Bug 1117841

Summary: stack overflow in splay_tree_foreach_helper
Product: Red Hat Enterprise Linux 6 Reporter: Miroslav Franc <mfranc>
Component: gdbAssignee: Sergio Durigan Junior <sergiodj>
Status: CLOSED ERRATA QA Contact: Miroslav Franc <mfranc>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.5CC: gdb-bugs, jan.kratochvil, mcermak, mfranc, ohudlick
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: gdb-7.2-80.el6 Doc Type: Bug Fix
Doc Text:
Cause: GDB uses internally a splay tree to store elements related to address maps. The implementation of the an iterator of this splay tree was recursive. Consequence: When iterating through splay trees that were really big, the recursion of the iterator would cause GDB to run out of stack, which then generated a segmentation fault. Fix: The implementation of the iterator function for splay trees has been improved and is now non-recursive. Result: This improves the efficiency of the splay tree iterator and makes GDB more robust, avoiding the failure that was happening because of the recursion.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 06:34:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miroslav Franc 2014-07-09 13:35:04 UTC 
Description of problem:
SSIA.  Does not seem to be a regression within rhel6.  Reproducible on ppc64 and s390x only.


Version-Release number of selected component (if applicable):
device-mapper-persistent-data-debuginfo-0.2.8-2.el6.{ppc64,s390x}
any rhel6 version of gdb on ppc64 and s390x


How reproducible:
all the time


Steps to Reproduce:
1. gdb --args gdb -q -nx -readnow /usr/lib/debug/usr/sbin/thin_dump.debug


Actual results:
#0  0x000000001034ad78 in splay_tree_foreach_helper (sp=0x12da24e0, node=0x13c341a0, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:209
#1  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#2  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#3  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#4  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#5  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#6  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#7  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#8  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#9  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#10 0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#11 0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
...
...
#78598 0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#78599 0x00000000100fd744 in addrmap_mutable_create_fixed (this=<value optimized out>, obstack=0x1071ce68) at ../../gdb/addrmap.c:437
#78600 0x00000000100fd14c in addrmap_create_fixed (original=<value optimized out>, obstack=<value optimized out>) at ../../gdb/addrmap.c:73
#78601 0x00000000101bf0d8 in make_blockvector (end_addr=<value optimized out>, objfile=0x1071ce10, section=<value optimized out>) at ../../gdb/buildsym.c:494
#78602 end_symtab (end_addr=<value optimized out>, objfile=0x1071ce10, section=<value optimized out>) at ../../gdb/buildsym.c:1024
#78603 0x00000000101ea74c in process_full_comp_unit (objfile=<value optimized out>, per_cu=<value optimized out>) at ../../gdb/dwarf2read.c:4512
#78604 process_queue (objfile=<value optimized out>, per_cu=<value optimized out>) at ../../gdb/dwarf2read.c:4271
#78605 dw2_do_instantiate_symtab (objfile=<value optimized out>, per_cu=<value optimized out>) at ../../gdb/dwarf2read.c:1692
#78606 0x00000000101ea948 in dw2_instantiate_symtab (objfile=0x1071ce10, per_cu=0xfffb1a49268) at ../../gdb/dwarf2read.c:1712
#78607 0x00000000101eb134 in dw2_expand_all_symtabs (objfile=0x1071ce10) at ../../gdb/dwarf2read.c:2371
#78608 0x000000001015e888 in symbol_file_add_with_addrs_or_offsets (abfd=<value optimized out>, add_flags=<value optimized out>, addrs=0x0, flags=<value optimized out>, num_offsets=0, offsets=0x0)
    at ../../gdb/symfile.c:1141
#78609 0x000000001015f120 in symbol_file_add_main_1 (args=<value optimized out>, from_tty=<value optimized out>, flags=<value optimized out>) at ../../gdb/symfile.c:1252
#78610 0x0000000010185aac in catch_command_errors (command=@0x104ecb48: 0x1015f2f0 <symbol_file_add_main>, arg=0xffffffff4b0 "/usr/lib/debug/usr/sbin/thin_dump.debug", from_tty=<value optimized out>, 
    mask=<value optimized out>) at ../../gdb/exceptions.c:534
#78611 0x000000001000ce24 in captured_main (data=<value optimized out>) at ../../gdb/main.c:949
#78612 0x0000000010185b98 in catch_errors (func=@0x104ddeb8: 0x1000bab0 <captured_main>, func_args=0xfffffffecf0, errstring=0x1036b598 "", mask=<value optimized out>) at ../../gdb/exceptions.c:518
#78613 0x000000001000b544 in gdb_main (args=<value optimized out>) at ../../gdb/main.c:1076
#78614 0x000000001000b4dc in main (argc=<value optimized out>, argv=<value optimized out>) at ../../gdb/gdb.c:48


Expected results:
no stack overflow
Comment 1 Sergio Durigan Junior 2015-02-11 07:15:51 UTC 
I investigated this, and found that the bug is fixed upstream.  The commit that fixes it is:

commit 98f0b5d4e51f85fd717cda948174ec5c43305e08
Author: DJ Delorie <dj>
Date:   Wed Dec 8 16:24:43 2010 +0000

The patch applies cleanly on the tree and seems to be pretty straightforward.  However, there is always the problem of having a testcase for the problem...  I still did not come up with a testcase, and I don't know if I will have time to investigate the failure and create one.  Maybe Jan or someone else can take a look and try to understand what is causing the failure here.  If not, my proposal is to go ahead and push this fix, leaving the test to QA.  I will wait a few more days until we discuss this and decide what to do; if nothing is decided, I will postpone this to 6.8.
Comment 2 Jan Kratochvil 2015-02-11 21:36:20 UTC 
The testcase could be put into RH Beaker testsuite I think.
It could even use lower `ulimit -s'.
Comment 3 Jan Kratochvil 2015-02-11 21:37:30 UTC 
http://download.eng.bos.redhat.com/brewroot/packages/device-mapper-persistent-data/0.2.8/2.el6/ppc64/device-mapper-persistent-data-debuginfo-0.2.8-2.el6.ppc64.rpm
http://download.eng.bos.redhat.com/brewroot/packages/device-mapper-persistent-data/0.2.8/2.el6/s390x/device-mapper-persistent-data-debuginfo-0.2.8-2.el6.s390x.rpm
Comment 4 Sergio Durigan Junior 2015-02-11 21:46:39 UTC 
I think this is good enough.  I will push the fix soon.  The real problem will be to write a CCFR for this...
Comment 5 Sergio Durigan Junior 2015-02-12 18:34:23 UTC 
Fix pushed to the RHEL-6.7 branch.

QA: No testcase attached.  You can create a testcase on the RH Beaker testsuite (as proposed by Jan above).
Comment 8 errata-xmlrpc 2015-07-22 06:34:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1325.html