Bug #9654

Updated by nobu (Nobuyoshi Nakada) over 8 years ago

When SIGSEGV happens, C level backtrace information should be printed out, but the printing-out itself causes another segmentation fault. 

 $ ./ruby -e 'Process.kill :SEGV, $$' 
 -e:1: [BUG] Segmentation fault at 0x00584f 
 ruby 2.2.0dev (2014-03-19) [powerpc64-linux] 

 -- Control frame information ----------------------------------------------- 
 c:0003 p:---- s:0009 e:000008 CFUNC    :kill 
 c:0002 p:0015 s:0004 E:00153c EVAL     -e:1 [FINISH] 
 c:0001 p:0000 s:0002 E:002574 TOP      [FINISH] 

 -- Ruby level backtrace information ---------------------------------------- 
 -e:1:in `<main>' 
 -e:1:in `kill' 

 -- C level backtrace information ------------------------------------------- 
 ./ruby(Segmentation fault 

 This second segmentation fault happens at the following stack context. 

 (gdb) bt 
 #0    0x201ba994 in strlen () from /lib/ 
 #1    0x2070cbe0 in kvprintf (fmt=0x207a097d "+0x%lx) [0x%lx] %s:%d\n") 
     at addr2line.c:1009 
 #2    kprintf (fmt=0x207a097d "+0x%lx) [0x%lx] %s:%d\n") at addr2line.c:771 
 #3    0x2070e4f8 in rb_dump_backtrace_with_lines (num_traces=18,  
     traces=0x2081762c, syms=0x20a7d720) at addr2line.c:677 
 #4    0x206f3ffc in rb_print_backtrace () at vm_dump.c:690 
 #5    rb_vm_bugreport () at vm_dump.c:825 
 #6    0x207621ac in report_bug (file=<value optimized out>,  
     line=<value optimized out>, fmt=0x2079857c "Segmentation fault at %p",  
     args=0x2085f864) at error.c:312 
 #7    0x207624e4 in rb_bug (fmt=0x2079857c "Segmentation fault at %p") 
     at error.c:339 
 #8    0x206664e0 in sigsegv (sig=<value optimized out>, info=0x2085f8f0,  
     ctx=<value optimized out>) at signal.c:704 
 #9    <signal handler called> 
 #10 0x2016674c in kill () from /lib/ 
 #11 0x20702c64 in ruby_kill (pid=<value optimized out>,  
     sig=<value optimized out>) at thread.c:5185 
 <<<<< snip >>>>> 

 This error began to occur after this change: 

 Due to this error, `TestBugReporter#test_bug_reporter_add` fails on ppc64 GNU/Linux. 
 My guess is that the changes in addr2line.c are doing something, but I am not sure. 

 The second segmentation fault is caused because `line->sname` points to out-of-range memory. 
 Tracing `rb_dump_backtrace_with_lines()` and `fill_lines()`, I found the `sname` entry was first set correctly by reading the `./ruby` file, but it was later overwritten by some incorrect information while reading the `/usr/lib/debug/lib/` file. 
 In ``, there seem to be several symbol table entries whose `st_size` is quite big (~1.5 GB), so those entries happen to cover all the addresses in `traces[]`, which results in overwriting `sname` at line 584 of addr2line.c. 
 I am not familiar with ELF, so I cannot track down further. 
 Hope this report helps.
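As an added illustration of the mechanism the report describes (this is constructed example code, not the reporter's code and not Ruby's addr2line.c): a symbol-table entry whose `st_size` spans ~1.5 GB covers every address in `traces[]`, so a walk that lets any covering entry overwrite `sname` ends up with the wrong name once the second file is read. The symbol tables, the 16 MiB plausibility bound and the tightest-match rule below are assumptions made for the example; they are not Ruby's actual fix for this bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the symbol walk described in the report; this is
 * not Ruby's addr2line.c. Field names mirror the ELF fields the report
 * mentions (st_value, st_size), but every table entry below is invented. */
typedef struct {
    uintptr_t   st_value;   /* symbol start address */
    uintptr_t   st_size;    /* symbol extent in bytes */
    const char *name;
} sym_t;

typedef struct {
    uintptr_t   pc;          /* one return address from traces[] */
    const char *sname;       /* symbol name attributed to pc */
    uintptr_t   sname_size;  /* st_size of that symbol: tightest match so far */
} line_t;

/* Assumed upper bound on a plausible single-function extent (16 MiB);
 * the bogus entries in the report claim about 1.5 GB. */
#define MAX_PLAUSIBLE_SYM_SIZE ((uintptr_t)16 << 20)

/* True when pc lies inside [st_value, st_value + st_size); written with a
 * subtraction so the range end cannot wrap around on a 32-bit uintptr_t. */
static int covers(const sym_t *s, uintptr_t pc)
{
    return pc >= s->st_value && pc - s->st_value < s->st_size;
}

/* Naive walk: every covering symbol overwrites sname, so whichever file is
 * processed last wins. This is the overwrite the report observed. */
static void fill_lines_naive(line_t *lines, size_t nlines,
                             const sym_t *syms, size_t nsyms)
{
    for (size_t i = 0; i < nsyms; i++)
        for (size_t j = 0; j < nlines; j++)
            if (covers(&syms[i], lines[j].pc))
                lines[j].sname = syms[i].name;
}

/* Checked walk: skip entries with an empty or implausibly large extent, and
 * only replace an existing attribution with a strictly tighter one. */
static void fill_lines_checked(line_t *lines, size_t nlines,
                               const sym_t *syms, size_t nsyms)
{
    for (size_t i = 0; i < nsyms; i++) {
        if (syms[i].st_size == 0 || syms[i].st_size > MAX_PLAUSIBLE_SYM_SIZE)
            continue;
        for (size_t j = 0; j < nlines; j++) {
            if (!covers(&syms[i], lines[j].pc))
                continue;
            if (lines[j].sname == NULL || syms[i].st_size < lines[j].sname_size) {
                lines[j].sname = syms[i].name;
                lines[j].sname_size = syms[i].st_size;
            }
        }
    }
}

/* Constructed scenario: the executable's own (correct) symbols are read
 * first, then a second file whose single entry claims a 1.5 GB extent. */
static const sym_t g_ruby_syms[] = {
    { 0x2070e000u, 0x800u, "rb_dump_backtrace_with_lines" },
    { 0x206f3c00u, 0x600u, "rb_print_backtrace" },
};
static const sym_t g_debug_syms[] = {
    { 0x20000000u, 0x60000000u, "bogus_symbol_1_5GB" },
};

/* Attribute one pc with either walk; returns the resulting name ("" if none). */
const char *attribute_pc(uintptr_t pc, int checked)
{
    line_t line = { pc, NULL, 0 };
    void (*walk)(line_t *, size_t, const sym_t *, size_t) =
        checked ? fill_lines_checked : fill_lines_naive;
    walk(&line, 1, g_ruby_syms, sizeof g_ruby_syms / sizeof g_ruby_syms[0]);
    walk(&line, 1, g_debug_syms, sizeof g_debug_syms / sizeof g_debug_syms[0]);
    return line.sname ? line.sname : "";
}

int main(void)
{
    uintptr_t pc = 0x2070e4f8u;  /* frame #3 in the gdb backtrace above */
    printf("naive:   %s\n", attribute_pc(pc, 0));
    printf("checked: %s\n", attribute_pc(pc, 1));
    return 0;
}
```

With the naive walk the pc from frame #3 is attributed to the bogus entry because it is processed last; the checked walk rejects that entry on size and keeps the executable's own symbol. An address outside every table stays unattributed in both walks, which is the case a printer must still handle before calling `strlen()` on `sname`.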