Many core dumps in pthread_getspecific.

Andre Meiser ortadur at web.de
Fri Jul 3 15:22:00 UTC 2015 

Hi,

back again. Sorry, I accidently deleted the core file and I'd to wait two weeks until vim crashed again. Xorg didn't crashed so far with the debug libs.

On Tue, Jun 16, 2015 at 09:36 +0200, Konstantin Belousov wrote:
> Ok, so the vim fault is reproducable, I suppose ?

No, I tried, but no chance to do it on purpose. But so far it always happens while resizing the xterm.

Now the entire info you asked for (out of the new core file):


% readelf -d vim | grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libncurses.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libintl.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libpython2.7.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libthr.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.7]

(gdb) bt
#0  0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
#1  0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
#2  0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
#3  0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
#4  0x000000080083b15d in .text () from /libexec/ld-elf.so.1
#5  0x00000000004e4163 in preserve_exit ()
#6  0x000000000051f118 in mch_libcall ()
#7  0x000000080149f47a in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:240
#8  0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
#9  <signal handler called>
#10 0x000000080149e6a2 in check_deferred_signal (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:331
#11 0x000000080149e5ed in _thr_ast (curthread=0x802406400) at /usr/src/lib/libthr/thread/thr_sig.c:264
#12 0x00000008014a33c7 in _thr_rtld_lock_release (lock=<value optimized out>) at /usr/src/lib/libthr/thread/thr_rtld.c:162
#13 0x000000080083d94d in _r_debug_postinit () from /libexec/ld-elf.so.1
#14 0x000000080083b15d in .text () from /libexec/ld-elf.so.1
#15 0x000000080149f4e2 in handle_signal (actp=<value optimized out>, sig=<value optimized out>, info=<value optimized out>, ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:256
#16 0x000000080149f062 in thr_sighandler (sig=<value optimized out>, info=<value optimized out>, _ucp=<value optimized out>) at /usr/src/lib/libthr/thread/thr_sig.c:183
#17 <signal handler called>
#18 select () at select.S:3
#19 0x000000080149cb32 in __select (numfds=1, readfds=0x7fffffffdfb0, writefds=0x0, exceptfds=0x7fffffffdf30, timeout=0x7fffffffe038) at /usr/src/lib/libthr/thread/thr_syscalls.c:561
#20 0x000000000051ac4b in mch_write ()
#21 0x000000000051ae0f in mch_inchar ()
#22 0x00000000005b8647 in ui_inchar ()
#23 0x00000000004aeb8a in inchar ()
#24 0x00000000004b1ffb in vgetc ()
#25 0x00000000004b0efa in vgetc ()
#26 0x00000000004b27b9 in safe_vgetc ()
#27 0x00000000004f59ef in normal_cmd ()
#28 0x00000000005dfec7 in main_loop ()
#29 0x00000000005df538 in main ()


(gdb) info locals
act = {__sigaction_u = {__sa_handler = 0, __sa_sigaction = 0}, sa_flags = 37875000, sa_mask = {__bits = {8, 4239276, 0, 0}}}
info = {si_signo = 0, si_errno = 0, si_code = 37875000, si_pid = 8, si_uid = 37874640, si_status = 8, si_addr = 0x700000008, si_value = {sival_int = 37875104, sival_ptr = 0x80241eda0, sigval_int = 37875104, sigval_ptr = 0x80241eda0}, _reason = {_fault = {_trapno = 141}, 
    _timer = {_timerid = 141, _overrun = 0}, _mesgq = {_mqd = 141}, _poll = {_band = 141}, __spare__ = {__spare1__ = 141, __spare2__ = {0, 0, 8744960, 8, 37874976, 8, 8641467}}}}


(gdb) info registers
rax            0xf0b470 15774832
rbx            0x802406400      34397512704
rcx            0x1      1
rdx            0x80085b800      34368501760
rsi            0x80241ed38      34397613368
rdi            0x8015137d0      34381838288
rbp            0x80241ecd0      0x80241ecd0
rsp            0x8015137d0      0x8015137d0
r8             0x800856600      34368480768
r9             0x8080808080808080       -9187201950435737472
r10            0x41b778 4306808
r11            0x5262   21090
r12            0x1      1
r13            0x839888 8624264
r14            0x8015137d0      34381838288
r15            0x2      2
rip            0x80149e6a2      0x80149e6a2 <check_deferred_signal+82>
eflags         0x10202  66050
cs             0x43     67
ss             0x3b     59
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0


(gdb) disassemble
Dump of assembler code for function check_deferred_signal:
0x000000080149e650 <check_deferred_signal+0>:   push   %rbp
0x000000080149e651 <check_deferred_signal+1>:   mov    %rsp,%rbp
0x000000080149e654 <check_deferred_signal+4>:   push   %r15
0x000000080149e656 <check_deferred_signal+6>:   push   %r14
0x000000080149e658 <check_deferred_signal+8>:   push   %rbx
0x000000080149e659 <check_deferred_signal+9>:   sub    $0x78,%rsp
0x000000080149e65d <check_deferred_signal+13>:  mov    %rdi,%rbx
0x000000080149e660 <check_deferred_signal+16>:  cmpl   $0x0,0x100(%rbx)
0x000000080149e667 <check_deferred_signal+23>:  je     0x80149e672 <check_deferred_signal+34>
0x000000080149e669 <check_deferred_signal+25>:  cmpl   $0x0,0x180(%rbx)
0x000000080149e670 <check_deferred_signal+32>:  je     0x80149e67d <check_deferred_signal+45>
0x000000080149e672 <check_deferred_signal+34>:  lea    -0x18(%rbp),%rsp
0x000000080149e676 <check_deferred_signal+38>:  pop    %rbx
0x000000080149e677 <check_deferred_signal+39>:  pop    %r14
0x000000080149e679 <check_deferred_signal+41>:  pop    %r15
0x000000080149e67b <check_deferred_signal+43>:  pop    %rbp
0x000000080149e67c <check_deferred_signal+44>:  retq   
0x000000080149e67d <check_deferred_signal+45>:  movl   $0x1,0x180(%rbx)
0x000000080149e687 <check_deferred_signal+55>:  callq  0x801498e44 <__getcontextx_size at plt>
0x000000080149e68c <check_deferred_signal+60>:  cltq   
0x000000080149e68e <check_deferred_signal+62>:  mov    %rsp,%r14
0x000000080149e691 <check_deferred_signal+65>:  add    $0xf,%rax
0x000000080149e695 <check_deferred_signal+69>:  and    $0xfffffffffffffff0,%rax
0x000000080149e699 <check_deferred_signal+73>:  sub    %rax,%r14
0x000000080149e69c <check_deferred_signal+76>:  mov    %r14,%rsp
0x000000080149e69f <check_deferred_signal+79>:  mov    %r14,%rdi
0x000000080149e6a2 <check_deferred_signal+82>:  callq  0x801499214 <getcontext at plt>
0x000000080149e6a7 <check_deferred_signal+87>:  cmpl   $0x0,0x100(%rbx)
0x000000080149e6ae <check_deferred_signal+94>:  je     0x80149e73b <check_deferred_signal+235>
0x000000080149e6b4 <check_deferred_signal+100>: lea    0x100(%rbx),%r15
0x000000080149e6bb <check_deferred_signal+107>: mov    %r14,%rdi
0x000000080149e6be <check_deferred_signal+110>: callq  0x801499064 <__fillcontextx2 at plt>
0x000000080149e6c3 <check_deferred_signal+115>: movups 0x160(%rbx),%xmm0
0x000000080149e6ca <check_deferred_signal+122>: movups 0x170(%rbx),%xmm1
0x000000080149e6d1 <check_deferred_signal+129>: movaps %xmm1,-0x30(%rbp)
0x000000080149e6d5 <check_deferred_signal+133>: movaps %xmm0,-0x40(%rbp)
0x000000080149e6d9 <check_deferred_signal+137>: movups 0x150(%rbx),%xmm0
0x000000080149e6e0 <check_deferred_signal+144>: movups %xmm0,(%r14)
0x000000080149e6e4 <check_deferred_signal+148>: movups 0x40(%r15),%xmm0
0x000000080149e6e9 <check_deferred_signal+153>: movaps %xmm0,-0x50(%rbp)
0x000000080149e6ed <check_deferred_signal+157>: movups (%r15),%xmm0
0x000000080149e6f1 <check_deferred_signal+161>: movups 0x10(%r15),%xmm1
0x000000080149e6f6 <check_deferred_signal+166>: movups 0x20(%r15),%xmm2
0x000000080149e6fb <check_deferred_signal+171>: movups 0x30(%r15),%xmm3
0x000000080149e700 <check_deferred_signal+176>: movaps %xmm3,-0x60(%rbp)
0x000000080149e704 <check_deferred_signal+180>: movaps %xmm2,-0x70(%rbp)
0x000000080149e708 <check_deferred_signal+184>: movaps %xmm1,-0x80(%rbp)
0x000000080149e70c <check_deferred_signal+188>: movaps %xmm0,-0x90(%rbp)
0x000000080149e713 <check_deferred_signal+195>: movl   $0x0,0x100(%rbx)
0x000000080149e71d <check_deferred_signal+205>: mov    -0x90(%rbp),%esi
0x000000080149e723 <check_deferred_signal+211>: lea    -0x40(%rbp),%rdi
0x000000080149e727 <check_deferred_signal+215>: lea    -0x90(%rbp),%rdx
0x000000080149e72e <check_deferred_signal+222>: mov    %r14,%rcx
0x000000080149e731 <check_deferred_signal+225>: callq  0x80149f390 <handle_signal>
0x000000080149e736 <check_deferred_signal+230>: jmpq   0x80149e672 <check_deferred_signal+34>
0x000000080149e73b <check_deferred_signal+235>: movl   $0x0,0x180(%rbx)
0x000000080149e745 <check_deferred_signal+245>: jmpq   0x80149e672 <check_deferred_signal+34>
End of assembler dump.


I've kept a copy of the vim binary and also the core file, so this time I can answer any further questions much faster. ;)

I can't help much with those assembler part. But I've looked into /usr/src/lib/libthr/thread/thr_sig.c and there is alloca used at line 330:

   330      uc = alloca(uc_len);
   331      getcontext(uc);

I would bet using malloc and check for NULL will help to fix this problem. Well, there will be a free needed before return and one at the end of check_deferred_signal, but that's better than an unsafe alloca.

Sincerely yours Andre.

More information about the freebsd-stable mailing list