From: Arkadiusz Sienkiewicz
Newsgroups: gmane.linux.lib.musl.general
Subject: aio_cancel segmentation fault for in progress write requests
Date: Fri, 7 Dec 2018 13:52:31 +0100
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com

Hi,

I'm experiencing a segmentation fault when I invoke aio_cancel on a request which is in the EINPROGRESS state. This happens only with libc musl (used version - 1.1.12-r8) and only on one (dual Intel Xeon Gold 6128) of the few computers I've tried it on - please let me know if you need more information about that machine. Attached is a very simple program (aioWrite.cpp) that reproduces this problem.

alpine-tmp-0:~$ ./aioWrite
Segmentation fault (core dumped)

The backtrace from gdb shows the problem is in aio_cancel.

(gdb) r
Starting program: ~/aioWrite
[New LWP 70321]

Program received signal ?, Unknown signal.
[Switching to LWP 70321]
__cp_end () at src/thread/x86_64/syscall_cp.s:29
29    src/thread/x86_64/syscall_cp.s: No such file or directory.
(gdb) bt
#0  __cp_end () at src/thread/x86_64/syscall_cp.s:29
#1  0x00007ffff7dc6919 in __syscall_cp_c (nr=18, u=<optimized out>, v=<optimized out>, w=<optimized out>, x=<optimized out>, y=<optimized out>, z=0) at src/thread/pthread_cancel.c:37
#2  0x00007ffff7dcc0df in pwrite (fd=fd@entry=3, buf=buf@entry=0x7ffffff81900, size=size@entry=512512, ofs=ofs@entry=0) at src/unistd/pwrite.c:7
#3  0x00007ffff7d8974e in io_thread_func (ctx=<optimized out>) at src/aio/aio.c:240
#4  0x00007ffff7dc7293 in start (p=0x7ffff7ff4ab0) at src/thread/pthread_create.c:145
#5  0x00007ffff7dc6072 in __clone () at src/thread/x86_64/clone.s:21
Backtrace stopped: frame did not save the PC
(gdb) info threads
  Id   Target Id         Frame
* 2    LWP 70321 "aioWrite" __cp_end () at src/thread/x86_64/syscall_cp.s:29
  1    LWP 70317 "aioWrite" __wait (addr=addr@entry=0x7ffff7ff49f8, waiters=waiters@entry=0x0, val=val@entry=-1, priv=<optimized out>, priv@entry=1) at src/thread/__wait.c:14
(gdb) thread 1
[Switching to thread 1 (LWP 70317)]
#0  __wait (addr=addr@entry=0x7ffff7ff49f8, waiters=waiters@entry=0x0, val=val@entry=-1, priv=<optimized out>, priv@entry=1) at src/thread/__wait.c:14
14    src/thread/__wait.c: No such file or directory.
(gdb) bt
#0  __wait (addr=addr@entry=0x7ffff7ff49f8, waiters=waiters@entry=0x0, val=val@entry=-1, priv=<optimized out>, priv@entry=1) at src/thread/__wait.c:14
#1  0x00007ffff7d89b30 in aio_cancel (fd=<optimized out>, cb=0x7ffffff04640) at src/aio/aio.c:356
#2  0x0000000000400c54 in main () at aioWrite.cpp:45
(gdb)

In another application (whose code I cannot share) I was able to get a more detailed trace for the main thread, narrowing the problem to the pthread_kill call.

Program received signal ?, Unknown signal.
[Switching to LWP 70293]
__cp_end () at src/thread/x86_64/syscall_cp.s:29
29    src/thread/x86_64/syscall_cp.s: No such file or directory.
(gdb) thread 1
[Switching to thread 1 (LWP 60762)]
#0  0x00007ffff7dc7ac4 in pthread_kill (t=t@entry=0x7ffff7fdeab0, sig=sig@entry=33) at src/thread/pthread_kill.c:7
7    src/thread/pthread_kill.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7dc7ac4 in pthread_kill (t=t@entry=0x7ffff7fdeab0, sig=sig@entry=33) at src/thread/pthread_kill.c:7
#1  0x00007ffff7dc69eb in pthread_cancel (t=0x7ffff7fdeab0) at src/thread/pthread_cancel.c:99
#2  0x00007ffff7d89b1d in aio_cancel (fd=<optimized out>, cb=0xf4e180) at src/aio/aio.c:355

The operating system is containerized Alpine Linux:
Linux alpine-tmp-0 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 Linux

Best Regards,
[Attachment: aioWrite.cpp (text/x-c++src)]
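Added example, not part of the original message and not the attached aioWrite.cpp: a C sketch of the call sequence the report describes (aio_write followed immediately by aio_cancel), handling every aio_cancel status and blocking in aio_suspend until the request has finished. The function name, the temp-file path and the use of mkstemp are assumptions; the 512512-byte buffer size is the pwrite size shown in the backtrace.

```c
#define _POSIX_C_SOURCE 200809L
#include <aio.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 512512        /* size of the pwrite seen in the backtrace */
static char buf[BUF_SIZE];     /* static so it outlives the in-flight request */

/* Hypothetical helper: returns the aio_cancel() status (AIO_CANCELED,
 * AIO_NOTCANCELED or AIO_ALLDONE) once the request is finished, -1 on error. */
int write_then_cancel(void)
{
    char path[] = "/tmp/aio_cancel_demo_XXXXXX";   /* constructed temp name */
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    unlink(path);

    struct aiocb cb;
    memset(&cb, 0, sizeof cb);
    memset(buf, 0xaa, sizeof buf);
    cb.aio_fildes = fd;
    cb.aio_buf = buf;
    cb.aio_nbytes = sizeof buf;
    if (aio_write(&cb) == -1) { close(fd); return -1; }

    int status = aio_cancel(fd, &cb);
    if (status == -1) { close(fd); return -1; }

    /* AIO_NOTCANCELED: the write is still in flight. Block until it is done
     * rather than spinning on aio_error(); retry if a signal interrupts. */
    const struct aiocb *const list[] = { &cb };
    while (aio_error(&cb) == EINPROGRESS)
        if (aio_suspend(list, 1, NULL) == -1 && errno != EINTR) break;

    int err = aio_error(&cb);      /* 0, ECANCELED or another errno value */
    ssize_t n = aio_return(&cb);   /* reap the request exactly once */
    close(fd);

    if (err == EINPROGRESS) return -1;                        /* wait failed */
    if (status == AIO_CANCELED && err != ECANCELED) return -1;
    if (err == 0 && n < 0) return -1;
    return status;
}

int main(void)
{
    printf("aio_cancel status: %d\n", write_then_cancel());
    return 0;
}
```

On older glibc versions the program needs to be linked with -lrt.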