NetBSD Problem Report #39299

From www@NetBSD.org  Wed Aug  6 14:30:24 2008
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id CDA4863B8A2
	for <gnats-bugs@gnats.netbsd.org>; Wed,  6 Aug 2008 14:30:24 +0000 (UTC)
Message-Id: <20080806143024.6568B63B853@narn.NetBSD.org>
Date: Wed,  6 Aug 2008 14:30:24 +0000 (UTC)
From: M.Drochner@fz-juelich.de
Reply-To: M.Drochner@fz-juelich.de
To: gnats-bugs@NetBSD.org
Subject: FPU use in signal handlers is unsafe
X-Send-Pr-Version: www-1.0

>Number:         39299
>Category:       port-i386
>Synopsis:       FPU use in signal handlers is unsafe
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-i386-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 06 14:35:00 +0000 2008
>Closed-Date:    
>Last-Modified:  Fri Oct 29 04:40:08 +0000 2010
>Originator:     Matthias Drochner
>Release:        current
>Organization:
KFA
>Environment:
NetBSD zelz27 4.99.72 NetBSD 4.99.72 (MIST+MP) #93: Wed Aug  6 15:54:47 MEST 2008  drochner@zelz27:/home/drochner/netbsd/work.src.usbdev/sys/arch/i386/compile/MIST+MP i386

>Description:
When a signal handler is called, the FPU is in the state as the
main program left it. In particular, there can be data on the
stack which causes that the stack overflows early.

>How-To-Repeat:
Start the appended program and send SIGUSR1 to it.
(The calculation in the signal handler is just a test which is
easy but cannot be optimized away by the compiler. The "fld1"
in the main program fills up the FPU stack.)


#include <stdio.h>
#include <math.h>
#include <signal.h>

#define IV 0.739085
double a = IV;

static void
sh(int s, siginfo_t *i, void *ctx)
{
        double a1;

        a1 = cos(a);
        if (isnan(a1) || fabs(a - a1) > 0.0001) {
                fprintf(stderr, "%g/%g (sh)\n", a, a1);
                a1 = IV;
                asm("finit");
        }
        a = a1;
}

int
main()
{
        struct sigaction sa;
        int i;

        sa.sa_sigaction = sh;
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = SA_SIGINFO;
        sigaction(SIGUSR1, &sa, 0);

        for (i = 0; i < 8; i++)
                asm("fld1");

        for (;;);
}

>Fix:
The appended patch fixes the issue for me. It should be possiple
to do it better, so that just the TS bit gets set but no fpu save
is done unless the signal handler tries to use it.


--- sys/arch/i386/i386/machdep.c
+++ sys/arch/i386/i386/machdep.c
@@ -833,6 +833,10 @@ sendsig_siginfo(const ksiginfo_t *ksi, c

        buildcontext(l, sel, catcher, fp);

+       /* make sure we get a clean FPU */
+       npxsave_lwp(l, 0);
+       l->l_md.md_flags &= ~MDL_USEDFPU;
+
        /* Remember that we're now on the signal stack. */
        if (onstack)
                l->l_sigstk.ss_flags |= SS_ONSTACK;

>Release-Note:

>Audit-Trail:
From: Hubert Feyrer <hubert@feyrer.de>
To: gnats-bugs@NetBSD.org
Cc: Hubert Feyrer <hubert@feyrer.de>
Subject: Re: port-i386/39299
Date: Fri, 17 Oct 2008 10:51:11 +0200 (CEST)

 I've tested your patch against NetBSD-current version 4.99.73 with sources 
 as of 20081016. It's not clear from the PR what output should/should not 
 be exptected, or what is right or what is wrong. Please clarity.

 Anyways, my results on a Toshiba Portege 3440ct are:
   * without the patch, I get the following output:

  	0.739085/nan (sh)

     This does not change when the signal is sent more than once.

   * with your patch, I do not get any output, for the first and any
     later SIGUSR1's.

 With NetBSD 4.99.72 running in Qemu, I do *not* get any output with and 
 without the patch - this is in contrast to the "real" machine!

 Is this expected/good results?


   - Hubert

From: Matthias Drochner <M.Drochner@fz-juelich.de>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@NetBSD.org, gnats-admin@NetBSD.org,
	netbsd-bugs@NetBSD.org
Subject: Re: port-i386/39299 
Date: Fri, 17 Oct 2008 16:29:11 +0200

 hubert@feyrer.de said:
 >    * without the patch, I get the following output:
 >     	0.739085/nan (sh) 

 0.739... is a fixpoint of the cos() function, so if
 everything works well, the variable doesn't change
 much. The "nan" result shows that the calculation
 of the cos() failed. In this case it is due to an
 overflow of the i387 FP stack.

 > * with your patch, I do not get any output

 No output is good output - the function iterates
 as it should.

 > With NetBSD 4.99.72 running in Qemu, I do *not* get any output with and 
 > without the patch - this is in contrast to the "real" machine!

 Hmm - this could mean that qemu's i387 model does not
 signal the stack overflow. That's likely a bug.

 best regards
 Matthias




 -------------------------------------------------------------------
 -------------------------------------------------------------------
 Forschungszentrum Juelich GmbH
 52425 Juelich

 Sitz der Gesellschaft: Juelich
 Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
 Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
 Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
 Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
 Dr. Sebastian M. Schmidt
 -------------------------------------------------------------------
 -------------------------------------------------------------------

From: "Jared D. McNeill" <jmcneill@invisible.ca>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@netbsd.org, gnats-admin@netbsd.org, 
 netbsd-bugs@netbsd.org
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Fri, 31 Oct 2008 08:30:32 -0400

 Can we please get this patch in and pulled up to 5.0?

From: Andrew Doran <ad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39299 CVS commit: src/sys/arch
Date: Tue, 11 Nov 2008 15:53:53 +0000 (UTC)

 Module Name:	src
 Committed By:	ad
 Date:		Tue Nov 11 15:53:53 UTC 2008

 Modified Files:
 	src/sys/arch/amd64/amd64: fpu.c machdep.c
 	src/sys/arch/i386/i386: machdep.c
 	src/sys/arch/i386/isa: npx.c

 Log Message:
 PR port-i386/39299 FPU use in signal handlers is unsafe


 To generate a diff of this commit:
 cvs rdiff -r1.28 -r1.29 src/sys/arch/amd64/amd64/fpu.c
 cvs rdiff -r1.104 -r1.105 src/sys/arch/amd64/amd64/machdep.c
 cvs rdiff -r1.646 -r1.647 src/sys/arch/i386/i386/machdep.c
 cvs rdiff -r1.131 -r1.132 src/sys/arch/i386/isa/npx.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39299 CVS commit: [netbsd-5] src/sys/arch
Date: Thu, 20 Nov 2008 03:45:29 +0000 (UTC)

 Module Name:	src
 Committed By:	snj
 Date:		Thu Nov 20 03:45:29 UTC 2008

 Modified Files:
 	src/sys/arch/amd64/amd64 [netbsd-5]: fpu.c machdep.c
 	src/sys/arch/i386/i386 [netbsd-5]: machdep.c
 	src/sys/arch/i386/isa [netbsd-5]: npx.c

 Log Message:
 Pull up following revision(s) (requested by ad in ticket #71):
 	sys/arch/i386/isa/npx.c: revision 1.132
 	sys/arch/amd64/amd64/fpu.c: revision 1.29
 	sys/arch/amd64/amd64/machdep.c: revision 1.105
 	sys/arch/i386/i386/machdep.c: revision 1.647
 PR port-i386/39299 FPU use in signal handlers is unsafe


 To generate a diff of this commit:
 cvs rdiff -r1.26.6.2 -r1.26.6.3 src/sys/arch/amd64/amd64/fpu.c
 cvs rdiff -r1.102.4.3 -r1.102.4.4 src/sys/arch/amd64/amd64/machdep.c
 cvs rdiff -r1.644.4.1 -r1.644.4.2 src/sys/arch/i386/i386/machdep.c
 cvs rdiff -r1.129.10.2 -r1.129.10.3 src/sys/arch/i386/isa/npx.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 24 Mar 2009 22:33:41 +0000
State-Changed-Why:
Fixed, right?


From: Matthias Drochner <M.Drochner@fz-juelich.de>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@NetBSD.org, netbsd-bugs@NetBSD.org,
	gnats-admin@NetBSD.org, dholland@NetBSD.org, M.Drochner@fz-juelich.de
Subject: Re: port-i386/39299 (FPU use in signal handlers is unsafe) 
Date: Wed, 25 Mar 2009 21:22:56 +0100

 dholland@NetBSD.org said:
 > Fixed, right? 

 The original problem as descriped in the PR is fixed.
 But if I switch roles: the math in main() and something
 "destructive" in the signal handler I'm still getting
 errors. I thought I've mentioned this in some mail, but
 appearently this didn't make it to gnats.
 It might be better to open another PR for that, so I'll
 close the original one.

 best regards
 Matthias




 -------------------------------------------------------------------
 -------------------------------------------------------------------
 Forschungszentrum Juelich GmbH
 52425 Juelich

 Sitz der Gesellschaft: Juelich
 Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
 Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
 Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
 Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
 Dr. Sebastian M. Schmidt
 -------------------------------------------------------------------
 -------------------------------------------------------------------

State-Changed-From-To: feedback->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 31 Jul 2009 05:07:54 +0000
State-Changed-Why:
according to drochner@ (in march), a related problem still exists.


From: Michael van Elst <mlelstv@henery.1st.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Thu, 24 Sep 2009 19:58:55 +0200

 The same problem exists in netbsd-4, this breaks the current
 modular-xorg-server from pkgsrc as X processes all input in
 a SIGIO handler and fails to compute mouse movements (in
 floating pointer).

 A similar patch solves the problem here and I am preparing
 a pullup.

 -current/amd64 seems to have the same problem, at least when
 running 32bit binaries. The signal handler uses the FPU state
 as it was left by the main program.


 When analyzing the problem I found that the FPU save frame
 as defined in i386/include/npx.h has one field wrong. The
 tag word is 16bit with the 8 lower bits (first byte, LSB!)
 being valid. If I'm not mistaken it should be like:

 struct envxmm {
 /*0*/   uint16_t en_cw;         /* FPU Control Word */
         uint16_t en_sw;         /* FPU Status Word */
         uint8_t  en_tw;         /* FPU Tag Word (abridged) */
         uint8_t  en_rsvd0;
 ....


 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

From: Michael van Elst <mlelstv@henery.1st.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Fri, 25 Sep 2009 15:41:23 +0200

 amd64 was safe for 64bit code, the fix for 32bit code was
 clearing the MDP_USEDFPU flag appropiately.

 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

From: Michael van Elst <mlelstv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39299 CVS commit: src/sys/arch/amd64/amd64
Date: Fri, 25 Sep 2009 13:56:32 +0000

 Module Name:	src
 Committed By:	mlelstv
 Date:		Fri Sep 25 13:56:32 UTC 2009

 Modified Files:
 	src/sys/arch/amd64/amd64: netbsd32_machdep.c

 Log Message:
 Ensure FP state is reset, if FP is used in a signal handler.
 Fixes PR kern/39299 for 32bit code.


 To generate a diff of this commit:
 cvs rdiff -u -r1.58 -r1.59 src/sys/arch/amd64/amd64/netbsd32_machdep.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39299 CVS commit: [netbsd-5] src/sys/arch/amd64/amd64
Date: Sat, 3 Oct 2009 23:34:48 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Sat Oct  3 23:34:48 UTC 2009

 Modified Files:
 	src/sys/arch/amd64/amd64 [netbsd-5]: netbsd32_machdep.c

 Log Message:
 Pull up following revision(s) (requested by mlelstv in ticket #1048):
 	sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.59
 Ensure FP state is reset, if FP is used in a signal handler.
 Fixes PR kern/39299 for 32bit code.


 To generate a diff of this commit:
 cvs rdiff -u -r1.55 -r1.55.4.1 src/sys/arch/amd64/amd64/netbsd32_machdep.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39299 CVS commit: [netbsd-4] src/sys/arch
Date: Sun, 18 Oct 2009 15:20:43 +0000

 Module Name:	src
 Committed By:	bouyer
 Date:		Sun Oct 18 15:20:43 UTC 2009

 Modified Files:
 	src/sys/arch/amd64/amd64 [netbsd-4]: machdep.c
 	src/sys/arch/i386/i386 [netbsd-4]: machdep.c
 	src/sys/arch/i386/isa [netbsd-4]: npx.c

 Log Message:
 Pull up following revision(s) (requested by mlelstv in ticket #1363):
 	sys/arch/i386/isa/npx.c: revision 1.132 via patch
 	sys/arch/amd64/amd64/fpu.c: revision 1.29 via patch
 	sys/arch/amd64/amd64/machdep.c: revision 1.105 via patch
 	sys/arch/i386/i386/machdep.c: revision 1.647 via patch
 PR port-i386/39299 FPU use in signal handlers is unsafe
 Ensure FP state is reset, if FP is used in a signal handler.
 Fixes PR kern/39299 for 32bit code.


 To generate a diff of this commit:
 cvs rdiff -u -r1.44.2.5 -r1.44.2.6 src/sys/arch/amd64/amd64/machdep.c
 cvs rdiff -u -r1.586.2.5 -r1.586.2.6 src/sys/arch/i386/i386/machdep.c
 cvs rdiff -u -r1.115 -r1.115.2.1 src/sys/arch/i386/isa/npx.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39299 CVS commit: [netbsd-4] src/sys/arch/amd64/amd64
Date: Sun, 18 Oct 2009 15:22:38 +0000

 Module Name:	src
 Committed By:	bouyer
 Date:		Sun Oct 18 15:22:38 UTC 2009

 Modified Files:
 	src/sys/arch/amd64/amd64 [netbsd-4]: netbsd32_machdep.c

 Log Message:
 Pull up following revision(s) (requested by mlelstv in ticket #1363):
 	sys/arch/i386/isa/npx.c: revision 1.132 via patch
 	sys/arch/amd64/amd64/fpu.c: revision 1.29 via patch
 	sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.59 via patch
 	sys/arch/amd64/amd64/machdep.c: revision 1.105 via patch
 	sys/arch/i386/i386/machdep.c: revision 1.647 via patch
 PR port-i386/39299 FPU use in signal handlers is unsafe
 Ensure FP state is reset, if FP is used in a signal handler.
 Fixes PR kern/39299 for 32bit code.


 To generate a diff of this commit:
 cvs rdiff -u -r1.30.2.2 -r1.30.2.3 \
     src/sys/arch/amd64/amd64/netbsd32_machdep.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Mon, 25 Oct 2010 01:44:02 +0000

 On Wed, Aug 06, 2008 at 02:35:01PM +0000, M.Drochner@fz-juelich.de wrote:
  > When a signal handler is called, the FPU is in the state as the
  > main program left it. In particular, there can be data on the
  > stack which causes that the stack overflows early.

 I've been seeing the overt symptom of this again recently (teleporting
 mouse pointer) - anyone else?

 -- 
 David A. Holland
 dholland@netbsd.org

From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@netbsd.org, gnats-admin@netbsd.org,
    netbsd-bugs@netbsd.org, M.Drochner@fz-juelich.de
Subject: re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Tue, 26 Oct 2010 04:41:33 +1100

 > The following reply was made to PR port-i386/39299; it has been noted by GNATS.
 > 
 > From: David Holland <dholland-bugs@netbsd.org>
 > To: gnats-bugs@NetBSD.org
 > Cc: 
 > Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
 > Date: Mon, 25 Oct 2010 01:44:02 +0000
 > 
 >  On Wed, Aug 06, 2008 at 02:35:01PM +0000, M.Drochner@fz-juelich.de wrote:
 >   > When a signal handler is called, the FPU is in the state as the
 >   > main program left it. In particular, there can be data on the
 >   > stack which causes that the stack overflows early.
 >  
 >  I've been seeing the overt symptom of this again recently (teleporting
 >  mouse pointer) - anyone else?

 the touchpad on my laptop jumps around a bit, but not quite in the
 same way it used to.  instead of jumping to the left always, it just
 sometimes ends up elsewhere on the screen.


 .mrg.

From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-i386/39299: FPU use in signal handlers is unsafe
Date: Fri, 29 Oct 2010 04:39:53 +0000

 On Mon, Oct 25, 2010 at 05:45:02PM +0000, matthew green wrote:
  >>  I've been seeing the overt symptom of this again recently (teleporting
  >>  mouse pointer) - anyone else?
  >  
  >  the touchpad on my laptop jumps around a bit, but not quite in the
  >  same way it used to.  instead of jumping to the left always, it just
  >  sometimes ends up elsewhere on the screen.

 Yeah, it's not quite the same (for me, instead of sometimes zooming
 around it seems to only teleport specifically to the top left corner)
 but I wonder if it's not also a signals problem.

 -- 
 David A. Holland
 dholland@netbsd.org

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.