I encountered several different, but reproducible, segfaults in _bfd_dwarf2_find_nearest_line() in bfd/dwarf2.c. Currently, I'm using binutils-2.19.51, but I've seen this happening with 2.16, and 2.18 too.
uname: Linux dop131 2.6.31.12-0.1-default #1 SMP 2010-01-27 08:20:11 +0100 x86_64 x86_64 x86_64 GNU/Linux

I can trigger these segfaults as follows:

1) Create a program that allocates chunks of memory that are never freed. Size doesn't really matter; I used 1MiB chunks.
2) Write a terminate handler that generates a backtrace, using the bfd routines to translate addresses to filename and line number, etc.
3) Create a script that gradually trims down the amount of virtual memory available and run the program over and over.

I usually get segfaults when the amount of vmem is a little over 100MB, but YMMV. There appear to be several "sweet spots" that can trigger it. Most of the time, however, the program will neatly abort, after printing a (partial) backtrace; only sometimes it segfaults.

IMHO this is due to the fact that in bfd/dwarf2.c there are several places where memory is allocated with bfd_alloc (or bfd_zalloc), but the return value is never checked. This can result in dereferencing a null pointer.
Here's a sample gdb backtrace:

#0  add_line_info (table=0x620cd0, address=4197759, filename=0x6233c0 "/export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/test/tBacktrace.cc", line=38, column=0, end_sequence=<value optimized out>) at ../../bfd/dwarf2.c:984
#1  0x00007ffff79ccf36 in decode_line_info (unit=<value optimized out>, stash=<value optimized out>) at ../../bfd/dwarf2.c:1418
#2  0x00007ffff79cddba in comp_unit_find_nearest_line (unit=0x6, addr=4197686, filename_ptr=<value optimized out>, functionname_ptr=<value optimized out>, linenumber_ptr=<value optimized out>, stash=<value optimized out>) at ../../bfd/dwarf2.c:2271
#3  0x00007ffff79cef1d in find_line (abfd=<value optimized out>, section=<value optimized out>, offset=<value optimized out>, symbol=<value optimized out>, symbols=<value optimized out>, filename_ptr=<value optimized out>, functionname_ptr=0x7fffffffd6f0, linenumber_ptr=0x7fffffffd6f8, addr_size=4, pinfo=0x605638) at ../../bfd/dwarf2.c:3210
#4  0x00007ffff79cf6f7 in _bfd_dwarf2_find_nearest_line (abfd=0x6, section=0x4000000, symbols=0x0, offset=0, filename_ptr=<value optimized out>, functionname_ptr=<value optimized out>, linenumber_ptr=0x7fffffffd6f8, addr_size=0, pinfo=0x605638) at ../../bfd/dwarf2.c:3245
#5  0x00007ffff79da4aa in _bfd_elf_find_nearest_line (abfd=0x6050f0, section=0x613298, symbols=0x606250, offset=246, filename_ptr=0x7fffffffd6e8, functionname_ptr=0x7fffffffd6f0, line_ptr=0x7fffffffd6f8) at ../../bfd/elf.c:7155
#6  0x00007ffff79b613a in LOFAR::AddressTranslator::do_find_address_in_section (this=0x7fffffffd6e0, abfd=0x6050f0, section=0x613298) at /export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/src/AddressTranslator.cc:155
#7  0x00007ffff79b604f in LOFAR::AddressTranslator::find_address_in_section (abfd=0x6050f0, section=0x613298, data=0x7fffffffd6e0) at /export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/src/AddressTranslator.cc:130
#8  0x00007ffff79c4dac in bfd_map_over_sections (abfd=0x6050f0, operation=0x7ffff79b601c <LOFAR::AddressTranslator::find_address_in_section(bfd*, asection*, void*)>, user_storage=0x7fffffffd6e0) at ../../bfd/section.c:1232
#9  0x00007ffff79b5e9f in LOFAR::AddressTranslator::operator() (this=0x7fffffffd6e0, trace=std::vector of length 10, capacity 10 = {...}, addr=0x7fffffffd770, size=10) at /export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/src/AddressTranslator.cc:85
#10 0x00007ffff79b73b2 in LOFAR::Backtrace::print (this=0x7fffffffd770, os=...) at /export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/src/Backtrace.cc:55
#11 0x00007ffff79b764a in LOFAR::operator<< (os=..., st=...) at /export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/src/Backtrace.cc:82
#12 0x00007ffff79761f7 in LOFAR::Exception::terminate () at /export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/src/Exception.cc:81
#13 0x00007ffff69231f6 in __cxxabiv1::__terminate (handler=0x6) at ../../../../libstdc++-v3/libsupc++/eh_terminate.cc:38
#14 0x00007ffff6923223 in std::terminate () at ../../../../libstdc++-v3/libsupc++/eh_terminate.cc:48
#15 0x00007ffff692331e in __cxxabiv1::__cxa_throw (obj=<value optimized out>, tinfo=<value optimized out>, dest=<value optimized out>) at ../../../../libstdc++-v3/libsupc++/eh_throw.cc:83
#16 0x00007ffff69237ad in operator new (sz=200000) at ../../../../libstdc++-v3/libsupc++/new_op.cc:58
#17 0x00007ffff6923869 in operator new[] (sz=6) at ../../../../libstdc++-v3/libsupc++/new_opv.cc:32
#18 0x0000000000400d36 in main () at /export/home/loose/work/LOFAR_Bug1390/LOFAR/LCS/Common/test/tBacktrace.cc:35

-- 
Summary: Segfault in _bfd_dwarf2_find_nearest_line
Product: binutils
Version: 2.19
Status: NEW
Severity: normal
Priority: P2
Component: binutils
AssignedTo: unassigned at sources dot redhat dot com
ReportedBy: loose at astron dot nl
CC: bug-binutils at gnu dot org
http://sourceware.org/bugzilla/show_bug.cgi?id=11302
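The failure mode the report describes, shown as an added example that is not part of the bug report and not binutils code: a toy bfd_alloc-style arena that returns NULL once its budget is exhausted (the condition the reporter provokes by shrinking the vmem limit), a line-table insert written the way the report says dwarf2.c does it (the allocation result is dereferenced without a check, so out-of-memory becomes a NULL dereference), and the hardened form that checks every allocation and reports failure to its caller so decoding can stop with a partial backtrace instead of SIGSEGV. The arena, the struct layout, the function names (arena_alloc, add_line_unchecked, add_line_checked, decode_lines) and the constructed rows are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a bfd_alloc-style arena (not the real bfd objalloc):
 * hands out memory from a fixed budget and returns NULL once it is exhausted. */
struct arena { unsigned char *base; size_t size; size_t used; };

static bool arena_init(struct arena *a, size_t size)
{
    a->base = calloc(1, size ? size : 1);
    a->size = size;
    a->used = 0;
    return a->base != NULL;
}

static void *arena_alloc(struct arena *a, size_t n)
{
    n = (n + 15) & ~(size_t)15;             /* keep every block 16-byte aligned */
    if (a->size - a->used < n)
        return NULL;                        /* the case every caller must check */
    void *p = a->base + a->used;
    a->used += n;
    return p;
}

static void arena_free(struct arena *a) { free(a->base); a->base = NULL; }

/* One line-table row, modelled loosely on the address/file/line records that
 * add_line_info() appends while decoding .debug_line (layout is made up). */
struct line_info {
    unsigned long address;
    char *filename;
    unsigned int line;
    struct line_info *prev;
};

struct line_table { struct arena *arena; struct line_info *last; size_t count; };

/* The pattern the report describes: the allocation result is used without a
 * check, so an out-of-memory condition turns into SIGSEGV instead of an error.
 * Only safe to call while the arena still has room. */
static void add_line_unchecked(struct line_table *t, unsigned long addr,
                               const char *file, unsigned int line)
{
    struct line_info *info = arena_alloc(t->arena, sizeof *info);
    info->address = addr;                   /* NULL dereference if alloc failed */
    info->filename = arena_alloc(t->arena, strlen(file) + 1);
    strcpy(info->filename, file);           /* and again here */
    info->line = line;
    info->prev = t->last;
    t->last = info;
    t->count++;
}

/* Hardened form: check every allocation and report failure to the caller,
 * which can stop decoding and print the partial backtrace it already has. */
static bool add_line_checked(struct line_table *t, unsigned long addr,
                             const char *file, unsigned int line)
{
    struct line_info *info = arena_alloc(t->arena, sizeof *info);
    if (info == NULL)
        return false;
    info->filename = arena_alloc(t->arena, strlen(file) + 1);
    if (info->filename == NULL)
        return false;                       /* arena memory is reclaimed as a whole */
    strcpy(info->filename, file);
    info->address = addr;
    info->line = line;
    info->prev = t->last;
    t->last = info;
    t->count++;
    return true;
}

struct decode_result { size_t rows; bool oom; };

/* Decode NROWS constructed rows (addresses and file name invented for the
 * example) into a table backed by an arena of BUDGET bytes, via the checked
 * insert. Stops cleanly, with oom set, when the arena runs out. */
static struct decode_result decode_lines(size_t budget, size_t nrows)
{
    struct arena a;
    struct line_table t = { &a, NULL, 0 };
    struct decode_result r = { 0, false };
    if (!arena_init(&a, budget)) { r.oom = true; return r; }
    for (size_t i = 0; i < nrows; i++) {
        if (!add_line_checked(&t, 0x400d00 + 4 * i, "tBacktrace.cc", 35 + (unsigned)i)) {
            r.oom = true;
            break;
        }
    }
    r.rows = t.count;
    arena_free(&a);
    return r;
}

int main(void)
{
    struct arena a;
    struct line_table t = { &a, NULL, 0 };
    arena_init(&a, 1 << 20);
    add_line_unchecked(&t, 0x400d36, "tBacktrace.cc", 35);   /* fine: plenty of room */
    arena_free(&a);

    struct decode_result ok = decode_lines(1 << 20, 100);
    struct decode_result tight = decode_lines(100, 100);
    printf("1 MiB arena: %zu rows, oom=%d\n", ok.rows, ok.oom);
    printf("100-byte arena: %zu rows, oom=%d (no crash)\n", tight.rows, tight.oom);
    return 0;
}
```

With the 100-byte arena the checked path stores the rows that fit and returns with oom set; swapping add_line_unchecked into that loop is what reproduces the report's crash. The reporter's step 3 amounts to running the real program in a loop under a shrinking `ulimit -v`, which is how the allocator is made to return NULL in practice.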