From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 62242 invoked by alias); 1 Jul 2015 15:21:42 -0000 Mailing-List: contact systemtap-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: systemtap-owner@sourceware.org Received: (qmail 62167 invoked by uid 48); 1 Jul 2015 15:21:37 -0000 From: "mcermak at redhat dot com" To: systemtap@sourceware.org Subject: [Bug tapsets/18597] long_arg() doesn't correctly handle negative values in 32-on-64 environment Date: Wed, 01 Jul 2015 15:21:00 -0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: systemtap X-Bugzilla-Component: tapsets X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: mcermak at redhat dot com X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: systemtap at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-q3/txt/msg00000.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=18597 --- Comment #13 from Martin Cermak --- The aforementioned patch brings some testcase extensions, that fail on rhel5. For instance the pwrite testcase newly has following subtest: ======= pwrite(-1, "Hello Again", 11, 0x12345678deadbeefLL); //staptest// pwrite (-1, "Hello Again", 11, 1311768468603649775) = NNNN ======= For the purpose of this comment, I reduced pwrite.c to this one single pwrite call only, and dompiled it with -m31. On x86_64, value of the fourth argument is being grabbed in _stp_get_arg32_by_number(n, nr_regargs, regs, &val), where n=4 and nr_regargs=6, effectively grabbing the value from RREG(cx, regs). This works fine except of rhel5. E.g. on rhel7 we have: ======= 7.1 S x86_64 # stap -ge 'probe kernel.function("*pwrite*") {println(pp()); print_regs()}' -c ./a.out WARNING: probe kernel.function("C_SYSC_pwritev@fs/read_write.c:1072") (address 0xffffffff811c7d06) registration error (rc -84) kernel.function("sys32_pwrite@arch/x86/ia32/sys_ia32.c:183") RIP: ffffffff81062c10 RSP: ffff880094fa3f80 EFLAGS: 00000293 RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 00000000deadbeef RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff RBP: 00000000080485bc R08: 0000000012345678 R09: 00000000ffeae768 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0 CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0 kernel.function("SyS_pwrite64@fs/read_write.c:542") RIP: ffffffff811c7180 RSP: ffff880094fa3f70 EFLAGS: 00000202 RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 12345678deadbeef RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff RBP: ffff880094fa3f78 R08: 12345678deadbeef R09: 00000000ffeae768 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0 CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0 kernel.function("SYSC_pwrite64@fs/read_write.c:542") RIP: ffffffff811c71a7 RSP: ffff880094fa3f28 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 12345678deadbeef RDX: 000000000000000b RSI: 00000000080485bc RDI: 00000000ffffffff RBP: ffff880094fa3f68 R08: 12345678deadbeef R09: 00000000ffeae768 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f749a2ae740(0000) GS:ffff88022fb00000(0063) knlGS:00000000f75e66c0 CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b CR2: 00000000f76caa10 CR3: 0000000225946000 CR4: 00000000000006e0 7.1 S x86_64 # ======= Whereas on rhel5 I see: ======= 5.11 S x86_64 # stap -ge 'probe kernel.function("*pwrite*") {println(pp()); print_regs()}' -c ./a.out kernel.function("sys32_pwrite@arch/x86_64/ia32/sys_ia32.c:690") RIP: ffffffff800860b2 RSP: ffff81015527ff80 EFLAGS: 00000283 RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: 00000000deadbeef RDX: 000000000000000b RSI: 0000000008048578 RDI: 00000000ffffffff RBP: 0000000008048578 R08: 00000000ffffffff R09: 00000000ffaafd48 R10: ffff81015527e000 R11: 0000000000000297 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00002b70d78cdaf0(0000) GS:ffff810181caddc0(0063) knlGS:00000000f7eed6c0 CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b CR2: 00000000004889c0 CR3: 0000000061b4e000 CR4: 00000000000006e0 kernel.function("sys_pwrite64@fs/read_write.c:438") RIP: ffffffff80044241 RSP: ffff81015527ff80 EFLAGS: 00000282 RAX: 00000000000000b5 RBX: 00000000ffffffff RCX: ffffffffdeadbeef RDX: 000000000000000b RSI: 0000000008048578 RDI: 00000000ffffffff RBP: 0000000008048578 R08: ffffffff00000000 R09: 00000000ffaafd48 R10: ffff81015527e000 R11: 0000000000000297 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00002b70d78cdaf0(0000) GS:ffff810181caddc0(0063) knlGS:00000000f7eed6c0 CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b CR2: 00000000004889c0 CR3: 0000000061b4e000 CR4: 00000000000006e0 5.11 S x86_64 # ======= On rhel5 sys32_pwrite looks like this: ======= asmlinkage long sys32_pwrite(unsigned int fd, char __user *ubuf, u32 count, u32 poslo, u32 poshi) { return sys_pwrite64(fd, ubuf, count, ((loff_t)AA(poshi) << 32) | AA(poslo)); } ======= Which overall means that in this case sys32_pwrite() is only getting truncated argument and that is also what it passes to sys_pwrite64() via CX. Looks like it's glibc's choice to throw poshi away when calling sys32_pwrite(). And indeed, on rhel7 we have: ======= 7.1 S x86_64 # stap -e 'probe process.syscall {if ($syscall==181) printf("%d, %x, %x, %x, %x, %x\n", $syscall, $arg1, $arg2, $arg3, $arg4, $arg5)}' -c ./a.out 181, ffffffff, 80485bc, b, deadbeef, 12345678 7.1 S x86_64 # ======= Whereas on rhel5: ======= 5.11 S x86_64 # stap -e 'probe process.syscall {if ($syscall==181) printf("%d, %x, %x, %x, %x, %x\n", $syscall, $arg1, $arg2, $arg3, $arg4, $arg5)}' -c ./a.out 181, ffffffff, 8048578, b, deadbeef, ffffffff 5.11 S x86_64 # ======= So this is probably okay. Now I'm going to run patched systemtap with original testcases to check for regressions this way. -- You are receiving this mail because: You are the assignee for the bug.