282527 – valgrind crash on ARM loading misaligned DWARF2 symbol information

Bug 282527 - valgrind crash on ARM loading misaligned DWARF2 symbol information

Summary: valgrind crash on ARM loading misaligned DWARF2 symbol information

Status:	RESOLVED FIXED

Alias:	None

Product:	valgrind
Classification:	Developer tools
Component:	general (show other bugs)
Version:	unspecified
Platform:	Compiled Sources Linux

Importance:	NOR crash
Target Milestone:	---
Assignee:	Julian Seward

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-09-22 03:58 UTC by Mark Wickham
Modified:	2011-10-05 13:42 UTC (History)
CC List:	3 users (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
*patch (UInt )foo ==> read_UInt(foo) etc.* (13.78 KB, patch) 2011-09-30 03:11 UTC, John Reiser	Details
more un-aligned processing for m_debuginfo/* (14.11 KB, patch) 2011-10-05 03:17 UTC, John Reiser	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Wickham 2011-09-22 03:58:30 UTC

Version:           unspecified (using KDE 4.7.0) 
OS:                Linux

I'm compiling valgrind-3.6.1 to run on ARM.  I got it to build but when loading DWARF2 symbol information, it crashes loading symbol data, even though dwarfdump and readelf both show no problems.

Reproducible: Always

Steps to Reproduce:
Compile hello.c for ARM with DWARF2 debugging symbols:
hello.c:
#include <stdlib.h>
#include <stdio.h>

int main()
{
        char *m = malloc(8192);
        (void)m;
        printf("Hello!\n");
        exit(0);
}

$ gdb valgrind
(gdb) run -d -d -v hello
gdb shows that the DWARF version number is being read incorrectly, and that the ui.name in coregrind/m_debuginfo/readdwarf.c is a bad address and it crashes.
--1118-- Reading syms from /hello (0x8000)
DWARF: 2
Reading UnitInfo at 0x0.....
   => LINES=0x8400    NAME=501e2b2     DIR=401e237

       /* Fill ui with offset in .debug_line and compdir */
      if (1)
         VG_(printf)( "Reading UnitInfo at 0x%lx.....\n",
                      block_img - debug_info_img + 0UL );
      read_unitinfo_dwarf2( &ui, block_img,
                                 debug_abbv_img, debug_str_img );
         VG_(printf)( "   => LINES=0x%llx    NAME=%x     DIR=%x\n",
                      ui.stmt_list, ui.name, ui.compdir );
      if (1)
         VG_(printf)( "   => LINES=0x%llx    NAME=%s     DIR=%s\n",
                      ui.stmt_list, ui.name, ui.compdir );


Actual Results:  
$ gdb valgrind
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-unknown-linux-gnueabi"...
(gdb) run -d -d -v /hello
Starting program: /usr/bin/valgrind -d -d -v /hello
--1118:1:debuglog DebugLog system started by Stage 1, level 2 logging requested
--1118:1:launcher no tool requested, defaulting to 'memcheck'
--1118:2:launcher   selecting platform for '/hello'
--1118:2:launcher   selecting platform for '/hello'
--1118:2:launcher   opened '/hello'
--1118:2:launcher   read 4096 bytes from '/hello'
--1118:2:launcher   selected platform 'arm-linux'
--1118:1:launcher selected platform 'arm-linux'
--1118:1:launcher launching /usr/lib/valgrind/memcheck-arm-linux
Executing new program: /usr/lib/valgrind/memcheck-arm-linux
--1118:1:debuglog DebugLog system started by Stage 2 (main), level 2 logging requested
--1118:1:main     Welcome to Valgrind version 3.6.1 debug logging
--1118:1:main     Checking current stack is plausible
--1118:1:main     Checking initial stack was noted
--1118:1:main     Starting the address space manager
--1118:2:aspacem            sp_at_startup = 0x00bea9ee00 (supplied)
--1118:2:aspacem                  minAddr = 0x0004000000 (computed)
--1118:2:aspacem                  maxAddr = 0x00bea9dfff (computed)
--1118:2:aspacem                   cStart = 0x0004000000 (computed)
--1118:2:aspacem                   vStart = 0x006154f000 (computed)
--1118:2:aspacem    suggested_clstack_top = 0x00bda9efff (computed)
--1118:2:aspacem    <<< SHOW_SEGMENTS: Initial layout (5 segments, 0 segnames)
--1118:2:aspacem      0: RSVN 0000000000-0003ffffff     64m ----- SmFixed
--1118:2:aspacem      1:      0004000000-006154efff   1493m
--1118:2:aspacem      2: RSVN 006154f000-006154ffff    4096 ----- SmFixed
--1118:2:aspacem      3:      0061550000-00bea9dfff   1493m
--1118:2:aspacem      4: RSVN 00bea9e000-00ffffffff   1045m ----- SmFixed
--1118:2:aspacem    >>>
--1118:2:aspacem    Reading /proc/self/maps
--1118:2:aspacem    <<< SHOW_SEGMENTS: With contents of /proc/self/maps (13 segments, 1 segnames)
--1118:2:aspacem    ( 0) /usr/lib/valgrind/memcheck-arm-linux
--1118:2:aspacem      0: RSVN 0000000000-0003ffffff     64m ----- SmFixed
--1118:2:aspacem      1:      0004000000-0037ffffff    832m
--1118:2:aspacem      2: FILE 0038000000-003821dfff 2220032 r-x-- d=0x00d i=1330147 o=32768   (0)
--1118:2:aspacem      3:      003821e000-0038224fff   28672
--1118:2:aspacem      4: FILE 0038225000-0038226fff    8192 rwx-- d=0x00d i=1330147 o=2248704 (0)
--1118:2:aspacem      5: ANON 0038227000-0038d1afff     10m rwx--
--1118:2:aspacem      6:      0038d1b000-006154efff    648m
--1118:2:aspacem      7: RSVN 006154f000-006154ffff    4096 ----- SmFixed
--1118:2:aspacem      8:      0061550000-00bea7dfff   1493m
--1118:2:aspacem      9: ANON 00bea7e000-00bea9efff  135168 rw---
--1118:2:aspacem     10: RSVN 00bea9f000-00fffeffff   1045m ----- SmFixed
--1118:2:aspacem     11: anon 00ffff0000-00ffff0fff    4096 r-x--
--1118:2:aspacem     12: RSVN 00ffff1000-00ffffffff   61440 ----- SmFixed
--1118:2:aspacem    >>>
--1118:1:main     Address space manager is running
--1118:1:main     Starting the dynamic memory manager
--1118:1:mallocfr newSuperblock at 0x61550000 (pszB 4194288) owner VALGRIND/tool
--1118:1:main     Dynamic memory manager is running
--1118:1:main     Initialise m_debuginfo
--1118:1:main     VG_(libdir) = /usr/lib/valgrind
--1118:1:main     Getting launcher's name ...
--1118:1:main     ... /usr/bin/valgrind
--1118:1:main     Get hardware capabilities ...

Program received signal SIGILL, Illegal instruction.
0x3802dda0 in vgPlain_machine_get_hwcaps () at m_machine.c:887
887     m_machine.c: No such file or directory.
        in m_machine.c
(gdb) c
Continuing.

Program received signal SIGILL, Illegal instruction.
0x3802df04 in vgPlain_machine_get_hwcaps () at m_machine.c:899
899     in m_machine.c
(gdb) c
Continuing.
--1118:1:machine  ARMv5 VFP 0 VFP2 0 VFP3 0 NEON 0
--1118:1:main     ... arch = ARM, hwcaps = ARMv5
--1118:1:main     Getting the working directory at startup
--1118:1:main     ... /
--1118:1:main     Split up command line
--1118:1:main     (early_) Process Valgrind's command line options
--1118:1:main     Create initial image
--1118:1:initimg  Loading client
--1118:1:initimg  Setup client env
--1118:2:initimg    preload_string:
--1118:2:initimg      "/usr/lib/valgrind/vgpreload_core-arm-linux.so:/usr/lib/valgrind/vgpreload_memcheck-arm-linux.so"
--1118:1:initimg  Setup client stack: size will be 8388608
--1118:2:initimg    ARM has-neon from-auxv: NO
--1118:2:initimg    Client info: initial_IP=0x40007B0 initial_TOC=0x0 brk_base=0x12000
--1118:2:initimg    Client info: initial_SP=0xBDA9EE00 max_stack_size=8388608
--1118:1:initimg  Setup client data (brk) segment
--1118:1:main     Setup file descriptors
--1118:1:main     Create fake /proc/<pid>/cmdline
--1118:1:main     Initialise the tool part 1 (pre_clo_init)
--1118:1:mallocfr newSuperblock at 0x61950000 (pszB 1048560) owner VALGRIND/exectxt
--1118:1:main     Print help and quit, if requested
--1118:1:main     (main_) Process Valgrind's command line options, setup logging
--1118:1:mallocfr newSuperblock at 0x61A50000 (pszB 1048560) owner VALGRIND/core
--1118:1:main     Print the preamble...
==1118== Memcheck, a memory error detector
==1118== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==1118== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==1118== Command: /hello
==1118==
--1118-- Valgrind options:
--1118--    -d
--1118--    -d
--1118--    -v
--1118-- Contents of /proc/version:
--1118--   Linux version 2.6.35-01661-g850ec9c (markw@markw4) (gcc version 4.4.6 (crosstool-NG 1.12.1) ) #1 PREEMPT Fri Sep 16 17:46:21 CDT 2011
--1118-- Arch and hwcaps: ARM, ARMv5
--1118-- Page sizes: currently 4096, max supported 4096
--1118-- Valgrind library directory: /usr/lib/valgrind
--1118:1:main     ...finished the preamble
--1118:1:main     Initialise the tool part 2 (post_clo_init)
--1118:1:main     Initialise TT/TC
--1118:2:transtab   cache: 8 sectors of 24189984 bytes each = 193519872 total
--1118:2:transtab   table: 524168 total entries, max occupancy 340704 (65%)
--1118:1:main     Initialise redirects
--1118:1:mallocfr newSuperblock at 0x61BCB000 (pszB 1048560) owner VALGRIND/dinfo
--1118:1:main     Load initial debug info
--1118-- Reading syms from /hello (0x8000)
DWARF: 2
Reading UnitInfo at 0x0.....
   => LINES=0x8400    NAME=501e2b2     DIR=401e237

Program received signal SIGSEGV, Segmentation fault.
myvprintf_str (send=0x3802bb70 <add_to__printf_buf>, send_arg2=0x389e88d0,
    flags=0, width=0, str=0x501e2b2 <Address 0x501e2b2 out of bounds>,
    capitalise=0 '\0') at m_debuglog.c:530
530     m_debuglog.c: No such file or directory.
        in m_debuglog.c
(gdb) bt
#0  myvprintf_str (send=0x3802bb70 <add_to__printf_buf>,
    send_arg2=0x389e88d0, flags=0, width=0,
    str=0x501e2b2 <Address 0x501e2b2 out of bounds>, capitalise=0 '\0')
    at m_debuglog.c:530
#1  0x3809bd6c in vgPlain_debugLog_vprintf (
    send=0x3802bb70 <add_to__printf_buf>, send_arg2=0x389e88d0,
    format=0x381fe4d0 "   => LINES=0x%llx    NAME=%s     DIR=%s\n",
    vargs=<value optimized out>) at m_debuglog.c:877
#2  0x3802ba8c in vprintf_WRK (sink=0x382253c8,
    format=0x381fe4d0 "   => LINES=0x%llx    NAME=%s     DIR=%s\n", vargs=
      {__ap = 0x389e8b04}) at m_libcprint.c:111
#3  0x3802bb60 in vgPlain_printf (
    format=0x501e2b2 <Address 0x501e2b2 out of bounds>) at m_libcprint.c:143
#4  0x380a247c in vgModuleLocal_read_debuginfo_dwarf3 (di=0x61bcb1c8,
    debug_info_img=<value optimized out>,
    debug_info_sz=<value optimized out>,
    debug_abbv_img=<value optimized out>, debug_abbv_sz=96,
    debug_line_img=0x401e1bb "4", debug_line_sz=56,
    debug_str_img=0x401e224 "long long int", debug_str_sz=150)
    at m_debuginfo/readdwarf.c:1220
#5  0x38058a1c in vgModuleLocal_read_elf_debug_info (di=0x61bcb1c8)
    at m_debuginfo/readelf.c:2206
#6  0x38054060 in vgPlain_di_notify_mmap (a=<value optimized out>,
    allow_SkFileV=<value optimized out>) at m_debuginfo/debuginfo.c:822
#7  0x3803083c in valgrind_main (argc=<value optimized out>,
    argv=<value optimized out>, envp=<value optimized out>) at m_main.c:1993
#8  0x38032ce0 in _start_in_C_linux (pArgc=0xbea9ee00) at m_main.c:2839
#9  0x00000000 in ?? ()
(gdb)



Expected Results:  
I think valgrind/coregrind/m_debuginfo/readdwarf.c should be modified to use read_UShort/UInt/ULong instead of *(UShort *) casts when referencing DWARF data in the executables.  Currently they are being read incorrectly by the ARM core, causing pointer miscalculations leading to exceptions.  I was able to show that the DWARF version number was read correctly when read with read_UShort().

Comment 1 John Reiser 2011-09-30 03:11:33 UTC

Created attachment 64082 [details]
patch *(UInt *)foo ==> read_UInt(foo) etc.

Anybody else working on readdwarf for ARM?  Here's what I have so far.  It compiles and runs much better, but I'd like to hear and see what others are doing.

Comment 2 Tom Hughes 2011-10-02 10:54:28 UTC

Committed as r12083.

Comment 3 John Reiser 2011-10-05 03:17:29 UTC

Created attachment 64223 [details]
more un-aligned processing for m_debuginfo/*

Memcheck option --read-var-info=yes needs these additional fixes to handle un-aligned accesses on ARM.

Comment 4 Julian Seward 2011-10-05 07:58:25 UTC

I'd reopen this as per mail list request if I could figure out how.
Not sure what to set the status fields to.

Comment 5 Tom Hughes 2011-10-05 08:53:25 UTC

I've committed those additional fixes as r12102. Do you still want the bug reopening given that I've done that?

Comment 6 John Reiser 2011-10-05 13:02:33 UTC

(In reply to comment #5)
Thank you, Tom, for committing the additional fixes; re-open is necessary no longer.  I was just trying to avoid the "Gotcha!" of RESOLVED:FIXED status implying "No action necessary."  Like Julian, I could not figure out how to Re-open.

Comment 7 Tom Hughes 2011-10-05 13:15:01 UTC

Well underneath the comment box should be "Change the status of bug 282527 to" with a drop down to you change it back to "UNCONFIRMED" or "VERIFIED" which will reopen it.

Comment 8 John Reiser 2011-10-05 13:42:35 UTC

(In reply to comment #7)
When I visit, then underneath the box for "Additional Comments" there is "RESOLVED as FIXED", then a button "Commit", and no other button (in particular, no "Change status ..." or similar).  After that is the Attachments section.  Perhaps the web page checks for Submitter or Administrator before displaying the "Change status" button?