| Summary: | dev-scheme/bigloo segfaults when libdl functions are run around it | | |
|---|---|---|---|
| Product: | Portage Development | Reporter: | Marijn Schouten (RETIRED) <hkbst> |
| Component: | Sandbox | Assignee: | Scheme Project <scheme> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | cyprien, vapier |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | interpose-open-fopen.tar.bz2 | | |
Description
Marijn Schouten (RETIRED)
The issue is present with in-tree bigloo-3.2b_p2 and sandbox-2.0.

Portage 2.1.6.13 (default/linux/amd64/2008.0/desktop, gcc-4.3.3, glibc-2.10.1-r0, 2.6.26-gentoo-r1 x86_64)

Passes fine on my system:

```
# FEATURES=test emerge bigloo
....
All tests executed...
all succeeded
make[1]: Leaving directory `/var/tmp/portage/dev-scheme/bigloo-3.2b_p2/work/bigloo3.2b'
....
```

Portage 2.2_rc40 (default/linux/amd64/2008.0/developer, gcc-4.4.1, glibc-2.10.1-r0, 2.6.30.4 x86_64)

The tests do not fail but the segfault is there for me.

Can you attach your test output?

I apologize for not being clearer before and wasting your time.
You can easily run only the segfaulting test by doing:

```shell
# in gentoo-x86/dev-scheme/bigloo
FEATURES=test ebuild bigloo-3.2b_p2.ebuild clean unpack compile test
# in /var/tmp/portage/dev-scheme/bigloo-3.2b_p2/work/bigloo3.2b/api/gstreamer/recette
./recette
```

The last will succeed in a normal shell but produce the segfault in a sandbox shell.

Sounds like a broken src_test if crashes aren't detected.

Looking in my log shows:

```
/bin/sh: line 12: 15662 Aborted                 (core dumped) ./recette
```

Looks like issues with nested dlopen() inits or something ... reduced code is:

```c
/* bigloo.i -- bglpth_setup() and _bigloo_main() are Bigloo runtime entry
   points resolved from the Bigloo libraries given on the gcc line below. */
#include <stdio.h>

int bigloo_main(void)
{
    /* module initialiser of the Bigloo gstreamer binding */
    BGl_modulezd2initializa7ationz75zz__gstreamer_gstreamerz00();
    return 0;
}

int main(void)
{
    char *argv[] = { "a.out", 0 };
    bglpth_setup(1, argv, 0);
    _bigloo_main(1, argv, 0, &bigloo_main);
    return 0;
}
```

```
$ gcc bigloo.i -L/usr/lib64/bigloo/3.2b -lbigloopth_s-3.2b -lbigloogstreamer_s-3.2b -lbigloomultimedia_s-3.2b -lbigloo_s-3.2b -lgc
$ ./a.out ; echo $?
0
$ sandbox ./a.out
*** glibc detected *** ./a.out: free(): invalid pointer: 0x0000000000bf6ea0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5db1afeac6]
/lib/libc.so.6(cfree+0x6c)[0x7f5db1b0346c]
/lib/libdl.so.2[0x7f5db385b345]
/lib/libdl.so.2(dlopen+0x31)[0x7f5db385aef1]
/usr/lib/libsandbox.so[0x7f5db48b3315]
/usr/lib/libsandbox.so[0x7f5db48b42db]
/usr/lib/libglib-2.0.so.0(g_get_language_names+0x2b4)[0x7f5db2071f64]
/usr/lib/libgstreamer-0.10.so.0(gst_init_check+0x157)[0x7f5db2eb2be7]
/usr/lib/libgstreamer-0.10.so.0(gst_init+0x17)[0x7f5db2eb2c37]
/usr/lib/libbigloogstreamer_s-3.2b.so(bgl_gst_init+0xcf)[0x7f5db446a2ef]
/usr/lib/libbigloogstreamer_s-3.2b.so(BGl_modulezd2initializa7ationz75zz__gstreamer_gstreamerz00+0x1fb)[0x7f5db447d9cb]
./a.out[0x4008b2]
/usr/lib/libbigloo_s-3.2b.so(_bigloo_main+0x1ce)[0x7f5db3d6ec1e]
./a.out[0x400907]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f5db1aaaa3d]
./a.out[0x4007e9]
```

Even simpler is to use:

```c
int bigloo_main(void)
{
    /* any libc call that goes through the sandbox's interposed open/fopen */
    FILE *fp = fopen("/dev/null", "r");
    return 0;
}
```

then all the multimedia crap isn't needed.

Created attachment 208248: interpose-open-fopen.tar.bz2

Doesn't need libsandbox. Simply overriding both open and fopen and calling dlvsym from both results in a crash.

```shell
LD_PRELOAD=libfoo.so ./a.out
```
Even simpler -- use dlvsym() before bglpth_setup() and then in bigloo_main() and the crash will be observed.

It looks like libdl uses the pthread funcs to create a unique key for storing internal libdl storage. bglpth also uses this functionality to create a location for its environment (api/pthread/src/Posix/bglpthread.c:bgldenv_key). If libdl is called first, it gets key 0 and bglpth gets key 1. But then if libdl is called later, the key 0 storage is corrupted and so we get this crash. So simple test case is now:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <dlfcn.h>

/* bglpth_setup() and _bigloo_main() are Bigloo runtime entry points. */
int bigloo_main(void)
{
    /* second libdl call, made after bglpth has set up its environment */
    dlvsym(RTLD_NEXT, "fopen", "GLIBC_2.2.5");
    return 0;
}

int main(void)
{
    /* first libdl call: libdl creates its internal key before bglpth does */
    void *sym = dlvsym(RTLD_NEXT, "open", "GLIBC_2.2.5");
    char *argv[] = { "a.out", 0 };
    bglpth_setup(1, argv, 0);
    _bigloo_main(1, argv, 0, &bigloo_main);
    return 0;
}
```

Actually, now that I said that out loud, the gdb session is obvious. We can see libdl getting key 0, setting it to its internal memory, and then bigloo setting key 0 *before* calling pthread_key_create. Looking at the aforementioned code shows the obvious answer (bigloo sucks):

```c
bglpth_setup_thread() {
    ...
    bglpth_dynamic_env_set( single_thread_denv );
    ...
    pthread_key_create( &bgldenv_key, 0L );
    ...
}
```

The init of bgldenv_key must come before the setting of the environment.

```
(gdb) b pthread_getspecific
Breakpoint 1 at 0x7ffff681ac80: file pthread_getspecific.c, line 32.
(gdb) b pthread_setspecific
Breakpoint 2 at 0x7ffff681ad00: file pthread_setspecific.c, line 29.
(gdb) b pthread_key_create
Breakpoint 3 at 0x7ffff681abe0: file pthread_key_create.c, line 29.
(gdb) r

Breakpoint 3, __pthread_key_create (key=0x7ffff710c0e8, destr=0x7ffff6f0a220 <free_key_mem>) at pthread_key_create.c:29
29      {
(gdb) bt 2
#0  __pthread_key_create (key=0x7ffff710c0e8, destr=0x7ffff6f0a220 <free_key_mem>) at pthread_key_create.c:29
#1  0x00007ffff6f0a271 in init () at dlerror.c:178
(More stack frames follow...)
(gdb) c
Continuing.

Breakpoint 1, __pthread_getspecific (key=0x0) at pthread_getspecific.c:32
32        if (__builtin_expect (key < PTHREAD_KEY_2NDLEVEL_SIZE, 1))
(gdb) bt 2
#0  __pthread_getspecific (key=0x0) at pthread_getspecific.c:32
#1  0x00007ffff6f0a365 in _dlerror_run (operate=0x7ffff6f0a170 <dlvsym_doit>, args=0x7fffffffcdf0) at dlerror.c:139
(More stack frames follow...)
(gdb) c
Continuing.

Breakpoint 2, __pthread_setspecific (key=0x0, value=0x602010) at pthread_setspecific.c:29
29      {
(gdb) bt 2
#0  __pthread_setspecific (key=0x0, value=0x602010) at pthread_setspecific.c:29
#1  0x00007ffff6f0a3a4 in _dlerror_run (operate=0x7ffff6f0a170 <dlvsym_doit>, args=0x7fffffffcdf0) at dlerror.c:151
(More stack frames follow...)
(gdb) c
Continuing.

Breakpoint 2, __pthread_setspecific (key=0x0, value=0x653dc0) at pthread_setspecific.c:29
29      {
(gdb) bt 2
#0  __pthread_setspecific (key=0x0, value=0x653dc0) at pthread_setspecific.c:29
#1  0x00007ffff7bd7ec3 in bglpth_setup_thread () from /usr/lib/libbigloopth_s-3.2b.so
(More stack frames follow...)
(gdb) c
Continuing.

Breakpoint 3, __pthread_key_create (key=0x7ffff7de0010, destr=0) at pthread_key_create.c:29
29      {
(gdb) bt 2
#0  __pthread_key_create (key=0x7ffff7de0010, destr=0) at pthread_key_create.c:29
#1  0x00007ffff7bd7ed1 in bglpth_setup_thread () from /usr/lib/libbigloopth_s-3.2b.so
(More stack frames follow...)
```

Thanks, Mike. I've notified upstream of your findings.

You might want to note that the issue isn't specific to any arch, so access to a 64bit machine isn't required.

This has been fixed upstream on Nov 4 2009. 3.3a and higher have the fix.

bigloo-3.3a_p5 is safe and in tree since +/- 4-5 months.

Since 3.4a just got into the tree, this is solved. Thanks Mike and Cyprien.
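The ordering bug the gdb session above pins down (pthread_setspecific on a still-uninitialised bgldenv_key before pthread_key_create, so the store lands in the key libdl already owns) reproduced as an added stand-alone C example that is not from the bug report or from Bigloo: libdl_init, bglpth_setup_thread_buggy, bglpth_setup_thread_fixed and bglpth_demo are stand-ins written for this page, with plain statics in place of the real dlerror state and Bigloo environment.

```c
#include <pthread.h>
#include <stdio.h>

/* Stand-in for libdl's private per-thread slot (the dlerror state the gdb trace
   shows being created from dlerror.c), and for bglpth's bgldenv_key and the
   environment it stores. All four are constructed for this example. */
static pthread_key_t libdl_key, bgldenv_key;
static int libdl_state, single_thread_denv;
enum { ENV_VISIBLE = 1, LIBDL_INTACT = 2 };

static void libdl_init(void)
{
    pthread_key_create(&libdl_key, NULL);
    pthread_setspecific(libdl_key, &libdl_state);
}

/* Order from the original bglpth_setup_thread(): store first, create the key
   second. The store goes to whatever stale value bgldenv_key holds. */
static void bglpth_setup_thread_buggy(void)
{
    pthread_setspecific(bgldenv_key, &single_thread_denv);
    pthread_key_create(&bgldenv_key, NULL);
}

/* Corrected order: the key exists before anything is stored under it. */
static void bglpth_setup_thread_fixed(void)
{
    pthread_key_create(&bgldenv_key, NULL);
    pthread_setspecific(bgldenv_key, &single_thread_denv);
}

/* Runs one scenario and reports what each side sees afterwards as flag bits. */
int bglpth_demo(int use_fixed_order)
{
    int flags = 0;
    libdl_init();
    /* In the reported process the zeroed static and libdl's key were both 0; the
       aliasing is forced here so the result does not depend on key numbering. */
    bgldenv_key = libdl_key;
    if (use_fixed_order) bglpth_setup_thread_fixed();
    else bglpth_setup_thread_buggy();
    if (pthread_getspecific(bgldenv_key) == &single_thread_denv) flags |= ENV_VISIBLE;
    if (pthread_getspecific(libdl_key) == &libdl_state) flags |= LIBDL_INTACT;
    return flags;
}

int main(void)
{
    printf("buggy %d fixed %d\n", bglpth_demo(0), bglpth_demo(1)); /* prints "buggy 0 fixed 3" */
    return 0;
}
```

In the buggy order Bigloo both overwrites libdl's slot and then loses its own environment (the freshly created key reads back NULL), which is why libdl later free()s a pointer it never allocated; the fixed order keeps both sides intact.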