Bug 588293 - systemtap crashes during preload build
Summary: systemtap crashes during preload build
Status: RESOLVED FIXED
Alias: None
Product: openSUSE 11.3
Classification: openSUSE
Component: Other
Version: Milestone 3
Hardware: Other Other
Priority: P5 - None
Severity: Critical (1 vote)
Target Milestone: ---
Assignee: Tony Jones
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-15 10:48 UTC by Stephan Kulow
Modified: 2019-02-18 09:02 UTC
CC List: 0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Stephan Kulow 2010-03-15 10:48:07 UTC
100% reproducible ;(

Program received signal SIGSEGV, Segmentation fault.
               
#0  0x00007ffff7bd2755 in ebl_abi_cfi (ebl=0xbabababababababa, abi_info=0x7fffffff9c70) at eblabicfi.c:62
#1  0x00007ffff7bbf68e in cie_cache_initial_state (cache=0x2daa818, fde=0x2ea9c40, address=18446744071580105296, frame=0x7fffffff9d78) at cfi.c:429
#2  __libdw_frame_at_address (cache=0x2daa818, fde=0x2ea9c40, address=18446744071580105296, frame=0x7fffffff9d78) at cfi.c:480                     
#3  0x00007ffff7bbfc75 in dwarf_cfi_addrframe (cache=0x2daa818, address=18446744071580105296, frame=<value optimized out>) at dwarf_cfi_addrframe.c:70
#4  0x00000000004fd4c7 in dwflpp::get_cfa_ops (this=0x1967a60, pc=18446744071580105296) at dwflpp.cxx:2835                                            
#5  0x0000000000504e1c in dwflpp::translate_location (this=0x1967a60, pool=0x7fffffff9f70, attr=0x7fffffffa030, pc=18446744071580105296, fb_attr=0x7fffffffa050, tail=0x7fffffffa118, 
    e=0x2db49f0) at dwflpp.cxx:1731                                                                                                                                                   
#6  0x0000000000508d98 in dwflpp::literal_stmt_for_local (this=0x1967a60, scopes=..., pc=18446744071580105296, local=<value optimized out>, e=0x2db49f0, lvalue=false, ty=@0x2db4bb8) 
    at dwflpp.cxx:2341                                                                                                                                                                
#7  0x00000000004a5241 in dwarf_var_expanding_visitor::visit_target_symbol (this=0x7fffffffa6f0, e=0x2db49f0) at tapsets.cxx:2422                                                     
#8  0x000000000043a2a9 in require<expression> (this=0x7fffffffa6f0, e=0x2db49a0) at staptree.h:866                                                                                    
#9  replace<expression> (this=0x7fffffffa6f0, e=0x2db49a0) at staptree.h:882                                                                                                          
#10 update_visitor::visit_functioncall (this=0x7fffffffa6f0, e=0x2db49a0) at staptree.cxx:2436                                                                                        
#11 0x00000000004399df in require<expression> (this=0x7fffffffa6f0, e=0x1979f70) at staptree.h:866                                                                                    
#12 replace<expression> (this=0x7fffffffa6f0, e=0x1979f70) at staptree.h:882                                                                                                          
#13 update_visitor::visit_concatenation (this=0x7fffffffa6f0, e=0x1979f70) at staptree.cxx:2381                                                                                       
#14 0x0000000000438da9 in require<expression> (this=0x7fffffffa6f0, e=0x2db5010) at staptree.h:866                                                                                    
#15 replace<expression> (this=0x7fffffffa6f0, e=0x2db5010) at staptree.h:882                                                                                                          
#16 update_visitor::visit_print_format (this=0x7fffffffa6f0, e=0x2db5010) at staptree.cxx:2444                                                                                        
#17 0x0000000000436e3f in require<expression> (this=0x7fffffffa6f0, s=0x2db5240) at staptree.h:866                                                                                    
#18 replace<expression> (this=0x7fffffffa6f0, s=0x2db5240) at staptree.h:882                                                                                                          
#19 update_visitor::visit_expr_statement (this=0x7fffffffa6f0, s=0x2db5240) at staptree.cxx:2238                                                                                      
#20 0x00000000004368a9 in require<statement> (this=0x7fffffffa6f0, s=0x2276690) at staptree.h:866                                                                                     
#21 replace<statement> (this=0x7fffffffa6f0, s=0x2276690) at staptree.h:882                                                                                                           
#22 update_visitor::visit_block (this=0x7fffffffa6f0, s=0x2276690) at staptree.cxx:2219                                                                                               
#23 0x0000000000491fb6 in require<statement> (this=0x2db5130, funcname=<value optimized out>, filename=<value optimized out>, line=1326, module=..., section=...,                     
    dwfl_addr=18446744071580105296, addr=1259712, q=..., scope_die=0x2276608) at staptree.h:866                                                                                       
#24 replace<statement> (this=0x2db5130, funcname=<value optimized out>, filename=<value optimized out>, line=1326, module=..., section=..., dwfl_addr=18446744071580105296,           
    addr=1259712, q=..., scope_die=0x2276608) at staptree.h:882                                                                                                                       
#25 dwarf_derived_probe::dwarf_derived_probe (this=0x2db5130, funcname=<value optimized out>, filename=<value optimized out>, line=1326, module=..., section=...,                     
    dwfl_addr=18446744071580105296, addr=1259712, q=..., scope_die=0x2276608) at tapsets.cxx:2917                                                                                     
#26 0x0000000000494294 in dwarf_query::add_probe_point (this=0x7fffffffb070, funcname=..., filename=<value optimized out>, line=<value optimized out>,                                
    scope_die=<value optimized out>, addr=18446744071580105296) at tapsets.cxx:1071                                                                                                   
#27 0x000000000049454a in query_statement (func=..., file=<value optimized out>, line=-25224, scope_die=0x1, stmt_addr=186, q=0x7fffffffb070) at tapsets.cxx:1158                     
#28 0x00000000004945f3 in query_func_info (entrypc=<value optimized out>, fi=<value optimized out>, q=0x7fffffffb070) at tapsets.cxx:1349                                             
#29 0x0000000000495a2f in query_cu (cudie=0x7fffffff9c70, arg=0x7fffffffb070) at tapsets.cxx:1616                                                                                     
#30 0x0000000000500295 in dwflpp::iterate_over_cus (this=<value optimized out>, callback=0x4957a0 <query_cu(Dwarf_Die*, void*)>, data=0x7fffffffb070) at dwflpp.cxx:416               
#31 0x0000000000495558 in dwarf_query::handle_query_module (this=0x7fffffffb070) at tapsets.cxx:883                                                                                   
#32 0x000000000049cbd7 in query_module (mod=0x196a940, name=<value optimized out>, addr=<value optimized out>, arg=0x7fffffffb070) at tapsets.cxx:1811                                
#33 0x00007ffff7bc45aa in dwfl_getmodules (dwfl=0x1967fe0, callback=0x49ca00 <query_module(Dwfl_Module*, void**, char const*, Dwarf_Addr, void*)>, arg=0x7fffffffb070,                
    offset=<value optimized out>) at dwfl_getmodules.c:103                                                                                                                            
#34 0x0000000000493448 in dwarf_builder::build (this=<value optimized out>, sess=<value optimized out>, base=<value optimized out>, location=<value optimized out>, parameters=...,   
    finished_results=<value optimized out>) at tapsets.cxx:4137                                                                                                                       
#35 0x0000000000445b44 in match_node::find_and_build (this=0x1963930, s=<value optimized out>, p=<value optimized out>, loc=<value optimized out>, pos=2,                             
    results=<value optimized out>) at elaborate.cxx:388                                                                                                                               
#36 0x0000000000445eae in match_node::find_and_build (this=0x19607d0, s=<value optimized out>, p=<value optimized out>, loc=<value optimized out>, pos=1,                             
    results=<value optimized out>) at elaborate.cxx:477                                                                                                                               
#37 0x0000000000445eae in match_node::find_and_build (this=0x758f10, s=<value optimized out>, p=<value optimized out>, loc=<value optimized out>, pos=0, results=<value optimized out>)
    at elaborate.cxx:477                                                                                                                                                               
#38 0x0000000000448ea0 in derive_probes (s=..., p=0x807570, dps=..., optional=<value optimized out>) at elaborate.cxx:715                                                              
#39 0x0000000000450b4d in semantic_pass_symbols (s=...) at elaborate.cxx:1210                                                                                                          
#40 semantic_pass (s=...) at elaborate.cxx:1494                                                                                                                                        
#41 0x000000000040fe3f in main (argc=<value optimized out>, argv=<value optimized out>) at main.cxx:1190

==21537== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==21537== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==21537== Command: stap -s 3 -p 4 -DMAXSTRINGSIZE=300 -DMAXSKIPPED=2000 -r 2.6.33-5-default -m preloadtrace obj/default/preloadtrace.stp
==21537==

==21537== Conditional jump or move depends on uninitialised value(s)
==21537==    at 0x4E4A8CB: __libdwfl_set_cfi (dwfl_module_dwarf_cfi.c:57)
==21537==    by 0x4FD491: dwflpp::get_cfa_ops(unsigned long) (dwflpp.cxx:2829)
==21537==    by 0x504E1B: dwflpp::translate_location(obstack*, Dwarf_Attribute*, unsigned long, Dwarf_Attribute*, location**, target_symbol const*) (dwflpp.cxx:1731)
==21537==    by 0x508D97: dwflpp::literal_stmt_for_local(std::vector<Dwarf_Die, std::allocator<Dwarf_Die> >&, unsigned long, std::string const&, target_symbol const*, bool, exp_type&) (dwflpp.cxx:2341)                                                                                                                                                                       
==21537==    by 0x4A5240: dwarf_var_expanding_visitor::visit_target_symbol(target_symbol*) (tapsets.cxx:2422)                                                                           
==21537==    by 0x43A2A8: update_visitor::visit_functioncall(functioncall*) (staptree.h:866)                                                                                            
==21537==    by 0x4399DE: update_visitor::visit_concatenation(concatenation*) (staptree.h:866)                                                                                          
==21537==    by 0x438DA8: update_visitor::visit_print_format(print_format*) (staptree.h:866)                                                                                            
==21537==    by 0x436E3E: update_visitor::visit_expr_statement(expr_statement*) (staptree.h:866)                                                                                        
==21537==    by 0x4368A8: update_visitor::visit_block(block*) (staptree.h:866)                                                                                                          
==21537==    by 0x491FB5: dwarf_derived_probe::dwarf_derived_probe(std::string const&, std::string const&, int, std::string const&, std::string const&, unsigned long, unsigned long, dwarf_query&, Dwarf_Die*) (staptree.h:866)                                                                                                                                                
==21537==    by 0x494293: dwarf_query::add_probe_point(std::string const&, char const*, int, Dwarf_Die*, unsigned long) (tapsets.cxx:1071)                                              
==21537==
Comment 1 Stephan Kulow 2010-03-15 11:04:26 UTC
Note that ebl=0xbabababababababa means it points into a free()ed memory area. Without MALLOC_PERTURB_ (the glibc feature that marks freed memory as such), stap runs fine.
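The pointer value in frame #0 is the giveaway the comment above describes: with MALLOC_PERTURB_ set, glibc's free() fills the released block with the configured byte (and malloc() fills fresh blocks with that byte's complement), so a pointer made of one repeated byte is almost certainly a stale pointer read out of freed memory. The following triage helper, added here as an illustration and not part of the bug report or of systemtap/elfutils, parses gdb backtrace lines of the form shown in this bug and flags every pointer-valued argument that looks like such a fill pattern; the frame lines in the constructed sample are copied from the backtrace above, and the rule that the fill pattern implies freed memory assumes glibc's MALLOC_PERTURB_ behaviour.

```python
import re

# Constructed sample: frame lines copied from this bug's gdb backtrace,
# including a multi-line frame (#5) and a frame with a <symbol(...)> callback (#30).
SAMPLE_BACKTRACE = """\
#0  0x00007ffff7bd2755 in ebl_abi_cfi (ebl=0xbabababababababa, abi_info=0x7fffffff9c70) at eblabicfi.c:62
#1  0x00007ffff7bbf68e in cie_cache_initial_state (cache=0x2daa818, fde=0x2ea9c40, address=18446744071580105296, frame=0x7fffffff9d78) at cfi.c:429
#2  __libdw_frame_at_address (cache=0x2daa818, fde=0x2ea9c40, address=18446744071580105296, frame=0x7fffffff9d78) at cfi.c:480
#5  0x0000000000504e1c in dwflpp::translate_location (this=0x1967a60, pool=0x7fffffff9f70, attr=0x7fffffffa030, pc=18446744071580105296, fb_attr=0x7fffffffa050, tail=0x7fffffffa118,
    e=0x2db49f0) at dwflpp.cxx:1731
#30 0x0000000000500295 in dwflpp::iterate_over_cus (this=<value optimized out>, callback=0x4957a0 <query_cu(Dwarf_Die*, void*)>, data=0x7fffffffb070) at dwflpp.cxx:416
"""

# "#N  [0xADDR in ]function (args) at file:line"; the function part is matched lazily
# up to the first " (", the argument list greedily up to the final ") at ".
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\S.*?) \((?P<args>.*)\) at (?P<loc>\S+)$"
)
# name=0xHEX or name=DECIMAL (gdb prints integer-typed arguments in decimal).
ARG_RE = re.compile(r"(?P<name>\w+)=(?P<val>0x[0-9a-fA-F]+|\d+)")


def iter_frames(backtrace):
    """Yield one dict per gdb frame; indented continuation lines are joined to their frame."""
    joined = []
    for line in backtrace.splitlines():
        if line.startswith("#"):
            joined.append(line.rstrip())
        elif joined and line[:1].isspace() and line.strip():
            joined[-1] += " " + line.strip()
    for line in joined:
        m = FRAME_RE.match(line)
        if m:
            yield m.groupdict()


def repeated_byte(value):
    """Return the fill byte if value is a single byte repeated over 8 or 4 bytes, else None.

    0x00 and 0xff are excluded: all-zero is NULL and all-ones is a sign-extended -1,
    neither of which says anything about MALLOC_PERTURB_.
    """
    b = value & 0xFF
    if b in (0x00, 0xFF):
        return None
    for width in (8, 4):
        if value == int.from_bytes(bytes([b]) * width, "little"):
            return b
    return None


def find_perturb_pointers(backtrace):
    """Flag every argument whose value looks like a MALLOC_PERTURB_ fill pattern."""
    findings = []
    for frame in iter_frames(backtrace):
        for m in ARG_RE.finditer(frame["args"]):
            raw = m.group("val")
            value = int(raw, 16) if raw.startswith("0x") else int(raw)
            byte = repeated_byte(value)
            if byte is not None:
                findings.append({
                    "frame": int(frame["no"]),
                    "func": frame["func"],
                    "arg": m.group("name"),
                    "location": frame["loc"],
                    # glibc: free() fills with the perturb byte, malloc() with its complement
                    "fill_byte": byte,
                    "alloc_fill_byte": byte ^ 0xFF,
                })
    return findings


def triage_report(backtrace):
    """Human-readable summary, one line per suspicious argument."""
    lines = []
    for f in find_perturb_pointers(backtrace):
        lines.append(
            "frame #%d %s at %s: argument '%s' is 0x%02x repeated -> points into memory "
            "freed under MALLOC_PERTURB_=%d (fresh allocations would read 0x%02x); "
            "likely use-after-free" % (
                f["frame"], f["func"], f["location"], f["arg"],
                f["fill_byte"], f["fill_byte"], f["alloc_fill_byte"]))
    return lines or ["no perturb-pattern pointers found"]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_BACKTRACE):
        print(line)
```

Run against the bug's own frames it reports only `ebl` in frame #0; large kernel-style values such as `address=18446744071580105296` and ordinary stack and heap pointers are left alone. The check also accepts 32-bit patterns (for example 0xbabababa), so the same helper works on backtraces from i586 builds like the one mentioned later in this bug.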
Comment 2 Tony Jones 2010-03-15 20:42:36 UTC
> 100% reproducible ;(

Great.  If there is no standalone testcase, then some info on the steps necessary to reproduce would be very much appreciated.  Thanks!
Comment 3 Stephan Kulow 2010-03-16 11:47:42 UTC
Well, check out the preload package from Factory, take out the unset MALLOC_PERTURB_ from %build and build for Factory. That should actually be the easiest way to reproduce it - at least it was for me :)
Comment 4 Tony Jones 2010-04-07 03:52:30 UTC
Appears to be fixed in elfutils-0.145; I'll look into a version update.

I love how the local patches (most of which still apply) have absolutely no comment header or bug references. Peachy.
Comment 5 Tony Jones 2010-05-13 23:58:29 UTC
sr 40007 pending for base:system (I don't have privs to accept).

Sorry for the delay; it seems many of the patches were 'test' patches from jbl that should never have been in Factory, but he couldn't recall what they were testing ... so I've had to do a lot of testing. rpm/debuginfo generation and stap usage have been verified.

I was planning on pushing stap 1.2 also but there is an i586 build id issue.
Comment 6 Stephan Kulow 2010-06-22 13:45:42 UTC
fixed?
Comment 7 Tony Jones 2010-06-22 17:48:38 UTC
Yes, fixed. Sorry I forgot to update once the package was accepted.
Comment 8 Bernhard Wiedemann 2016-04-15 10:54:29 UTC
This is an autogenerated message for OBS integration:
This bug (588293) was mentioned in
https://build.opensuse.org/request/show/34774 Factory / preload
https://build.opensuse.org/request/show/40226 Factory / elfutils
Comment 9 Swamp Workflow Management 2019-02-18 09:02:05 UTC
This is an autogenerated message for OBS integration:
This bug (588293) was mentioned in
https://build.opensuse.org/request/show/676940 Factory / elfutils