[GHC] #11133: Misaligned stack leads to dynamic linker crash

#11133: Misaligned stack leads to dynamic linker crash
--------------------------------------+----------------------------------
        Reporter:  trippels           |             Owner:
            Type:  bug                |            Status:  new
        Priority:  normal             |         Milestone:
       Component:  Compiler           |           Version:  7.10.2
        Keywords:                     |  Operating System:  Linux
    Architecture:  x86_64 (amd64)     |   Type of failure:  Runtime crash
       Test Case:                     |        Blocked By:
        Blocking:                     |   Related Tickets:
Differential Rev(s):                  |         Wiki Page:
--------------------------------------+----------------------------------
{{{
Running programs compiled with ghc leads to a crash of the glibc dynamic
linker. This happens because ghc doesn't align the stack correctly during
lazy symbol resolution.

Example:

markus@x4 glibc-build % gdb --args /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2 /home/markus/bin/xmonad
Reading symbols from /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2...done.
(gdb) run
Starting program: /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2 /home/markus/bin/xmonad
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb", undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170, symbol_scope=0x7ffff7649828, version=0x0, type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
809       struct sym_val current_value = { NULL, NULL };
(gdb) bt
#0  _dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb", undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170, symbol_scope=0x7ffff7649828, version=0x0, type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
#1  0x0000555555564413 in _dl_fixup (l=<optimized out>, reloc_arg=<optimized out>) at ../elf/dl-runtime.c:111
#2  0x000055555556ce1f in _dl_runtime_resolve_sse () at ../sysdeps/x86_64/dl-trampoline.h:112
#3  0x00007ffff762093a in __gmpn_divrem_1 () from /usr/lib/libgmp.so.10
#4  0xee6b280000000000 in ?? ()
#5  0x00007ffff6b0b138 in ?? ()
#6  0x00007ffff6b057d0 in ?? ()
#7  0x00000000ffffffe2 in ?? ()
#8  0x00007ffff6b057b8 in ?? ()
#9  0x00007ffff6b051b0 in ?? ()
#10 0x00007ffff6b0b1b0 in ?? ()
#11 0x00000000006b47d8 in ?? ()
#12 0x00000000006142a9 in ?? ()
#13 0x0000000000000000 in ?? ()
(gdb) disass
Dump of assembler code for function _dl_lookup_symbol_x:
...
=> 0x000055555555e93a <+154>:   movaps %xmm0,-0x80(%rbp)

The crash happens because the incoming stack alignment is wrong:

rax            0xffffffff          4294967295
rbx            0x7ffff763c360      140737343898464
rcx            0x7ffff75cb3d7      140737343435735
rdx            0x0                 0
rsi            0x33f9b936d4fb49a0  3745228210287888800
rdi            0x7ffff75cb3c5      140737343435717
rbp            0x7fffffffa148      0x7fffffffa148
rsp            0x7fffffffa058      0x7fffffffa058
r8             0x0                 0
r9             0x1                 1
r10            0x7ffff76494d0      140737343952080
r11            0x7ffff7620840      140737343785024
r12            0x0                 0
r13            0x0                 0
r14            0x7ffff76494d0      140737343952080
r15            0x7fffffffa170      140737488331120
rip            0x55555555e93a      0x55555555e93a <_dl_lookup_symbol_x+154>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

0000000000001470 <_dl_lookup_symbol_x>:
    1470:  55                      push   %rbp
    1471:  48 89 e5                mov    %rsp,%rbp
    1474:  41 57                   push   %r15
    1476:  41 56                   push   %r14
    1478:  41 55                   push   %r13
    147a:  41 54                   push   %r12
    147c:  49 89 d5                mov    %rdx,%r13
    147f:  53                      push   %rbx
    1480:  49 89 f7                mov    %rsi,%r15
    1483:  4d 89 c6                mov    %r8,%r14
    1486:  48 81 ec a8 00 00 00    sub    $0xa8,%rsp
    148d:  0f b6 17                movzbl (%rdi),%edx
    1490:  48 89 bd 68 ff ff ff    mov    %rdi,-0x98(%rbp)
    1497:  48 89 8d 50 ff ff ff    mov    %rcx,-0xb0(%rbp)
    149e:  44 89 8d 5c ff ff ff    mov    %r9d,-0xa4(%rbp)
    14a5:  4c 8b 65 18             mov    0x18(%rbp),%r12
    14a9:  84 d2                   test   %dl,%dl
    14ab:  0f 84 cb 02 00 00       je     177c <_dl_lookup_symbol_x+0x30c>
    14b1:  48 89 f9                mov    %rdi,%rcx
    14b4:  b8 05 15 00 00          mov    $0x1505,%eax
    14b9:  0f 1f 80 00 00 00 00    nopl   0x0(%rax)
    14c0:  48 89 c6                mov    %rax,%rsi
    14c3:  48 83 c1 01             add    $0x1,%rcx
    14c7:  48 c1 e6 05             shl    $0x5,%rsi
    14cb:  48 01 f0                add    %rsi,%rax
    14ce:  48 01 d0                add    %rdx,%rax
    14d1:  0f b6 11                movzbl (%rcx),%edx
    14d4:  84 d2                   test   %dl,%dl
    14d6:  75 e8                   jne    14c0 <_dl_lookup_symbol_x+0x50>
    14d8:  89 c0                   mov    %eax,%eax
    14da:  48 89 85 60 ff ff ff    mov    %rax,-0xa0(%rbp)
    14e1:  66 0f ef c0             pxor   %xmm0,%xmm0
    14e5:  b8 ff ff ff ff          mov    $0xffffffff,%eax
    14ea:  4d 85 f6                test   %r14,%r14
    14ed:  48 89 85 78 ff ff ff    mov    %rax,-0x88(%rbp)
=>  14f4:  0f 29 45 80             movaps %xmm0,-0x80(%rbp)

(0x7fffffffa058 + 0xa8) % 16 == 0 (instead of the correct 8)

Please see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68537 for further info.
}}}

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/11133
GHC http://www.haskell.org/ghc/
The Glasgow Haskell Compiler
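The alignment arithmetic behind the report, as an added example (not from the ticket, GHC, glibc or GMP): the frame-layout constants are read off the objdump listing above, the register values are the ones from the gdb session, and the functions check the x86-64 SysV rule that rsp is 8 mod 16 on function entry (the caller's rsp is 16-byte aligned just before `call`, and the pushed return address shifts it by 8). The code reasons mod 16 only, since that is all the movaps check needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Frame of _dl_lookup_symbol_x as read from the listing in the report:
 * push %rbp; mov %rsp,%rbp; pushes of r15,r14,r13,r12,rbx; sub $0xa8,%rsp;
 * ... movaps %xmm0,-0x80(%rbp). */
#define TOTAL_PUSHES   6      /* rbp + r15 + r14 + r13 + r12 + rbx */
#define FRAME_SUB      0xa8u
#define MOVAPS_OFFSET  0x80u  /* faulting store is at rbp - 0x80 */

/* ABI rule: (rsp + 8) is 16-byte aligned when a function is entered. */
bool abi_entry_ok(uint64_t entry_rsp)
{
    return (entry_rsp + 8) % 16 == 0;
}

/* rsp mod 16 at function entry, recovered from the rsp seen after the
 * prologue (the reporter's "rsp + 0xa8" undoes the sub; 6 pushes = 48 bytes
 * do not change the residue mod 16). */
unsigned entry_rsp_mod16(uint64_t body_rsp)
{
    uint64_t before_sub = body_rsp + FRAME_SUB;
    uint64_t at_entry   = before_sub + 8 * TOTAL_PUSHES;
    return (unsigned)(at_entry % 16);
}

/* What the compiler assumed: rbp = entry_rsp - 8, so the movaps target is
 * entry_rsp - 0x88, which is 16-aligned exactly when entry_rsp is 8 mod 16. */
unsigned required_entry_mod16(void)
{
    return (8 + MOVAPS_OFFSET) % 16;
}

/* Residue of the actual movaps destination; must be 0 or the store faults. */
unsigned movaps_target_mod16(uint64_t rbp)
{
    return (unsigned)((rbp - MOVAPS_OFFSET) % 16);
}

int main(void)
{
    const uint64_t rsp = 0x7fffffffa058ULL;  /* from the gdb register dump */
    const uint64_t rbp = 0x7fffffffa148ULL;
    printf("entry rsp %% 16 = %u (compiler requires %u, ABI guarantees 8)\n",
           entry_rsp_mod16(rsp), required_entry_mod16());
    printf("movaps target %% 16 = %u (must be 0)\n", movaps_target_mod16(rbp));
    return 0;
}
```

The mismatch (0 observed, 8 required) is the whole story: the code in _dl_lookup_symbol_x is correct under the ABI, and the caller that reached the PLT with a misaligned rsp is the component to fix.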

#11133: Misaligned stack leads to dynamic linker crash
----------------------------------+--------------------------------------
        Reporter:  trippels        |               Owner:
            Type:  bug             |              Status:  closed
        Priority:  normal          |           Milestone:
       Component:  Compiler        |             Version:  7.10.2
      Resolution:  invalid         |            Keywords:
Operating System:  Linux           |        Architecture:  x86_64 (amd64)
 Type of failure:  Runtime crash   |           Test Case:
      Blocked By:                  |            Blocking:
 Related Tickets:                  |  Differential Rev(s):
       Wiki Page:                  |
----------------------------------+--------------------------------------
Changes (by trippels):

 * status:  new => closed
 * resolution:   => invalid

Comment:

 It turned out to be a GMP bug. From the GMP 6.1.0 release notes:
 Fixed ABI incompatible stack alignment in calls from assembly code.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/11133#comment:1

#11133: Misaligned stack leads to dynamic linker crash

Comment (by rwbarton):

 This kind of report is still super helpful since others may encounter the
 same issue. Thanks!

 Do you happen to know whether this GMP bug was introduced in a recent
 version of GMP?

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/11133#comment:2

#11133: Misaligned stack leads to dynamic linker crash

Comment (by trippels):

 I assume it was introduced in GMP 6.0.0, that was released in March 2014.
 Unfortunately they have no public source repository, so one cannot easily
 double check.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/11133#comment:3

#11133: Misaligned stack leads to dynamic linker crash

Comment (by trippels):

 Oh, it turns out they actually have one. See:
 https://gmplib.org/repo/gmp/log?rev=stack (the fixes from July 2014)

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/11133#comment:4