Jonathan Nieder hat am Mon 09. May, 20:28 (-0500) geschrieben:
> Jörg Sommer wrote:
> > Jonathan Nieder hat am Sat 07. May, 17:06 (-0500) geschrieben:
> [...]
> > #1 0x0fed241c in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4123
> > av = 0xffc9268
> > oldtop = 0x103fcd18
> > bytes = 4
> > csz = <value optimized out>
> > oldtopsize = 82664
> > mem = 0xffc9265
> > clearsize = <value optimized out>
> > nclears = <value optimized out>
> > __func__ = "__libc_calloc"
> > #2 0x10018700 in xrealloc (p=<value optimized out>, n=<value optimized out>) at xmalloc.c:61
> > No locals.
>
> Hm, this seems odd --- wouldn't xrealloc call realloc (which calls malloc),
> not calloc?

Yes, xrealloc calls realloc (grep/lib/xmalloc.c:54):

void *
xrealloc (void *p, size_t n)
{
  p = realloc (p, n);
  if (!p && n != 0)
    xalloc_die ();
  return p;
}

> So I suppose output from "frame 2; disas; frame 3; disas" would still
> be useful,

(gdb) f 2
#2 0x10018700 in xrealloc (p=<value optimized out>, n=<value optimized out>) at xmalloc.c:61
61 xmalloc.c: Datei oder Verzeichnis nicht gefunden.
 in xmalloc.c
(gdb) disas
Dump of assembler code for function xrealloc:
   0x100186d0 <+0>: stwu r1,-16(r1)
   0x100186d4 <+4>: mflr r0
   0x100186d8 <+8>: stw r31,12(r1)
   0x100186dc <+12>: stw r0,20(r1)
   0x100186e0 <+16>: mr r31,r4
   0x100186e4 <+20>: bl 0x10019d50 <realloc@plt>
   0x100186e8 <+24>: cmpwi r3,0
   0x100186ec <+28>: beq 0x10018710 <xrealloc+64>
   0x100186f0 <+32>: lwz r0,20(r1)
   0x100186f4 <+36>: lwz r31,12(r1)
   0x100186f8 <+40>: addi r1,r1,16
   0x100186fc <+44>: mtlr r0
=> 0x10018700 <+48>: blr
   0x10018704 <+52>: nop
   0x10018708 <+56>: nop
   0x1001870c <+60>: nop
   0x10018710 <+64>: cmpwi cr7,r31,0
   0x10018714 <+68>: beq cr7,0x100186f0 <xrealloc+32>
   0x10018718 <+72>: bl 0x100131b0 <xalloc_die>
End of assembler dump.
(gdb) up #3 0x1000f260 in build_state_zero (d=0x1, begin=0x103fcd18 "", end=0xffc7ff4 "", newline=4, count=0xffc9268, backref=0xbfa127ec) at dfa.c:2325 2325 dfa.c: Datei oder Verzeichnis nicht gefunden. in dfa.c (gdb) disas Dump of assembler code for function dfaexec: 0x1000ebc0 <+0>: stwu r1,-112(r1) 0x1000ebc4 <+4>: mfcr r12 0x1000ebc8 <+8>: mflr r0 0x1000ebcc <+12>: stw r29,100(r1) 0x1000ebd0 <+16>: stw r28,96(r1) 0x1000ebd4 <+20>: lis r29,4099 0x1000ebd8 <+24>: mr r28,r4 0x1000ebdc <+28>: addi r29,r29,-10536 0x1000ebe0 <+32>: stw r0,116(r1) 0x1000ebe4 <+36>: stw r15,44(r1) 0x1000ebe8 <+40>: mr r15,r8 0x1000ebec <+44>: stw r25,84(r1) 0x1000ebf0 <+48>: stw r26,88(r1) 0x1000ebf4 <+52>: mr r25,r7 0x1000ebf8 <+56>: mr r26,r6 0x1000ebfc <+60>: stw r27,92(r1) 0x1000ec00 <+64>: stw r30,104(r1) 0x1000ec04 <+68>: mr r30,r5 0x1000ec08 <+72>: lwz r0,104(r29) 0x1000ec0c <+76>: lbz r27,12(r29) 0x1000ec10 <+80>: stw r31,108(r1) 0x1000ec14 <+84>: stw r14,40(r1) 0x1000ec18 <+88>: mr r31,r3 0x1000ec1c <+92>: cmpwi cr7,r0,0 0x1000ec20 <+96>: stw r16,48(r1) 0x1000ec24 <+100>: stw r17,52(r1) 0x1000ec28 <+104>: stw r18,56(r1) 0x1000ec2c <+108>: stw r19,60(r1) 0x1000ec30 <+112>: stw r20,64(r1) 0x1000ec34 <+116>: stw r21,68(r1) 0x1000ec38 <+120>: stw r22,72(r1) 0x1000ec3c <+124>: stw r23,76(r1) 0x1000ec40 <+128>: stw r24,80(r1) 0x1000ec44 <+132>: stw r12,36(r1) 0x1000ec48 <+136>: bne cr7,0x1000ecbc <dfaexec+252> 0x1000ec4c <+140>: li r0,1 0x1000ec50 <+144>: stw r0,104(r29) 0x1000ec54 <+148>: bl 0x10019f40 <__ctype_b_loc@plt> 0x1000ec58 <+152>: addi r9,r29,108 0x1000ec5c <+156>: li r11,1 0x1000ec60 <+160>: li r8,2 0x1000ec64 <+164>: lwz r10,0(r3) 0x1000ec68 <+168>: b 0x1000ec88 <dfaexec+200> 0x1000ec6c <+172>: nop 0x1000ec70 <+176>: li r0,1 0x1000ec74 <+180>: stw r0,0(r9) 0x1000ec78 <+184>: bgt cr7,0x1000ecac <dfaexec+236> 0x1000ec7c <+188>: addi r10,r10,2 0x1000ec80 <+192>: addi r11,r11,1 0x1000ec84 <+196>: addi r9,r9,4 0x1000ec88 <+200>: lhz r0,0(r10) 0x1000ec8c <+204>: cmpwi 
cr7,r11,255 0x1000ec90 <+208>: cmpwi cr6,r11,96 0x1000ec94 <+212>: andi. r6,r0,2048 0x1000ec98 <+216>: li r0,2 0x1000ec9c <+220>: bne 0x1000ec74 <dfaexec+180> 0x1000eca0 <+224>: bne cr6,0x1000ec70 <dfaexec+176> 0x1000eca4 <+228>: stw r8,0(r9) 0x1000eca8 <+232>: b 0x1000ec7c <dfaexec+188> 0x1000ecac <+236>: rlwinm r9,r27,2,0,29 0x1000ecb0 <+240>: add r9,r29,r9 0x1000ecb4 <+244>: li r0,4 0x1000ecb8 <+248>: stw r0,108(r9) 0x1000ecbc <+252>: lwz r0,80(r31) 0x1000ecc0 <+256>: cmpwi cr7,r0,0 0x1000ecc4 <+260>: beq cr7,0x1000f210 <dfaexec+1616> 0x1000ecc8 <+264>: lbz r16,0(r30) 0x1000eccc <+268>: lwz r24,88(r31) 0x1000ecd0 <+272>: stb r27,0(r30) 0x1000ecd4 <+276>: stw r28,8(r1) 0x1000ecd8 <+280>: lwz r0,36(r31) 0x1000ecdc <+284>: cmplwi cr7,r0,1 0x1000ece0 <+288>: ble cr7,0x1000ede8 <dfaexec+552> 0x1000ece4 <+292>: subf r19,r28,r30 0x1000ece8 <+296>: stw r28,24(r29) 0x1000ecec <+300>: stw r30,100(r29) 0x1000ecf0 <+304>: addi r17,r29,1132 0x1000ecf4 <+308>: addi r23,r19,2 0x1000ecf8 <+312>: mr r3,r23 0x1000ecfc <+316>: bl 0x10018720 <xmalloc> 0x1000ed00 <+320>: stw r3,20(r29) 0x1000ed04 <+324>: rlwinm r3,r23,2,0,29 0x1000ed08 <+328>: bl 0x10018720 <xmalloc> 0x1000ed0c <+332>: li r0,0 0x1000ed10 <+336>: cmpwi cr7,r19,0 0x1000ed14 <+340>: stw r0,4(r17) 0x1000ed18 <+344>: stw r0,1132(r29) 0x1000ed1c <+348>: li r9,0 0x1000ed20 <+352>: li r23,0 0x1000ed24 <+356>: stw r3,16(r29) 0x1000ed28 <+360>: blt cr7,0x1000edcc <dfaexec+524> 0x1000ed2c <+364>: addi r20,r19,1 0x1000ed30 <+368>: li r21,0 0x1000ed34 <+372>: li r22,0 0x1000ed38 <+376>: li r18,0 0x1000ed3c <+380>: mr r14,r29 0x1000ed40 <+384>: b 0x1000ed78 <dfaexec+440> 0x1000ed44 <+388>: nop 0x1000ed48 <+392>: nop 0x1000ed4c <+396>: nop 0x1000ed50 <+400>: lwz r9,20(r29) 0x1000ed54 <+404>: stbx r22,r9,r23 0x1000ed58 <+408>: addi r22,r22,-1 0x1000ed5c <+412>: lwz r9,16(r29) 0x1000ed60 <+416>: stwx r18,r9,r21 0x1000ed64 <+420>: addi r23,r23,1 0x1000ed68 <+424>: addi r21,r21,4 0x1000ed6c <+428>: cmpw cr7,r19,r23 0x1000ed70 <+432>: 
addi r20,r20,-1 0x1000ed74 <+436>: blt cr7,0x1000edc8 <dfaexec+520> 0x1000ed78 <+440>: cmpwi cr7,r22,0 0x1000ed7c <+444>: bne cr7,0x1000ed50 <dfaexec+400> 0x1000ed80 <+448>: lwz r3,16(r29) 0x1000ed84 <+452>: add r4,r28,r23 0x1000ed88 <+456>: mr r5,r20 0x1000ed8c <+460>: mr r6,r17 0x1000ed90 <+464>: add r3,r3,r21 0x1000ed94 <+468>: bl 0x10019e60 <mbrtowc@plt> 0x1000ed98 <+472>: cmpwi r3,0 0x1000ed9c <+476>: cmpwi cr7,r3,1 0x1000eda0 <+480>: ble 0x1000f1d4 <dfaexec+1556> 0x1000eda4 <+484>: beq cr7,0x1000f1f4 <dfaexec+1588> 0x1000eda8 <+488>: lwz r9,20(r29) 0x1000edac <+492>: addi r22,r3,-1 0x1000edb0 <+496>: addi r21,r21,4 0x1000edb4 <+500>: addi r20,r20,-1 0x1000edb8 <+504>: stbx r3,r9,r23 0x1000edbc <+508>: addi r23,r23,1 0x1000edc0 <+512>: cmpw cr7,r19,r23 0x1000edc4 <+516>: bge cr7,0x1000ed78 <dfaexec+440> 0x1000edc8 <+520>: rlwinm r9,r23,2,0,29 0x1000edcc <+524>: lwz r11,20(r29) 0x1000edd0 <+528>: li r0,0 0x1000edd4 <+532>: li r10,0 0x1000edd8 <+536>: stbx r0,r11,r23 0x1000eddc <+540>: lwz r11,16(r29) 0x1000ede0 <+544>: lwz r0,36(r31) 0x1000ede4 <+548>: stwx r10,r11,r9 0x1000ede8 <+552>: mr r23,r1 0x1000edec <+556>: cmpwi cr3,r26,0 0x1000edf0 <+560>: li r22,0 0x1000edf4 <+564>: li r28,0 0x1000edf8 <+568>: mr r26,r29 0x1000edfc <+572>: cmpwi cr4,r25,0 0x1000ee00 <+576>: lwzu r8,8(r23) 0x1000ee04 <+580>: cmplwi cr7,r0,1 0x1000ee08 <+584>: ble cr7,0x1000f090 <dfaexec+1232> 0x1000ee0c <+588>: rlwinm r0,r28,2,0,29 0x1000ee10 <+592>: mr r9,r28 0x1000ee14 <+596>: mr r6,r0 0x1000ee18 <+600>: lwzx r7,r24,r0 0x1000ee1c <+604>: cmpwi cr7,r7,0 0x1000ee20 <+608>: beq cr7,0x1000ef38 <dfaexec+888> 0x1000ee24 <+612>: nop 0x1000ee28 <+616>: nop 0x1000ee2c <+620>: nop 0x1000ee30 <+624>: cmplw cr7,r30,r8 0x1000ee34 <+628>: blt cr7,0x1000ef3c <dfaexec+892> 0x1000ee38 <+632>: cmpwi cr7,r28,0 0x1000ee3c <+636>: bne cr7,0x1000eee8 <dfaexec+808> 0x1000ee40 <+640>: lwz r11,24(r29) 0x1000ee44 <+644>: lwz r4,16(r29) 0x1000ee48 <+648>: subf r0,r11,r8 0x1000ee4c <+652>: rlwinm r9,r0,2,0,29 
0x1000ee50 <+656>: lwzx r9,r4,r9 0x1000ee54 <+660>: cmpwi cr7,r9,0 0x1000ee58 <+664>: bne cr7,0x1000eee0 <dfaexec+800> 0x1000ee5c <+668>: lwz r10,20(r26) 0x1000ee60 <+672>: lbzx r9,r10,r0 0x1000ee64 <+676>: cmpwi cr7,r9,0 0x1000ee68 <+680>: beq cr7,0x1000eee0 <dfaexec+800> 0x1000ee6c <+684>: lwz r5,100(r26) 0x1000ee70 <+688>: cmplw cr7,r5,r8 0x1000ee74 <+692>: ble cr7,0x1000eee0 <dfaexec+800> 0x1000ee78 <+696>: addi r9,r8,1 0x1000ee7c <+700>: add r10,r10,r0 0x1000ee80 <+704>: subf r11,r11,r9 0x1000ee84 <+708>: cmplw cr7,r5,r9 0x1000ee88 <+712>: subf r5,r9,r5 0x1000ee8c <+716>: rlwinm r11,r11,2,0,29 0x1000ee90 <+720>: addi r5,r5,1 0x1000ee94 <+724>: add r11,r4,r11 0x1000ee98 <+728>: mtctr r5 0x1000ee9c <+732>: bge cr7,0x1000eec8 <dfaexec+776> 0x1000eea0 <+736>: b 0x1000f2b4 <dfaexec+1780> 0x1000eea4 <+740>: nop 0x1000eea8 <+744>: nop 0x1000eeac <+748>: nop 0x1000eeb0 <+752>: lbz r0,1(r10) 0x1000eeb4 <+756>: addi r9,r9,1 0x1000eeb8 <+760>: addi r10,r10,1 0x1000eebc <+764>: cmpwi cr7,r0,0 0x1000eec0 <+768>: beq cr7,0x1000eee0 <dfaexec+800> 0x1000eec4 <+772>: bdz 0x1000eee0 <dfaexec+800> 0x1000eec8 <+776>: lwz r0,0(r11) 0x1000eecc <+780>: stw r9,8(r1) 0x1000eed0 <+784>: addi r11,r11,4 0x1000eed4 <+788>: mr r8,r9 0x1000eed8 <+792>: cmpwi cr7,r0,0 0x1000eedc <+796>: beq cr7,0x1000eeb0 <dfaexec+752> 0x1000eee0 <+800>: cmplw cr7,r30,r8 0x1000eee4 <+804>: ble cr7,0x1000f1b8 <dfaexec+1528> 0x1000eee8 <+808>: lwz r0,60(r31) 0x1000eeec <+812>: rlwinm r9,r28,5,0,26 0x1000eef0 <+816>: subf r6,r6,r9 0x1000eef4 <+820>: add r6,r0,r6 0x1000eef8 <+824>: lwz r0,24(r6) 0x1000eefc <+828>: cmpwi cr7,r0,0 0x1000ef00 <+832>: bne cr7,0x1000f030 <dfaexec+1136> 0x1000ef04 <+836>: lbz r0,0(r8) 0x1000ef08 <+840>: addi r8,r8,1 0x1000ef0c <+844>: stw r8,8(r1) 0x1000ef10 <+848>: rlwinm r0,r0,2,0,29 0x1000ef14 <+852>: lwzx r3,r7,r0 0x1000ef18 <+856>: mr r22,r28 0x1000ef1c <+860>: mr r28,r3 0x1000ef20 <+864>: rlwinm r0,r28,2,0,29 0x1000ef24 <+868>: mr r9,r28 0x1000ef28 <+872>: mr r6,r0 0x1000ef2c 
<+876>: lwzx r7,r24,r0 0x1000ef30 <+880>: cmpwi cr7,r7,0 0x1000ef34 <+884>: bne cr7,0x1000ee30 <dfaexec+624> 0x1000ef38 <+888>: lwz r8,8(r1) 0x1000ef3c <+892>: cmpwi cr7,r28,0 0x1000ef40 <+896>: blt cr7,0x1000f050 <dfaexec+1168> 0x1000ef44 <+900>: cmplw cr6,r30,r8 0x1000ef48 <+904>: blt cr6,0x1000f050 <dfaexec+1168> 0x1000ef4c <+908>: lwz r11,96(r31) 0x1000ef50 <+912>: lwzx r10,r11,r0 0x1000ef54 <+916>: cmpwi cr6,r10,0 0x1000ef58 <+920>: beq cr6,0x1000f050 <dfaexec+1168> 0x1000ef5c <+924>: lbz r11,0(r8) 0x1000ef60 <+928>: lwz r6,100(r31) 0x1000ef64 <+932>: rlwinm r11,r11,2,0,29 0x1000ef68 <+936>: add r7,r29,r11 0x1000ef6c <+940>: lwzx r0,r6,r0 0x1000ef70 <+944>: lwz r7,108(r7) 0x1000ef74 <+948>: and. r6,r7,r0 0x1000ef78 <+952>: beq 0x1000f174 <dfaexec+1460> 0x1000ef7c <+956>: cmpwi cr7,r15,0 0x1000ef80 <+960>: beq cr7,0x1000efa8 <dfaexec+1000> 0x1000ef84 <+964>: rlwinm r0,r9,5,0,26 0x1000ef88 <+968>: lwz r11,60(r31) 0x1000ef8c <+972>: rlwinm r9,r9,2,0,29 0x1000ef90 <+976>: subf r0,r9,r0 0x1000ef94 <+980>: add r9,r11,r0 0x1000ef98 <+984>: lbz r0,14(r9) 0x1000ef9c <+988>: neg r0,r0 0x1000efa0 <+992>: rlwinm r0,r0,1,31,31 0x1000efa4 <+996>: stw r0,0(r15) 0x1000efa8 <+1000>: lwz r0,36(r31) 0x1000efac <+1004>: cmplwi cr7,r0,1 0x1000efb0 <+1008>: ble cr7,0x1000efc4 <dfaexec+1028> 0x1000efb4 <+1012>: lwz r3,20(r29) 0x1000efb8 <+1016>: bl 0x10019e90 <free@plt> 0x1000efbc <+1020>: lwz r3,16(r29) 0x1000efc0 <+1024>: bl 0x10019e90 <free@plt> 0x1000efc4 <+1028>: stb r16,0(r30) 0x1000efc8 <+1032>: lwz r3,8(r1) 0x1000efcc <+1036>: lwz r0,116(r1) 0x1000efd0 <+1040>: lwz r12,36(r1) 0x1000efd4 <+1044>: lwz r14,40(r1) 0x1000efd8 <+1048>: lwz r15,44(r1) 0x1000efdc <+1052>: mtlr r0 0x1000efe0 <+1056>: lwz r16,48(r1) 0x1000efe4 <+1060>: lwz r17,52(r1) 0x1000efe8 <+1064>: mtcrf 16,r12 0x1000efec <+1068>: lwz r18,56(r1) 0x1000eff0 <+1072>: lwz r19,60(r1) 0x1000eff4 <+1076>: mtcrf 8,r12 0x1000eff8 <+1080>: lwz r20,64(r1) 0x1000effc <+1084>: lwz r21,68(r1) 0x1000f000 <+1088>: lwz 
r22,72(r1) 0x1000f004 <+1092>: lwz r23,76(r1) 0x1000f008 <+1096>: lwz r24,80(r1) 0x1000f00c <+1100>: lwz r25,84(r1) 0x1000f010 <+1104>: lwz r26,88(r1) 0x1000f014 <+1108>: lwz r27,92(r1) 0x1000f018 <+1112>: lwz r28,96(r1) 0x1000f01c <+1116>: lwz r29,100(r1) 0x1000f020 <+1120>: lwz r30,104(r1) 0x1000f024 <+1124>: lwz r31,108(r1) 0x1000f028 <+1128>: addi r1,r1,112 0x1000f02c <+1132>: blr 0x1000f030 <+1136>: mr r3,r31 0x1000f034 <+1140>: mr r4,r28 0x1000f038 <+1144>: mr r5,r23 0x1000f03c <+1148>: bl 0x1000e5e0 <transit_state> 0x1000f040 <+1152>: lwz r24,88(r31) 0x1000f044 <+1156>: lwz r8,8(r1) 0x1000f048 <+1160>: b 0x1000ef18 <dfaexec+856> 0x1000f04c <+1164>: nop 0x1000f050 <+1168>: beq cr4,0x1000f274 <dfaexec+1716> 0x1000f054 <+1172>: cmplw cr6,r30,r8 0x1000f058 <+1176>: bge cr6,0x1000f124 <dfaexec+1380> 0x1000f05c <+1180>: lwz r0,36(r31) 0x1000f060 <+1184>: cmplwi cr7,r0,1 0x1000f064 <+1188>: ble cr7,0x1000f078 <dfaexec+1208> 0x1000f068 <+1192>: lwz r3,20(r29) 0x1000f06c <+1196>: bl 0x10019e90 <free@plt> 0x1000f070 <+1200>: lwz r3,16(r29) 0x1000f074 <+1204>: bl 0x10019e90 <free@plt> 0x1000f078 <+1208>: stb r16,0(r30) 0x1000f07c <+1212>: li r3,0 0x1000f080 <+1216>: b 0x1000efcc <dfaexec+1036> 0x1000f084 <+1220>: nop 0x1000f088 <+1224>: nop 0x1000f08c <+1228>: nop 0x1000f090 <+1232>: rlwinm r0,r28,2,0,29 0x1000f094 <+1236>: mr r9,r28 0x1000f098 <+1240>: lwzx r11,r24,r0 0x1000f09c <+1244>: cmpwi cr7,r11,0 0x1000f0a0 <+1248>: beq cr7,0x1000ef38 <dfaexec+888> 0x1000f0a4 <+1252>: lbz r0,0(r8) 0x1000f0a8 <+1256>: addi r8,r8,1 0x1000f0ac <+1260>: stw r8,8(r1) 0x1000f0b0 <+1264>: rlwinm r0,r0,2,0,29 0x1000f0b4 <+1268>: b 0x1000f0fc <dfaexec+1340> 0x1000f0b8 <+1272>: nop 0x1000f0bc <+1276>: nop 0x1000f0c0 <+1280>: lbz r0,0(r8) 0x1000f0c4 <+1284>: mr r10,r8 0x1000f0c8 <+1288>: addi r8,r8,1 0x1000f0cc <+1292>: stw r8,8(r1) 0x1000f0d0 <+1296>: rlwinm r0,r0,2,0,29 0x1000f0d4 <+1300>: lwzx r28,r11,r0 0x1000f0d8 <+1304>: rlwinm r0,r28,2,0,29 0x1000f0dc <+1308>: mr r9,r28 0x1000f0e0 
<+1312>: lwzx r11,r24,r0 0x1000f0e4 <+1316>: cmpwi cr7,r11,0 0x1000f0e8 <+1320>: beq cr7,0x1000ef3c <dfaexec+892> 0x1000f0ec <+1324>: addi r8,r10,2 0x1000f0f0 <+1328>: lbz r0,1(r10) 0x1000f0f4 <+1332>: stw r8,8(r1) 0x1000f0f8 <+1336>: rlwinm r0,r0,2,0,29 0x1000f0fc <+1340>: lwzx r22,r11,r0 0x1000f100 <+1344>: rlwinm r0,r22,2,0,29 0x1000f104 <+1348>: mr r9,r22 0x1000f108 <+1352>: lwzx r11,r24,r0 0x1000f10c <+1356>: cmpwi cr7,r11,0 0x1000f110 <+1360>: bne cr7,0x1000f0c0 <dfaexec+1280> 0x1000f114 <+1364>: mr r11,r28 0x1000f118 <+1368>: mr r28,r22 0x1000f11c <+1372>: mr r22,r11 0x1000f120 <+1376>: b 0x1000ef3c <dfaexec+892> 0x1000f124 <+1380>: lbz r0,-1(r8) 0x1000f128 <+1384>: cmpw cr6,r0,r27 0x1000f12c <+1388>: beq cr6,0x1000f1a8 <dfaexec+1512> 0x1000f130 <+1392>: blt cr7,0x1000f158 <dfaexec+1432> 0x1000f134 <+1396>: mr r3,r28 0x1000f138 <+1400>: mr r4,r31 0x1000f13c <+1404>: bl 0x1000de90 <build_state> 0x1000f140 <+1408>: mr r3,r28 0x1000f144 <+1412>: lwz r24,88(r31) 0x1000f148 <+1416>: lwz r8,8(r1) 0x1000f14c <+1420>: lwz r0,36(r31) 0x1000f150 <+1424>: mr r28,r3 0x1000f154 <+1428>: b 0x1000ee04 <dfaexec+580> 0x1000f158 <+1432>: lbz r0,-1(r8) 0x1000f15c <+1436>: cmpw cr7,r0,r27 0x1000f160 <+1440>: beq cr7,0x1000f280 <dfaexec+1728> 0x1000f164 <+1444>: li r3,0 0x1000f168 <+1448>: lwz r0,36(r31) 0x1000f16c <+1452>: mr r28,r3 0x1000f170 <+1456>: b 0x1000ee04 <dfaexec+580> 0x1000f174 <+1460>: lwz r0,36(r31) 0x1000f178 <+1464>: cmplwi cr7,r0,1 0x1000f17c <+1468>: ble cr7,0x1000f29c <dfaexec+1756> 0x1000f180 <+1472>: mr r4,r28 0x1000f184 <+1476>: mr r3,r31 0x1000f188 <+1480>: mr r5,r23 0x1000f18c <+1484>: mr r22,r28 0x1000f190 <+1488>: bl 0x1000e5e0 <transit_state> 0x1000f194 <+1492>: lwz r24,88(r31) 0x1000f198 <+1496>: lwz r8,8(r1) 0x1000f19c <+1500>: lwz r0,36(r31) 0x1000f1a0 <+1504>: mr r28,r3 0x1000f1a4 <+1508>: b 0x1000ee04 <dfaexec+580> 0x1000f1a8 <+1512>: lwz r0,0(r25) 0x1000f1ac <+1516>: addic r0,r0,1 0x1000f1b0 <+1520>: stw r0,0(r25) 0x1000f1b4 <+1524>: b 
0x1000f130 <dfaexec+1392> 0x1000f1b8 <+1528>: lwz r3,20(r29) 0x1000f1bc <+1532>: bl 0x10019e90 <free@plt> 0x1000f1c0 <+1536>: lwz r3,16(r29) 0x1000f1c4 <+1540>: bl 0x10019e90 <free@plt> 0x1000f1c8 <+1544>: stb r16,0(r30) 0x1000f1cc <+1548>: li r3,0 0x1000f1d0 <+1552>: b 0x1000efcc <dfaexec+1036> 0x1000f1d4 <+1556>: lwz r9,16(r14) 0x1000f1d8 <+1560>: lbzx r0,r28,r23 0x1000f1dc <+1564>: add r9,r9,r21 0x1000f1e0 <+1568>: lwz r11,20(r29) 0x1000f1e4 <+1572>: li r7,0 0x1000f1e8 <+1576>: stw r0,0(r9) 0x1000f1ec <+1580>: stbx r7,r11,r23 0x1000f1f0 <+1584>: b 0x1000ed64 <dfaexec+420> 0x1000f1f4 <+1588>: lwz r11,16(r14) 0x1000f1f8 <+1592>: lbzx r10,r28,r23 0x1000f1fc <+1596>: add r9,r11,r21 0x1000f200 <+1600>: lwzx r0,r11,r21 0x1000f204 <+1604>: cmpw cr7,r0,r10 0x1000f208 <+1608>: bne cr7,0x1000eda8 <dfaexec+488> 0x1000f20c <+1612>: b 0x1000f1e0 <dfaexec+1568> 0x1000f210 <+1616>: li r9,1 0x1000f214 <+1620>: stw r0,84(r31) 0x1000f218 <+1624>: li r4,4 0x1000f21c <+1628>: stw r9,80(r31) 0x1000f220 <+1632>: li r3,2 0x1000f224 <+1636>: bl 0x100186a0 <xcalloc> 0x1000f228 <+1640>: li r4,4 0x1000f22c <+1644>: addi r0,r3,4 0x1000f230 <+1648>: stw r3,92(r31) 0x1000f234 <+1652>: lwz r3,80(r31) 0x1000f238 <+1656>: stw r0,88(r31) 0x1000f23c <+1660>: bl 0x100186a0 <xcalloc> 0x1000f240 <+1664>: lwz r0,80(r31) 0x1000f244 <+1668>: stw r3,96(r31) 0x1000f248 <+1672>: rlwinm r3,r0,2,0,29 0x1000f24c <+1676>: bl 0x10018720 <xmalloc> 0x1000f250 <+1680>: lwz r0,80(r31) 0x1000f254 <+1684>: stw r3,100(r31) 0x1000f258 <+1688>: rlwinm r3,r0,2,0,29 0x1000f25c <+1692>: bl 0x10018720 <xmalloc> => 0x1000f260 <+1696>: mr r4,r31 0x1000f264 <+1700>: stw r3,104(r31) 0x1000f268 <+1704>: li r3,0 0x1000f26c <+1708>: bl 0x1000de90 <build_state> 0x1000f270 <+1712>: b 0x1000ecc8 <dfaexec+264> 0x1000f274 <+1716>: cmplw cr6,r30,r8 0x1000f278 <+1720>: bge cr6,0x1000f130 <dfaexec+1392> 0x1000f27c <+1724>: b 0x1000f05c <dfaexec+1180> 0x1000f280 <+1728>: beq cr3,0x1000f164 <dfaexec+1444> 0x1000f284 <+1732>: lwz 
r11,104(r31) 0x1000f288 <+1736>: lwz r0,36(r31) 0x1000f28c <+1740>: rlwinm r9,r22,2,0,29 0x1000f290 <+1744>: lwzx r3,r11,r9 0x1000f294 <+1748>: mr r28,r3 0x1000f298 <+1752>: b 0x1000ee04 <dfaexec+580> 0x1000f29c <+1756>: lwzx r3,r10,r11 0x1000f2a0 <+1760>: addi r8,r8,1 0x1000f2a4 <+1764>: mr r22,r28 0x1000f2a8 <+1768>: stw r8,8(r1) 0x1000f2ac <+1772>: mr r28,r3 0x1000f2b0 <+1776>: b 0x1000ee04 <dfaexec+580> 0x1000f2b4 <+1780>: li r0,1 0x1000f2b8 <+1784>: mtctr r0 0x1000f2bc <+1788>: b 0x1000eec8 <dfaexec+776>
End of assembler dump.

According to libc's malloc.c, the size of the block being cleared was bigger than 36 bytes.

malloc.c:4114:
  /* Unroll clear of <= 36 bytes (72 if 8byte sizes). We know that contents have an odd number of INTERNAL_SIZE_T-sized words; minimally 3. */
  d = (INTERNAL_SIZE_T*)mem;
  clearsize = csz - SIZE_SZ;
  nclears = clearsize / sizeof(INTERNAL_SIZE_T);
  assert(nclears >= 3);
  if (nclears > 9)
    MALLOC_ZERO(d, clearsize);

I don't know the internal memory management of libc, but I think this may be interesting to you:

#define mem2chunk(mem) ((mchunkptr)((char*)(mem) - 2*SIZE_SZ))
#define chunksize(p) ((p)->size & ~(SIZE_BITS))

malloc.c:4093
  p = mem2chunk(mem);
…
malloc.c:4105
  csz = chunksize(p);

and the code from above.

Here is a memory dump. Maybe you can see what the values of csz and clearsize are.
(gdb) f 1
#1 0x0fed241c in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4123
4123 in malloc.c
(gdb) i locals
av = 0xffc9268
oldtop = 0x103fcd18
bytes = 4
csz = <value optimized out>
oldtopsize = 82664
mem = 0xffc9265
clearsize = <value optimized out>
nclears = <value optimized out>
__func__ = "__libc_calloc"
(gdb) x /64x mem-8
0xffc925d <save_arena+1>: 0x00000000 0x00000200 0x00000000 0x00000000
0xffc926d <main_arena+5>: 0x00000100 0x00000000 0x00000000 0x00000000
0xffc927d <main_arena+21>: 0x00000000 0x00000000 0x00000000 0x00000000
0xffc928d <main_arena+37>: 0x00000000 0x00000000 0x00000010 0x3fcd1810
0xffc929d <main_arena+53>: 0x3f2b3810 0x3f2b3810 0x3f2b3810 0x3f85ca0f
0xffc92ad <main_arena+69>: 0xfc92a00f 0xfc92a80f 0xfc92a810 0x3f08b010
0xffc92bd <main_arena+85>: 0x3f2b680f 0xfc92b80f 0xfc92b80f 0xfc92c00f
0xffc92cd <main_arena+101>: 0xfc92c00f 0xfc92c80f 0xfc92c80f 0xfc92d00f
0xffc92dd <main_arena+117>: 0xfc92d010 0x3f0c1810 0x3f0c180f 0xfc92e00f
0xffc92ed <main_arena+133>: 0xfc92e00f 0xfc92e80f 0xfc92e80f 0xfc92f00f
0xffc92fd <main_arena+149>: 0xfc92f00f 0xfc92f80f 0xfc92f80f 0xfc93000f
0xffc930d <main_arena+165>: 0xfc93000f 0xfc93080f 0xfc93080f 0xfc93100f
0xffc931d <main_arena+181>: 0xfc93100f 0xfc93180f 0xfc93180f 0xfc93200f
0xffc932d <main_arena+197>: 0xfc93200f 0xfc93280f 0xfc93280f 0xfc93300f
0xffc933d <main_arena+213>: 0xfc93300f 0xfc93380f 0xfc93380f 0xfc93400f
0xffc934d <main_arena+229>: 0xfc93400f 0xfc93480f 0xfc93480f 0xfc93500f
(gdb) info symbol mem-8
save_arena + 1 in section .bss of /lib/libc.so.6
(gdb) x /4x save_arena
0xffc925c: 0x00000000 0x00000002 0x00000000 0x00000000

[Note: mem (0xffc9265) is an odd address inside libc's .bss, so the words in the dump above are shifted by one byte relative to the aligned view of save_arena.]

I attach the grep with debugging symbols.

Bye, Jörg.
-- 
Ein Optimist ist in der Regel ein Zeitgenosse, der ungenuegend informiert ist. (John B. Priestley)
Attachment:
grep
Description: Binary data
Attachment:
signature.asc
Description: Digital signature http://en.wikipedia.org/wiki/OpenPGP