NetBSD Problem Report #56395

From www@netbsd.org  Fri Sep 10 01:25:21 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 677C41A9239
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 10 Sep 2021 01:25:21 +0000 (UTC)
Message-Id: <20210910012519.D20A11A923A@mollari.NetBSD.org>
Date: Fri, 10 Sep 2021 01:25:19 +0000 (UTC)
From: rokuyama@meiji.ac.jp
Reply-To: rokuyama@meiji.ac.jp
To: gnats-bugs@NetBSD.org
Subject: random profiled binary crash on strictly-aligned CPU
X-Send-Pr-Version: www-1.0

>Number:         56395
>Category:       lib
>Synopsis:       random profiled binary crash on strictly-aligned CPU
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 10 01:30:00 +0000 2021
>Closed-Date:    Fri May 06 04:51:19 +0000 2022
>Last-Modified:  Fri May 06 04:51:19 +0000 2022
>Originator:     Rin Okuyama
>Release:        9.99.88
>Organization:
Department of Physics, Meiji University
>Environment:
NetBSD hdlu 9.99.88 NetBSD 9.99.88 (GENERIC) #18: Wed Sep  8 16:29:48 JST 2021  rin@latipes:/sys/arch/landisk/compile/GENERIC landisk
>Description:
Profiled binaries, e.g., *_profile tests in ATF, ``randomly'' crash in
_mcount() due to alignment faults on strictly-aligned CPUs, namely,
SH-4 (sh3) and IBM403 (powerpc/ibm4xx).
>How-To-Repeat:
Run *_profile tests in ATF. Some work and others do not. It seems almost
random, depending on which versions of the source code they are built from.
>Fix:
Allocate objects in struct gmonparam with proper alignments:

https://gist.github.com/rokuyama/98b3d33222781337dc80e4e9a75da121

This is especially important for monstartup(), where objects are
allocated on the heap; the break is not guaranteed to be aligned at all,
unlike the stack pointer.

Even for _m_gmon_alloc(), where objects are allocated on anonymous
memory, p->tos is not aligned properly in general.

This fixes ``random'' crashes for profile tests on SH-4 and IBM403 (*).
Also, no regression is observed for others, e.g., aarch64 and IBM405
(powerpc/ibm4xx).

(*) Timeout should be increased for some tests. ``pic'' variants still
fail as expected. Dynamically-linked binaries also crash in rtld for
SH-4, but this seems to be a different problem...

Note that this should not cause any ABI breakage, as long as
applications use proper pointers; use p->tos instead of evil pointer
arithmetic like (struct tostruct *)((char *)p->froms + p->fromssize).

(This example did not work before, since the order of froms[] and
tos[] in struct gmonparam is reversed depending on which of monstartup()
or _m_gmon_alloc() is used to allocate it...)

OK to commit? Or am I missing something?

>Release-Note:

>Audit-Trail:
From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56395 CVS commit: src/lib/libc/gmon
Date: Fri, 6 May 2022 04:49:13 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Fri May  6 04:49:13 UTC 2022

 Modified Files:
 	src/lib/libc/gmon: gmon.c

 Log Message:
 PR lib/56395
 PR toolchain/56771

 Fix profiling on CPUs that do not support unaligned memory access;
 Allocate objects (referenced from struct gmonparam) with proper
 alignments.

 For monstartup(), objects are allocated on the heap. The break is not
 guaranteed to be aligned at all, unlike the stack pointer.

 For _m_gmon_alloc(), objects are allocated on anonymous memory.
 p->tos is not aligned properly in general.

 This fixes quasi-random crashes for *_profile tests, at least on
 SH-4 and PowerPC 403 [1]. Also, no regression is observed for
 others as far as I can see.

 This change does not cause any ABI breakage, as long as the application
 uses proper pointers; use p->tos instead of evil pointer arithmetic
 like (struct tostruct *)((char *)p->froms + p->fromssize) [2].

 [1] Timeout should be increased for some tests. "pic" variants
 still fail as expected. Dynamically-linked binaries also crash in
 rtld for SH-4, but this seems to be a different problem...

 [2] This example did not work even before, since the order of
 froms[] and tos[] is reversed depending on which of monstartup() or
 _m_gmon_alloc() is used for allocation.


 To generate a diff of this commit:
 cvs rdiff -u -r1.36 -r1.37 src/lib/libc/gmon/gmon.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: rin@NetBSD.org
State-Changed-When: Fri, 06 May 2022 04:51:19 +0000
State-Changed-Why:
Fix committed.

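The alignment problem that the report and the commit message describe, as an added example in C (this is not NetBSD's gmon.c and not the committed fix): it carves froms[] and tos[] out of one buffer the way monstartup() does, once without alignment and once with each array rounded up to the boundary its element type needs, on a simulated break that is one byte off. struct tostruct here is an assumed approximation of the one in <sys/gmon.h> (only its size and alignment matter); layout_naive(), layout_aligned(), SIM_BREAK, the arena and the demo_* functions are names chosen for this example, and the scenario is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed approximation of NetBSD's struct tostruct (<sys/gmon.h>);
 * only its size and alignment matter here. */
struct tostruct {
	unsigned long	selfpc;		/* callee address */
	long		count;		/* number of calls */
	unsigned short	link;		/* next entry in hash chain */
	unsigned short	pad;
};

/* The two arrays that gmonparam carves out of one profiling buffer. */
struct layout {
	unsigned short	*froms;
	size_t		fromssize;	/* bytes */
	struct tostruct	*tos;
	size_t		tossize;	/* bytes */
};

/* Round p up to the next multiple of align (a power of two). */
static char *align_up(char *p, size_t align)
{
	uintptr_t u = (uintptr_t)p;
	return (char *)((u + align - 1) & ~(uintptr_t)(align - 1));
}

/* Buggy carving: tos[] begins wherever froms[] happens to end. */
struct layout layout_naive(char *base, size_t fromssize, size_t tossize)
{
	struct layout l = { NULL, fromssize, NULL, tossize };
	l.froms = (unsigned short *)base;
	l.tos = (struct tostruct *)(base + fromssize);
	return l;
}

/* Fixed carving: each array is moved up to the boundary its element type
 * needs, so the layout is valid even when base (the break) is not. */
struct layout layout_aligned(char *base, size_t fromssize, size_t tossize)
{
	struct layout l = { NULL, fromssize, NULL, tossize };
	char *cp = align_up(base, _Alignof(unsigned short));
	l.froms = (unsigned short *)cp;
	cp = align_up(cp + fromssize, _Alignof(struct tostruct));
	l.tos = (struct tostruct *)cp;
	return l;
}

/* 1 if a strictly-aligned CPU (SH-4, PowerPC 403) can access both arrays. */
int layout_is_aligned(const struct layout *l)
{
	return (uintptr_t)l->froms % _Alignof(unsigned short) == 0 &&
	    (uintptr_t)l->tos % _Alignof(struct tostruct) == 0;
}

/* 1 if the pointer arithmetic the PR calls "evil" still lands on tos[]. */
int evil_arith_matches(const struct layout *l)
{
	return (struct tostruct *)((char *)l->froms + l->fromssize) == l->tos;
}

/* Constructed scenario: an arena aligned for struct tostruct, with the
 * simulated break one byte in, as an unaligned brk(2) value would be;
 * two froms entries (4 bytes) and two tos entries are requested. */
static struct tostruct arena[16];
#define SIM_BREAK	((char *)arena + 1)
#define FROMS_BYTES	(2 * sizeof(unsigned short))
#define TOS_BYTES	(2 * sizeof(struct tostruct))
#define NAIVE()		layout_naive(SIM_BREAK, FROMS_BYTES, TOS_BYTES)
#define FIXED()		layout_aligned(SIM_BREAK, FROMS_BYTES, TOS_BYTES)

int demo_naive_is_aligned(void)
{
	struct layout l = NAIVE();
	return layout_is_aligned(&l);	/* 0: froms[] lands on an odd address */
}
int demo_fixed_is_aligned(void)
{
	struct layout l = FIXED();
	return layout_is_aligned(&l);	/* 1 */
}
int demo_evil_arith_survives_fix(void)
{
	struct layout l = FIXED();
	return evil_arith_matches(&l);	/* 0: padding now separates the arrays */
}
size_t demo_padding_bytes(void)
{
	struct layout l = FIXED();
	return (size_t)((char *)l.tos - ((char *)l.froms + l.fromssize)); /* 2 */
}

int main(void)
{
	printf("naive aligned=%d fixed aligned=%d evil arith ok=%d pad=%zu\n",
	    demo_naive_is_aligned(), demo_fixed_is_aligned(),
	    demo_evil_arith_survives_fix(), demo_padding_bytes());
	return 0;
}
```

The naive layout is what a CPU that tolerates unaligned loads executes without complaint, which is why the bug stayed invisible on aarch64 and only surfaced as alignment faults in _mcount() on SH-4 and PowerPC 403. demo_evil_arith_survives_fix() is the ABI caveat from the commit message made concrete: once padding is inserted, (struct tostruct *)((char *)p->froms + p->fromssize) no longer equals p->tos, so only code that reads p->tos itself keeps working.
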

>Unformatted:
