Bug 1117841 - stack overflow in splay_tree_foreach_helper
Summary: stack overflow in splay_tree_foreach_helper
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: gdb
Version: 6.5
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Sergio Durigan Junior
QA Contact: Miroslav Franc
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-09 13:35 UTC by Miroslav Franc
Modified: 2016-02-01 02:29 UTC
CC: 5 users

Fixed In Version: gdb-7.2-80.el6
Doc Type: Bug Fix
Doc Text:
Cause: GDB internally uses a splay tree to store the elements of its address maps. The iterator over this splay tree was implemented recursively.
Consequence: When iterating over a very large splay tree, the iterator's recursion exhausted GDB's stack, which caused a segmentation fault.
Fix: The splay tree iterator has been rewritten to be non-recursive.
Result: The splay tree iterator is more efficient and GDB is more robust; the failure caused by the recursion no longer occurs.
Clone Of:
Environment:
Last Closed: 2015-07-22 06:34:15 UTC
Target Upstream Version:
Embargoed:


Links
System                  ID              Private  Priority  Status        Summary             Last Updated
Red Hat Product Errata  RHBA-2015:1325  0        normal    SHIPPED_LIVE  gdb bug fix update  2015-07-20 17:53:09 UTC

Description Miroslav Franc 2014-07-09 13:35:04 UTC
Description of problem:
SSIA.  Does not seem to be a regression within rhel6.  Reproducible on ppc64 and s390x only.


Version-Release number of selected component (if applicable):
device-mapper-persistent-data-debuginfo-0.2.8-2.el6.{ppc64,s390x}
any rhel6 version of gdb on ppc64 and s390x


How reproducible:
all the time


Steps to Reproduce:
1. gdb --args gdb -q -nx -readnow /usr/lib/debug/usr/sbin/thin_dump.debug


Actual results:
#0  0x000000001034ad78 in splay_tree_foreach_helper (sp=0x12da24e0, node=0x13c341a0, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:209
#1  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#2  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#3  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#4  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#5  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#6  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#7  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#8  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#9  0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#10 0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#11 0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
...
...
#78598 0x000000001034add4 in splay_tree_foreach_helper (sp=0x12da24e0, node=<value optimized out>, fn=@0x104e8ad8: 0x100fd3f0 <splay_foreach_count>, data=0xfffffffe468) at ../../libiberty/splay-tree.c:215
#78599 0x00000000100fd744 in addrmap_mutable_create_fixed (this=<value optimized out>, obstack=0x1071ce68) at ../../gdb/addrmap.c:437
#78600 0x00000000100fd14c in addrmap_create_fixed (original=<value optimized out>, obstack=<value optimized out>) at ../../gdb/addrmap.c:73
#78601 0x00000000101bf0d8 in make_blockvector (end_addr=<value optimized out>, objfile=0x1071ce10, section=<value optimized out>) at ../../gdb/buildsym.c:494
#78602 end_symtab (end_addr=<value optimized out>, objfile=0x1071ce10, section=<value optimized out>) at ../../gdb/buildsym.c:1024
#78603 0x00000000101ea74c in process_full_comp_unit (objfile=<value optimized out>, per_cu=<value optimized out>) at ../../gdb/dwarf2read.c:4512
#78604 process_queue (objfile=<value optimized out>, per_cu=<value optimized out>) at ../../gdb/dwarf2read.c:4271
#78605 dw2_do_instantiate_symtab (objfile=<value optimized out>, per_cu=<value optimized out>) at ../../gdb/dwarf2read.c:1692
#78606 0x00000000101ea948 in dw2_instantiate_symtab (objfile=0x1071ce10, per_cu=0xfffb1a49268) at ../../gdb/dwarf2read.c:1712
#78607 0x00000000101eb134 in dw2_expand_all_symtabs (objfile=0x1071ce10) at ../../gdb/dwarf2read.c:2371
#78608 0x000000001015e888 in symbol_file_add_with_addrs_or_offsets (abfd=<value optimized out>, add_flags=<value optimized out>, addrs=0x0, flags=<value optimized out>, num_offsets=0, offsets=0x0)
    at ../../gdb/symfile.c:1141
#78609 0x000000001015f120 in symbol_file_add_main_1 (args=<value optimized out>, from_tty=<value optimized out>, flags=<value optimized out>) at ../../gdb/symfile.c:1252
#78610 0x0000000010185aac in catch_command_errors (command=@0x104ecb48: 0x1015f2f0 <symbol_file_add_main>, arg=0xffffffff4b0 "/usr/lib/debug/usr/sbin/thin_dump.debug", from_tty=<value optimized out>, 
    mask=<value optimized out>) at ../../gdb/exceptions.c:534
#78611 0x000000001000ce24 in captured_main (data=<value optimized out>) at ../../gdb/main.c:949
#78612 0x0000000010185b98 in catch_errors (func=@0x104ddeb8: 0x1000bab0 <captured_main>, func_args=0xfffffffecf0, errstring=0x1036b598 "", mask=<value optimized out>) at ../../gdb/exceptions.c:518
#78613 0x000000001000b544 in gdb_main (args=<value optimized out>) at ../../gdb/main.c:1076
#78614 0x000000001000b4dc in main (argc=<value optimized out>, argv=<value optimized out>) at ../../gdb/gdb.c:48


Expected results:
no stack overflow

Comment 1 Sergio Durigan Junior 2015-02-11 07:15:51 UTC
I investigated this, and found that the bug is fixed upstream.  The commit that fixes it is:

commit 98f0b5d4e51f85fd717cda948174ec5c43305e08
Author: DJ Delorie <dj>
Date:   Wed Dec 8 16:24:43 2010 +0000

The patch applies cleanly on the tree and seems to be pretty straightforward.  However, there is always the problem of having a testcase for the problem...  I still did not come up with a testcase, and I don't know if I will have time to investigate the failure and create one.  Maybe Jan or someone else can take a look and try to understand what is causing the failure here.  If not, my proposal is to go ahead and push this fix, leaving the test to QA.  I will wait a few more days until we discuss this and decide what to do; if nothing is decided, I will postpone this to 6.8.

Comment 2 Jan Kratochvil 2015-02-11 21:36:20 UTC
The testcase could be put into RH Beaker testsuite I think.
It could even use lower `ulimit -s'.

Comment 4 Sergio Durigan Junior 2015-02-11 21:46:39 UTC
I think this is good enough.  I will push the fix soon.  The real problem will be to write a CCFR for this...

Comment 5 Sergio Durigan Junior 2015-02-12 18:34:23 UTC
Fix pushed to the RHEL-6.7 branch.

QA: No testcase attached.  You can create a testcase on the RH Beaker testsuite (as proposed by Jan above).

Comment 8 errata-xmlrpc 2015-07-22 06:34:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1325.html

