KSE/ia64: NULL thread pointer in _thr_sig_add()

Sun Aug 10 21:17:00 PDT 2003

Gang,

There seems to be a bug in libkse where we dereference the thread
pointer in situations where it's NULL. I suspect this bug is
specific to platforms that have per-thread thread pointers. I
have some rough gdb(1) support to help out with the analysis:

itanium% /nfs/gnu/obj/gdb/gdb kse kse.core
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "ia64-unknown-freebsd5.1"...
Core was generated by `kse'.
Program terminated with signal 4, Illegal instruction.
#0  _thr_sig_add (pthread=0x600000000010e000, sig=11, info=0x6000000000112a40)
    at /nfs/freebsd/5.x/src/lib/libpthread/arch/ia64/include/pthread_md.h:189
189             return (_tcb->tcb_thread);
(gdb) l
184     }
185
186     static __inline struct pthread *
187     _get_curthread(void)
188     {
189             return (_tcb->tcb_thread);
190     }
191
192     /*
193      * Get the current kse.
(gdb) bt
#0  _thr_sig_add (pthread=0x6000000000172000, sig=11, info=0x6000000000176a40)
    at /nfs/freebsd/5.x/src/lib/libpthread/arch/ia64/include/pthread_md.h:189
#1  0x40000000000099e0 in kse_check_completed (kse=0x600000000001a000)
    at /nfs/freebsd/5.x/src/lib/libpthread/thread/thr_kern.c:1556
#2  0x40000000000063c0 in kse_sched_multi (kmbx=0x600000000001a000)
    at /nfs/freebsd/5.x/src/lib/libpthread/thread/thr_kern.c:1001
#3  0x0000000000000000 in ?? ()

The illegal instruction fault is caused by a NULL thread pointer:

Dump of assembler code for function _thr_sig_add:
0x400000000001eac0 <_thr_sig_add>:      [MII]       alloc r40=ar.pfs,13,10,0
0x400000000001eac1 <_thr_sig_add+1>:                adds r12=-80,r12
0x400000000001eac2 <_thr_sig_add+2>:                mov r41=r1
0x400000000001ead0 <_thr_sig_add+16>:   [MII]       nop.m 0x0
0x400000000001ead1 <_thr_sig_add+17>:               mov r39=b0
0x400000000001ead2 <_thr_sig_add+18>:               mov r38=r0
0x400000000001eae0 <_thr_sig_add+32>:   [MMI]       adds r14=-32,r13;;
0x400000000001eae1 <_thr_sig_add+33>:               ld8 r16=[r14]

The fault is given on the last instruction if the disassembly
given above (the thread pointer is r13):

(gdb) info register r13
r13            0x0      0
(gdb) info register r14
r14            0xffffffffffffffe0       -32

Q: Shouldn't we call _tcb_set() somewhere in the code stream to make
sure we have a valid thread pointer?

-- 
 Marcel Moolenaar	  USPA: A-39004		 marcel at xcllnt.net