NetBSD Problem Report #56514

From martin@duskware.de  Sat Nov 20 19:20:54 2021
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 2AFFF1A923A
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 20 Nov 2021 19:20:54 +0000 (UTC)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: sparc userland on sparc64 has broken jemalloc or sh(1) is freeing bogus memory
X-Send-Pr-Version: 3.95

>Number:         56514
>Category:       bin
>Synopsis:       sparc userland on sparc64 has broken jemalloc or sh(1) is freeing bogus memory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 20 19:25:00 +0000 2021
>Originator:     Martin Husemann
>Release:        NetBSD 9.99.92
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD thirdstage.duskware.de 9.99.92 NetBSD 9.99.92 (MODULAR) #508: Sat Nov 20 16:11:11 CET 2021 martin@thirdstage.duskware.de:/usr/src/sys/arch/sparc64/compile/MODULAR sparc64
Architecture: sparc64
Machine: sparc64
>Description:

After seeing that COMPAT_NETBSD32 test runs work pretty well on amd64 and 
aarch64 I thought I'd retry "the original" - by running atf tests of sparc
userland on a sparc64 machine.

It fails badly with (slightly random) core dumps from /bin/sh, like:

Reading symbols from /bin/sh...
Reading symbols from /usr/libdata/debug//bin/sh.debug...
[New process 25774]
Core was generated by `sh'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  extent_sn_get (extent=0x1000000) at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/extent_inlines.h:74
74      /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/extent_inlines.h: No such file or directory.
(gdb) bt
#0  extent_sn_get (extent=0x1000000) at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/extent_inlines.h:74
#1  extent_sn_comp (b=0x3660b600, a=0x1000000) at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/extent_inlines.h:377
#2  extent_snad_comp (b=0x3660b600, a=0x1000000) at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/extent_inlines.h:411
#3  arena_bin_lower_slab (arena=0x366003c0, slab=0x3660b600, bin=0x366081e8, tsdn=<optimized out>) at /work/src/external/bsd/jemalloc/lib/../dist/src/arena.c:1515
#4  0x364dbd04 in arena_dalloc_bin_locked_impl (tsdn=<optimized out>, arena=0x366003c0, slab=0x3660b600, ptr=<optimized out>, junked=<optimized out>)
    at /work/src/external/bsd/jemalloc/lib/../dist/src/arena.c:1550
#5  0x36495d58 in je_tcache_bin_flush_small (tsd=0x363c6040, tcache=<optimized out>, tbin=0x363c63c8, binind=27, rem=16)
    at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/tsd.h:138
#6  0x364e5a50 in tcache_dalloc_small (slow_path=false, binind=27, ptr=0x3686a000, tcache=0x363c6130, tsd=<optimized out>)
    at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/tcache_inlines.h:178
#7  arena_dalloc (slow_path=false, alloc_ctx=<synthetic pointer>, tcache=0x363c6130, ptr=0x3686a000, tsdn=<optimized out>)
    at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/arena_inlines_b.h:224
#8  idalloctm (slow_path=false, is_internal=false, alloc_ctx=<synthetic pointer>, tcache=0x363c6130, ptr=0x3686a000, tsdn=<optimized out>)
    at /work/src/external/bsd/jemalloc/lib/../include/jemalloc/internal/jemalloc_internal_inlines_c.h:118
#9  ifree (slow_path=false, tcache=0x363c6130, ptr=0x3686a000, tsd=<optimized out>) at /work/src/external/bsd/jemalloc/lib/../dist/src/jemalloc.c:2259
#10 free (ptr=0x3686a000) at /work/src/external/bsd/jemalloc/lib/../dist/src/jemalloc.c:2433
#11 0x0001843c in evalcommand (cmd=<optimized out>, flgs=<optimized out>, backcmd=<optimized out>) at /work/src/bin/sh/eval.c:1242
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) p *extent
Cannot access memory at address 0x1000000


>How-To-Repeat:

Extract sparc userland, e.g. under /test32, and populate /test32/dev. Then:

	chroot /test32
	sysctl -w kern.defcorename=/tmp/%n.core
	cd /usr/tests/bin/sh
	atf-run t_builtins | atf-report

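The same steps, wrapped as an added example (not part of this PR) that runs the t_builtins tests inside the chroot with cores routed to /tmp and then pulls a backtrace out of every core left behind. The chroot path, the kern.defcorename pattern and the test directory are the ones given above; the gdb batch invocation assumes a gdb binary is installed inside the chroot and that the crashing program lives in /bin, as sh does here.

```shell
#!/bin/sh
# Added example: reproduce the sparc-on-sparc64 sh core dumps from the PR
# and triage whatever cores are left in /tmp afterwards.

# Run the sh builtin tests inside the 32-bit chroot (default /test32), with
# core files named after the crashing program as in the PR (/tmp/%n.core).
run_sh_tests_in_chroot() {
    root=${1:-/test32}
    chroot "$root" /bin/sh -c '
        sysctl -w kern.defcorename=/tmp/%n.core &&
        cd /usr/tests/bin/sh &&
        atf-run t_builtins | atf-report'
}

# Print the number of *.core files directly under $1 (default /tmp).
count_cores() {
    dir=${1:-/tmp}
    n=0
    for core in "$dir"/*.core; do
        # With no match the glob stays literal; skip it.
        [ -f "$core" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# For each core under $1, print a backtrace. The %n pattern makes the core
# name the program name plus ".core", so /tmp/sh.core belongs to /bin/sh.
triage_cores() {
    dir=${1:-/tmp}
    for core in "$dir"/*.core; do
        [ -f "$core" ] || continue
        prog=$(basename "$core" .core)
        echo "=== $core (program: $prog)"
        if command -v gdb >/dev/null 2>&1 && [ -x "/bin/$prog" ]; then
            # Assumed gdb usage: batch mode, one "bt" command, then exit.
            gdb -batch -ex bt "/bin/$prog" "$core" 2>/dev/null
        else
            echo "gdb or /bin/$prog not available; core kept for later analysis"
        fi
    done
}

# Typical use on the sparc64 host (runs only when invoked as a script):
if [ "${0##*/}" = "triage_sh_cores.sh" ]; then
    run_sh_tests_in_chroot /test32
    echo "cores found: $(count_cores /test32/tmp)"
    triage_cores /test32/tmp
fi
```

Since the sysctl runs inside the chroot it still sets the host kernel's kern.defcorename, so the cores land in the chroot's /tmp, which is why the triage step looks in /test32/tmp from outside.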
>Fix:
n/a
