Re: [PATCH][BZ #18508] S390: Fix "backtrace() returns infinitely deep stack frames with makecontext()".

[Stefan Liebler <stli at linux dot vnet dot ibm dot com>]

On 07/07/2015 09:02 PM, Carlos O'Donell wrote:
> On 07/07/2015 01:47 PM, H.J. Lu wrote:
> > I opened:
> > https://sourceware.org/bugzilla/show_bug.cgi?id=18635
>
> Stefan,
>
> Please fix this promptly as glibc 2.22 will be released
> shortly and the test results should be clean. If we can't
> fix it promptly, then we should revert the test changes.
>
> Cheers,
> Carlos.
Hi,

the testcase seems to be okay, but there is a bug in i686 backtrace 
handling if the context was set via makecontext.
If we revert the test changes, the test case will pass, but the bug is 
only hidden.

If you call backtrace() function in such a context, you'll get a 
segmentation fault, too. backtrace () also uses _Unwind_Backtrace.

The "exitcode"-block within __makecontext in 
sysdeps/unix/sysv/linux/i386/makecontext.S is surrounded by cfi_endproc 
and cfi_startproc.
The start addresses of these cfi's seems okay, but the end addresses are 
strange - see readelf/objdump output below.

readelf --debug-dump=frames libc.so:
000043dc 00000014 000043e0 FDE cie=00000000 pc=0003f610..0e44f810
Augmentation data: 41 0e 04 10 00 00 00 f8

000043f4 00000010 000043f8 FDE cie=00000000 pc=0003f67e..0003f67e
Augmentation data: 00 00 00 0c 44 00 00 d8 43 ec ff a6 00 00 00 0

objdump -d libc.so:
/* ENTRY(__makecontext) */
0003f610 <makecontext>:
3f610: 8b 44 24 04 mov 0x4(%esp),%eax
...
/* cfi_endproc  in makecontext.S.  */
/* L(exitcode): */
3f65b: 8d 24 9c lea (%esp,%ebx,4),%esp
3f65e: e8 00 00 00 00 call 3f663 <makecontext+0x53>
3f663: 5b pop %ebx
3f664: 81 c3 91 39 16 00 add $0x163991,%ebx
3f66a: 83 3c 24 00 cmpl $0x0,(%esp)
3f66e: 74 08 je 3f678 <makecontext+0x68>
3f670: e8 2b ff ff ff call 3f5a0 <setcontext>
3f675: 89 04 24 mov %eax,(%esp)
3f678: e8 13 01 ff ff call 2f790 <exit>
3f67d: f4 hlt
/* cfi_startproc in makecontext.S.  */
/* END(__makecontext)  */
3f67e: 90 nop
3f67f: 90 nop


For a quick test, I extracted the exitcode-block to a new function with 
ENTRY/END-macros and undefined cfi_start/end_proc, like it is done in 
s390-makecontext_ret - see attached patch. Afterwards _Unwind_backtrace 
does not segfault anymore.

Please test/comment.

Bye Stefan

diff --git a/sysdeps/unix/sysv/linux/i386/makecontext.S b/sysdeps/unix/sysv/linux/i386/makecontext.S
index 8364fb9..f88abf9 100644
--- a/sysdeps/unix/sysv/linux/i386/makecontext.S
+++ b/sysdeps/unix/sysv/linux/i386/makecontext.S
@@ -85,6 +85,7 @@ ENTRY(__makecontext)
 #endif
 	/* 'makecontext' returns no value.  */
 	ret
+END(__makecontext)
 
 	/* This is the helper code which gets called if a function which
 	   is registered with 'makecontext' returns.  In this case we
@@ -92,7 +93,11 @@ ENTRY(__makecontext)
 	   the context 'makecontext' manipulated at the time of the
 	   'makecontext' call.  If the pointer is NULL the process must
 	   terminate.  */
-	cfi_endproc
+#undef cfi_startproc
+#define cfi_startproc
+#undef cfi_endproc
+#define cfi_endproc
+ENTRY(__makecontext_ret)
 L(exitcode):
 	/* This removes the parameters passed to the function given to
 	   'makecontext' from the stack.  EBX contains the number of
@@ -116,7 +121,6 @@ L(exitcode):
 	/* The 'exit' call should never return.  In case it does cause
 	   the process to terminate.  */
 	hlt
-	cfi_startproc
-END(__makecontext)
+END(__makecontext_ret)
 
 weak_alias (__makecontext, makecontext)