Re: Is dialog4ports built in/for releng/13.0 also supposed to work under main [so: 14]? It gets SIGSEGV in my context. (some low level failure info now)
Date: Fri, 22 Oct 2021 06:15:03 UTC
On 2021-Oct-21, at 16:24, Mark Millard <marklmi@yahoo.com> wrote:
> On 2021-Oct-21, at 11:53, Mark Millard <marklmi@yahoo.com> wrote:
>
>> On 2021-Oct-21, at 08:27, Tomoaki AOKI <junchoon at dec.sakura.ne.jp> wrote:
>>
>>> On Thu, 21 Oct 2021 07:40:36 -0700
>>> Mark Millard via freebsd-current <freebsd-current@freebsd.org> wrote:
>>>
>>>>
>>>>
>>>> On 2021-Oct-21, at 06:14, Gary Jennejohn <gljennjohn@gmail.com> wrote:
>>>>
>>>>> On Thu, 21 Oct 2021 01:34:47 -0700
>>>>> Mark Millard via freebsd-current <freebsd-current@freebsd.org> wrote:
>>>>>
>>>>>> I get the following crash (amd64 example shown), as reported
>>>>>> via gdb afterwards. (devel/llvm13 is just an example context.)
>>>>>>
>>>>>> gdb `which dialog4ports` devel/llvm13/dialog4ports.core
>>>>>> . . .
>>>>>> Core was generated by `/usr/local/bin/dialog4ports'.
>>>>>> Program terminated with signal SIGSEGV, Segmentation fault.
>>>>>> Address not mapped to object.
>>>>>> #0 vfprintf_l (fp=0x4d4940, locale=0x8004d4128 <__xlocale_global_locale>, fmt0=0x201f64 "\"%s\"", ap=ap@entry=0x7fffffffcf00) at /usr/main-src/lib/libc/stdio/vfprintf.c:281
>>>>>> 281 if ((fp->_flags & (__SNBF|__SWR|__SRW)) == (__SNBF|__SWR) &&
>>>>>> (gdb) bt
>>>>>> #0 vfprintf_l (fp=0x4d4940, locale=0x8004d4128 <__xlocale_global_locale>, fmt0=0x201f64 "\"%s\"", ap=ap@entry=0x7fffffffcf00) at /usr/main-src/lib/libc/stdio/vfprintf.c:281
>>>>>> #1 0x0000000800409283 in fprintf (fp=0x800411660 <__stdio_cancel_cleanup>, fmt=0x7fffffffcdd0 "0\317\377\377\377\177") at /usr/main-src/lib/libc/stdio/fprintf.c:57
>>>>>> #2 0x000000000020399d in main (argc=<optimized out>, argv=<optimized out>) at dialog4ports.c:332
>>>>>> (gdb) quit
>>>>>>
>>>>>> The crash happens after selecting OK but not after selecting Cancel. The
>>>>>> display is also odd before that (no line drawing, just odd text instead),
>>>>>> but is sufficient to be usable at that stage.
>>>>>>
>>>>>> . . .
>>>>
>
> gdb's disass/s reports the failure point via:
>
> . . .
> /usr/main-src/lib/libc/stdio/vfprintf.c:
> 279 FLOCKFILE_CANCELSAFE(fp);
> 0x0000000800412357 <+71>: mov 0xbf082(%rip),%rax # 0x8004d13e0
> 0x000000080041235e <+78>: cmpl $0x0,(%rax)
> 0x0000000800412361 <+81>: je 0x800412370 <vfprintf_l+96>
> 0x0000000800412363 <+83>: mov %rbx,%rdi
> 0x0000000800412366 <+86>: call 0x8004c6730 <_flockfile@plt>
> 0x000000080041236b <+91>: mov %rbx,%rsi
> 0x000000080041236e <+94>: jmp 0x800412372 <vfprintf_l+98>
> 0x0000000800412370 <+96>: xor %esi,%esi
> 0x0000000800412372 <+98>: lea -0xd19(%rip),%rdi # 0x800411660 <__stdio_cancel_cleanup>
> 0x0000000800412379 <+105>: lea -0x70(%rbp),%rdx
> 0x000000080041237d <+109>: call 0x800384a90 <__pthread_cleanup_push_imp_int>
>
> 280 /* optimise fprintf(stderr) (and other unbuffered Unix files) */
> 281 if ((fp->_flags & (__SNBF|__SWR|__SRW)) == (__SNBF|__SWR) &&
> => 0x0000000800412382 <+114>: movzwl 0x10(%rbx),%eax
> 0x0000000800412386 <+118>: and $0x1a,%eax
> 0x0000000800412389 <+121>: cmp $0xa,%ax
> 0x000000080041238d <+125>: jne 0x8004123a9 <vfprintf_l+153>
>
> 282 fp->_file >= 0)
> 0x000000080041238f <+127>: cmpw $0x0,0x12(%rbx)
>
> 281 if ((fp->_flags & (__SNBF|__SWR|__SRW)) == (__SNBF|__SWR) &&
> 0x0000000800412394 <+132>: js 0x8004123a9 <vfprintf_l+153>
> . . .
>
> (gdb) info reg
> rax 0x0 0
> rbx 0x4d4940 5065024
> rcx 0x7fffffffd0e0 140737488343264
> rdx 0x7fffffffcfb0 140737488342960
> rsi 0x0 0
> rdi 0x800411660 34364003936
> rbp 0x7fffffffd020 0x7fffffffd020
> rsp 0x7fffffffcfb0 0x7fffffffcfb0
> r8 0x0 0
> r9 0x0 0
> r10 0x800a330f0 34370433264
> r11 0x206 518
> r12 0x8004d4128 34364801320
> r13 0x2083a0 2130848
> r14 0x7fffffffd0e0 140737488343264
> r15 0x201f64 2105188
> rip 0x800412382 0x800412382 <vfprintf_l+114>
> eflags 0x10246 [ PF ZF IF RF ]
> cs 0x43 67
> ss 0x3b 59
> ds <unavailable>
> es <unavailable>
> fs <unavailable>
> gs <unavailable>
> fs_base <unavailable>
> gs_base <unavailable>
>
> where:
>
> (gdb) disass/s __pthread_cleanup_push_imp_int
> Dump of assembler code for function __pthread_cleanup_push_imp_int:
> /usr/main-src/lib/libc/gen/_pthread_stubs.c:
> 289 STUB_FUNC3(__pthread_cleanup_push_imp, PJT_CLEANUP_PUSH_IMP, void, void *,
> 0x0000000800384a90 <+0>: push %rbp
> 0x0000000800384a91 <+1>: mov %rsp,%rbp
> 0x0000000800384a94 <+4>: mov 0x14c94d(%rip),%rax # 0x8004d13e8
> 0x0000000800384a9b <+11>: mov 0x3c8(%rax),%rax
> 0x0000000800384aa2 <+18>: pop %rbp
> 0x0000000800384aa3 <+19>: jmp *%rax
> End of assembler dump.
>
>
> It is not obvious that any of this has any relationship with
> libtinfow.so.9 or libncursesw.so.9 use unless some memory is
> being trashed first.
It is memory being stomped on, for example __stderrp has its value
inappropriately replaced by inappropriate code.
Hardware watchpoint 1: -location __stderrp
Old value = (FILE *) 0x8004d4940
New value = (FILE *) 0x4d4940
caused by:
0x00000008002d298e <+62>: movb $0x0,0x84(%rax)
of:
286 } else {
287 dialog_state.had_resize = FALSE;
in:
(gdb) bt
#0 0x00000008002d2995 in dlg_result_key (dialog_key=541, fkey=541, resultp=resultp@entry=0x7fffffffd0c0) at /usr/main-src/contrib/dialog/dlg_keys.c:287
#1 0x0000000000204934 in dlg_mixedlist (title=title@entry=0x7fffffffd150 " llvm13-13.0.0 ", cprompt=0x20207c "", height=<optimized out>, min_height=<optimized out>, width=<optimized out>,
width@entry=80, item_no=17, items=0x800a3dc80, align_center=<optimized out>, fullscreen=<optimized out>) at mixedlist.c:475
#2 0x000000000020393b in mixedlist_show (title=0x7fffffffd150 " llvm13-13.0.0 ", cprompt=<optimized out>, height=0, min_height=0, width=80, items=0x800a3dc80, align_center=false, fullscreen=false)
at dialog4ports.c:212
#3 main (argc=<optimized out>, argv=<optimized out>) at dialog4ports.c:321
(gdb) disass/s
Dump of assembler code for function dlg_result_key:
/usr/main-src/contrib/dialog/dlg_keys.c:
278 {
0x00000008002d2950 <+0>: push %rbp
0x00000008002d2951 <+1>: mov %rsp,%rbp
0x00000008002d2954 <+4>: push %r15
0x00000008002d2956 <+6>: push %r14
0x00000008002d2958 <+8>: push %r12
0x00000008002d295a <+10>: push %rbx
0x00000008002d295b <+11>: mov %rdx,%r14
0x00000008002d295e <+14>: mov %esi,%r15d
0x00000008002d2961 <+17>: mov %edi,%ebx
279 int done = FALSE;
280
281 DLG_TRACE(("# dlg_result_key(dialog_key=%d, fkey=%d)\n", dialog_key, fkey));
0x00000008002d2963 <+19>: lea -0x116aa(%rip),%rdi # 0x8002c12c0
0x00000008002d296a <+26>: xor %r12d,%r12d
0x00000008002d296d <+29>: mov %ebx,%esi
0x00000008002d296f <+31>: mov %r15d,%edx
0x00000008002d2972 <+34>: xor %eax,%eax
0x00000008002d2974 <+36>: call 0x8002ee460 <dlg_trace_msg@plt>
282 #ifdef KEY_RESIZE
283 if (dialog_state.had_resize) {
0x00000008002d2979 <+41>: mov 0x1ec10(%rip),%rax # 0x8002f1590
0x00000008002d2980 <+48>: cmpb $0x0,0x84(%rax)
0x00000008002d2987 <+55>: je 0x8002d29dd <dlg_result_key+141>
284 if (dialog_key == ERR) {
0x00000008002d2989 <+57>: cmp $0xffffffff,%ebx
0x00000008002d298c <+60>: je 0x8002d2998 <dlg_result_key+72>
285 dialog_key = 0;
286 } else {
287 dialog_state.had_resize = FALSE;
0x00000008002d298e <+62>: movb $0x0,0x84(%rax)
=> 0x00000008002d2995 <+69>: mov %ebx,%r12d
291 }
292 #endif
. . .
So: dialog_state.had_resize overlaps with the content of
__stderrp at the time, specifically with the most
significant byte of __stderrp .
===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)