Bug 20317 - Segmentation fault in ld; invalid write in bfd_section_from_shdr
Summary: Segmentation fault in ld; invalid write in bfd_section_from_shdr
Status: RESOLVED OBSOLETE
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.22
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-30 00:25 UTC by Dan Povey
Modified: 2016-06-30 02:30 UTC
CC List: 2 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments

Description Dan Povey 2016-06-30 00:25:43 UTC
This problem occurs when compiling the software OpenFst version 1.5.3 on Debian 7.10 using gcc 4.7.2 and 'ld' version 7.10.
It manifests itself by 'ld' crashing with a segmentation fault.
I found the 'ld' command line by running the g++ link line with -Wl,-debug, and ran it with valgrind, and this is what I found.  I hope this is enough for someone familiar with the code to locate the bug.

Sorry the gdb output below is so long (it looks like it couldn't follow the stack properly), but I think it may provide enough information.

jtrmal@a12  ~/soft/openfst-1.5.3/src/script  $  valgrind --db-attach=yes /usr/bin/ld --sysroot=/ --build-id --no-add-needed --eh-frame-hdr -m elf_x86_64 --hash-style=both -shared -o .libs/libfstscript.so.4.0.0 -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o .libs/arciterator-class.o .libs/arcsort.o .libs/closure.o .libs/compile.o .libs/compose.o .libs/concat.o .libs/connect.o .libs/convert.o .libs/decode.o .libs/determinize.o .libs/difference.o .libs/disambiguate.o .libs/draw.o .libs/encode.o .libs/encodemapper-class.o .libs/epsnormalize.o .libs/equal.o .libs/equivalent.o .libs/fst-class.o .libs/info.o .libs/intersect.o .libs/invert.o .libs/isomorphic.o .libs/map.o .libs/minimize.o .libs/print.o .libs/project.o .libs/prune.o .libs/push.o .libs/randequivalent.o .libs/randgen.o .libs/relabel.o .libs/replace.o .libs/reverse.o .libs/reweight.o .libs/rmepsilon.o .libs/script-impl.o .libs/shortest-distance.o .libs/shortest-path.o .libs/stateiterator-class.o .libs/synchronize.o .libs/text-io.o .libs/topsort.o .libs/union.o .libs/weight-class.o .libs/verify.o -rpath /home/jtrmal/soft/openfst-1.5.3/src/lib/.libs ../lib/.libs/libfst.so -ldl -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o -soname libfstscript.so.4
==44639== Memcheck, a memory error detector
==44639== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==44639== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==44639== Command: /usr/bin/ld --sysroot=/ --build-id --no-add-needed --eh-frame-hdr -m elf_x86_64 --hash-style=both -shared -o .libs/libfstscript.so.4.0.0 -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o .libs/arciterator-class.o .libs/arcsort.o .libs/closure.o .libs/compile.o .libs/compose.o .libs/concat.o .libs/connect.o .libs/convert.o .libs/decode.o .libs/determinize.o .libs/difference.o .libs/disambiguate.o .libs/draw.o .libs/encode.o .libs/encodemapper-class.o .libs/epsnormalize.o .libs/equal.o .libs/equivalent.o .libs/fst-class.o .libs/info.o .libs/intersect.o .libs/invert.o .libs/isomorphic.o .libs/map.o .libs/minimize.o .libs/print.o .libs/project.o .libs/prune.o .libs/push.o .libs/randequivalent.o .libs/randgen.o .libs/relabel.o .libs/replace.o .libs/reverse.o .libs/reweight.o .libs/rmepsilon.o .libs/script-impl.o .libs/shortest-distance.o .libs/shortest-path.o .libs/stateiterator-class.o .libs/synchronize.o .libs/text-io.o .libs/topsort.o .libs/union.o .libs/weight-class.o .libs/verify.o -rpath /home/jtrmal/soft/openfst-1.5.3/src/lib/.libs ../lib/.libs/libfst.so -ldl -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o -soname libfstscript.so.4
==44639==
==44639== Invalid write of size 4
==44639==    at 0x4E9D3B4: bfd_section_from_shdr (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E8FCBD: bfd_elf64_object_p (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E7239F: bfd_check_format_matches (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x41DD11: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x41E39B: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x4128E7: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x413602: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x415A19: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x405186: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x556DEAC: (below main) (libc-start.c:244)
==44639==  Address 0x117d6130 is 0 bytes after a block of size 3,344 alloc'd
==44639==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==44639==    by 0x4EF3E74: _objalloc_alloc (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E73DE8: bfd_alloc (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E73EA5: bfd_zalloc (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E9D15E: bfd_section_from_shdr (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E9DF07: bfd_section_from_shdr (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E8FCBD: bfd_elf64_object_p (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x4E7239F: bfd_check_format_matches (in /usr/lib/libbfd-2.22-system.so)
==44639==    by 0x41DD11: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x41E39B: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x4128E7: ??? (in /usr/bin/ld.bfd)
==44639==    by 0x413602: ??? (in /usr/bin/ld.bfd)
==44639==
==44639==
==44639== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y
==44639== starting debugger with cmd: /usr/bin/gdb -nw /proc/47491/fd/1024 47491
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /proc/47491/fd/1024...(no debugging symbols found)...done.
Attaching to program: /proc/47491/fd/1024, process 47491
Reading symbols from /usr/lib/valgrind/vgpreload_core-amd64-linux.so...Reading symbols from /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so...done.
done.
Loaded symbols for /usr/lib/valgrind/vgpreload_core-amd64-linux.so
Reading symbols from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so...Reading symbols from /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so...done.
done.
Loaded symbols for /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
Reading symbols from /usr/lib/libbfd-2.22-system.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libbfd-2.22-system.so
Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libz.so.1
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libdl-2.13.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libdl.so.2
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libc-2.13.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Failed to read a valid object file image from memory.
0x0000000004e9d3b4 in bfd_section_from_shdr () from /usr/lib/libbfd-2.22-system.so
(gdb) bt
#0  0x0000000004e9d3b4 in bfd_section_from_shdr () from /usr/lib/libbfd-2.22-system.so
#1  0x0000000004e8fcbe in bfd_elf64_object_p () from /usr/lib/libbfd-2.22-system.so
#2  0x0000000004e723a0 in bfd_check_format_matches () from /usr/lib/libbfd-2.22-system.so
#3  0x000000000041dd12 in ?? ()
#4  0x000000000041e39c in ?? ()
#5  0x00000000004128e8 in ?? ()
#6  0x0000000000413603 in ?? ()
#7  0x0000000000415a1a in ?? ()
#8  0x0000000000405187 in ?? ()
#9  0x000000000556dead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fefffa48) at libc-start.c:244
#10 0x00000000004056c9 in ?? ()
#11 0x00000007fefffa48 in ?? ()
#12 0x000000000000001c in ?? ()
#13 0x0000000000000057 in ?? ()
#14 0x00000007feffff73 in ?? ()
#15 0x00000007feffff7f in ?? ()
#16 0x00000007feffff8b in ?? ()
#17 0x00000007feffff96 in ?? ()
#18 0x00000007feffffa6 in ?? ()
#19 0x00000007feffffb5 in ?? ()
#20 0x00000007feffffb8 in ?? ()
#21 0x00000007feffffc3 in ?? ()
#22 0x00000007feffffd5 in ?? ()
#23 0x00000007feffffdd in ?? ()
#24 0x00000007feffffe0 in ?? ()
#25 0x00000007fefffffc in ?? ()
#26 0x00000007ff000020 in ?? ()
#27 0x00000007ff00005e in ?? ()
#28 0x00000007ff000092 in ?? ()
#29 0x00000007ff0000aa in ?? ()
#30 0x00000007ff0000b8 in ?? ()
#31 0x00000007ff0000d4 in ?? ()
#32 0x00000007ff0000e6 in ?? ()
#33 0x00000007ff000113 in ?? ()
#34 0x00000007ff000137 in ?? ()
---Type <return> to continue, or q <return> to quit---
#35 0x00000007ff000175 in ?? ()
#36 0x00000007ff0001a9 in ?? ()
#37 0x00000007ff0001c1 in ?? ()
#38 0x00000007ff0001cf in ?? ()
#39 0x00000007ff0001eb in ?? ()
#40 0x00000007ff0001fd in ?? ()
#41 0x00000007ff00022a in ?? ()
#42 0x00000007ff00026d in ?? ()
#43 0x00000007ff00029b in ?? ()
#44 0x00000007ff0002b5 in ?? ()
#45 0x00000007ff0002c5 in ?? ()
#46 0x00000007ff0002d5 in ?? ()
#47 0x00000007ff0002e5 in ?? ()
#48 0x00000007ff0002f5 in ?? ()
#49 0x00000007ff000304 in ?? ()
#50 0x00000007ff000314 in ?? ()
#51 0x00000007ff000324 in ?? ()
#52 0x00000007ff000333 in ?? ()
#53 0x00000007ff000347 in ?? ()
#54 0x00000007ff00035a in ?? ()
#55 0x00000007ff00036f in ?? ()
#56 0x00000007ff00037c in ?? ()
#57 0x00000007ff00038b in ?? ()
#58 0x00000007ff0003a6 in ?? ()
#59 0x00000007ff0003bb in ?? ()
#60 0x00000007ff0003c9 in ?? ()
#61 0x00000007ff0003dc in ?? ()
#62 0x00000007ff0003ee in ?? ()
#63 0x00000007ff0003fb in ?? ()
#64 0x00000007ff00040d in ?? ()
#65 0x00000007ff00041c in ?? ()
#66 0x00000007ff00042f in ?? ()
#67 0x00000007ff00043b in ?? ()
#68 0x00000007ff00044c in ?? ()
#69 0x00000007ff00045a in ?? ()
#70 0x00000007ff00046a in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.

Program received signal SIGSTOP, Stopped (signal).
0x0000000004e9d3b4 in bfd_section_from_shdr () from /usr/lib/libbfd-2.22-system.so
(gdb) c
Continuing.

Program received signal SIGSTOP, Stopped (signal).
0x0000000004e9d3b4 in bfd_section_from_shdr () from /usr/lib/libbfd-2.22-system.so
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
ptmalloc_init () at arena.c:527
527 arena.c: No such file or directory.
(gdb) bt
#0  ptmalloc_init () at arena.c:527
#1  0x00000000055c9d07 in malloc_hook_ini (sz=93161280, caller=0x0) at hooks.c:37
#2  0x0000000004ef3df0 in _objalloc_alloc () from /usr/lib/libbfd-2.22-system.so
#3  0x0000000004e73de9 in bfd_alloc () from /usr/lib/libbfd-2.22-system.so
#4  0x0000000004e73ea6 in bfd_zalloc () from /usr/lib/libbfd-2.22-system.so
#5  0x0000000004e92b92 in _bfd_elf_new_section_hook () from /usr/lib/libbfd-2.22-system.so
#6  0x0000000004e75a6f in ?? () from /usr/lib/libbfd-2.22-system.so
#7  0x0000000004e9c455 in _bfd_elf_make_section_from_shdr () from /usr/lib/libbfd-2.22-system.so
#8  0x0000000004e9d22b in bfd_section_from_shdr () from /usr/lib/libbfd-2.22-system.so
#9  0x0000000004e8fcbe in bfd_elf64_object_p () from /usr/lib/libbfd-2.22-system.so
#10 0x0000000004e723a0 in bfd_check_format_matches () from /usr/lib/libbfd-2.22-system.so
#11 0x000000000041dd12 in ?? ()
#12 0x000000000041e39c in ?? ()
#13 0x00000000004128e8 in ?? ()
#14 0x0000000000413603 in ?? ()
#15 0x0000000000415a1a in ?? ()
#16 0x0000000000405187 in ?? ()
#17 0x000000000556dead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fefffa48) at libc-start.c:244
#18 0x00000000004056c9 in ?? ()
#19 0x00000007fefffa48 in ?? ()
#20 0x000000000000001c in ?? ()
#21 0x0000000000000057 in ?? ()
#22 0x00000007feffff73 in ?? ()
#23 0x00000007feffff7f in ?? ()
#24 0x00000007feffff8b in ?? ()
#25 0x00000007feffff96 in ?? ()
#26 0x00000007feffffa6 in ?? ()
#27 0x00000007feffffb5 in ?? ()
#28 0x00000007feffffb8 in ?? ()
#29 0x00000007feffffc3 in ?? ()
#30 0x00000007feffffd5 in ?? ()
#31 0x00000007feffffdd in ?? ()
#32 0x00000007feffffe0 in ?? ()
#33 0x00000007fefffffc in ?? ()
#34 0x00000007ff000020 in ?? ()
---Type <return> to continue, or q <return> to quit---
#35 0x00000007ff00005e in ?? ()
#36 0x00000007ff000092 in ?? ()
#37 0x00000007ff0000aa in ?? ()
#38 0x00000007ff0000b8 in ?? ()
#39 0x00000007ff0000d4 in ?? ()
#40 0x00000007ff0000e6 in ?? ()
#41 0x00000007ff000113 in ?? ()
#42 0x00000007ff000137 in ?? ()
#43 0x00000007ff000175 in ?? ()
#44 0x00000007ff0001a9 in ?? ()
#45 0x00000007ff0001c1 in ?? ()
#46 0x00000007ff0001cf in ?? ()
#47 0x00000007ff0001eb in ?? ()
#48 0x00000007ff0001fd in ?? ()
#49 0x00000007ff00022a in ?? ()
#50 0x00000007ff00026d in ?? ()
#51 0x00000007ff00029b in ?? ()
#52 0x00000007ff0002b5 in ?? ()
#53 0x00000007ff0002c5 in ?? ()
#54 0x00000007ff0002d5 in ?? ()
#55 0x00000007ff0002e5 in ?? ()
#56 0x00000007ff0002f5 in ?? ()
#57 0x00000007ff000304 in ?? ()
#58 0x00000007ff000314 in ?? ()
#59 0x00000007ff000324 in ?? ()
#60 0x00000007ff000333 in ?? ()
#61 0x00000007ff000347 in ?? ()
#62 0x00000007ff00035a in ?? ()
#63 0x00000007ff00036f in ?? ()
#64 0x00000007ff00037c in ?? ()
#65 0x00000007ff00038b in ?? ()
#66 0x00000007ff0003a6 in ?? ()
#67 0x00000007ff0003bb in ?? ()
#68 0x00000007ff0003c9 in ?? ()
#69 0x00000007ff0003dc in ?? ()
#70 0x00000007ff0003ee in ?? ()
---Type <return> to continue, or q <return> to quit---
Comment 1 Dan Povey 2016-06-30 01:08:00 UTC
OK, I compiled binutils from source with debug, and I got it in a debugger.

The error occurs in bfd.c line 2084, in the statement
 sections_being_created [shindex] = FALSE;
where shindex is 832, and it looks like the size of the 'sections_being_created' array is also 832.
I don't understand what the code is doing but I printed some variables that seem to be relevant, please see below.
Dan


---------
jtrmal@a12  /usr/src/binutils/binutils-2.22  $   cd  ~jtrmal/soft/openfst-1.5.3/src/script
jtrmal@a12  ~/soft/openfst-1.5.3/src/script  $  valgrind --db-attach=yes /usr/src/binutils/binutils-2.22/ld/ld-new --sysroot=/ --build-id --no-add-needed --eh-frame-hdr -m elf_x86_64 --hash-style=both -shared -o .libs/libfstscript.so.4.0.0 -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o .libs/arciterator-class.o .libs/arcsort.o .libs/closure.o .libs/compile.o .libs/compose.o .libs/concat.o .libs/connect.o .libs/convert.o .libs/decode.o .libs/determinize.o .libs/difference.o .libs/disambiguate.o .libs/draw.o .libs/encode.o .libs/encodemapper-class.o .libs/epsnormalize.o .libs/equal.o .libs/equivalent.o .libs/fst-class.o .libs/info.o .libs/intersect.o .libs/invert.o .libs/isomorphic.o .libs/map.o .libs/minimize.o .libs/print.o .libs/project.o .libs/prune.o .libs/push.o .libs/randequivalent.o .libs/randgen.o .libs/relabel.o .libs/replace.o .libs/reverse.o .libs/reweight.o .libs/rmepsilon.o .libs/script-impl.o .libs/shortest-distance.o .libs/shortest-path.o .libs/stateiterator-class.o .libs/synchronize.o .libs/text-io.o .libs/topsort.o .libs/union.o .libs/weight-class.o .libs/verify.o -rpath /home/jtrmal/soft/openfst-1.5.3/src/lib/.libs ../lib/.libs/libfst.so -ldl -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o -soname libfstscript.so.4
==17439== Memcheck, a memory error detector
==17439== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==17439== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==17439== Command: /usr/src/binutils/binutils-2.22/ld/ld-new --sysroot=/ --build-id --no-add-needed --eh-frame-hdr -m elf_x86_64 --hash-style=both -shared -o .libs/libfstscript.so.4.0.0 -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o .libs/arciterator-class.o .libs/arcsort.o .libs/closure.o .libs/compile.o .libs/compose.o .libs/concat.o .libs/connect.o .libs/convert.o .libs/decode.o .libs/determinize.o .libs/difference.o .libs/disambiguate.o .libs/draw.o .libs/encode.o .libs/encodemapper-class.o .libs/epsnormalize.o .libs/equal.o .libs/equivalent.o .libs/fst-class.o .libs/info.o .libs/intersect.o .libs/invert.o .libs/isomorphic.o .libs/map.o .libs/minimize.o .libs/print.o .libs/project.o .libs/prune.o .libs/push.o .libs/randequivalent.o .libs/randgen.o .libs/relabel.o .libs/replace.o .libs/reverse.o .libs/reweight.o .libs/rmepsilon.o .libs/script-impl.o .libs/shortest-distance.o .libs/shortest-path.o .libs/stateiterator-class.o .libs/synchronize.o .libs/text-io.o .libs/topsort.o .libs/union.o .libs/weight-class.o .libs/verify.o -rpath /home/jtrmal/soft/openfst-1.5.3/src/lib/.libs ../lib/.libs/libfst.so -ldl -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o -soname libfstscript.so.4
==17439==
==17439== Invalid write of size 4
==17439==    at 0x460B24: bfd_section_from_shdr (elf.c:2084)
==17439==    by 0x4536BD: bfd_elf64_object_p (elfcode.h:807)
==17439==    by 0x4385EF: bfd_check_format_matches (format.c:172)
==17439==    by 0x41C2D1: ldfile_try_open_bfd (ldfile.c:316)
==17439==    by 0x41C95B: ldfile_open_file (ldfile.c:428)
==17439==    by 0x410EA7: load_symbols (ldlang.c:2703)
==17439==    by 0x411BC2: open_input_bfds (ldlang.c:3296)
==17439==    by 0x413FD9: lang_process (ldlang.c:6570)
==17439==    by 0x403746: main (ldmain.c:405)
==17439==  Address 0x114d1130 is 0 bytes after a block of size 3,344 alloc'd
==17439==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==17439==    by 0x4B9FF4: _objalloc_alloc (objalloc.c:143)
==17439==    by 0x43A0A8: bfd_alloc (opncls.c:931)
==17439==    by 0x43A165: bfd_zalloc (opncls.c:980)
==17439==    by 0x4608DE: bfd_section_from_shdr (elf.c:1614)
==17439==    by 0x461667: bfd_section_from_shdr (elf.c:1904)
==17439==    by 0x4536BD: bfd_elf64_object_p (elfcode.h:807)
==17439==    by 0x4385EF: bfd_check_format_matches (format.c:172)
==17439==    by 0x41C2D1: ldfile_try_open_bfd (ldfile.c:316)
==17439==    by 0x41C95B: ldfile_open_file (ldfile.c:428)
==17439==    by 0x410EA7: load_symbols (ldlang.c:2703)
==17439==    by 0x411BC2: open_input_bfds (ldlang.c:3296)
==17439==
==17439==
==17439== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y
==17439== starting debugger with cmd: /usr/bin/gdb -nw /proc/19907/fd/1024 19907
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /proc/19907/fd/1024...done.
Attaching to program: /proc/19907/fd/1024, process 19907
Reading symbols from /usr/lib/valgrind/vgpreload_core-amd64-linux.so...Reading symbols from /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so...done.
done.
Loaded symbols for /usr/lib/valgrind/vgpreload_core-amd64-linux.so
Reading symbols from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so...Reading symbols from /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so...done.
done.
Loaded symbols for /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libz.so.1
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libdl-2.13.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libdl.so.2
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libc-2.13.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Failed to read a valid object file image from memory.
bfd_section_from_shdr (abfd=abfd@entry=0x1153aa90, shindex=shindex@entry=832) at elf.c:2084
2084     sections_being_created [shindex] = FALSE;
(gdb) p shindex
$1 = 832
(gdb) p num_sec
No symbol "num_sec" in current context.
(gdb) p abfd->tdata.elf_obj_data->num_elf_sections
$2 = 3434
(gdb) p nesting
$3 = 3
(gdb) p sections_being_created_abfd
$4 = (bfd *) 0x113c6f90
(gdb) p abfd
$5 = (bfd *) 0x1153aa90
(gdb) p sections_being_created_abfd->tdata.elf_obj_data->num_elf_sections
$6 = 832
(gdb)


(gdb) p *(abfd->tdata.elf_obj_data)
$9 = {
  elf_header = {{
      e_ident = "\177ELF\002\001\001\003\000\000\000\000\000\000\000",
      e_entry = 0,
      e_phoff = 0,
      e_shoff = 335600,
      e_version = 1,
      e_flags = 0,
      e_type = 1,
      e_machine = 62,
      e_ehsize = 64,
      e_phentsize = 0,
      e_phnum = 0,
      e_shentsize = 64,
      e_shnum = 3434,
      e_shstrndx = 3431
    }},
  elf_sect_ptr = 0x11589070,
  phdr = 0x0,
  segment_map = 0x0,
  strtab_ptr = 0x0,
  num_locals = 0,
  num_globals = 0,
  num_elf_sections = 3434,
  num_section_syms = 0,
  section_syms = 0x0,
  symtab_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
---Type <return> to continue, or q <return> to quit---
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  shstrtab_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  strtab_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  dynsymtab_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
---Type <return> to continue, or q <return> to quit---
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  dynstrtab_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  dynversym_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
---Type <return> to continue, or q <return> to quit---
    contents = 0x0
  },
  dynverref_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  dynverdef_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  symtab_shndx_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
---Type <return> to continue, or q <return> to quit---
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  symtab_section = 0,
  shstrtab_section = 0,
  strtab_section = 0,
  dynsymtab_section = 0,
  symtab_shndx_section = 0,
  dynversym_section = 0,
  dynverdef_section = 0,
  dynverref_section = 0,
  next_file_pos = 0,
  gp = 0,
  gp_size = 0,
  core_signal = 0,
  core_pid = 0,
  core_lwpid = 0,
  core_program = 0x0,
  core_command = 0x0,
  sym_hashes = 0x0,
  local_got = {
    refcounts = 0x0,
    offsets = 0x0,
    ents = 0x0
  },
  dt_name = 0x0,
  dt_audit = 0x0,
  program_header_size = 18446744073709551615,
  line_info = 0x0,
  find_line_info = 0x0,
  dwarf1_find_line_info = 0x0,
---Type <return> to continue, or q <return> to quit---
  dwarf2_find_line_info = 0x0,
  local_stubs = 0x0,
  local_call_stubs = 0x0,
  eh_frame_hdr = 0x0,
  group_sect_ptr = 0x0,
  num_group = 0,
  cverdefs = 0,
  cverrefs = 0,
  stack_flags = 0,
  verdef = 0x0,
  verref = 0x0,
  elf_data_symbol = 0x0,
  elf_text_symbol = 0x0,
  elf_data_section = 0x0,
  elf_text_section = 0x0,
  eh_frame_section = 0x0,
  dyn_lib_class = DYN_NORMAL,
  linker = 0,
  bad_symtab = 0,
  flags_init = 0,
  symbuf = 0x0,
  known_obj_attributes = {{{
        type = 0,
        i = 0,
        s = 0x0
      } <repeats 71 times>}, {{
        type = 0,
        i = 0,
        s = 0x0
      } <repeats 71 times>}},
  other_obj_attributes = {0x0, 0x0},
  after_write_object_contents = 0,
  after_write_object_contents_info = 0x0,
  build_id_size = 0,
  build_id = 0x0,
  sdt_note_head = 0x0,
---Type <return> to continue, or q <return> to quit---
  has_gnu_symbols = 0,
  object_id = X86_64_ELF_DATA
}
(gdb)
(gdb) p *(sections_being_created_abfd->tdata.elf_obj_data)
$10 = {
  elf_header = {{
      e_ident = "\177ELF\002\001\001\003\000\000\000\000\000\000\000",
      e_entry = 0,
      e_phoff = 0,
      e_shoff = 85440,
      e_version = 1,
      e_flags = 0,
      e_type = 1,
      e_machine = 62,
      e_ehsize = 64,
      e_phentsize = 0,
      e_phnum = 0,
      e_shentsize = 64,
      e_shnum = 832,
      e_shstrndx = 829
    }},
  elf_sect_ptr = 0x113e27f0,
  phdr = 0x0,
  segment_map = 0x0,
  strtab_ptr = 0x0,
  num_locals = 0,
  num_globals = 0,
  num_elf_sections = 832,
  num_section_syms = 0,
  section_syms = 0x0,
  symtab_hdr = {
    sh_name = 1,
    sh_type = 2,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 138688,
    sh_size = 29568,
    sh_link = 831,
    sh_info = 785,
    sh_addralign = 8,
---Type <return> to continue, or q <return> to quit---
    sh_entsize = 24,
    bfd_section = 0x0,
    contents = 0x0
  },
  shstrtab_hdr = {
    sh_name = 17,
    sh_type = 3,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 58104,
    sh_size = 27331,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 1,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x113e4240 ""
  },
  strtab_hdr = {
    sh_name = 9,
    sh_type = 3,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 168256,
    sh_size = 39567,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 1,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x114d3bb0 ""
  },
  dynsymtab_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
---Type <return> to continue, or q <return> to quit---
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  dynstrtab_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  dynversym_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
---Type <return> to continue, or q <return> to quit---
    contents = 0x0
  },
  dynverref_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  dynverdef_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  symtab_shndx_hdr = {
    sh_name = 0,
    sh_type = 0,
    sh_flags = 0,
    sh_addr = 0,
    sh_offset = 0,
---Type <return> to continue, or q <return> to quit---
    sh_size = 0,
    sh_link = 0,
    sh_info = 0,
    sh_addralign = 0,
    sh_entsize = 0,
    bfd_section = 0x0,
    contents = 0x0
  },
  symtab_section = 830,
  shstrtab_section = 0,
  strtab_section = 0,
  dynsymtab_section = 0,
  symtab_shndx_section = 0,
  dynversym_section = 0,
  dynverdef_section = 0,
  dynverref_section = 0,
  next_file_pos = 0,
  gp = 0,
  gp_size = 8,
  core_signal = 0,
  core_pid = 0,
  core_lwpid = 0,
  core_program = 0x0,
  core_command = 0x0,
  sym_hashes = 0x1151afc0,
  local_got = {
    refcounts = 0x0,
    offsets = 0x0,
    ents = 0x0
  },
  dt_name = 0x0,
  dt_audit = 0x0,
  program_header_size = 18446744073709551615,
  line_info = 0x0,
  find_line_info = 0x0,
  dwarf1_find_line_info = 0x0,
---Type <return> to continue, or q <return> to quit---
  dwarf2_find_line_info = 0x0,
  local_stubs = 0x0,
  local_call_stubs = 0x0,
  eh_frame_hdr = 0x0,
  group_sect_ptr = 0x114d1180,
  num_group = 307,
  cverdefs = 0,
  cverrefs = 0,
  stack_flags = 0,
  verdef = 0x0,
  verref = 0x0,
  elf_data_symbol = 0x0,
  elf_text_symbol = 0x0,
  elf_data_section = 0x0,
  elf_text_section = 0x0,
  eh_frame_section = 0x0,
  dyn_lib_class = DYN_NORMAL,
  linker = 0,
  bad_symtab = 0,
  flags_init = 0,
  symbuf = 0x0,
  known_obj_attributes = {{{
        type = 0,
        i = 0,
        s = 0x0
      } <repeats 71 times>}, {{
        type = 0,
        i = 0,
        s = 0x0
      } <repeats 71 times>}},
  other_obj_attributes = {0x0, 0x0},
  after_write_object_contents = 0,
  after_write_object_contents_info = 0x0,
  build_id_size = 0,
  build_id = 0x0,
  sdt_note_head = 0x0,
---Type <return> to continue, or q <return> to quit---
  has_gnu_symbols = 0,
  object_id = X86_64_ELF_DATA
}
(gdb)
(gdb)
Comment 2 Dan Povey 2016-06-30 01:32:49 UTC
OK, it looks like this problem might have been resolved in more recent versions of binutils.
From 
https://fossies.org/dox/binutils-2.26/elf_8c_source.html
I see that the code is now:

  if (sections_being_created && sections_being_created_abfd == abfd)
    sections_being_created [shindex] = FALSE;

while it used to read just:

  if (sections_being_created)
    sections_being_created [shindex] = FALSE;

... and this change would have fixed the bug.
I think it would make sense, though, to backport the bug fix to older versions of binutils, if that's something that you do.
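The state captured in Comment 1 and the one-line fix quoted in Comment 2 describe a single pattern: a static guard array (`sections_being_created`) is allocated for one bfd, sized to that bfd's section count, and a later call on a different bfd clears a flag in it without first checking that the array is its own. The following C model is an added example, not binutils code: the type `model_bfd`, the helpers `begin_sections`, `end_sections`, `replay_crash_state` and `replay_owner_clear`, and the return codes are all constructed for illustration, while the section counts 832 and 3434 and the index 832 are taken from the gdb output above. Where the real 2.22 code simply stores past the end of the block (valgrind's "Invalid write of size 4 ... 0 bytes after a block"), the model reports the out-of-bounds store as a return code instead of performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a bfd (constructed type): only the field the bug turns on. */
typedef struct model_bfd {
    const char *name;
    unsigned num_elf_sections;   /* mirrors abfd->tdata.elf_obj_data->num_elf_sections */
} model_bfd;

/* The shared static state from elf.c: one guard array and its recorded owner. */
static bool *sections_being_created;
static model_bfd *sections_being_created_abfd;

/* Result codes used instead of letting the model write out of bounds. */
#define CLEARED        1   /* flag at shindex was cleared */
#define SKIPPED        0   /* array not touched (no array, or not this bfd's) */
#define OUT_OF_BOUNDS -1   /* the 2.22 code would store past the array here */

/* A bfd starts creating its sections: allocate one flag per section and record the owner. */
static void begin_sections(model_bfd *abfd)
{
    sections_being_created = calloc(abfd->num_elf_sections, sizeof *sections_being_created);
    if (sections_being_created == NULL) { perror("calloc"); exit(1); }
    sections_being_created_abfd = abfd;
}

/* Release the guard array and forget the owner. */
static void end_sections(void)
{
    free(sections_being_created);
    sections_being_created = NULL;
    sections_being_created_abfd = NULL;
}

/* 2.22 (Debian) logic: checks only that the array exists, not whose it is. */
static int clear_flag_old(model_bfd *abfd, unsigned shindex)
{
    (void)abfd;   /* the owner is never consulted */
    if (sections_being_created) {
        /* Bounds check added by the model; the real code has none here. */
        if (shindex >= sections_being_created_abfd->num_elf_sections)
            return OUT_OF_BOUNDS;
        sections_being_created[shindex] = false;
        return CLEARED;
    }
    return SKIPPED;
}

/* 2.26 logic from Comment 2: also require that the array belongs to this bfd. */
static int clear_flag_fixed(model_bfd *abfd, unsigned shindex)
{
    if (sections_being_created && sections_being_created_abfd == abfd) {
        /* Not reachable while callers keep shindex below the owner's count. */
        if (shindex >= sections_being_created_abfd->num_elf_sections)
            return OUT_OF_BOUNDS;
        sections_being_created[shindex] = false;
        return CLEARED;
    }
    return SKIPPED;
}

/* Replay the state from Comment 1: the array was allocated for an object with
   832 sections and is still live when an object with 3434 sections clears
   flag 832.  Returns the code produced by the supplied clearing function. */
static int replay_crash_state(int (*clear)(model_bfd *, unsigned))
{
    model_bfd owner = { "first object (832 sections)", 832 };
    model_bfd other = { "second object (3434 sections)", 3434 };
    int rc;

    begin_sections(&owner);          /* sections_being_created_abfd = &owner */
    rc = clear(&other, 832);         /* abfd != owner, shindex == owner's count */
    end_sections();
    return rc;
}

/* The legitimate case: the owner clears its own last flag.  Both variants must
   still clear it, which shows the fix does not regress normal processing. */
static int replay_owner_clear(int (*clear)(model_bfd *, unsigned))
{
    model_bfd owner = { "first object (832 sections)", 832 };
    int rc;

    begin_sections(&owner);
    rc = clear(&owner, 831);
    end_sections();
    return rc;
}

int main(void)
{
    printf("2.22 logic, foreign bfd : %d (OUT_OF_BOUNDS is %d)\n",
           replay_crash_state(clear_flag_old), OUT_OF_BOUNDS);
    printf("fixed logic, foreign bfd: %d (SKIPPED is %d)\n",
           replay_crash_state(clear_flag_fixed), SKIPPED);
    printf("fixed logic, own bfd    : %d (CLEARED is %d)\n",
           replay_owner_clear(clear_flag_fixed), CLEARED);
    return 0;
}
```

The owner check is the whole fix: the array's length is tied to `sections_being_created_abfd`, so any index validated against a different bfd's section count is meaningless for it, and the only safe action for a foreign bfd is to leave the array alone. Running the real binary under valgrind or AddressSanitizer, as the reporter did, is what turns the silent heap overwrite into an attributable fault with the allocating and writing stacks side by side.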
Comment 3 Alan Modra 2016-06-30 02:30:24 UTC
This bug is not present on any of master, binutils-2_26-branch, binutils-2_25-branch or previous versions of binutils.  It seems likely that the Debian version of binutils has cherry-picked patches to apply to their 2.22 based version, and missed a followup patch.