Bug 77709

Summary: gcc profiling option lead to app. core-dump
Product: [Retired] Red Hat Linux Reporter: Francois-Xavier 'FiX' KOWALSKI <francois-xavier.kowalski>
Component: gccAssignee: Jakub Jelinek <jakub>
Status: CLOSED WONTFIX QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 7.3   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-03 10:39:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
pre-processed offending source code
none
assembly code generated using -ggdb
none
assembly code generated using -pg -a -ggdb none

Description Francois-Xavier 'FiX' KOWALSKI 2002-11-12 16:21:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2b) Gecko/20021017

Description of problem:
"GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-112)" causes
core-dumps when using the profiling option -pg.

The following extract of pre-processed C source code leads to a core
dump when compiled with the profiling option -pg.

If you want the complete .i file, please let me know.

	/* extracts of .h files */
	
	typedef unsigned char X;
	
	/* Singly linked node: stnext points at the next STC (or is NULL). */
	typedef struct STC
	{
	  struct STC *stnext ;
	}
	ST, *STp;
	
	typedef int (*P3_fxit) (STp , int , unsigned long) ;
	
	/* NOTE(review): the parameter type A is not declared anywhere in this
	   extract; it must come from a header that was not quoted. */
	typedef void (*P2_txit) (STp , A) ;
	
	typedef void (*P3_nots) (STp , int , int) ;
	
	/* Control block handed to osmtik().  tlkcbT and bfmhspT are not
	   declared in this extract either.  The -ggdb assembly in this report
	   (addl $40 / 120(%edx)) is consistent with tsp_lock starting at byte
	   offset 40 of this struct on i386 (4-byte pointers and longs put
	   hsp_gea at offset 36) and tsp_lock.tsp_cslk at offset 120. */
	typedef struct hspa
	{
	  P3_fxit hsp_fxit ;
	  P2_txit hsp_ftxt ;
	
	  short hsp_id ;
	  X hsp_num ;
	  X hsp_ctrl ;
	  X hsp_alpr ;
	  X hsp_trace ;
	  int hsp_oerno ;
	  long hsp_serno ;
	  P3_nots hsp_not ;
	  long hsp_wrq ;
	  short hsp_wflg ;
	  STp hsp_gea ;
	
	  tlkcbT tsp_lock ;
	
	  bfmhspT tsp_bfm ;
	
	}
	hspacbT, *hspacbTp ;
	/* actual code */
	/*
	 * Reset the lock control block of the given HSPA control block: point
	 * the current lock-slot pointer (tsp_cslk) at the first static slot
	 * (tsp_stlk[0]), clear that slot's lck_use and set its lck_cb to the
	 * address of the global lockD.  Always returns 0.
	 *
	 * TESPAP is dereferenced unconditionally, so a NULL argument would fault
	 * in the first statement; callers must pass a valid block.  lockD and
	 * the tlkcbT members used here are not part of this extract.
	 *
	 * NOTE(review): the SIGSEGV in this report is at osmtik+9, inside the
	 * compiler-generated -pg/-a prologue, before any of the statements
	 * below execute — the body is not what faults.
	 */
	int osmtik
	(hspacbTp TESPAP)
	{
	   TESPAP->tsp_lock.tsp_cslk = &TESPAP->tsp_lock.tsp_stlk[0];
	
	   TESPAP->tsp_lock.tsp_cslk->lck_use = 0;
	   TESPAP->tsp_lock.tsp_cslk->lck_cb = &lockD;
	
	   return 0;
	}

The assembly code generated with the debug-only command line works
fine.  The command line is:

gcc -g -ggdb -Wno-trigraphs -Wno-unused -Wpointer-arith -fno-common
-fno-strict-aliasing -c build/OCframeworks/code/C_GEA/gtolkm.c -E

generated code is:

.globl osmtik
        .type    osmtik,@function
/* osmtik(hspacbTp TESPAP), -g/-ggdb build without -pg/-a: no profiling
   prologue, the argument is read from 8(%ebp) once the frame is set up. */
osmtik:
.LFB1:
.LM1:

        pushl   %ebp
.LCFI0:
        movl    %esp, %ebp
.LCFI1:
.LM2:

        /* TESPAP->tsp_lock.tsp_cslk = &TESPAP->tsp_lock.tsp_stlk[0]
           (tsp_stlk[0] at offset 40 of *TESPAP, tsp_cslk at offset 120) */
        movl    8(%ebp), %edx
        movl    8(%ebp), %eax
        addl    $40, %eax
        movl    %eax, 120(%edx)
.LM3:

        /* tsp_cslk->lck_use = 0  (lck_use at offset 4 of the lock slot) */
        movl    8(%ebp), %eax
        movl    120(%eax), %eax
        movl    $0, 4(%eax)
.LM4:

        /* tsp_cslk->lck_cb = &lockD  (lck_cb at offset 0 of the lock slot) */
        movl    8(%ebp), %eax
        movl    120(%eax), %eax
        movl    $lockD, (%eax)
.LM5:

        movl    $0, %eax      /* return 0 */
.LM6:

        popl    %ebp
        ret
.LFE1:
.Lfe1:
        .size    osmtik,.Lfe1-osmtik
        .align 4

The profiling compilation command-line is:

gcc -g -ggdb -pg -a -Wno-trigraphs -Wno-unused -Wpointer-arith
-fno-common -fno-strict-aliasing -c
build/OCframeworks/code/C_GEA/gtolkm.c -E

.globl osmtik
        .type    osmtik,@function
/* osmtik built with -pg -a.  Everything from .LPB0 up to .LM2 is
   compiler-generated instrumentation, not user code.  The .LPBX* symbols
   are presumably the -a basic-block profiling data (.LPBX2 a block counter,
   .LPBX0 the record handed to __bb_init_func) and mcount is the -pg hook. */
osmtik:
.LFB1:
.LM1:

.LPB0:
        incl    .LPBX2        /* -a: increment this block's counter */
        pushl   %ebp
.LCFI0:
        movl    %esp, %ebp
.LCFI1:
        /* -a: one-time registration of .LPBX0 on first entry.  In the gdb
           trace of this report .LPBX0 is linked at absolute address 0x7380
           and this cmpl is the faulting instruction (eip 0x081d3f49 =
           osmtik+9): the SIGSEGV is the read of 0x7380, which is far below
           the program's text and likely unmapped, and it happens before any
           user code runs or TESPAP is dereferenced. */
        cmpl    $0, .LPBX0
        jne     .LPBZ0
        pushl   $.LPBX0
        call    __bb_init_func
        addl    $4, %esp
.LPBZ0:
        call    mcount        /* -pg: record the call for gprof */
.LM2:

        /* user code starts here; identical to the -g only build */
        movl    8(%ebp), %edx
        movl    8(%ebp), %eax
        addl    $40, %eax
        movl    %eax, 120(%edx)
.LM3:

        movl    8(%ebp), %eax
        movl    120(%eax), %eax
        movl    $0, 4(%eax)
.LM4:

        movl    8(%ebp), %eax
        movl    120(%eax), %eax
        movl    $lockD, (%eax)
.LM5:

        movl    $0, %eax      /* return 0 */
.LM6:

        popl    %ebp
        ret
.LFE1:
.Lfe1:
        .size    osmtik,.Lfe1-osmtik
        .align 4


The crash occurs at line 108, whereas the first line of the osmtik()
function is 109, i.e. it occurs in the profiling prologue.

Here is a step-by step execution of the code under gdb starting from
line 108.

Breakpoint 3, osmtik (TESPAP=0x0) at gtolkm.c:108
108	gtolkm.c: No such file or directory.
	in gtolkm.c
(gdb) info registers eip esp ebp
eip            0x81d3f40	0x81d3f40
esp            0xbfffeabc	0xbfffeabc
ebp            0xbfffeb28	0xbfffeb28
(gdb) x/25i 0x81d3f40
0x81d3f40 <osmtik>:	incl   0x8524240
0x81d3f46 <osmtik+6>:	push   %ebp
0x81d3f47 <osmtik+7>:	mov    %esp,%ebp
0x81d3f49 <osmtik+9>:	cmpl   $0x0,0x7380
0x81d3f50 <osmtik+16>:	jne    0x81d3f5f <osmtik+31>
0x81d3f52 <osmtik+18>:	push   $0x7380
0x81d3f57 <osmtik+23>:	call   0x826a0d0 <__bb_init_func>
0x81d3f5c <osmtik+28>:	add    $0x4,%esp
0x81d3f5f <osmtik+31>:	call   0x804c0ec <mcount>
0x81d3f64 <osmtik+36>:	mov    0x8(%ebp),%edx
0x81d3f67 <osmtik+39>:	mov    0x8(%ebp),%eax
0x81d3f6a <osmtik+42>:	add    $0x28,%eax
0x81d3f6d <osmtik+45>:	mov    %eax,0x78(%edx)
0x81d3f70 <osmtik+48>:	mov    0x8(%ebp),%eax
0x81d3f73 <osmtik+51>:	mov    0x78(%eax),%eax
0x81d3f76 <osmtik+54>:	movl   $0x0,0x4(%eax)
0x81d3f7d <osmtik+61>:	mov    0x8(%ebp),%eax
0x81d3f80 <osmtik+64>:	mov    0x78(%eax),%eax
0x81d3f83 <osmtik+67>:	movl   $0x848f020,(%eax)
0x81d3f89 <osmtik+73>:	mov    $0x0,%eax
0x81d3f8e <osmtik+78>:	pop    %ebp
0x81d3f8f <osmtik+79>:	ret    
0x81d3f90 <osmplk>:	incl   0x8524244
0x81d3f96 <osmplk+6>:	push   %ebp
0x81d3f97 <osmplk+7>:	mov    %esp,%ebp
(gdb) 

breakpoint in the calling function:

Breakpoint 5, BF_GtoTRMsg_impl::init (P_traceFunc=0, P_status=@0xbfffed60) at
build/OCframeworks/code/TrfRep/BF_TRMsg_impl.C:479
479	   if (LkmTinit(TESPAP) < 0) {
(gdb) stepi
0x081c1a28	479	   if (LkmTinit(TESPAP) < 0) {
(gdb) stepi
0x081c1a2b	479	   if (LkmTinit(TESPAP) < 0) {
(gdb) display TESPAP
2: TESPAP = 0x8524280
(gdb) stepi
0x081c1a31	479	   if (LkmTinit(TESPAP) < 0) {
2: TESPAP = 0x8524280
(gdb) 

Breakpoint 3, osmtik (TESPAP=0x0) at gtolkm.c:108
108	gtolkm.c: No such file or directory.
	in gtolkm.c
2: TESPAP = 0x8524280
Current language:  auto; currently c
(gdb) i r eip
eip            0x81d3f40	0x81d3f40
(gdb) x/25i 0x81d3f40
0x81d3f40 <osmtik>:	incl   0x8524240
0x81d3f46 <osmtik+6>:	push   %ebp
0x81d3f47 <osmtik+7>:	mov    %esp,%ebp
0x81d3f49 <osmtik+9>:	cmpl   $0x0,0x7380
0x81d3f50 <osmtik+16>:	jne    0x81d3f5f <osmtik+31>
0x81d3f52 <osmtik+18>:	push   $0x7380
0x81d3f57 <osmtik+23>:	call   0x826a0d0 <__bb_init_func>
0x81d3f5c <osmtik+28>:	add    $0x4,%esp
0x81d3f5f <osmtik+31>:	call   0x804c0ec <mcount>
0x81d3f64 <osmtik+36>:	mov    0x8(%ebp),%edx
0x81d3f67 <osmtik+39>:	mov    0x8(%ebp),%eax
0x81d3f6a <osmtik+42>:	add    $0x28,%eax
0x81d3f6d <osmtik+45>:	mov    %eax,0x78(%edx)
0x81d3f70 <osmtik+48>:	mov    0x8(%ebp),%eax
0x81d3f73 <osmtik+51>:	mov    0x78(%eax),%eax
0x81d3f76 <osmtik+54>:	movl   $0x0,0x4(%eax)
0x81d3f7d <osmtik+61>:	mov    0x8(%ebp),%eax
0x81d3f80 <osmtik+64>:	mov    0x78(%eax),%eax
0x81d3f83 <osmtik+67>:	movl   $0x848f020,(%eax)
0x81d3f89 <osmtik+73>:	mov    $0x0,%eax
0x81d3f8e <osmtik+78>:	pop    %ebp
0x81d3f8f <osmtik+79>:	ret    
0x81d3f90 <osmplk>:	incl   0x8524244
0x81d3f96 <osmplk+6>:	push   %ebp
0x81d3f97 <osmplk+7>:	mov    %esp,%ebp

here is the step-by-step execution tracing:

(gdb) i r eip
eip            0x81d3f40	0x81d3f40
(gdb) x/5i 0x81d3f40
0x81d3f40 <osmtik>:	incl   0x8524240
0x81d3f46 <osmtik+6>:	push   %ebp
0x81d3f47 <osmtik+7>:	mov    %esp,%ebp
0x81d3f49 <osmtik+9>:	cmpl   $0x0,0x7380
0x81d3f50 <osmtik+16>:	jne    0x81d3f5f <osmtik+31>
(gdb) stepi
0x081d3f46	108	in gtolkm.c
3: TESPAP = (struct hspa *) 0x0
2: TESPAP = 0x8524280
(gdb) i r eip
eip            0x81d3f46	0x81d3f46
(gdb) x/5i 0x81d3f46
0x81d3f46 <osmtik+6>:	push   %ebp
0x81d3f47 <osmtik+7>:	mov    %esp,%ebp
0x81d3f49 <osmtik+9>:	cmpl   $0x0,0x7380
0x81d3f50 <osmtik+16>:	jne    0x81d3f5f <osmtik+31>
0x81d3f52 <osmtik+18>:	push   $0x7380
(gdb) i r ebp
ebp            0xbfffeb28	0xbfffeb28
(gdb) stepi
0x081d3f47	108	in gtolkm.c
3: TESPAP = (struct hspa *) 0x0
2: TESPAP = 0x8524280
(gdb) i r eip    
eip            0x81d3f47	0x81d3f47
(gdb) x/5i 0x81d3f47
0x81d3f47 <osmtik+7>:	mov    %esp,%ebp
0x81d3f49 <osmtik+9>:	cmpl   $0x0,0x7380
0x81d3f50 <osmtik+16>:	jne    0x81d3f5f <osmtik+31>
0x81d3f52 <osmtik+18>:	push   $0x7380
0x81d3f57 <osmtik+23>:	call   0x826a0d0 <__bb_init_func>
(gdb) i r ebp
ebp            0xbfffeb28	0xbfffeb28
(gdb) stepi
0x081d3f49 in osmtik (TESPAP=0x848e9a0) at gtolkm.c:108
108	in gtolkm.c
3: TESPAP = (struct hspa *) 0x848e9a0
2: TESPAP = 0x8524280
(gdb) i r eip
eip            0x81d3f49	0x81d3f49
(gdb) x/5i 0x81d3f49
0x81d3f49 <osmtik+9>:	cmpl   $0x0,0x7380
0x81d3f50 <osmtik+16>:	jne    0x81d3f5f <osmtik+31>
0x81d3f52 <osmtik+18>:	push   $0x7380
0x81d3f57 <osmtik+23>:	call   0x826a0d0 <__bb_init_func>
0x81d3f5c <osmtik+28>:	add    $0x4,%esp
(gdb) stepi

Program received signal SIGSEGV, Segmentation fault.
0x081d3f49 in osmtik (TESPAP=0x848e9a0) at gtolkm.c:108
108	in gtolkm.c
3: TESPAP = (struct hspa *) 0x848e9a0
2: TESPAP = 0x8524280
(gdb) 

Execution fails at the first line of the following section, generated
by the GCC profiling option:

.LCFI1:
        cmpl    $0, .LPBX0
        jne     .LPBZ0
        pushl   $.LPBX0
        call    __bb_init_func
        addl    $4, %esp


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. re-compile the attached pre-processed file with or without profiling option
Eeek, Red Hat's Bugzilla does not allow attaching pre-processed files to the
report... :-(
2. call the offending compiled function
3. SIGSEGV
	

Actual Results:  The application core-dumps when running the profiling function
prologue.

Expected Results:  The application should pass through non-user code without a
core dump; only user code is expected to lead to a core dump.

Additional info:

(gdb) bt
#0  0x081d3f49 in osmtik (TESPAP=0x848e9a0) at gtolkm.c:108
#1  0xbfffeb28 in ?? ()
#2  0x081c1a36 in BF_GtoTRMsg_impl::init (P_traceFunc=0, P_status=@0xbfffed60)
    at build/OCframeworks/code/TrfRep/BF_TRMsg_impl.C:479
#3  0x081c4a11 in BF_IBase::fill (this=0x8545248, P_status=@0xbfffed60) at
build/OCframeworks/code/Meta/BF_IBase.C:358
#4  0x081f465c in BF_MDMsgSet_impl::fillMsgSet (this=0x8545290,
P_iBase=@0x8545248, P_msgSet=0x8545280, P_status=@0xbfffed60)
    at build/OCframeworks/code/Meta/BF_MDMsgSet_impl.C:218
#5  0x081cc24d in BF_MDMsgSet::BF_MDMsgSet (this=0x8545280, P_iBase=@0x8545248,
P_status=@0xbfffed60)
    at build/OCframeworks/code/Meta/BF_MDMsgSet.C:46
#6  0x081eff16 in BF_MDMgr_impl::createMsgSet (this=0x853ac30,
P_iBase=@0x8545248, P_status=@0xbfffede0)
    at build/OCframeworks/code/Meta/BF_MDMgr_impl.C:270
#7  0x081c2d5a in BF_MDMgr::createMsgSet (P_msgSetName=0x8540b98 "IsupA95",
P_status=@0xbfffede0)
    at build/OCframeworks/code/Meta/BF_MDMgr.C:128
#8  0x08107571 in IsupInfoMgr::installMsgSet (P_msgSetName=0x8540b98 "IsupA95",
P_msgSetId=@0xbfffee6e)
    at build/OCISUP/code/message/IsupInfoMgr_impl.C:183
#9  0x08180555 in IsupMocMsgSet::IsupMocMsgSet (this=0x8545230,
P_msgSetName=0x8540b98 "IsupA95")
    at build/OCISUP/code/MIB/IsupCircuit.C:163
#10 0x080ab1e2 in IsupNavigator::getMessageSetName (this=0x848e9a0,
P_msgSetName=@0xbfffef40, P_lpc=@0x8544ea8, 
    P_msgSet=@0xbfffeffc) at build/OCISUP/code/protocol/IsupNavigator.C:3605
#11 0x080aae71 in IsupNavigator::getMessageSetName (this=0x85408b8, P_file=7,
P_section=@0xbffff0b0, P_lpc=@0x8544ea8, 
    P_msgSet=@0xbfffeffc) at build/OCISUP/code/protocol/IsupNavigator.C:3555
#12 0x080b533e in IsupNavigator::addDpc (this=0x85408b8, P_mocLpc=0x8544ea8,
P_file=7, P_section=@0xbffff0b0, P_mocDpc=@0xbffff0a8)
    at build/OCISUP/code/protocol/IsupNavigator.C:6213
#13 0x080a498f in IsupNavigator::initMocCircuitFromConfig (this=0x85408b8, P_file=7)
    at build/OCISUP/code/protocol/IsupNavigator.C:1378
#14 0x080a7b3c in IsupNavigator::instance (P_status=@0xbffff1d0, P_applicationId=0)
    at build/OCISUP/code/protocol/IsupNavigator.C:2236
#15 0x080688b5 in IsupMgr::init (P_applicationId=0) at
build/OCISUP/code/isupcore/IsupMgr.C:384
#16 0x08068e87 in IsupMgr::init (P_mgr=@0x84e7e58, P_applicationId=0) at
build/OCISUP/code/isupcore/IsupMgr.C:479
#17 0x08053744 in main (argc=14, argv=0xbffff3b4) at
build/OCISUP/code/isupgen/isupgen.C:1265
#18 0x42017589 in ?? ()

Comment 1 Francois-Xavier 'FiX' KOWALSKI 2002-11-12 16:22:24 UTC
Created attachment 84684 [details]
pre-processed offending source code

Comment 2 Francois-Xavier 'FiX' KOWALSKI 2002-11-12 16:23:45 UTC
Created attachment 84685 [details]
assembly code generated using -ggdb

Comment 3 Francois-Xavier 'FiX' KOWALSKI 2002-11-12 16:24:27 UTC
Created attachment 84686 [details]
assembly code generated using -pg -a -ggdb

Comment 4 Alan Cox 2002-12-16 02:08:18 UTC
Seems happy with gcc 3.2 / RH 8.0


Comment 5 Francois-Xavier 'FiX' KOWALSKI 2002-12-17 08:33:14 UTC
Did you attempt to duplicate this on the 2.96 source-code baseline?

Comment 6 Richard Henderson 2004-10-03 10:39:49 UTC
This was "fixed" by removing the -a option, which never did work right.
There are other alternative profiling options in current gcc releases.