public inbox for systemtap@sourceware.org
From: "mcermak at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: systemtap@sourceware.org
Subject: [Bug tapsets/18597] long_arg() doesn't correctly handle negative values in 32-on-64 environment
Date: Wed, 01 Jul 2015 15:21:00 -0000	[thread overview]
Message-ID: <bug-18597-6586-rjWMCRFJgH@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-18597-6586@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=18597

--- Comment #13 from Martin Cermak <mcermak at redhat dot com> ---
The aforementioned patch brings some testcase extensions that fail on rhel5.
For instance, the pwrite testcase newly has the following subtest:

=======
  pwrite(-1, "Hello Again", 11, 0x12345678deadbeefLL);
  //staptest// pwrite (-1, "Hello Again", 11, 1311768468603649775) = NNNN
=======

For the purpose of this comment, I reduced pwrite.c to this one single pwrite
call only, and compiled it with -m31. On x86_64, the value of the fourth argument
is being grabbed in _stp_get_arg32_by_number(n, nr_regargs, regs, &val), where
n=4 and nr_regargs=6, effectively grabbing the value from RREG(cx, regs). This
works fine except on rhel5. E.g. on rhel7 we have:

=======
 7.1 S x86_64 # stap -ge 'probe kernel.function("*pwrite*") {println(pp());
print_regs()}' -c ./a.out 
WARNING: probe kernel.function("C_SYSC_pwritev@fs/read_write.c:1072") (address
0xffffffff811c7d06) registration error (rc -84)
kernel.function("sys32_pwrite@arch/x86/ia32/sys_ia32.c:183")
RIP: ffffffff81062c10
RSP: ffff880094fa3f80  EFLAGS: 00000293
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 00000000deadbeef
RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff
RBP: 00000000080485bc R08: 0000000012345678 R09: 00000000ffeae768
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0
kernel.function("SyS_pwrite64@fs/read_write.c:542")
RIP: ffffffff811c7180
RSP: ffff880094fa3f70  EFLAGS: 00000202
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 12345678deadbeef
RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff
RBP: ffff880094fa3f78 R08: 12345678deadbeef R09: 00000000ffeae768
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0
kernel.function("SYSC_pwrite64@fs/read_write.c:542")
RIP: ffffffff811c71a7
RSP: ffff880094fa3f28  EFLAGS: 00000246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 12345678deadbeef
RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff
RBP: ffff880094fa3f68 R08: 12345678deadbeef R09: 00000000ffeae768
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0
 7.1 S x86_64 # 
=======

Whereas on rhel5 I see:

=======
 5.11 S x86_64 # stap -ge 'probe kernel.function("*pwrite*") {println(pp());
print_regs()}' -c ./a.out
kernel.function("sys32_pwrite@arch/x86_64/ia32/sys_ia32.c:690")
RIP: ffffffff800860b2
RSP: ffff81015527ff80  EFLAGS: 00000283
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 00000000deadbeef
RDX: 000000000000000b RSI: 0000000008048578 RDI: 00000000ffffffff
RBP: 0000000008048578 R08: 00000000ffffffff R09: 00000000ffaafd48
R10: ffff81015527e000 R11: 0000000000000297 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00002b70d78cdaf0(0000) GS:ffff810181caddc0(0063) knlGS:00000000f7eed6c0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000004889c0 CR3: 0000000061b4e000 CR4: 00000000000006e0
kernel.function("sys_pwrite64@fs/read_write.c:438")
RIP: ffffffff80044241
RSP: ffff81015527ff80  EFLAGS: 00000282
RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: ffffffffdeadbeef
RDX: 000000000000000b RSI: 0000000008048578 RDI: 00000000ffffffff
RBP: 0000000008048578 R08: ffffffff00000000 R09: 00000000ffaafd48
R10: ffff81015527e000 R11: 0000000000000297 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00002b70d78cdaf0(0000) GS:ffff810181caddc0(0063) knlGS:00000000f7eed6c0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000004889c0 CR3: 0000000061b4e000 CR4: 00000000000006e0
 5.11 S x86_64 #
=======

On rhel5 sys32_pwrite looks like this:

=======
asmlinkage long
sys32_pwrite(unsigned int fd, char __user *ubuf, u32 count, u32 poslo, u32
poshi)
{
        return sys_pwrite64(fd, ubuf, count,
                          ((loff_t)AA(poshi) << 32) | AA(poslo));
}
=======

Which overall means that in this case sys32_pwrite() is only getting a truncated
argument, and that is also what it passes to sys_pwrite64() via CX. Looks like
it's glibc's choice to throw poshi away when calling sys32_pwrite().

And indeed, on rhel7 we have:

=======
 7.1 S x86_64 # stap -e 'probe process.syscall {if ($syscall==181) printf("%d,
%x, %x, %x, %x, %x\n", $syscall, $arg1, $arg2, $arg3, $arg4, $arg5)}' -c
./a.out 
181, ffffffff, 80485bc, b, deadbeef, 12345678
 7.1 S x86_64 # 
=======

Whereas on rhel5:

=======
 5.11 S x86_64 # stap -e 'probe process.syscall {if ($syscall==181) printf("%d,
%x, %x, %x, %x, %x\n", $syscall, $arg1, $arg2, $arg3, $arg4, $arg5)}' -c
./a.out
181, ffffffff, 8048578, b, deadbeef, ffffffff
 5.11 S x86_64 #
=======

So this is probably okay.


Now I'm going to run patched systemtap with original testcases to check for
regressions this way.

-- 
You are receiving this mail because:
You are the assignee for the bug.
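The arithmetic behind the register dumps above, as an added example that is not part of the bug report and not systemtap's or the kernel's own code. It mirrors the `((loff_t)AA(poshi) << 32) | AA(poslo)` combination from the quoted rhel5 sys32_pwrite() (AA() is assumed here to be a plain zero-extending cast) and contrasts two ways a tapset could read a 32-bit task's argument out of a 64-bit register: taking the raw 64-bit value versus keeping the low 32 bits and sign-extending them, which is what a signed `long_arg()` needs so that the `RDI: 00000000ffffffff` above prints as `-1`. The function names are illustrative, not systemtap's.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Assumed equivalent of the kernel's AA() in the quoted sys32_pwrite():
 * widen a u32 to an unsigned long with zero extension. */
static inline uint64_t aa(uint32_t x)
{
    return (uint64_t)x;
}

/* Same combination as the rhel5 sys32_pwrite() shown in the comment:
 * poshi becomes the upper 32 bits, poslo the lower 32 bits of the loff_t.
 * int64_t stands in for the kernel's loff_t. */
int64_t compat_pwrite_pos(uint32_t poslo, uint32_t poshi)
{
    return (int64_t)((aa(poshi) << 32) | aa(poslo));
}

/* Reading a 32-bit task's argument as if it were a native 64-bit long:
 * whatever sits in the upper half of the register leaks into the value. */
int64_t long_arg_raw64(uint64_t reg)
{
    return (int64_t)reg;
}

/* What a signed 32-on-64 argument read has to do: keep the low 32 bits
 * and sign-extend them, so 0x00000000ffffffff reads as -1. */
int64_t long_arg_compat32(uint64_t reg)
{
    return (int64_t)(int32_t)(uint32_t)reg;
}

/* Unsigned counterpart: keep the low 32 bits with zero extension. */
uint64_t ulong_arg_compat32(uint64_t reg)
{
    return (uint64_t)(uint32_t)reg;
}

int main(void)
{
    /* Register contents taken from the dumps in the comment. */
    const uint64_t rdi_fd     = 0x00000000ffffffffULL; /* fd = -1 */
    const uint32_t poslo      = 0xdeadbeefU;           /* RCX low half */
    const uint32_t poshi_el7  = 0x12345678U;           /* R08 on rhel7 */
    const uint32_t poshi_el5  = 0xffffffffU;           /* R08 on rhel5 */

    printf("fd raw64    = %" PRId64 "\n", long_arg_raw64(rdi_fd));
    printf("fd compat32 = %" PRId64 "\n", long_arg_compat32(rdi_fd));
    printf("pos rhel7   = %" PRId64 " (0x%" PRIx64 ")\n",
           compat_pwrite_pos(poslo, poshi_el7),
           (uint64_t)compat_pwrite_pos(poslo, poshi_el7));
    printf("pos rhel5   = %" PRId64 " (0x%" PRIx64 ")\n",
           compat_pwrite_pos(poslo, poshi_el5),
           (uint64_t)compat_pwrite_pos(poslo, poshi_el5));
    return 0;
}
```

With the rhel7 halves the combined offset is 0x12345678deadbeef, the 1311768468603649775 expected by the `//staptest//` line; with the rhel5 halves it is 0xffffffffdeadbeef, a negative loff_t, which is exactly the `RCX: ffffffffdeadbeef` seen in the rhel5 sys_pwrite64 dump.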


Thread overview: 22+ messages
2015-06-25 11:00 [Bug tapsets/18597] New: " mcermak at redhat dot com
2015-06-25 11:03 ` [Bug tapsets/18597] " mcermak at redhat dot com
2015-06-25 11:04 ` mcermak at redhat dot com
2015-06-25 15:03 ` mcermak at redhat dot com
2015-06-26 12:13 ` dsmith at redhat dot com
2015-06-26 12:20 ` dsmith at redhat dot com
2015-06-30 15:56 ` dsmith at redhat dot com
2015-06-30 15:59 ` dsmith at redhat dot com
2015-06-30 17:21 ` jistone at redhat dot com
2015-06-30 17:36 ` dsmith at redhat dot com
2015-06-30 20:21 ` dsmith at redhat dot com
2015-06-30 20:22 ` dsmith at redhat dot com
2015-06-30 20:32 ` jistone at redhat dot com
2015-06-30 20:46 ` dsmith at redhat dot com
2015-07-01 15:21 ` mcermak at redhat dot com [this message]
2015-07-01 16:14 ` dsmith at redhat dot com
2015-07-01 17:10 ` mcermak at redhat dot com
2015-07-01 17:29 ` dsmith at redhat dot com
2015-07-03 14:18 ` mcermak at redhat dot com
2015-07-06 13:45 ` dsmith at redhat dot com
2015-07-07  7:02 ` mcermak at redhat dot com
2015-07-08  6:09 ` mcermak at redhat dot com
