improper handling of dlpened's C++/atexit() code?
Konstantin Belousov
kostikbel at gmail.com
Sun May 21 20:51:03 PDT 2006
On Sun, May 21, 2006 at 06:22:34PM -0400, m m wrote:
> n 5/21/06, Konstantin Belousov <kostikbel at gmail.com> wrote:
> >> >Program received signal SIGSEGV, Segmentation fault.
> >> >0x00000000 in ?? ()
> >> >(gdb) bt
> >> >#0 0x00000000 in ?? ()
> >> >#1 0x294c0ad8 in __do_global_dtors_aux () from
> >> >/usr/local/lib/perl5/5.8.8/mach/auto/Sys/Syslog/Syslog.so
> >> >#2 0x294c1d4c in _fini () from
> >> >/usr/local/lib/perl5/5.8.8/mach/auto/Sys/Syslog/Syslog.so
> >> >#3 0x280b4c80 in ?? ()
> >> >#4 0x280aaab8 in ?? () from /libexec/ld-elf.so.1
> >> >#5 0xbfbfe6e8 in ?? ()
> >> >#6 0x2808dca6 in objlist_call_fini (list=0x280a96d8) at
> >> >/usr/src/libexec/rtld-elf/rtld.c:1336
> >> >#7 0x2808e1d4 in rtld_exit () at /usr/src/libexec/rtld-elf/rtld.c:1528
> >> >#8 0x281d58ea in __cxa_finalize (dso=0x0) at
> >> >/usr/src/lib/libc/stdlib/atexit.c:184
> >> >#9 0x281d55ba in exit (status=0) at /usr/src/lib/libc/stdlib/exit.c:69
> >> >#10 0x0805d0cb in clean_child_exit ()
> >> >#11 0x0805ea77 in just_die ()
> >> >#12 0x0805ea9a in usr1_handler ()
> >> >#13 0xbfbfffb4 in ?? ()
> >> >#14 0x0000001e in ?? ()
> >> >#15 0x00000000 in ?? ()
> >> >#16 0xbfbfe7c0 in ?? ()
> >> >#17 0x00000002 in ?? ()
> >> >#18 0x0805ea80 in just_die ()
> >> >#19 0x0806011e in child_main ()
> >> >#20 0x080607de in make_child ()
> >> >#21 0x08060868 in startup_children ()
> >> >#22 0x08060e81 in standalone_main ()
> >> >#23 0x08061702 in main ()
> >
> >Could you, please, put somewhere:
> >1. /usr/local/lib/perl5/5.8.8/mach/auto/Sys/Syslog/Syslog.so
> >2. output of lsof -p <some apache child process pid> for apache running
> >in your usual configuration.
> >
> >Also, could you run the apache with LD_PRELOAD=/usr/lib/libstdc++.so.5
> >and report whether the problem persists ?
>
> Konstantin,
> Thank you for looking into this.
>
> lsof: http://www.savefile.com/files/6494253
> Syslog.so: http://www.savefile.com/files/2163369
>
> Although it's not an indicator of certainty (I have had it exit
> cleanly in the past), it appears that running Apache with LD_PRELOAD
> of libstdc++ does allow it to exit cleanly. Please let me know how I
> can further assist. If it would make things easier - I can provide
> access to a jail on this machine which exhibits the same behavior.
Ok, I have a theory how it happens. Investigation of your instance
of Syslog.so shows that crash happens at the following code of
/usr/lib/crtbeginS.o:
282: if (__deregister_frame_info)
283: __deregister_frame_info (__EH_FRAME_BEGIN__);
(this comes in from contrib/gcc/crtstuff.c, lines 282-283).
Symbol __deregister_frame_info is weak and undefined in all your
DSOs except libstdc++.so.5. This symbol provides part of the C++
runtime support for exception handling, and reasonably included
from c++ runtime support library.
Both lines 282 and 283 produce dynamic relocations in final DSO,
but line 282 implies R_386_GLOB_DAT, and 283 - R386_JUMP_SLOT (for PLT).
First relocation is resolved immediately on DSO load, second one is
resolved on demand.
My theory is that, at the time of loading Syslog.so, libstdc++.so.5
is loaded in the process, resulting in first relocation being satisfied
by rtld immediately. But, at the time exit() processing comes
to _fini() function of Syslog.so, libstdc++.so.5 is unloaded. And
weak PLT relocation is resolved to 0. As result we got the
frame #0 from your trace.
This theory is confirmed by presence of libstdc++ in lsof output.
Please, check that it does not show up at the time of crash dump
by using "show shared" gdb command on crash dump.
Short-time fix is to use LD_PRELOAD hack. The real solution
would be to mark the libstdc++ DSO as unloadable and
implement support for unloadable DSO in rtld (BTW, I think
this is also needed for threading libraries libpthread and libthr
for the same reason). I know that glibc dynamic loader has support
for this feature.
P.S. Apache seems to call exit(3) from the signal handler. This is wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20060522/a48ae46d/attachment.pgp
More information about the freebsd-stable
mailing list