request for help debugging a segfault in _dl_relocate_object

James Washer washer@trlp.com
Mon Apr 28 18:26:00 GMT 2008


I'm fairly new at digging through libc code and have been trying to
determine the cause of a segfault in _dl_relocate_object.

On a system running RHEL4U6 we have an application coredump from a
segfault. glibc-2.3.4-2.38 provides the ld-linux.so that I'm looking at.



The program in question has done a dlopen on
"/opt/netcool/platform/linux2x86/jre_1.5.4/jre/bin/libawt.so" with flags
of RTLD_NOW.

Further up the stack (or down the stack, if you prefer) we end up in
_dl_relocate_object and segfault dereferencing a null pointer. The pointer
in question came from


const char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);

See the comment "BANG" near the bottom of this disassembly, marking the
instruction that faulted. The faulting instruction reads 0x4(%ecx), and
%ecx was loaded just before from 0x34(%edi), i.e. l->l_info[DT_STRTAB]
itself — so it is that l_info entry (the Elf32_Dyn pointer D_PTR
dereferences), not strtab, that is null.

Any pointers (no pun intended) as to why l_info[DT_STRTAB] might be null
would be appreciated. As far as I understand it, l_info[] is filled in from
the object's dynamic section when it is mapped, so a null entry would mean
either that no DT_STRTAB tag was recorded for this object or that the
link_map has been overwritten since it was loaded.


 - jim




00207b40 <_dl_reloc_bad_type>:
  207b40:       55                      push   %ebp
  207b41:       c1 e1 05                shl    $0x5,%ecx
  207b44:       89 e5                   mov    %esp,%ebp
  207b46:       83 ec 38                sub    $0x38,%esp
  207b49:       89 5d f4                mov    %ebx,0xfffffff4(%ebp)
  207b4c:       e8 8a 90 00 00          call   210bdb
<__i686.get_pc_thunk.bx>
  207b51:       81 c3 83 d4 00 00       add    $0xd483,%ebx
  207b57:       89 7d fc                mov    %edi,0xfffffffc(%ebp)
  207b5a:       8d bc 0b 4c c0 ff ff    lea    0xffffc04c(%ebx,%ecx,1),%
edi
  207b61:       89 75 f8                mov    %esi,0xfffffff8(%ebp)
  207b64:       89 d6                   mov    %edx,%esi
  207b66:       89 7c 24 04             mov    %edi,0x4(%esp)
  207b6a:       8d 7d d4                lea    0xffffffd4(%ebp),%edi
  207b6d:       89 45 d0                mov    %eax,0xffffffd0(%ebp)
  207b70:       89 3c 24                mov    %edi,(%esp)
  207b73:       e8 a8 8f 00 00          call   210b20 <__stpcpy>
  207b78:       c6 40 02 00             movb   $0x0,0x2(%eax)
  207b7c:       89 f2                   mov    %esi,%edx
  207b7e:       8d 8b cc c6 ff ff       lea    0xffffc6cc(%ebx),%ecx
  207b84:       c1 ea 04                shr    $0x4,%edx
  207b87:       83 e6 0f                and    $0xf,%esi
  207b8a:       83 e2 0f                and    $0xf,%edx
  207b8d:       0f b6 14 11             movzbl (%ecx,%edx,1),%edx
  207b91:       88 10                   mov    %dl,(%eax)
  207b93:       0f b6 14 31             movzbl (%ecx,%esi,1),%edx
  207b97:       31 c9                   xor    %ecx,%ecx
  207b99:       88 50 01                mov    %dl,0x1(%eax)
  207b9c:       8b 45 d0                mov    0xffffffd0(%ebp),%eax
  207b9f:       8b 50 04                mov    0x4(%eax),%edx
  207ba2:       89 3c 24                mov    %edi,(%esp)
  207ba5:       31 c0                   xor    %eax,%eax
  207ba7:       e8 54 27 00 00          call   20a300 <_dl_signal_error>
  207bac:       8d 74 26 00             lea    0x0(%esi),%esi

00207bb0 <_dl_relocate_object>:
  207bb0:       55                      push   %ebp
  207bb1:       89 e5                   mov    %esp,%ebp
  207bb3:       8d 45 08                lea    0x8(%ebp),%eax
  207bb6:       57                      push   %edi
  207bb7:       56                      push   %esi
  207bb8:       53                      push   %ebx
  207bb9:       81 ec 0c 01 00 00       sub    $0x10c,%esp

move the link_map pointer "l" to edi
  207bbf:       8b 7d 08                mov    0x8(%ebp),%edi
  207bc2:       89 45 ec                mov    %eax,0xffffffec(%ebp)
  207bc5:       e8 11 90 00 00          call   210bdb
<__i686.get_pc_thunk.bx>
  207bca:       81 c3 0a d4 00 00       add    $0xd40a,%ebx
  207bd0:       f6 87 80 01 00 00 04    testb  $0x4,0x180(%edi)
  207bd7:       c7 45 98 00 00 00 00    movl   $0x0,0xffffff98(%ebp)

return;
  207bde:       0f 85 6c 04 00 00       jne    208050
<_dl_relocate_object+0x4a0
>



  if (!consider_profiling
      && __builtin_expect (l->l_info[DT_BIND_NOW] != NULL, 0))
    lazy = 0;

move "consider_profiling" to %edx
  207be4:       8b 55 14                mov    0x14(%ebp),%edx
  207be7:       85 d2                   test   %edx,%edx


  207be9:       0f 84 69 04 00 00       je     208058
<_dl_relocate_object+0x4a8
>
                  208058:       8b b7 80 00 00 00       mov    0x80(%edi),%esi
 WASHER: 0x80(%edi)== l->l_info[DT_BIND_NOW]
                  20805e:       b9 00 00 00 00          mov    $0x0,%ecx
                  208063:       85 f6                   test   %esi,%esi
                  208065:       0f 44 4d 10             cmove  0x10(%ebp),%ecx
                lazy=0
                  208069:       89 4d 10                mov    %ecx,0x10(%ebp)
                  20806c:       e9 7e fb ff ff          jmp    207bef <_dl_relocate_object+0x3f>


  if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_RELOC, 0))
    _dl_debug_printf ("\nrelocation processing: %s%s\n",
                      l->l_name[0] ? l->l_name : rtld_progname,
                      lazy ? " (lazy)" : "");


  207bef:       f6 83 cc fc ff ff 20    testb  $0x20,0xfffffccc(%ebx)
  207bf6:       0f 85 95 10 00 00       jne    208c91 <.L847+0x191>

                  208c91:       8b 4d 10                mov    0x10(%
ebp),%ecx
                  208c94:       8d 83 d0 cc ff ff       lea
0xffffccd0(%ebx),
%eax
                  208c9a:       8d 93 de c9 ff ff       lea
0xffffc9de(%ebx),
%edx
                  208ca0:       85 c9                   test   %ecx,%ecx
                  208ca2:       0f 44 c2                cmove  %edx,%eax
                  208ca5:       89 44 24 08             mov    %
eax,0x8(%esp)
                  208ca9:       8b 47 04                mov    0x4(%
edi),%eax
                  208cac:       80 38 00                cmpb   $0x0,(%
eax)
                  208caf:       75 08                   jne    208cb9
<.L847+0x1
b9>
                  208cb1:       8b bb 9c fe ff ff       mov
0xfffffe9c(%ebx),
%edi
                  208cb7:       8b 07                   mov    (%edi),%
eax
                  208cb9:       89 44 24 04             mov    %
eax,0x4(%esp)
                  208cbd:       8d b3 d8 cc ff ff       lea
0xffffccd8(%ebx),
%esi
                  208cc3:       89 34 24                mov    %esi,(%
esp)
                  208cc6:       e8 f5 26 00 00          call   20b3c0
<_dl_debug
_printf>
                  208ccb:       8b 7d 08                mov    0x8(%
ebp),%edi
                  208cce:       e9 29 ef ff ff          jmp    207bfc
<_dl_reloc
ate_object+0x4c>


  207bfc:       8b 47 78                mov    0x78(%edi),%eax
WASHER: 0x78(%edi)==l->l_info[DT_TEXTREL]
  207bff:       85 c0                   test   %eax,%eax
Here we skip around the HUGE block of code
  207c01:       0f 85 cc 10 00 00       jne    208cd3 <.L847+0x1d3>


  207c07:       8b 77 7c                mov    0x7c(%edi),%esi


    const char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);
  207c0a:       8b 4f 34                mov    0x34(%edi),%ecx



  207c0d:       85 f6                   test   %esi,%esi
WASHER BANG
  207c0f:       8b 51 04                mov    0x4(%ecx),%edx
  207c12:       0f 95 c1                setne  %cl




