Bug 367942

Summary: Segfault vgPlain_do_sys_sigaction (m_signals.c:1138)
Product: [Developer tools] valgrind
Reporter: geeknik <brian.carpenter>
Component: general
Assignee: Julian Seward <jseward>
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version First Reported In: 3.10.0   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   

Description geeknik 2016-08-29 00:57:47 UTC
Valgrind 3.10.0-4 on Debian 8.5 x64. This Perl script crashed the Perl interpreter, which crashed Valgrind. The Perl script is 100% expected to crash Perl, but I wouldn't expect that to crash Valgrind, and after talking to a Perl developer, syscalls from Perl shouldn't crash Valgrind unless the syscall is something like kill(valgrind_pid, SIGSEGV). In this case it's performing a read (syscall 0) with garbage arguments.

valgrind perl -e '{0!~0}map{$_=syscall$0++}Y..$:'

It'll hang here:

==20465== Syscall param read(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==

Tap Enter on your keyboard:

==20465== Syscall param write(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param open(filename) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param stat(file_name) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param stat(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param fstat(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param lstat(file_name) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param lstat(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param poll(ufds.fd) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param poll(ufds.events) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param poll(ufds.revents) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x6 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param rt_sigaction(act->sa_handler) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param rt_sigaction(act->sa_mask) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4018 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param rt_sigaction(act->sa_flags) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4008 is not stack'd, malloc'd or (recently) free'd
==20465==
--20465-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--20465-- si_code=1;  Faulting address: 0x400B;  sp: 0x802f2ccb0

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==20465==    at 0x38114E5C: vgSysWrap_linux_sys_rt_sigaction_before (syswrap-linux.c:3242)
==20465==    by 0x380F82D5: vgPlain_client_syscall (syswrap-main.c:1586)
==20465==    by 0x380F4B5A: handle_syscall (scheduler.c:1103)
==20465==    by 0x380F6226: vgPlain_scheduler (scheduler.c:1416)
==20465==    by 0x38105B60: thread_wrapper (syswrap-linux.c:103)
==20465==    by 0x38105B60: run_a_thread_NORETURN (syswrap-linux.c:156)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
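As an added example (not the reporter's one-liner and not Valgrind's code), the C program below issues the raw rt_sigaction call that the script reached at syscall number 13, with `act` pointing at the unmapped address 0x4000 from the log, and the mirror case where `oact` is the bad pointer. It assumes Linux on x86-64 as in the report; the struct layout is the kernel's, not glibc's, and the syscall number comes from `<sys/syscall.h>`. Run natively, the kernel answers each bad pointer with EFAULT and the process survives, which is the contract the reporter describes: a garbage syscall argument is the kernel's problem, not the interposer's. The host stack trace above shows why Valgrind 3.10 died instead: the fault occurred inside vgSysWrap_linux_sys_rt_sigaction_before at 0x400B, i.e. the wrapper touched the client's `act` in its own address space before the kernel ever saw the call, so the check that the client memory is mapped has to happen before that dereference.

```c
/* Added example: raw rt_sigaction(2) with the unaddressable pointer from the
 * report. Not code from the bug or from Valgrind. Assumes Linux/x86-64. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The pointer Valgrind reported as unaddressable. It lies below the default
 * vm.mmap_min_addr (65536), so an ordinary process never has it mapped. */
#define BAD_PTR ((void *)0x4000)

/* Size of the kernel's sigset_t on x86-64 (8 bytes, 64 signals). The kernel
 * rejects any other value with EINVAL before it dereferences act, so a wrong
 * size here would hide the EFAULT path this example is about. */
#define KERNEL_SIGSET_SIZE 8

/* Kernel-side struct sigaction for x86-64. This is NOT glibc's struct
 * sigaction (glibc reorders the fields and carries a 128-byte mask). */
struct kernel_sigaction {
    void *handler;
    unsigned long flags;
    void *restorer;
    unsigned long mask;       /* KERNEL_SIGSET_SIZE bytes */
};

/* Raw rt_sigaction(2): returns 0 on success or the errno the kernel set. */
static int raw_rt_sigaction(int sig, const void *act, void *oact)
{
    long r = syscall(SYS_rt_sigaction, sig, act, oact, KERNEL_SIGSET_SIZE);
    return r == -1 ? errno : 0;
}

/* What the script hit at syscall 13: act points at unmapped memory. The
 * kernel's copy_from_user() fails and the call returns EFAULT; nothing
 * crashes. An interposer that reads *act itself before forwarding the call
 * must first verify the client address is mapped, or it takes the SIGSEGV
 * in its own address space, which is the "impossible" in the log above. */
int probe_bad_act(void)
{
    return raw_rt_sigaction(SIGUSR1, BAD_PTR, NULL);
}

/* Mirror case: act is NULL (query only) but oact is unmapped, so the kernel's
 * copy_to_user() fails. An interposer that writes the old action back itself
 * has the same obligation on the output pointer. */
int probe_bad_oact(void)
{
    return raw_rt_sigaction(SIGUSR1, NULL, BAD_PTR);
}

/* Control: a well-formed query must still succeed, so a pre-check that
 * rejects every rt_sigaction call is not a fix. */
int probe_valid_query(void)
{
    struct kernel_sigaction old;
    memset(&old, 0, sizeof old);
    return raw_rt_sigaction(SIGUSR1, NULL, &old);
}

int main(void)
{
    printf("rt_sigaction(bad act):  %s\n", strerror(probe_bad_act()));
    printf("rt_sigaction(bad oact): %s\n", strerror(probe_bad_oact()));
    printf("rt_sigaction(valid):    %s\n", strerror(probe_valid_query()));
    return 0;
}
```

Running the same binary under a Valgrind build before the fix the maintainer mentions in Comment 1 is the quickest way to tell whether the wrapper still dereferences `act` on the host side: natively the three lines read "Bad address", "Bad address", "Success"; a vulnerable Valgrind dies with the same VALGRIND INTERNAL ERROR as the report on the first call.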
Comment 1 Julian Seward 2016-10-19 11:51:41 UTC
There have been commits to the trunk which make V more robust to
bad parameters to rt_sigaction and friends.  Can you re-try with the
trunk, or with the upcoming 3.12.0 release?
Comment 2 geeknik 2016-11-14 00:10:43 UTC
valgrind-3.13.0.SVN does not appear to crash in this instance.