crash of 32-bit powerpc -r347549 kernel built via system-clang-8, _init_tls is where the initial DIAGNOSTICS-reported SIGSEGV happens

Mark Millard marklmi at yahoo.com
Sat Jun 8 22:57:43 UTC 2019


The failure is related to *sp++ in the
below source code from lib/libc/gen/tls.c .

extern char **environ;
 
void
_init_tls(void)
{
#ifndef PIC
        Elf_Addr *sp;
        Elf_Auxinfo *aux, *auxp;
        Elf_Phdr *phdr;
        size_t phent, phnum;
        int i;
        void *tls;

        sp = (Elf_Addr *) environ;
        while (*sp++ != 0)
                ;
. . .

system-clang-8 produced the following
code in /sbin/init :

01812f50 <_init_tls> mflr    r0
01812f54 <_init_tls+0x4> stw     r0,4(r1)
01812f58 <_init_tls+0x8> stwu    r1,-16(r1)
01812f5c <_init_tls+0xc> stw     r31,12(r1)
01812f60 <_init_tls+0x10> mr      r31,r1
01812f64 <_init_tls+0x14> lis     r3,404
01812f68 <_init_tls+0x18> lwz     r4,-28276(r3) #### Note: r4=*environ
01812f6c <_init_tls+0x1c> li      r5,0
01812f70 <_init_tls+0x20> addi    r3,r4,-4

01812f74 <_init_tls+0x24> lwzu    r7,4(r3) #### fails here
01812f78 <_init_tls+0x28> mr      r6,r5
01812f7c <_init_tls+0x2c> addi    r5,r5,1
01812f80 <_init_tls+0x30> cmplwi  r7,0
01812f84 <_init_tls+0x34> bne+    01812f74 <_init_tls+0x24>
. . .

readelf -asW shows environ as:

  2652: 000000000193918c     4 OBJECT  GLOBAL DEFAULT   17 environ

MAJOR CONCLUSION (so far): It appears that the values
found by the sp++ are strange so *sp++ gets the SIGSEGV.

The:

01812f64 <_init_tls+0x14> lis     r3,404
01812f68 <_init_tls+0x18> lwz     r4,-28276(r3)

does match up: 0x193918c==(404<<16)-28276 .

It looks like the Elf_Addr value itself is strange
when the SIGSEGVs happen.

The evidence for where the failure point is was:

KDB: enter p_pid 1 got signal 11
[ thread pid 1 tid 100002 ]
Stopped at kdb_enter+0x74: addi r3,r0,0x0
db> bt
Tracing pid 1 tid 100002 td 0x1506ae0
0xd6b7c950: at cursig+0x55c
0xd6b7ca10: at ast+0x508
0xd6b7ca40: user DSI read trap @ 0x1c000020 by 0x1812f74: srr1=0xd032
           r1=0xffffde90 cr=0x20000000 xer=0 ctr=0 sr=0x40000000 frame=0xd6b7ca48
db>

The "trap @" value can vary, such as instead being 0xfa5005af .

===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)
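As an added illustration (not code from the post, from FreeBSD's libc, or from the clang output above), the following C program models the walk that _init_tls performs: step over the environment pointers until the NULL terminator, then treat what follows as the Elf_Auxinfo array. The constructed 32-bit memory region, the AT_ tag numbering (0, 3, 4, 5 as in the SysV/FreeBSD ELF ABI), the sample pointer values and all function names are assumptions of this example. It differs from the real loop in one way: the walk is bounded by the end of the region, so an environ value that points at a word sequence with no zero terminator is reported rather than read off the end, which is the failure mode the backtrace above shows as a user DSI read trap. The last helper reproduces the lis/lwz address arithmetic from the post, showing why a negative 16-bit displacement pairs with a high half one greater than the address's own top half.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit word, standing in for Elf_Addr on 32-bit powerpc. */
typedef uint32_t word32;

/* Two-word auxiliary vector entry, the layout of Elf32_Auxinfo. */
typedef struct {
    word32 a_type;
    word32 a_val;
} auxinfo32;

/* Auxiliary vector tags, numbered as in the SysV / FreeBSD ELF ABI. */
enum { AT_NULL_TAG = 0, AT_PHDR_TAG = 3, AT_PHENT_TAG = 4, AT_PHNUM_TAG = 5 };

/* The libc loop: skip the environment pointers up to and including their
 * NULL terminator; the aux vector begins right after it. Unlike the real
 * "while (*sp++ != 0);", the walk stops at 'limit', so a bad 'envp' is
 * reported instead of reading beyond the region and faulting. */
const auxinfo32 *find_auxv(const word32 *envp, const word32 *limit)
{
    const word32 *sp = envp;
    while (sp < limit) {
        if (*sp++ == 0)
            return (const auxinfo32 *)sp;
    }
    return NULL; /* no terminator inside the region: environ is suspect */
}

/* Look up one tag in an AT_NULL-terminated aux vector. Returns 1 if found. */
int lookup_aux(const auxinfo32 *aux, word32 tag, word32 *out)
{
    for (; aux->a_type != AT_NULL_TAG; aux++) {
        if (aux->a_type == tag) {
            *out = aux->a_val;
            return 1;
        }
    }
    return 0;
}

/* Effective address of "lis rX,imm" followed by "lwz rY,d(rX)": lis supplies
 * the high half, d is a sign-extended 16-bit displacement. For the post's
 * pair this gives (404 << 16) - 28276 == 0x0193918c, the address of environ. */
uint32_t ppc_lis_lwz_ea(int16_t lis_imm, int16_t d)
{
    return ((uint32_t)(uint16_t)lis_imm << 16) + (uint32_t)(int32_t)d;
}

/* Constructed stand-in for the stack region at 'environ' (not a real dump):
 * two environment-string pointers, the NULL terminator, then the aux vector. */
static const word32 good_region[] = {
    0xffffdf10, 0xffffdf20, 0,        /* envp[0], envp[1], terminator */
    AT_PHDR_TAG,  0x01800034,         /* AT_PHDR: address of program headers */
    AT_PHENT_TAG, 32,                 /* AT_PHENT: sizeof(Elf32_Phdr) */
    AT_PHNUM_TAG, 7,                  /* AT_PHNUM: number of program headers */
    AT_NULL_TAG,  0
};

/* Constructed region with no zero word: what a "strange" environ can point at. */
static const word32 bad_region[] = { 0x11111111, 0x22222222, 0x33333333, 0x44444444 };

/* Walk good_region and return the value for 'tag', or 0xffffffff if absent. */
word32 demo_lookup(word32 tag)
{
    const auxinfo32 *aux = find_auxv(good_region,
        good_region + sizeof good_region / sizeof good_region[0]);
    word32 v;
    if (aux == NULL || !lookup_aux(aux, tag, &v))
        return 0xffffffffu;
    return v;
}

/* 1 if the bounded walk rejects bad_region instead of running past it. */
int bad_environ_detected(void)
{
    return find_auxv(bad_region, bad_region + 4) == NULL;
}

int main(void)
{
    printf("phdr=0x%08x phent=%u phnum=%u\n", demo_lookup(AT_PHDR_TAG),
           demo_lookup(AT_PHENT_TAG), demo_lookup(AT_PHNUM_TAG));
    printf("bad environ detected: %d\n", bad_environ_detected());
    printf("lis 404 / lwz -28276 -> 0x%08x\n", ppc_lis_lwz_ea(404, -28276));
    return 0;
}
```

The real libc loop cannot carry a bound because nothing tells it where the stack region ends; that is why a wrong environ value shows up only as the read trap at the lwzu instruction rather than as a diagnosable error.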
