Bug 21939 - Binutils-2.29 invalid free()
Summary: Binutils-2.29 invalid free()
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: gas
Version: 2.29
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-10 08:36 IST by Pierre Muller
Modified: 2017-08-10 16:18 IST
CC List: 1 user

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
system.s source (renamed because of transfer necessities) (177.12 KB, text/plain)
2017-08-10 08:36 IST, Pierre Muller

Description Pierre Muller 2017-08-10 08:36:40 IST
Created attachment 10334
system.s source (renamed because of transfer necessities)

i386-darwin-as is a cross-assembler on gcc20 (linux x86_64 machine) from GNU binutils version 2.29,
configured with --target=i386-unknown-darwin --disable-intl --disable-libtool

CFLAGS="-gdwarf-4 -O0"

I have no clue why qsort() generates a problem here ...

Pierre Muller

muller@gcc20:~/pas/trunk/fpcsrc/compiler$ gdb --args /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as -o ./../rtl/units/i386-darwin/system.o  ./../rtl/units/i386-darwin/system.s
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as...done.
(gdb) r
Starting program: /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as -o ./../rtl/units/i386-darwin/system.o ./../rtl/units/i386-darwin/system.s
*** glibc detected *** /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as: free(): invalid next size (normal): 0x0000000000c4a320 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7ffff78c1bb6]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7ffff78c695c]
/lib/x86_64-linux-gnu/libc.so.6(fclose+0x14d)[0x7ffff78b2afd]
/lib/x86_64-linux-gnu/libc.so.6(+0xdc4aa)[0x7ffff79284aa]
/lib/x86_64-linux-gnu/libc.so.6(__sysconf+0x385)[0x7ffff78fbb95]
/lib/x86_64-linux-gnu/libc.so.6(qsort_r+0x2ca)[0x7ffff7881fea]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x4629cf]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x46401b]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x464745]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x4540f6]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x42f00a]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x453edb]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x42fdc2]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x405b52]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ffff786aead]
/home/muller/pas/fpc-3.0.2/bin/i386-darwin-as[0x4028e9]
======= Memory map: ========
00400000-00578000 r-xp 00000000 08:11 873493                             /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as
00778000-0077a000 rw-p 00178000 08:11 873493                             /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as
0077a000-00c54000 rw-p 00000000 00:00 0                                  [heap]
7fffec000000-7fffec021000 rw-p 00000000 00:00 0
7fffec021000-7ffff0000000 ---p 00000000 00:00 0
7ffff0ae6000-7ffff0afb000 r-xp 00000000 08:11 15336329                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff0afb000-7ffff0cfb000 ---p 00015000 08:11 15336329                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff0cfb000-7ffff0cfc000 rw-p 00015000 08:11 15336329                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff0cfc000-7ffff0e7f000 rw-p 00000000 00:00 0
7ffff0e7f000-7ffff784c000 r--p 00000000 08:11 14026878                   /usr/lib/locale/locale-archive
7ffff784c000-7ffff79d0000 r-xp 00000000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7ffff79d0000-7ffff7bcf000 ---p 00184000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7bcf000-7ffff7bd3000 r--p 00183000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7bd3000-7ffff7bd4000 rw-p 00187000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7bd4000-7ffff7bd9000 rw-p 00000000 00:00 0
7ffff7bd9000-7ffff7bdb000 r-xp 00000000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7bdb000-7ffff7ddb000 ---p 00002000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7ddb000-7ffff7ddc000 r--p 00002000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7ddc000-7ffff7ddd000 rw-p 00003000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff7ddd000-7ffff7dfd000 r-xp 00000000 08:11 15338438                   /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7e5a000-7ffff7fe0000 rw-p 00000000 00:00 0
7ffff7ff9000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001f000 08:11 15338438                   /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7ffe000 rw-p 00020000 08:11 15338438                   /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff787e125 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff787e125 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff78813a0 in *__GI_abort () at abort.c:92
#2  0x00007ffff78b835b in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff78c1bb6 in malloc_printerr (action=3, str=0x7ffff799e840 "free(): invalid next size (normal)", ptr=<optimized out>) at malloc.c:6312
#4  0x00007ffff78c695c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738
#5  0x00007ffff78b2afd in _IO_new_fclose (fp=0xc4a320) at iofclose.c:88
#6  0x00007ffff79284aa in phys_pages_info (format=0x7ffff799c021 "MemTotal: %ld kB") at ../sysdeps/unix/sysv/linux/getsysstats.c:257
#7  0x00007ffff78fbb95 in posix_sysconf (name=<optimized out>) at ../sysdeps/posix/sysconf.c:634
#8  linux_sysconf (name=<optimized out>) at ../sysdeps/unix/sysv/linux/x86_64/../sysconf.c:136
#9  *__GI___sysconf (name=85) at ../sysdeps/unix/sysv/linux/x86_64/sysconf.c:37
#10 0x00007ffff7881fea in *(int0_t, long double) (b=<optimized out>, n=8523, s=6, cmp=0x462709 <bfd_mach_o_cf_symbols>, arg=0x0) at msort.c:188
#11 0x00000000004629cf in bfd_mach_o_mangle_symbols (abfd=0x79e170) at ../../../binutils-2.29/bfd/mach-o.c:2391
#12 0x000000000046401b in bfd_mach_o_build_commands (abfd=0x79e170) at ../../../binutils-2.29/bfd/mach-o.c:3047
#13 0x0000000000464745 in bfd_mach_o_set_section_contents (abfd=0x79e170, section=0x79f570, location=0x7c6980, offset=0, count=26) at ../../../binutils-2.29/bfd/mach-o.c:3249
#14 0x00000000004540f6 in bfd_set_section_contents (abfd=0x79e170, section=0x79f570, location=0x7c6980, offset=0, count=26) at ../../../binutils-2.29/bfd/section.c:1533
#15 0x000000000042f00a in write_contents (abfd=0x79e170, sec=0x79f570, xxx=0x0) at ../../../binutils-2.29/gas/write.c:1585
#16 0x0000000000453edb in bfd_map_over_sections (abfd=0x79e170, operation=0x42ef31 <write_contents>, user_storage=0x0) at ../../../binutils-2.29/bfd/section.c:1395
#17 0x000000000042fdc2 in write_object_file () at ../../../binutils-2.29/gas/write.c:2231
#18 0x0000000000405b52 in main (argc=2, argv=0x787e90) at ../../../binutils-2.29/gas/as.c:1333
(gdb) f 11
#11 0x00000000004629cf in bfd_mach_o_mangle_symbols (abfd=0x79e170) at ../../../binutils-2.29/bfd/mach-o.c:2391
2391      qsort ((void *) symbols, (size_t) bfd_get_symcount (abfd),
(gdb) f 10
#10 0x00007ffff7881fea in *(int0_t, long double) (b=<optimized out>, n=8523, s=6, cmp=0x462709 <bfd_mach_o_cf_symbols>, arg=0x0) at msort.c:188
188     msort.c: No such file or directory.
(gdb) f 9
#9  *__GI___sysconf (name=85) at ../sysdeps/unix/sysv/linux/x86_64/sysconf.c:37
37      ../sysdeps/unix/sysv/linux/x86_64/sysconf.c: No such file or directory.
(gdb)


muller@gcc20:~/pas/trunk/fpcsrc/rtl/units/i386-darwin$ i386-darwin-as-disabled -o system.o system.s
*** glibc detected *** i386-darwin-as-disabled: free(): invalid next size (normal): 0x0000000001d1f2f0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7f274346cbb6]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7f274347195c]
/lib/x86_64-linux-gnu/libc.so.6(fclose+0x14d)[0x7f274345dafd]
/lib/x86_64-linux-gnu/libc.so.6(+0xdc4aa)[0x7f27434d34aa]
/lib/x86_64-linux-gnu/libc.so.6(__sysconf+0x385)[0x7f27434a6b95]
/lib/x86_64-linux-gnu/libc.so.6(qsort_r+0x2ca)[0x7f274342cfea]
i386-darwin-as-disabled[0x4629cf]
i386-darwin-as-disabled[0x46401b]
i386-darwin-as-disabled[0x464745]
i386-darwin-as-disabled[0x4540f6]
i386-darwin-as-disabled[0x42f00a]
i386-darwin-as-disabled[0x453edb]
i386-darwin-as-disabled[0x42fdc2]
i386-darwin-as-disabled[0x405b52]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f2743415ead]
i386-darwin-as-disabled[0x4028e9]
======= Memory map: ========
00400000-00578000 r-xp 00000000 08:11 873493                             /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as-disabled
00778000-0077a000 rw-p 00178000 08:11 873493                             /home/muller/pas/fpc-3.0.2/bin/i386-darwin-as-disabled
0077a000-00787000 rw-p 00000000 00:00 0
0185c000-01d29000 rw-p 00000000 00:00 0                                  [heap]
7f2738000000-7f2738021000 rw-p 00000000 00:00 0
7f2738021000-7f273c000000 ---p 00000000 00:00 0
7f273c691000-7f273c6a6000 r-xp 00000000 08:11 15336329                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f273c6a6000-7f273c8a6000 ---p 00015000 08:11 15336329                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f273c8a6000-7f273c8a7000 rw-p 00015000 08:11 15336329                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f273c8a7000-7f273ca2a000 rw-p 00000000 00:00 0
7f273ca2a000-7f27433f7000 r--p 00000000 08:11 14026878                   /usr/lib/locale/locale-archive
7f27433f7000-7f274357b000 r-xp 00000000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7f274357b000-7f274377a000 ---p 00184000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7f274377a000-7f274377e000 r--p 00183000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7f274377e000-7f274377f000 rw-p 00187000 08:11 15338440                   /lib/x86_64-linux-gnu/libc-2.13.so
7f274377f000-7f2743784000 rw-p 00000000 00:00 0
7f2743784000-7f2743786000 r-xp 00000000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7f2743786000-7f2743986000 ---p 00002000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7f2743986000-7f2743987000 r--p 00002000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7f2743987000-7f2743988000 rw-p 00003000 08:11 15338435                   /lib/x86_64-linux-gnu/libdl-2.13.so
7f2743988000-7f27439a8000 r-xp 00000000 08:11 15338438                   /lib/x86_64-linux-gnu/ld-2.13.so
7f2743a06000-7f2743b8c000 rw-p 00000000 00:00 0
7f2743ba5000-7f2743ba7000 rw-p 00000000 00:00 0
7f2743ba7000-7f2743ba8000 r--p 0001f000 08:11 15338438                   /lib/x86_64-linux-gnu/ld-2.13.so
7f2743ba8000-7f2743ba9000 rw-p 00020000 08:11 15338438                   /lib/x86_64-linux-gnu/ld-2.13.so
7f2743ba9000-7f2743baa000 rw-p 00000000 00:00 0
7fff34b22000-7fff34b43000 rw-p 00000000 00:00 0                          [stack]
7fff34b71000-7fff34b72000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
system.s: Assembler messages:
system.s: Internal error (Aborted).
Please report this bug.
^C

muller@gcc20:~/pas/trunk/fpcsrc/rtl/units/i386-darwin$ i386-darwin-as-disabled --version
GNU assembler (GNU Binutils) 2.29
Copyright (C) 2017 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or later.
This program has absolutely no warranty.
This assembler was configured for a target of `i386-unknown-darwin'.
Comment 1 Nick Clifton 2017-08-10 10:04:57 IST
Hi Pierre,

  Right - this was a fun one. The reason why qsort is triggering the abort
  is because it is mapped onto the qsort_r function.  This function allocates
  its own region of memory to contain a copy of the pointer array that is
  going to be sorted.  Naturally when the sort is finished, the sorted array
  is copied back over the real array, and the copy is freed.

  The interesting thing here is that nothing has gone wrong in qsort_r.  The
  memory was corrupted much earlier, but the corruption is only detected when
  qsort_r calls free().  If you compile the assembler with address sanitization
  enabled then the memory corruption is detected where it actually occurs.

  Now the bug itself is in the assembler's processing of mach-o indirect
  symbols.  The assembler creates an internal array to hold pointers to these
  symbols, but the array is not big enough.  Unfortunately I am not a mach-o 
  expert, so I do not know whether the array size computation is wrong, or
  else the detection of indirect symbols is wrong.  So as a workaround for
  the problem I have updated the code so that it allocates an array big
  enough to hold every symbol.  This is probably overkill, but it should be
  safe.

  I am currently running some local tests on the patch, and assuming that
  everything is OK, I will check it in shortly.

Cheers
  Nick
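As an added illustration of the mechanism Nick describes above (this is not binutils code: the toy symbol table, the `$stub` names and the undersized estimate of 2 are all constructed for the example), the C program below models an array of symbol pointers whose capacity comes from a sizing pass that undercounts. It adds the bounds check that the buggy code lacked, so an undersized capacity is reported instead of written past, and it sizes the array for every symbol in the table, which is what the fix does.

```c
/* Toy model of the undersized-array bug described in comment 1.
 * Added illustration, not binutils code: the symbol table, the names
 * and the capacity estimate are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    const char *name;
    int is_indirect;   /* set by the "detection" pass */
} toy_sym;

/* Constructed input: 6 symbols, 4 of them flagged indirect. */
static const toy_sym TOY_SYMS[] = {
    { "_start",       0 },
    { "_printf$stub", 1 },
    { "_malloc$stub", 1 },
    { "_main",        0 },
    { "_free$stub",   1 },
    { "_puts$stub",   1 },
};
#define TOY_NSYMS (sizeof TOY_SYMS / sizeof TOY_SYMS[0])

/* Copy a pointer to every indirect symbol into out[], which has room for
 * cap entries.  Returns the number stored, or -1 if the caller's capacity
 * estimate was too small.  The "n == cap" check is the difference from the
 * buggy code: without it the surplus pointers land past the end of the
 * malloc'd block and overwrite the header of the neighbouring heap chunk,
 * and glibc only notices when something later free()s around that chunk
 * (here, the temporary buffer inside qsort_r), far from the real bug. */
static int collect_indirect(const toy_sym *syms, size_t nsyms,
                            const toy_sym **out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nsyms; i++) {
        if (!syms[i].is_indirect)
            continue;
        if (n == cap)
            return -1;          /* would overflow: report instead of writing */
        out[n++] = &syms[i];
    }
    return (int)n;
}

/* Capacity that is large enough whatever the detection pass flags:
 * one slot per symbol, the "overkill but safe" sizing the fix uses. */
static size_t safe_capacity(size_t nsyms)
{
    return nsyms;
}

/* Allocate an array for the given capacity estimate, fill it and free it,
 * mirroring the real malloc/fill/free sequence.  Returns the result of
 * collect_indirect(), or -2 if the allocation itself failed. */
static int run_with_estimate(size_t cap)
{
    const toy_sym **arr = malloc((cap ? cap : 1) * sizeof *arr);
    if (!arr)
        return -2;
    int n = collect_indirect(TOY_SYMS, TOY_NSYMS, arr, cap);
    free(arr);
    return n;
}

int main(void)
{
    /* A sizing pass that undercounts: estimate of 2, constructed for the demo. */
    size_t bad_estimate = 2;
    printf("capacity %zu -> %d (negative means the estimate was too small)\n",
           bad_estimate, run_with_estimate(bad_estimate));
    printf("capacity %zu -> %d\n", safe_capacity(TOY_NSYMS),
           run_with_estimate(safe_capacity(TOY_NSYMS)));
    return 0;
}
```

The point of the check is the failure mode, not the happy path: with the undersized estimate the checked version returns -1 at the exact statement that would have overflowed, which is the same place an address-sanitized build of the real assembler reports the write. Without either, the corruption is silent until a later free() in unrelated code (qsort_r's temporary buffer in the report above) trips glibc's chunk-header validation, which is why the backtrace points at libc rather than at obj-macho.c.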
Comment 2 cvs-commit@gcc.gnu.org 2017-08-10 10:52:53 IST
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4c2da80c2bdff7761eb5b3d9c03ffa0c9958b6b9

commit 4c2da80c2bdff7761eb5b3d9c03ffa0c9958b6b9
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 10 11:51:42 2017 +0100

    Fix memory corruption when assembling an i386 darwin source file.
    
    	PR gas/21939
    	* config/obj-macho.c (obj_mach_o_set_indirect_symbols): Increase
    	size of indirect_syms array so that it is large enough to hold
    	every symbol if necessary.
Comment 3 Nick Clifton 2017-08-10 10:54:09 IST
Patch applied.
Comment 4 cvs-commit@gcc.gnu.org 2017-08-10 16:18:35 IST
The binutils-2_29-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5d8b1671b694ae3a2fe45cf9e033e5f35a26fafd

commit 5d8b1671b694ae3a2fe45cf9e033e5f35a26fafd
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 10 17:17:20 2017 +0100

    Backport fix for a Darwin x86 assembler bug from the mainline.
    
    	PR gas/21939
    	* config/obj-macho.c (obj_mach_o_set_indirect_symbols): Increase
    	size of indirect_syms array so that it is large enough to hold
    	every symbol if necessary.