This is the mail archive of the mailing list for the glibc project.


Re: [PATCH 1/2] Linux/x86: Update cancel_jmp_buf to match __jmp_buf_tag [BZ #22563]

On Mon, Dec 18, 2017 at 3:49 AM, Florian Weimer <> wrote:
> On 12/18/2017 12:42 PM, H.J. Lu wrote:
>> We need to restore shadow stack pointer here so that we can jump back
>> to the function where __sigsetjmp is called.
> But neither __sigsetjmp (when called the second time) nor the function that
> calls it return normally during cancellation, so it is still completely
> unclear to me what issue you are observing.
> Could you post a backtrace from the CET verification failure, please?

Here is your testcase with full debug info:

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /export/build/gnu/glibc-cet/build-x86_64-linux/nptl/tst-foo
warning: Unable to find libthread_db matching inferior's thread
library, thread debugging will not be available.

Breakpoint 1, main () at tst-foo.c:52
52 {
(gdb) ena 2
(gdb) c
[Switching to LWP 18711]

Thread 2 "tst-foo" hit Breakpoint 2, __sigsetjmp () at
26 ENTRY (__sigsetjmp)
(gdb) bt
#0  __sigsetjmp () at ../sysdeps/unix/sysv/linux/x86_64/setjmp.S:26
#1  0x0000000000400e15 in threadfunc (closure=<optimized out>) at tst-foo.c:44
#2  0x00007ffff7bbfcde in start_thread (arg=<optimized out>) at
#3  0x00007ffff78f5f73 in clone () at
(gdb) f 1
#1  0x0000000000400e15 in threadfunc (closure=<optimized out>) at tst-foo.c:44
44   pthread_cleanup_push (handler1, NULL);

Here we call __sigsetjmp with cancel_jmp_buf.  There is a shadow stack for
the normal call stack.  We need to save shadow stack pointer so that we can
longjmp back here later.

(gdb) dis 2
(gdb) ena 3
(gdb) c

Thread 2 "tst-foo" hit Breakpoint 3, __longjmp () at
30 ENTRY(__longjmp)
(gdb) bt
#0  __longjmp () at ../sysdeps/unix/sysv/linux/x86_64/__longjmp.S:30

If we don't restore shadow stack pointer, when we jump back to tst-foo.c:45,
shadow stack won't match call stack when threadfunc () returns.

#1  0x00007ffff7837f5f in __libc_siglongjmp
(env=env@entry=0x7ffff7800ca0, val=val@entry=1) at longjmp.c:39
#2  0x00007ffff7bc899d in unwind_stop (version=<optimized out>,
actions=<optimized out>, exc_class=<optimized out>,
    exc_obj=<optimized out>, context=<optimized out>,
stop_parameter=0x7ffff7800ca0) at unwind.c:94
#3  0x00007ffff6df9b1e in _Unwind_ForcedUnwind_Phase2
    at /export/gnu/import/git/sources/gcc/libgcc/
#4  0x00007ffff6dfa170 in _Unwind_ForcedUnwind (exc=0x7ffff7801d70,
stop=stop@entry=0x7ffff7bc88e0 <unwind_stop>,
    stop_argument=<optimized out>) at
#5  0x00007ffff7bc8a84 in __GI___pthread_unwind (buf=<optimized out>)
at unwind.c:121
#6  0x00007ffff7bbe46a in __do_cancel () at ./pthreadP.h:297
#7  sigcancel_handler (sig=<optimized out>, si=0x7ffff78007f0,
ctx=<optimized out>) at nptl-init.c:216
#8  <signal handler called>
#9  0x00007ffff7bc99b2 in __libc_pause () at
#10 0x0000000000400d95 in pausefunc () at tst-foo.c:27
#11 0x0000000000400dca in handlerfunc () at tst-foo.c:35
#12 0x0000000000400e2a in threadfunc (closure=<optimized out>) at tst-foo.c:45
#13 0x00007ffff7bbfcde in start_thread (arg=<optimized out>) at
#14 0x00007ffff78f5f73 in clone () at
(gdb) f 6
#6  0x00007ffff7bbe46a in __do_cancel () at ./pthreadP.h:297
297   __pthread_unwind ((__pthread_unwind_buf_t *)
(gdb) list
292   struct pthread *self = THREAD_SELF;
294   /* Make sure we get no more cancellations.  */
295   THREAD_ATOMIC_BIT_SET (self, cancelhandling, EXITING_BIT);
297   __pthread_unwind ((__pthread_unwind_buf_t *)
298     THREAD_GETMEM (self, cleanup_jmp_buf));
299 }

Does it answer your question?
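As an added example (not the tst-foo.c from this thread), here is a testcase reconstructed from the backtrace above with the same call chain: threadfunc registers a cleanup handler with pthread_cleanup_push, calls handlerfunc -> pausefunc -> pause(), and is then cancelled, so __do_cancel forces an unwind that ends in __libc_siglongjmp into cancel_jmp_buf. The names threadfunc, handlerfunc, pausefunc and handler1 come from the backtrace; run_cancel_test and the two atomic flags are my additions.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <unistd.h>

/* Set by handler1 when the forced unwind reaches threadfunc's cleanup buffer. */
static atomic_int cleanup_ran;
/* Set by the thread right before it blocks in pause(), a cancellation point. */
static atomic_int in_pause;

static void handler1 (void *arg)
{
  (void) arg;
  atomic_store (&cleanup_ran, 1);
}

static void pausefunc (void)
{
  atomic_store (&in_pause, 1);
  pause ();  /* SIGCANCEL is delivered here; see frames #7..#9 above.  */
}

static void handlerfunc (void)
{
  pausefunc ();
}

static void *threadfunc (void *closure)
{
  (void) closure;
  /* This expands to __sigsetjmp on cancel_jmp_buf (frame #1 in the first
     backtrace); the later siglongjmp lands back in this frame.  */
  pthread_cleanup_push (handler1, NULL);
  handlerfunc ();
  pthread_cleanup_pop (0);
  return NULL;
}

/* Returns 1 when the thread was cancelled and its cleanup handler ran.  */
int run_cancel_test (void)
{
  pthread_t th;
  void *res;
  atomic_store (&cleanup_ran, 0);
  atomic_store (&in_pause, 0);
  if (pthread_create (&th, NULL, threadfunc, NULL) != 0)
    return -1;
  while (!atomic_load (&in_pause))
    sched_yield ();
  if (pthread_cancel (th) != 0 || pthread_join (th, &res) != 0)
    return -2;
  return (res == PTHREAD_CANCELED && atomic_load (&cleanup_ran)) ? 1 : 0;
}
```

On a CET-enabled build that does not save and restore the shadow stack pointer in cancel_jmp_buf, the siglongjmp from unwind_stop back into threadfunc is the point where the shadow stack and the call stack diverge.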

