https://sourceware.org/bugzilla/show_bug.cgi?id=29170
Bug ID: 29170
Summary: Integer divide by zero, which results in SIGFPE during the processing of program input
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: nils_b...@t-online.de
Target Milestone: ---

Created attachment 14112
--> https://sourceware.org/bugzilla/attachment.cgi?id=14112&action=edit
Reproduction scripts and bug triggering input.

Integer divide by zero, which results in SIGFPE during the processing of program input

# Description

During processing of the attached input file via

```
/binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
```

an SIGFPE is triggered.

For reproduction of the crash, I attach a Docker container. Run ./build_upstream.sh to build the Docker image and ./reproduce-upstream.sh to reproduce the crash.

If you need further details, please feel free to ask.

# Version

The input was tested on branch binutils-2_38 of git://sourceware.org/git/binutils-gdb.git commit 20756b0fbe065a84710aa38f2457563b57546440.

# Valgrind

```
[+] Running valgrind /binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /binutils-gdb/binutils/objdump -a -C -g -D -f -F -h -l -p -r -R -s -S -G -t --dynamic-syms --special-syms -x /testcase
==1==
/binutils-gdb/binutils/objdump: warning: /testcase has a section extending past end of file

/testcase:     file format elf32-little
/testcase
architecture: UNKNOWN!, flags 0x00000000:
start address 0xedff04f0

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .debug_names  00000100  00001d00  00001d00  00000034  2**0
                  CONTENTS, READONLY, DEBUGGING, OCTETS
/binutils-gdb/binutils/objdump: /testcase: not a dynamic object
/binutils-gdb/binutils/objdump: can't disassemble for architecture UNKNOWN!

SYMBOL TABLE:
no symbols

DYNAMIC SYMBOL TABLE:
no symbols

Contents of section .debug_names:  (Starting at file offset: 0x34)
 1d00 7d000000 05000000 00000000 01000000  }...............
 1d10 00000000 00000000 02000000 15000000  ................
 1d20 00000000 00000500 00000000 00000000  ................
 1d30 00000000 00000000 00ff00b4 00000000  ................
 1d40 00000000 0000f6ff 00000400 00000000  ................
 1d50 02000000 00000000 0f00fffa 00000000  ................
 1d60 6c00fdff deff0008 48080000 d9ec0000  l.......H.......
 1d70 01de0800 0fe70000 00000000 00000000  ................
 1d80 002e7355 92747274 ff62002e 64656275  ..sU.trt.b..debu
 1d90 675f6e61 6d657300 00000076 00000040  g_names....v...@
 1da0 00001500 00000000 00000000 0000002a  ...............*
 1db0 00000000 00000000 64d00000 00000000  ........d.......
 1dc0 00000000 0b000000 0b000007 00000000  ................
 1dd0 001d0000 34000000 00010000 00000000  ....4...........
 1de0 00000000 01000000 10000000 01000000  ................
 1df0 03000000 00000000 00000200 b4000000  ................

Contents of the .debug_names section (loaded from /testcase):

Version 5
/binutils-gdb/binutils/objdump: Warning: Compilation unit count must be >= 1 in .debug_names
==1==
==1== Process terminating with default action of signal 8 (SIGFPE): dumping core
==1==  Integer divide by zero at address 0x1009667D6C
==1==    at 0x188FEC: display_debug_names (dwarf.c:9787)
==1==    by 0x173EE3: dump_dwarf_section (objdump.c:3982)
==1==    by 0x1F10D6: bfd_map_over_sections (section.c:1383)
==1==    by 0x16CB53: dump_dwarf (objdump.c:4020)
==1==    by 0x16FAC8: dump_bfd (objdump.c:5184)
==1==    by 0x16FCEC: display_object_bfd (objdump.c:5221)
==1==    by 0x16FCEC: display_any_bfd (objdump.c:5311)
==1==    by 0x169C57: display_file (objdump.c:5332)
==1==    by 0x169C57: display_file (objdump.c:5315)
==1==    by 0x169C57: main (objdump.c:5700)
Augmentation string: ("")

CU table:

TU table:
[  0] 0x50000

Foreign TU table:

Used 0 of 0 buckets.
==1==
==1== HEAP SUMMARY:
==1==     in use at exit: 45,698 bytes in 10 blocks
==1==   total heap usage: 26 allocs, 16 frees, 131,756 bytes allocated
==1==
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 45,698 bytes in 10 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

valgrind: the 'impossible' happened:
   main(): signal was supposed to be fatal

host stacktrace:
==1==    at 0x58046FFA: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux)
==1==    by 0x58047127: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux)
==1==    by 0x58047390: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux)
==1==    by 0x580473C0: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux)
==1==    by 0x580BA566: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux)
==1==    by 0x580F6117: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1
```

--
You are receiving this mail because:
You are on the CC list for the bug.
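Added example, not part of the bug report or of binutils: a reader for the DWARF 5 .debug_names fixed header that rejects the counts objdump complained about (a compilation unit count of 0, and the "0 of 0 buckets" it printed) before any arithmetic divides by them. The sample bytes are the first 36 bytes of the hex dump in the report; the field layout is the one the DWARF 5 specification gives, and the error codes and function names are this example's own, not dwarf.c's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* DWARF 5 .debug_names header (32-bit DWARF), fields in wire order. */
struct debug_names_hdr {
    uint32_t unit_length, comp_unit_count, local_type_unit_count, foreign_type_unit_count,
             bucket_count, name_count, abbrev_table_size, augmentation_string_size;
    uint16_t version;
};

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
/* Validate the fixed header before anything divides by its counts.
   Returns 0 if usable, otherwise a negative code naming the rejected field. */
int parse_debug_names_hdr(const uint8_t *buf, size_t len, struct debug_names_hdr *h)
{
    if (len < 36) return -1;                        /* fixed header is 36 bytes */
    h->unit_length = rd32(buf);
    if (h->unit_length == 0xffffffffu) return -2;   /* 64-bit DWARF: not handled here */
    h->version = (uint16_t)(buf[4] | buf[5] << 8);  /* buf[6..7] is padding */
    h->comp_unit_count          = rd32(buf + 8);
    h->local_type_unit_count    = rd32(buf + 12);
    h->foreign_type_unit_count  = rd32(buf + 16);
    h->bucket_count             = rd32(buf + 20);
    h->name_count               = rd32(buf + 24);
    h->abbrev_table_size        = rd32(buf + 28);
    h->augmentation_string_size = rd32(buf + 32);
    if (h->version != 5) return -3;
    if (h->comp_unit_count == 0) return -4;         /* objdump's "must be >= 1" warning */
    if (h->bucket_count == 0) return -5;            /* hash % bucket_count would trap */
    return 0;
}

/* Bucket lookup guarded by the same invariant: -1 instead of a SIGFPE. */
long bucket_index(uint32_t hash, const struct debug_names_hdr *h)
{ return h->bucket_count ? (long)(hash % h->bucket_count) : -1; }
/* First 36 bytes of the reported section, copied from the hex dump in the report. */
static const uint8_t SAMPLE_HDR[36] = {
    0x7d,0,0,0, 0x05,0,0,0, 0,0,0,0, 0x01,0,0,0,
    0,0,0,0, 0,0,0,0, 0x02,0,0,0, 0x15,0,0,0, 0,0,0,0 };
/* Parse the sample with comp_unit_count / bucket_count patched (0 = leave as is). */
int check_sample(uint8_t cu_count, uint8_t buckets, struct debug_names_hdr *h)
{
    uint8_t buf[36];
    memcpy(buf, SAMPLE_HDR, sizeof buf);
    if (cu_count) buf[8] = cu_count;
    if (buckets) buf[20] = buckets;
    return parse_debug_names_hdr(buf, sizeof buf, h);
}
```

Decoding the report's own bytes gives version 5, comp_unit_count 0, one local type unit (the single TU table entry 0x50000 that objdump printed), bucket_count 0 and name_count 2, so the header is refused at the comp_unit_count check and, with that patched, at the bucket_count check.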