Bug 1628206 - latrace leads the traced program to segfault in glibc
Summary: latrace leads the traced program to segfault in glibc
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: latrace
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jiri Olsa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-12 13:08 UTC by Jan Pokorný [poki]
Modified: 2019-09-22 11:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-09-22 11:30:13 UTC
Type: Bug
Embargoed:



Description Jan Pokorný [poki] 2018-09-12 13:08:22 UTC
$ latrace cat
> 
> cat finished - killed by signal 1

Diagnostics:

> #0  _int_malloc
> 
> #1  __GI___libc_malloc
>     (bytes=bytes@entry=44)
>     at malloc.c:3041
> 
> #2  allocate_dtv_entry
>     (size=44, alignment=8)
>     at ../elf/dl-tls.c:582
> 
> #3  allocate_and_init
>     (map=0x7fcac4a1d4f0)
>     at ../elf/dl-tls.c:607
> 
> #4  tls_get_addr_tail
>     (dtv=0x7fcac4a1d3e0, the_map=0x7fcac4a1d4f0, ti=<optimized out>,
>     ti=<optimized out>)
>     at ../elf/dl-tls.c:787
> 
> #5  __tls_get_addr
>     at ../sysdeps/x86_64/tls_get_addr.S:55
> 
> #6  ??
> 
> #7  ??
> 
> #8  ??
> 
> #9  ??
> 
> #10 _dl_process_pt_note
>     (l=0x56156f4f8318, ph=0x7fff5db4e160, fd=301989889, fbp=<optimized
>     out>)
>     at ../sysdeps/x86/dl-prop.h:140
> 
> Backtrace stopped: previous frame inner to this frame (corrupt stack?)

3623│   if (in_smallbin_range (nb))
3624│     {
3625│       idx = smallbin_index (nb);
3626│       bin = bin_at (av, idx);
3627│
3628│       if ((victim = last (bin)) != bin)
3629│         {
3630├>          bck = victim->bk;
3631│           if (__glibc_unlikely (bck->fd != victim))
3632│             malloc_printerr ("malloc(): smallbin double linked list corrupted");
3633│           set_inuse_bit_at_offset (victim, nb);
3634│           bin->bk = bck;
3635│           bck->fd = bin;

(gdb) p victim
> $1 = (mchunkptr) 0x0

(gdb) info proc mappings
> Mapped address spaces:
> 
>           Start Addr           End Addr       Size     Offset objfile
>       0x56156f4f8000     0x56156f4fa000     0x2000        0x0 /usr/bin/cat
>       0x56156f4fa000     0x56156f4ff000     0x5000     0x2000 /usr/bin/cat
>       0x56156f4ff000     0x56156f502000     0x3000     0x7000 /usr/bin/cat
>       0x56156f502000     0x56156f503000     0x1000     0x9000 /usr/bin/cat
>       0x56156f503000     0x56156f504000     0x1000     0xa000 /usr/bin/cat
>       0x7fcac4600000     0x7fcac4622000    0x22000        0x0 /usr/lib64/libc-2.28.9000.so
>       0x7fcac4622000     0x7fcac476f000   0x14d000    0x22000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac476f000     0x7fcac47bb000    0x4c000   0x16f000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac47bb000     0x7fcac47bc000     0x1000   0x1bb000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac47bc000     0x7fcac47c0000     0x4000   0x1bb000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac47c0000     0x7fcac47c2000     0x2000   0x1bf000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac47c8000     0x7fcac47ea000    0x22000        0x0 /usr/lib64/libc-2.28.9000.so
>       0x7fcac47ea000     0x7fcac4937000   0x14d000    0x22000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac4937000     0x7fcac4983000    0x4c000   0x16f000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac4983000     0x7fcac4984000     0x1000   0x1bb000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac4984000     0x7fcac4988000     0x4000   0x1bb000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac4988000     0x7fcac498a000     0x2000   0x1bf000 /usr/lib64/libc-2.28.9000.so
>       0x7fcac498e000     0x7fcac49bc000    0x2e000        0x0 /etc/ld.so.cache            
>       0x7fcac49bc000     0x7fcac49c3000     0x7000        0x0 /usr/lib64/libltaudit.so.0.5.11
>       0x7fcac49c3000     0x7fcac49e2000    0x1f000     0x7000 /usr/lib64/libltaudit.so.0.5.11
>       0x7fcac49e2000     0x7fcac49eb000     0x9000    0x26000 /usr/lib64/libltaudit.so.0.5.11
>       0x7fcac49eb000     0x7fcac49ec000     0x1000    0x2f000 /usr/lib64/libltaudit.so.0.5.11
>       0x7fcac49ec000     0x7fcac49ee000     0x2000    0x2f000 /usr/lib64/libltaudit.so.0.5.11
>       0x7fcac49ee000     0x7fcac49ef000     0x1000    0x31000 /usr/lib64/libltaudit.so.0.5.11
>       0x7fcac4a1e000     0x7fcac4a1f000     0x1000        0x0 /usr/lib64/ld-2.28.9000.so     
>       0x7fcac4a1f000     0x7fcac4a3f000    0x20000     0x1000 /usr/lib64/ld-2.28.9000.so
>       0x7fcac4a3f000     0x7fcac4a47000     0x8000    0x21000 /usr/lib64/ld-2.28.9000.so

$ rpm -q latrace glibc
> latrace-0.5.11-16.fc30.x86_64
> glibc-2.28.9000-6.fc30.x86_64
> glibc-2.28.9000-6.fc30.i686

Comment 1 Jan Pokorný [poki] 2018-09-12 13:10:47 UTC
Sorry for mispaste:

> cat finished - killed by signal 11

Comment 2 Jan Pokorný [poki] 2018-09-13 12:26:34 UTC
I should have mentioned that void, argument-less invocation of latrace
won't exhibit anything bad.

Troubling invocation with verbose diagnostics:

$ latrace -vvv cat
> [2965 lt_fifo_notify_fd:00122] fifo notification set to: /tmp/lt-config-M8PeUM/fifo
> [2965 process:00168] doing pipe
> [2966 run_child:00383] executing cat
> [2966 get_names:00126] names: [_setjmp] max: 50
> [2966 get_names:00144] got: _setjmp
> [2966 get_names:00152] got 1 entries
> [2966 audit_init:00258] global_symbols 0
> [2966 la_activity:00277] entry
> [2966 check_names:00059] return 0 for name _dl_find_dso_for_object
> [2966 sym_entry:00091] _dl_find_dso_for_object@/lib64/ld-linux-x86-64.so.2
> 
> cat finished - killed by signal 11
> [2965 remove_dir:00273] removing /tmp/lt-config-M8PeUM
> [2965 remove_dir:00273] removing /tmp/lt-config-M8PeUM/fifo2

However, everything seems to work correctly when auditing is disabled:

$ latrace -vvv -q cat </dev/null
> [3086 lt_fifo_notify_fd:00122] fifo notification set to: /tmp/lt-config-Jr30Q0/fifo
> [3086 process:00168] doing pipe
> [3087 run_child:00383] executing cat
> [3087 get_names:00126] names: [_setjmp] max: 50
> [3087 get_names:00144] got: _setjmp
> [3087 get_names:00152] got 1 entries
> [3087 audit_init:00258] global_symbols 0
> [3087 la_activity:00277] entry
> [3087 check_names:00059] return 0 for name _dl_find_dso_for_object
> [3087 check_names:00059] return 0 for name __tunable_get_val
> [3087 la_activity:00277] entry
> [3087 la_preinit:00290] entry
> [3087 check_names:00059] return 0 for name strrchr
> [3087 check_names:00059] return 0 for name setlocale
> [3087 check_names:00059] return 0 for name malloc
> [3087 check_names:00059] return 0 for name free
> [3087 check_names:00059] return 0 for name realloc
> [3087 check_names:00059] return 0 for name bindtextdomain
> [3087 check_names:00059] return 0 for name textdomain
> [3087 check_names:00059] return 0 for name __cxa_atexit
> [3087 check_names:00059] return 0 for name getopt_long
> [3087 check_names:00059] return 0 for name __fxstat
> [3087 check_names:00059] return 0 for name getpagesize
> [3087 check_names:00059] return 0 for name posix_fadvise
> [3087 check_names:00059] return 0 for name malloc
> [3087 check_names:00059] return 0 for name read
> [3087 check_names:00059] return 0 for name free
> [3087 check_names:00059] return 0 for name close
> [3087 check_names:00059] return 0 for name __fpending
> [3087 check_names:00059] return 0 for name fileno
> [3087 check_names:00059] return 0 for name __freading
> [3087 check_names:00059] return 0 for name fflush
> [3087 check_names:00059] return 0 for name fclose
> 
> cat finished - exited, status=0
> [3086 remove_dir:00273] removing /tmp/lt-config-Jr30Q0
> [3086 remove_dir:00273] removing /tmp/lt-config-Jr30Q0/fifo

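The log above shows the crash occurring inside the loader's audit path (after `la_activity` entry, before `la_preinit`), while the same invocation with auditing disabled (`-q`) runs to completion. latrace's `libltaudit.so` is an rtld-audit module loaded by `ld.so`. The following is an added illustration of what such a module looks like at its smallest; it is not latrace's code and does not reproduce this bug. It assumes glibc's `<link.h>` rtld-audit interface (`la_version`, `la_objopen`, `LAV_CURRENT`, `LA_FLG_*`), and as a conservative design choice its callbacks use only static storage and `write(2)`, avoiding heap allocation and stdio because they run inside the dynamic loader before the traced program's `main`. Whether that choice would have avoided the malloc crash seen here is not established by this report; the names `format_open_line` and `audit_objects_seen` are invented for the example.

```c
/* Minimal rtld-audit module (added illustration, not latrace's code).
 * Build: gcc -shared -fPIC -o libaudit_demo.so audit_demo.c
 * Run:   LD_AUDIT=./libaudit_demo.so cat </dev/null
 * Each object ld.so opens is reported on stderr as "audit: open <name>".
 */
#define _GNU_SOURCE
#include <link.h>      /* struct link_map, Lmid_t, LAV_CURRENT, LA_FLG_* */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Number of objects reported so far; static storage, no heap use. */
static unsigned int objects_seen;

/* Build "audit: open <name>\n" in buf without stdio. Returns the number
 * of bytes written; names that do not fit are truncated, and a buffer
 * too small even for the prefix yields 0. (Hypothetical helper name.) */
static size_t format_open_line(char *buf, size_t cap, const char *name)
{
    static const char prefix[] = "audit: open ";
    size_t plen = sizeof prefix - 1;
    size_t nlen = strlen(name);

    if (cap < plen + 2)                 /* room for prefix + '\n' at least */
        return 0;
    if (plen + nlen + 1 >= cap)         /* truncate overly long names */
        nlen = cap - plen - 2;

    memcpy(buf, prefix, plen);
    memcpy(buf + plen, name, nlen);
    buf[plen + nlen] = '\n';
    return plen + nlen + 1;
}

/* Called first by ld.so; a return of 0 would make it ignore the module. */
unsigned int la_version(unsigned int version)
{
    (void) version;
    return LAV_CURRENT;
}

/* Called for every loaded object. The returned flags ask ld.so to also
 * report symbol bindings to and from this object (la_symbind*), which
 * is the hook a call tracer builds on. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    char line[256];
    const char *name = (map->l_name && map->l_name[0]) ? map->l_name
                                                       : "<main program>";
    size_t len = format_open_line(line, sizeof line, name);

    (void) lmid;
    if (len > 0)
        (void) write(STDERR_FILENO, line, len);
    objects_seen++;
    *cookie = (uintptr_t) map;          /* handed back to later callbacks */
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Accessor so the count can be checked without reading stderr. */
unsigned int audit_objects_seen(void)
{
    return objects_seen;
}
```

Because the callbacks run with the loader's state partially set up, anything they call (here only `strlen`, `memcpy`, `write`) should be something that is safe that early; a real tracer such as latrace necessarily does much more in these hooks, which is what makes the interaction with a changing glibc fragile.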
Comment 3 Ben Cotton 2019-08-13 17:05:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 4 Ben Cotton 2019-08-13 19:44:35 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 5 Miro Hrončok 2019-09-22 11:30:13 UTC
Automation has figured out the package is retired in Fedora 31.

If you would like it to be unretired, please open a ticket at https://pagure.io/releng/new_issue?template=package_unretirement

