
Bug#548894: Strange segfaults at exit, suspected: gcc optimisation.



Package: vtun
Version: 3.0.2-1.1
Severity: important

Hello,

Disclaimer 1: this bug appears both in 3.0.2-1.1 available in lenny and in
3.0.2-2 compiled on my own using the lenny toolchain/chroot. I made only one
change: I commented out dh_strip in debian/rules to be able to run
gdb.

Disclaimer 2: I am Cc-ing the gcc maintainers because I suspect this could be
the main cause of this bug. Please reassign the bug to the gcc package if
appropriate.

I noticed that vtund is segfaulting at exit on both client and server side.
Results of debugging the client side are strange.

First: tail of the gdb output from the original 3.0.2-1.1 package after using kill PID:
Program received signal SIGTERM, Terminated.
0xb7f07424 in __kernel_vsyscall ()
(gdb) c
Continuing.
vtund[21632]: Closing connection

Program received signal SIGSEGV, Segmentation fault.
0xb7c811bb in strlen () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7c811bb in strlen () from /lib/i686/cmov/libc.so.6
#1  0xb7c4d648 in vfprintf () from /lib/i686/cmov/libc.so.6
#2  0xb7c6bcdc in vsprintf () from /lib/i686/cmov/libc.so.6
#3  0x0804e714 in ?? ()
#4  0xbff23185 in ?? ()
#5  0x08055e07 in ?? ()
#6  0xbff23294 in ?? ()
#7  0x00000000 in ?? ()

Now: gdb output from 3.0.2-2 (with debug symbols):
Program received signal SIGTERM, Terminated.
0xb7f72424 in __kernel_vsyscall ()
(gdb) c
Continuing.
vtund[23222]: Closing connection

Program received signal SIGSEGV, Segmentation fault.
0xb7cec1bb in strlen () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7cec1bb in strlen () from /lib/i686/cmov/libc.so.6
#1  0xb7cb8648 in vfprintf () from /lib/i686/cmov/libc.so.6
#2  0xb7cd6cdc in vsprintf () from /lib/i686/cmov/libc.so.6
#3  0x0804e714 in set_title (fmt=0x8055e07 "%s running down commands")
    at lib.c:102
#4  0x0804f62d in tunnel (host=0x9f85300) at tunnel.c:225
#5  0x0804df2a in client (host=0x9f853f8) at client.c:141
#6  0x0804a917 in main (argc=4, argv=0xbfd8e384, env=0xbfd8e398) at main.c:218

Look at the value of the host parameter in frames 4 and 5.

Let's look at line 223 of the tunnel.c file:

opt = linkfd(host);

Just before this line host has the value 0x9f853f8, which is correct.
Just after the return from the linkfd function it is 0x9f85300.

The segfault comes from the piece of code on the next line:

set_title("%s running down commands", host->host);

Because host points to an invalid fragment of memory, the reference to
host->host causes the segfault.

But there is more.

File linkfd.c, line 350. At the beginning of the linkfd function
host still has the value 0x9f853f8. The end of this function is:

     setpriority(PRIO_PROCESS,0,old_prio);

     return linker_term;
}

Between the setpriority and return lines host still has the value 0x9f853f8. And
suddenly, after returning to the tunnel function, host is 0x9f85300.

Why do I suspect it could be a gcc problem?
First I applied the following patch to the sources:
--- vtun-3.0.2.orig/linkfd.c
+++ vtun-3.0.2/linkfd.c
@@ -353,6 +353,7 @@
      int old_prio;
 
      lfd_host = host;
+     vtun_syslog(LOG_NOTICE,"linkfd begin - host=%p",host);
  
      old_prio=getpriority(PRIO_PROCESS,0);
      setpriority(PRIO_PROCESS,0,LINKFD_PRIO);
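Review bot: the vtun_syslog call inserted after `lfd_host = host;` changes the stack layout and register allocation of linkfd, so the segfault disappearing with this patch applied is consistent with an observer effect and does not by itself point at gcc or show the logging is harmless. For a diagnostic that observes without modifying the code, a gdb hardware watchpoint on the caller's variable (`watch host` while stopped in the tunnel frame) will stop at the instruction that writes the new value. If the log line is kept, LOG_DEBUG rather than LOG_NOTICE keeps it out of a production syslog.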
@@ -419,5 +420,6 @@
 
      setpriority(PRIO_PROCESS,0,old_prio);
 
+     vtun_syslog(LOG_NOTICE,"linkfd end - host=%p",host);
      return linker_term;
 }
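Review bot: this line prints linkfd's own copy of host, but the corruption reported is in tunnel's host after the return (0x9f853f8 becoming 0x9f85300, a change in the low byte only), so a correct value here cannot rule out damage to the caller's saved copy on the return path. Since the file keeps its own copy in lfd_host (set at the top of the function), logging lfd_host alongside host at this point would show whether the two have diverged by the end of the function.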
--- vtun-3.0.2.orig/tunnel.c
+++ vtun-3.0.2/tunnel.c
@@ -220,7 +220,9 @@
 	   break;
      }
 
+     vtun_syslog(LOG_NOTICE,"tunnel.c pre - host=%p",host);
      opt = linkfd(host);
+     vtun_syslog(LOG_NOTICE,"tunnel.c post - host=%p",host);
 
      set_title("%s running down commands", host->host);
      llist_trav(&host->down, run_cmd, &host->sopt);
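Review bot: the "post" log reads host with %p, which is safe, but the following `set_title("%s running down commands", host->host);` still dereferences host unconditionally, so with a corrupt pointer the crash only moves from strlen to this dereference. During debugging, saving the pointer before the call (`struct vtun_host *saved = host;`) and comparing after it (`if (host != saved) vtun_syslog(LOG_NOTICE, "host changed %p -> %p", saved, host);`) turns the corruption into an explicit log event rather than a SIGSEGV and records both values.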

---- here is end of patch ----
With this patch everything went smoothly. After killing the client it closed itself
without segfaults.

My next step was removing the mentioned patch and adding DEB_BUILD_OPTIONS=noopt.
vtun compiled with -O0 instead of -O2 works correctly and closes without a
segfault.

If you wish to compare the binaries I use, I have put all of them here:
http://hell.pl/arturcz/vtun/
ac0 is the default 3.0.2-2 but without dh_strip
ac1 is like ac0 but with the additional syslog messages (the patch mentioned above)
ac2 is like ac0 but compiled with -O0 instead of -O2.

For compilation of all of the above I used a freshly updated pbuilder image
of lenny with the following gcc version:
root@szczaw:/# gcc --version
gcc (Debian 4.3.2-1.1) 4.3.2
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Best regards
	Artur

-- System Information:
Debian Release: 5.0.3
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages vtun depends on:
ii  debconf [debconf-2.0]  1.5.24            Debian configuration management sy
ii  libc6                  2.9-6             GNU C Library: Shared libraries
ii  liblzo2-2              2.03-1            data compression library
ii  libssl0.9.8            0.9.8g-15+lenny5  SSL shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

vtun recommends no packages.

vtun suggests no packages.

-- no debconf information