request for help debugging a segfault in _dl_relocate_object
James Washer
washer@trlp.com
Mon Apr 28 18:26:00 GMT 2008
I'm fairly new at digging through libc code and have been trying to
determine the cause of a segfault in _dl_relocate_object.
On a system running RHEL4U6 we have an application core dump from a
segfault. glibc-2.3.4-2.38 provides the ld-linux.so that I'm looking at.
The program in question has done a dlopen on
"/opt/netcool/platform/linux2x86/jre_1.5.4/jre/bin/libawt.so" with flags
of RTLD_NOW.
Further up the stack (or down the stack, if you prefer) we end up in
_dl_relocate_object and segfault dereferencing a null pointer. The pointer in
question came from
const char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);
See the comment "BANG" near the bottom of the disassembly below; it marks the
instruction that faulted.
Any pointers (no pun intended) as to why l_info[DT_STRTAB] might be null
would be appreciated.
- jim
00207b40 <_dl_reloc_bad_type>:
207b40: 55 push %ebp
207b41: c1 e1 05 shl $0x5,%ecx
207b44: 89 e5 mov %esp,%ebp
207b46: 83 ec 38 sub $0x38,%esp
207b49: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
207b4c: e8 8a 90 00 00 call 210bdb <__i686.get_pc_thunk.bx>
207b51: 81 c3 83 d4 00 00 add $0xd483,%ebx
207b57: 89 7d fc mov %edi,0xfffffffc(%ebp)
207b5a: 8d bc 0b 4c c0 ff ff lea 0xffffc04c(%ebx,%ecx,1),%edi
207b61: 89 75 f8 mov %esi,0xfffffff8(%ebp)
207b64: 89 d6 mov %edx,%esi
207b66: 89 7c 24 04 mov %edi,0x4(%esp)
207b6a: 8d 7d d4 lea 0xffffffd4(%ebp),%edi
207b6d: 89 45 d0 mov %eax,0xffffffd0(%ebp)
207b70: 89 3c 24 mov %edi,(%esp)
207b73: e8 a8 8f 00 00 call 210b20 <__stpcpy>
207b78: c6 40 02 00 movb $0x0,0x2(%eax)
207b7c: 89 f2 mov %esi,%edx
207b7e: 8d 8b cc c6 ff ff lea 0xffffc6cc(%ebx),%ecx
207b84: c1 ea 04 shr $0x4,%edx
207b87: 83 e6 0f and $0xf,%esi
207b8a: 83 e2 0f and $0xf,%edx
207b8d: 0f b6 14 11 movzbl (%ecx,%edx,1),%edx
207b91: 88 10 mov %dl,(%eax)
207b93: 0f b6 14 31 movzbl (%ecx,%esi,1),%edx
207b97: 31 c9 xor %ecx,%ecx
207b99: 88 50 01 mov %dl,0x1(%eax)
207b9c: 8b 45 d0 mov 0xffffffd0(%ebp),%eax
207b9f: 8b 50 04 mov 0x4(%eax),%edx
207ba2: 89 3c 24 mov %edi,(%esp)
207ba5: 31 c0 xor %eax,%eax
207ba7: e8 54 27 00 00 call 20a300 <_dl_signal_error>
207bac: 8d 74 26 00 lea 0x0(%esi),%esi
00207bb0 <_dl_relocate_object>:
207bb0: 55 push %ebp
207bb1: 89 e5 mov %esp,%ebp
207bb3: 8d 45 08 lea 0x8(%ebp),%eax
207bb6: 57 push %edi
207bb7: 56 push %esi
207bb8: 53 push %ebx
207bb9: 81 ec 0c 01 00 00 sub $0x10c,%esp
move the link_map pointer "l" to edi
207bbf: 8b 7d 08 mov 0x8(%ebp),%edi
207bc2: 89 45 ec mov %eax,0xffffffec(%ebp)
207bc5: e8 11 90 00 00 call 210bdb <__i686.get_pc_thunk.bx>
207bca: 81 c3 0a d4 00 00 add $0xd40a,%ebx
207bd0: f6 87 80 01 00 00 04 testb $0x4,0x180(%edi)
207bd7: c7 45 98 00 00 00 00 movl $0x0,0xffffff98(%ebp)
return;
207bde: 0f 85 6c 04 00 00 jne 208050 <_dl_relocate_object+0x4a0>
if (!consider_profiling
&& __builtin_expect (l->l_info[DT_BIND_NOW] != NULL, 0))
lazy = 0;
move "consider_profiling" to %edx
207be4: 8b 55 14 mov 0x14(%ebp),%edx
207be7: 85 d2 test %edx,%edx
207be9: 0f 84 69 04 00 00 je 208058 <_dl_relocate_object+0x4a8>
208058: 8b b7 80 00 00 00 mov 0x80(%edi),%esi
WASHER: 0x80(%edi) == l->l_info[DT_BIND_NOW]
20805e: b9 00 00 00 00 mov $0x0,%ecx
208063: 85 f6 test %esi,%esi
208065: 0f 44 4d 10 cmove 0x10(%ebp),%ecx
lazy=0
208069: 89 4d 10 mov %ecx,0x10(%ebp)
20806c: e9 7e fb ff ff jmp 207bef <_dl_relocate_object+0x3f>
if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_RELOC, 0))
_dl_debug_printf ("\nrelocation processing: %s%s\n",
l->l_name[0] ? l->l_name : rtld_progname,
lazy ? " (lazy)" : "");
207bef: f6 83 cc fc ff ff 20 testb $0x20,0xfffffccc(%ebx)
207bf6: 0f 85 95 10 00 00 jne 208c91 <.L847+0x191>
208c91: 8b 4d 10 mov 0x10(%ebp),%ecx
208c94: 8d 83 d0 cc ff ff lea 0xffffccd0(%ebx),%eax
208c9a: 8d 93 de c9 ff ff lea 0xffffc9de(%ebx),%edx
208ca0: 85 c9 test %ecx,%ecx
208ca2: 0f 44 c2 cmove %edx,%eax
208ca5: 89 44 24 08 mov %eax,0x8(%esp)
208ca9: 8b 47 04 mov 0x4(%edi),%eax
208cac: 80 38 00 cmpb $0x0,(%eax)
208caf: 75 08 jne 208cb9 <.L847+0x1b9>
208cb1: 8b bb 9c fe ff ff mov 0xfffffe9c(%ebx),%edi
208cb7: 8b 07 mov (%edi),%eax
208cb9: 89 44 24 04 mov %eax,0x4(%esp)
208cbd: 8d b3 d8 cc ff ff lea 0xffffccd8(%ebx),%esi
208cc3: 89 34 24 mov %esi,(%esp)
208cc6: e8 f5 26 00 00 call 20b3c0 <_dl_debug_printf>
208ccb: 8b 7d 08 mov 0x8(%ebp),%edi
208cce: e9 29 ef ff ff jmp 207bfc <_dl_relocate_object+0x4c>
207bfc: 8b 47 78 mov 0x78(%edi),%eax
WASHER: 0x78(%edi) == l->l_info[DT_TEXTREL]
207bff: 85 c0 test %eax,%eax
Here we jump around the large block of code (not shown here)
207c01: 0f 85 cc 10 00 00 jne 208cd3 <.L847+0x1d3>
207c07: 8b 77 7c mov 0x7c(%edi),%esi
const char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);
207c0a: 8b 4f 34 mov 0x34(%edi),%ecx
207c0d: 85 f6 test %esi,%esi
WASHER: BANG -- the faulting instruction; it dereferences %ecx, which was loaded from 0x34(%edi) above and is NULL
207c0f: 8b 51 04 mov 0x4(%ecx),%edx
207c12: 0f 95 c1 setne %cl