formp=formp@entry=0x7fffffffad74) at dwarf_child.c:52
#1  0x00007ffff735efdf in dwarf_siblingof (die=0x7fffffffae50, 
    result=0x7fffffffae50) at dwarf_siblingof.c:73
#2  0x00005555556d80f1 in dwflpp::print_members (
    this=this@entry=0x5555577e1b20, vardie=vardie@entry=0x7fffffffb3e0, o=..., 
Python Exception <type 'exceptions.IndexError'> list index out of range: 
    dupes=std::set with 0 elements) at dwflpp.cxx:2525
#3  0x00005555556dd0d9 in dwflpp::translate_components (
    this=this@entry=0x5555577e1b20, pool=pool@entry=0x7fffffffb400, 
    tail=tail@entry=0x7fffffffb358, pc=pc@entry=4195728, e=e@entry=
    0x5555577e6cc0, vardie=vardie@entry=0x7fffffffb3c0, 
    typedie=typedie@entry=0x7fffffffb3e0, first=first@entry=0)
    at dwflpp.cxx:2737
#4  0x00005555556def58 in dwflpp::literal_stmt_for_local (this=0x5555577e1b20, 
    scopes=..., pc=4195728, local=..., e=0x5555577e6cc0, lvalue=false, 
    ty=@0x7fffffffb5b0: pe_long) at dwflpp.cxx:3060
#5  0x00005555556546b9 in dwarf_var_expanding_visitor::visit_target_symbol (
    this=0x7fffffffb9b0, e=0x5555577e6cc0) at tapsets.cxx:3739
#6  0x00005555555c3a83 in update_visitor::require<expression> (
    this=this@entry=0x7fffffffb9b0, src=<optimized out>, 
    clearok=clearok@entry=false) at staptree.h:959
#7  0x00005555555be6c5 in replace<expression> (clearok=false, 
    src=@0x5555577e6c30: 0x5555577e6cc0, this=0x7fffffffb9b0) at staptree.h:981
#8  update_visitor::visit_print_format (this=0x7fffffffb9b0, e=0x5555577e6ba0)
    at staptree.cxx:2776
#9  0x00005555555c3a83 in update_visitor::require<expression> (
    this=this@entry=0x7fffffffb9b0, src=<optimized out>, 
    clearok=clearok@entry=false) at staptree.h:959
#10 0x00005555555bbcf7 in replace<expression> (clearok=false, 
    src=<optimized out>, this=0x7fffffffb9b0) at staptree.h:981
#11 update_visitor::visit_expr_statement (this=0x7fffffffb9b0, 
    s=0x5555577e6b80) at staptree.cxx:2534
#12 0x00005555555c3d03 in update_visitor::require<statement> (
    this=this@entry=0x7fffffffb9b0, src=<optimized out>, 
    clearok=clearok@entry=false) at staptree.h:959

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug translator/15452] segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[mjw at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15452

--- Comment #3 from Mark Wielaard <mjw at redhat dot com> 2013-05-10 18:16:38 UTC ---
The problematic DIEs are:

 [    a8]    variable
             name                 (string) "S1"
             decl_file            (data1) 1
             decl_line            (data1) 11
             type                 (ref4) [    bc]
             external             (flag_present) Yes
             location             (exprloc) 
              [   0] addr 0x601060 <S1>
 [    bc]    structure_type
             signature            (ref_sig8) {37e91ebb1355d09b}

The issue is in systemtap dwflpp::print_members, which has:

  // Try to get the first child of vardie.
  Dwarf_Die die_mem, import;
  Dwarf_Die *die = &die_mem;
  switch (dwarf_child (vardie, die))
    {
    case 1:                             // No children.
      o << _F("%s is empty", dwarf_type_name(vardie).c_str());
      break;

    case -1:                            // Error.
    default:                            // Shouldn't happen.
      o << dwarf_type_name(vardie)
        << ": " << dwarf_errmsg (-1);
      break;

    case 0:                             // Success.
      break;
    }

For the structure_type DIE dwarf_child will return 1 and die will be garbage.
So the following dwarf_siblingof (die, die) will crash.

The following will prevent the crash:

diff --git a/dwflpp.cxx b/dwflpp.cxx
index f41d6c7..55c411b 100644
--- a/dwflpp.cxx
+++ b/dwflpp.cxx
@@ -2473,13 +2473,13 @@ dwflpp::print_members(Dwarf_Die *vardie, ostream &o,
set<string> &dupes)
     {
     case 1:                            // No children.
       o << _F("%s is empty", dwarf_type_name(vardie).c_str());
-      break;
+      return;

     case -1:                           // Error.
     default:                           // Shouldn't happen.
       o << dwarf_type_name(vardie)
         << ": " << dwarf_errmsg (-1);
-      break;
+      return;

     case 0:                            // Success.
       break;

But obviously then the testcase will fail with:

semantic error: unable to find member 'l' for struct {...} (alternatives:struct
{...} is empty): operator '->' at
/home/mark/src/systemtap/testsuite/systemtap.pass1-4/debugtypes.stp:4:13
        source:   println($p->l)
                            ^

Pass 2: analysis failed.  [man error::pass2]

Because the code doesn't handle the DW_AT_signature.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug translator/15452] segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[mjw at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15452

--- Comment #4 from Mark Wielaard <mjw at redhat dot com> 2013-05-10 20:35:01 UTC ---
commit c150b595f57ad4b026866ad295474ba365587647
Author: Mark Wielaard <mjw@redhat.com>
Date:   Fri May 10 16:29:15 2013 -0400

    PR15452 Prevent crash in dwflpp::print_members ().

    Don't try to find siblings when a DIE doesn't have any children.

    This doesn't solve the actual bug and the debugtypes testcase still fails
    because the code doesn't doesn't handle the DW_AT_signature.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug translator/15452] segmentation fault in libdw while running compiling debugtypes.stp on rawhide

[mjw at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=15452

Mark Wielaard <mjw at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Mark Wielaard <mjw at redhat dot com> 2013-05-15 16:01:27 UTC ---
commit 28a494df26044efdba92a30460042e5884f98551
Author: Mark Wielaard <mjw@redhat.com>
Date:   Wed May 15 11:36:08 2013 -0400

    PR15452 Follow DW_AT_signature attributes when trying to find a DW_AT_type.

    When we are trying to find a type DIE we might hit upon a DIE that simply
    has a DW_AT_signature pointing to the actual type (possibly in
.debug_type).
    Extend the debugtypes.exp testcase a bit. Add DW_AT_signature chasing to
    dwarf_wrappers.h (dwarf_attr_die) when searching for a DW_AT_type. And
    clarify that dwflpp::print_members takes a type DIE not a variable DIE.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.