NetBSD Problem Report #39299
From www@NetBSD.org Wed Aug 6 14:30:24 2008
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id CDA4863B8A2
for <gnats-bugs@gnats.netbsd.org>; Wed, 6 Aug 2008 14:30:24 +0000 (UTC)
Message-Id: <20080806143024.6568B63B853@narn.NetBSD.org>
Date: Wed, 6 Aug 2008 14:30:24 +0000 (UTC)
From: M.Drochner@fz-juelich.de
Reply-To: M.Drochner@fz-juelich.de
To: gnats-bugs@NetBSD.org
Subject: FPU use in signal handlers is unsafe
X-Send-Pr-Version: www-1.0
>Number: 39299
>Category: port-i386
>Synopsis: FPU use in signal handlers is unsafe
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-i386-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Aug 06 14:35:00 +0000 2008
>Closed-Date:
>Last-Modified: Fri Oct 29 04:40:08 +0000 2010
>Originator: Matthias Drochner
>Release: current
>Organization:
KFA
>Environment:
NetBSD zelz27 4.99.72 NetBSD 4.99.72 (MIST+MP) #93: Wed Aug 6 15:54:47 MEST 2008 drochner@zelz27:/home/drochner/netbsd/work.src.usbdev/sys/arch/i386/compile/MIST+MP i386
>Description:
When a signal handler is called, the FPU is in the state as the
main program left it. In particular, there can be data on the
stack which causes that the stack overflows early.
>How-To-Repeat:
Start the appended program and send SIGUSR1 to it.
(The calculation in the signal handler is just a test which is
easy but cannot be optimized away by the compiler. The "fld1"
in the main program fills up the FPU stack.)
#include <stdio.h>
#include <math.h>
#include <signal.h>
#define IV 0.739085
double a = IV;
static void
sh(int s, siginfo_t *i, void *ctx)
{
double a1;
a1 = cos(a);
if (isnan(a1) || fabs(a - a1) > 0.0001) {
fprintf(stderr, "%g/%g (sh)\n", a, a1);
a1 = IV;
asm("finit");
}
a = a1;
}
int
main()
{
struct sigaction sa;
int i;
sa.sa_sigaction = sh;
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_SIGINFO;
sigaction(SIGUSR1, &sa, 0);
for (i = 0; i < 8; i++)
asm("fld1");
for (;;);
}
>Fix:
The appended patch fixes the issue for me. It should be possiple
to do it better, so that just the TS bit gets set but no fpu save
is done unless the signal handler tries to use it.
--- sys/arch/i386/i386/machdep.c
+++ sys/arch/i386/i386/machdep.c
@@ -833,6 +833,10 @@ sendsig_siginfo(const ksiginfo_t *ksi, c
buildcontext(l, sel, catcher, fp);
+ /* make sure we get a clean FPU */
+ npxsave_lwp(l, 0);
+ l->l_md.md_flags &= ~MDL_USEDFPU;
+
/* Remember that we're now on the signal stack. */
if (onstack)
l->l_sigstk.ss_flags |= SS_ONSTACK;
>Release-Note:
>Audit-Trail:
From: Hubert Feyrer <hubert@feyrer.de>
To: gnats-bugs@NetBSD.org
Cc: Hubert Feyrer <hubert@feyrer.de>
Subject: Re: port-i386/39299
Date: Fri, 17 Oct 2008 10:51:11 +0200 (CEST)
I've tested your patch against NetBSD-current version 4.99.73 with sources
as of 20081016. It's not clear from the PR what output should/should not
be exptected, or what is right or what is wrong. Please clarity.
Anyways, my results on a Toshiba Portege 3440ct are:
* without the patch, I get the following output:
0.739085/nan (sh)
This does not change when the signal is sent more than once.
* with your patch, I do not get any output, for the first and any
later SIGUSR1's.
With NetBSD 4.99.72 running in Qemu, I do *not* get any output with and
without the patch - this is in contrast to the "real" machine!
Is this expected/good results?
- Hubert
From: Matthias Drochner <M.Drochner@fz-juelich.de>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@NetBSD.org, gnats-admin@NetBSD.org,
netbsd-bugs@NetBSD.org
Subject: Re: port-i386/39299
Date: Fri, 17 Oct 2008 16:29:11 +0200
hubert@feyrer.de said:
> * without the patch, I get the following output:
> 0.739085/nan (sh)
0.739... is a fixpoint of the cos() function, so if
everything works well, the variable doesn't change
much. The "nan" result shows that the calculation
of the cos() failed. In this case it is due to an
overflow of the i387 FP stack.
> * with your patch, I do not get any output
No output is good output - the function iterates
as it should.
> With NetBSD 4.99.72 running in Qemu, I do *not* get any output with and
> without the patch - this is in contrast to the "real" machine!
Hmm - this could mean that qemu's i387 model does not
signal the stack overflow. That's likely a bug.
best regards
Matthias
-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------
From: "Jared D. McNeill" <jmcneill@invisible.ca>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Fri, 31 Oct 2008 08:30:32 -0400
Can we please get this patch in and pulled up to 5.0?
From: Andrew Doran <ad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39299 CVS commit: src/sys/arch
Date: Tue, 11 Nov 2008 15:53:53 +0000 (UTC)
Module Name: src
Committed By: ad
Date: Tue Nov 11 15:53:53 UTC 2008
Modified Files:
src/sys/arch/amd64/amd64: fpu.c machdep.c
src/sys/arch/i386/i386: machdep.c
src/sys/arch/i386/isa: npx.c
Log Message:
PR port-i386/39299 FPU use in signal handlers is unsafe
To generate a diff of this commit:
cvs rdiff -r1.28 -r1.29 src/sys/arch/amd64/amd64/fpu.c
cvs rdiff -r1.104 -r1.105 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -r1.646 -r1.647 src/sys/arch/i386/i386/machdep.c
cvs rdiff -r1.131 -r1.132 src/sys/arch/i386/isa/npx.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39299 CVS commit: [netbsd-5] src/sys/arch
Date: Thu, 20 Nov 2008 03:45:29 +0000 (UTC)
Module Name: src
Committed By: snj
Date: Thu Nov 20 03:45:29 UTC 2008
Modified Files:
src/sys/arch/amd64/amd64 [netbsd-5]: fpu.c machdep.c
src/sys/arch/i386/i386 [netbsd-5]: machdep.c
src/sys/arch/i386/isa [netbsd-5]: npx.c
Log Message:
Pull up following revision(s) (requested by ad in ticket #71):
sys/arch/i386/isa/npx.c: revision 1.132
sys/arch/amd64/amd64/fpu.c: revision 1.29
sys/arch/amd64/amd64/machdep.c: revision 1.105
sys/arch/i386/i386/machdep.c: revision 1.647
PR port-i386/39299 FPU use in signal handlers is unsafe
To generate a diff of this commit:
cvs rdiff -r1.26.6.2 -r1.26.6.3 src/sys/arch/amd64/amd64/fpu.c
cvs rdiff -r1.102.4.3 -r1.102.4.4 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -r1.644.4.1 -r1.644.4.2 src/sys/arch/i386/i386/machdep.c
cvs rdiff -r1.129.10.2 -r1.129.10.3 src/sys/arch/i386/isa/npx.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 24 Mar 2009 22:33:41 +0000
State-Changed-Why:
Fixed, right?
From: Matthias Drochner <M.Drochner@fz-juelich.de>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@NetBSD.org, netbsd-bugs@NetBSD.org,
gnats-admin@NetBSD.org, dholland@NetBSD.org, M.Drochner@fz-juelich.de
Subject: Re: port-i386/39299 (FPU use in signal handlers is unsafe)
Date: Wed, 25 Mar 2009 21:22:56 +0100
dholland@NetBSD.org said:
> Fixed, right?
The original problem as descriped in the PR is fixed.
But if I switch roles: the math in main() and something
"destructive" in the signal handler I'm still getting
errors. I thought I've mentioned this in some mail, but
appearently this didn't make it to gnats.
It might be better to open another PR for that, so I'll
close the original one.
best regards
Matthias
-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------
State-Changed-From-To: feedback->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 31 Jul 2009 05:07:54 +0000
State-Changed-Why:
according to drochner@ (in march), a related problem still exists.
From: Michael van Elst <mlelstv@henery.1st.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Thu, 24 Sep 2009 19:58:55 +0200
The same problem exists in netbsd-4, this breaks the current
modular-xorg-server from pkgsrc as X processes all input in
a SIGIO handler and fails to compute mouse movements (in
floating pointer).
A similar patch solves the problem here and I am preparing
a pullup.
-current/amd64 seems to have the same problem, at least when
running 32bit binaries. The signal handler uses the FPU state
as it was left by the main program.
When analyzing the problem I found that the FPU save frame
as defined in i386/include/npx.h has one field wrong. The
tag word is 16bit with the 8 lower bits (first byte, LSB!)
being valid. If I'm not mistaken it should be like:
struct envxmm {
/*0*/ uint16_t en_cw; /* FPU Control Word */
uint16_t en_sw; /* FPU Status Word */
uint8_t en_tw; /* FPU Tag Word (abridged) */
uint8_t en_rsvd0;
....
Greetings,
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: Michael van Elst <mlelstv@henery.1st.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Fri, 25 Sep 2009 15:41:23 +0200
amd64 was safe for 64bit code, the fix for 32bit code was
clearing the MDP_USEDFPU flag appropiately.
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: Michael van Elst <mlelstv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39299 CVS commit: src/sys/arch/amd64/amd64
Date: Fri, 25 Sep 2009 13:56:32 +0000
Module Name: src
Committed By: mlelstv
Date: Fri Sep 25 13:56:32 UTC 2009
Modified Files:
src/sys/arch/amd64/amd64: netbsd32_machdep.c
Log Message:
Ensure FP state is reset, if FP is used in a signal handler.
Fixes PR kern/39299 for 32bit code.
To generate a diff of this commit:
cvs rdiff -u -r1.58 -r1.59 src/sys/arch/amd64/amd64/netbsd32_machdep.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39299 CVS commit: [netbsd-5] src/sys/arch/amd64/amd64
Date: Sat, 3 Oct 2009 23:34:48 +0000
Module Name: src
Committed By: snj
Date: Sat Oct 3 23:34:48 UTC 2009
Modified Files:
src/sys/arch/amd64/amd64 [netbsd-5]: netbsd32_machdep.c
Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1048):
sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.59
Ensure FP state is reset, if FP is used in a signal handler.
Fixes PR kern/39299 for 32bit code.
To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.4.1 src/sys/arch/amd64/amd64/netbsd32_machdep.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39299 CVS commit: [netbsd-4] src/sys/arch
Date: Sun, 18 Oct 2009 15:20:43 +0000
Module Name: src
Committed By: bouyer
Date: Sun Oct 18 15:20:43 UTC 2009
Modified Files:
src/sys/arch/amd64/amd64 [netbsd-4]: machdep.c
src/sys/arch/i386/i386 [netbsd-4]: machdep.c
src/sys/arch/i386/isa [netbsd-4]: npx.c
Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1363):
sys/arch/i386/isa/npx.c: revision 1.132 via patch
sys/arch/amd64/amd64/fpu.c: revision 1.29 via patch
sys/arch/amd64/amd64/machdep.c: revision 1.105 via patch
sys/arch/i386/i386/machdep.c: revision 1.647 via patch
PR port-i386/39299 FPU use in signal handlers is unsafe
Ensure FP state is reset, if FP is used in a signal handler.
Fixes PR kern/39299 for 32bit code.
To generate a diff of this commit:
cvs rdiff -u -r1.44.2.5 -r1.44.2.6 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.586.2.5 -r1.586.2.6 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.115 -r1.115.2.1 src/sys/arch/i386/isa/npx.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39299 CVS commit: [netbsd-4] src/sys/arch/amd64/amd64
Date: Sun, 18 Oct 2009 15:22:38 +0000
Module Name: src
Committed By: bouyer
Date: Sun Oct 18 15:22:38 UTC 2009
Modified Files:
src/sys/arch/amd64/amd64 [netbsd-4]: netbsd32_machdep.c
Log Message:
Pull up following revision(s) (requested by mlelstv in ticket #1363):
sys/arch/i386/isa/npx.c: revision 1.132 via patch
sys/arch/amd64/amd64/fpu.c: revision 1.29 via patch
sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.59 via patch
sys/arch/amd64/amd64/machdep.c: revision 1.105 via patch
sys/arch/i386/i386/machdep.c: revision 1.647 via patch
PR port-i386/39299 FPU use in signal handlers is unsafe
Ensure FP state is reset, if FP is used in a signal handler.
Fixes PR kern/39299 for 32bit code.
To generate a diff of this commit:
cvs rdiff -u -r1.30.2.2 -r1.30.2.3 \
src/sys/arch/amd64/amd64/netbsd32_machdep.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Mon, 25 Oct 2010 01:44:02 +0000
On Wed, Aug 06, 2008 at 02:35:01PM +0000, M.Drochner@fz-juelich.de wrote:
> When a signal handler is called, the FPU is in the state as the
> main program left it. In particular, there can be data on the
> stack which causes that the stack overflows early.
I've been seeing the overt symptom of this again recently (teleporting
mouse pointer) - anyone else?
--
David A. Holland
dholland@netbsd.org
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org, M.Drochner@fz-juelich.de
Subject: re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Tue, 26 Oct 2010 04:41:33 +1100
> The following reply was made to PR port-i386/39299; it has been noted by GNATS.
>
> From: David Holland <dholland-bugs@netbsd.org>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
> Date: Mon, 25 Oct 2010 01:44:02 +0000
>
> On Wed, Aug 06, 2008 at 02:35:01PM +0000, M.Drochner@fz-juelich.de wrote:
> > When a signal handler is called, the FPU is in the state as the
> > main program left it. In particular, there can be data on the
> > stack which causes that the stack overflows early.
>
> I've been seeing the overt symptom of this again recently (teleporting
> mouse pointer) - anyone else?
the touchpad on my laptop jumps around a bit, but not quite in the
same way it used to. instead of jumping to the left always, it just
sometimes ends up elsewhere on the screen.
.mrg.
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Fri, 29 Oct 2010 04:39:53 +0000
On Mon, Oct 25, 2010 at 05:45:02PM +0000, matthew green wrote:
>> I've been seeing the overt symptom of this again recently (teleporting
>> mouse pointer) - anyone else?
>
> the touchpad on my laptop jumps around a bit, but not quite in the
> same way it used to. instead of jumping to the left always, it just
> sometimes ends up elsewhere on the screen.
Yeah, it's not quite the same (for me, instead of sometimes zooming
around it seems to only teleport specifically to the top left corner)
but I wonder if it's not also a signals problem.
--
David A. Holland
dholland@netbsd.org
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.