Bug 154073 - [libz] libz causes perl to exit on signal 11
Summary: [libz] libz causes perl to exit on signal 11
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 8.1-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Xin LI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-01-17 07:40 UTC by azhegalov
Modified: 2019-12-01 04:35 UTC

See Also:
bugmeister: mfc-stable10?
bugmeister: mfc-stable9?
bugmeister: mfc-stable8?


Attachments
libz.patch.txt (566 bytes, text/plain), 2011-03-31 07:06 UTC, Andrey Zonov

Description azhegalov 2011-01-17 07:40:07 UTC
I use nfsen with perl 5.10 and 5.12 and get periodic perl exits with signal 11.
I don't have this problem on an i386 server with the same nfsen configuration and data flows.

/var/tmp# gdb -c /var/tmp/perl.63325.core /usr/local/bin/perl
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `perl'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /lib/libutil.so.8...(no debugging symbols found)...done.
Loaded symbols for /lib/libutil.so.8
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Fcntl/Fcntl.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Fcntl/Fcntl.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/POSIX/POSIX.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/POSIX/POSIX.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Socket/Socket.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Socket/Socket.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Sys/Syslog/Syslog.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Sys/Syslog/Syslog.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/IPC/SysV/SysV.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/IPC/SysV/SysV.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Data/Dumper/Dumper.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Data/Dumper/Dumper.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Cwd/Cwd.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Cwd/Cwd.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/List/Util/Util.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/List/Util/Util.so
Reading symbols from /usr/local/lib/perl5/site_perl/5.12.2/mach/auto/RRDs/RRDs.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/site_perl/5.12.2/mach/auto/RRDs/RRDs.so
Reading symbols from /usr/local/lib/librrd.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/librrd.so.5
Reading symbols from /usr/local/lib/libpangocairo-1.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpangocairo-1.0.so.0
Reading symbols from /usr/local/lib/libcairo.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libcairo.so.2
Reading symbols from /usr/local/lib/libpixman-1.so.9...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpixman-1.so.9
Reading symbols from /usr/local/lib/libpng.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpng.so.6
Reading symbols from /usr/local/lib/libxcb-shm.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxcb-shm.so.0
Reading symbols from /usr/local/lib/libxcb-render.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxcb-render.so.0
Reading symbols from /usr/local/lib/libxcb.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxcb.so.2
Reading symbols from /usr/local/lib/libXau.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libXau.so.6
Reading symbols from /usr/local/lib/libXdmcp.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libXdmcp.so.6
Reading symbols from /usr/local/lib/libpthread-stubs.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpthread-stubs.so.0
Reading symbols from /usr/local/lib/libpangoft2-1.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpangoft2-1.0.so.0
Reading symbols from /usr/local/lib/libpango-1.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpango-1.0.so.0
Reading symbols from /usr/local/lib/libfontconfig.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libfontconfig.so.1
Reading symbols from /usr/local/lib/libfreetype.so.9...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libfreetype.so.9
Reading symbols from /usr/local/lib/libexpat.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libexpat.so.6
Reading symbols from /usr/local/lib/libgobject-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libgobject-2.0.so.0
Reading symbols from /usr/local/lib/libgmodule-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libgmodule-2.0.so.0
Reading symbols from /usr/local/lib/libgthread-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libgthread-2.0.so.0
Reading symbols from /usr/local/lib/libglib-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libglib-2.0.so.0
Reading symbols from /usr/local/lib/libintl.so.9...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libintl.so.9
Reading symbols from /usr/local/lib/libpcre.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpcre.so.0
Reading symbols from /usr/local/lib/libxml2.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxml2.so.5
Reading symbols from /lib/libz.so.5...done.
Loaded symbols for /lib/libz.so.5
Reading symbols from /usr/local/lib/libiconv.so.3...done.
Loaded symbols for /usr/local/lib/libiconv.so.3
Reading symbols from /lib/libthr.so.3...done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/IO/IO.so...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/IO/IO.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Storable/Storable.so...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Storable/Storable.so
Reading symbols from /usr/local/lib/pango/1.6.0/modules/pango-basic-fc.so...done.
Loaded symbols for /usr/local/lib/pango/1.6.0/modules/pango-basic-fc.so
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  longest_match () at /usr/src/lib/libz/contrib/gcc_gvmat64/gvmat64.S:453
453             xor rax, [rdi + rdx + 8+8]
[New Thread 8011568c0 (LWP 100607)]
[New LWP 100559]


(gdb) bt full
#0  longest_match () at /usr/src/lib/libz/contrib/gcc_gvmat64/gvmat64.S:453
No locals.
#1  0x00000008039b8241 in deflate_slow (s=0xde00, flush=3) at /usr/src/lib/libz/deflate.c:1595
        hash_head = 50886
        bflush = Variable "bflush" is not available.
Current language:  auto; currently asm


(gdb) bt
#0  longest_match () at /usr/src/lib/libz/contrib/gcc_gvmat64/gvmat64.S:453
#1  0x00000008039b8241 in deflate_slow (s=0xde00, flush=3) at /usr/src/lib/libz/deflate.c:1595
#2  0x00000008039b729a in deflate (strm=0x8010c0bc0, flush=0) at /usr/src/lib/libz/deflate.c:790
#3  0x000000080227c367 in png_write_filtered_row () from /usr/local/lib/libpng.so.6
#4  0x000000080227c768 in png_write_find_filter () from /usr/local/lib/libpng.so.6
#5  0x00000008022785f5 in png_write_row () from /usr/local/lib/libpng.so.6
#6  0x00000008022787bd in png_write_image () from /usr/local/lib/libpng.so.6
#7  0x0000000801fca6a8 in write_png () from /usr/local/lib/libcairo.so.2
#8  0x0000000801fca815 in cairo_surface_write_to_png () from /usr/local/lib/libcairo.so.2
#9  0x0000000801d33107 in rrd_create () from /usr/local/lib/librrd.so.5
#10 0x0000000801d3465e in rrd_graph_v () from /usr/local/lib/librrd.so.5
#11 0x0000000801d347fa in rrd_graph () from /usr/local/lib/librrd.so.5
#12 0x0000000801c1b2bf in XS_RRDs_graph () from /usr/local/lib/perl5/site_perl/5.12.2/mach/auto/RRDs/RRDs.so
#13 0x00000008006df803 in Perl_pp_entersub () from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
#14 0x00000008006dde4e in Perl_runops_standard () from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
#15 0x000000080068bbc2 in perl_run () from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
#16 0x0000000000400da5 in main ()


I tried compiling libz with CPUTYPE nocona and without CPUTYPE, and it didn't help.

cat /etc/make.conf
CPUTYPE?=               nocona
CFLAGS=                 -O2 -fno-strict-aliasing -pipe

TRACEROUTE_NO_IPSEC=    true    # do not build traceroute(8) with IPSEC support

BOOTWAIT=               3000

SUP_UPDATE=             true

SUP=                    /usr/bin/csup
SUPFLAGS=               -g -z -L 2
SUPHOST=                cvsup2.ru.FreeBSD.org
SUPFILE=                /usr/local/etc/cvsup/standard-supfile
PORTSSUPFILE=           /usr/local/etc/cvsup/ports-supfile
NO_DOCUPDATE=           true

TOP_TABLE_SIZE=         101

SENDMAIL_MC=            /etc/mail/workstation.mc
SENDMAIL_SUBMIT_MC=     /etc/mail/workstation.submit.mc

KERNCONF=               NFLOW

# For all ports:
WITHOUT_IPV6=           yes
WITHOUT_X11=            yes
WITHOUT_GUI=            yes
WITHOUT_NLS=            yes

# added by use.perl 2010-12-03 09:38:54
PERL_VERSION=5.12.2

How-To-Repeat: The problem happens at different times and I have not been able to identify what it depends on.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2011-01-23 21:39:59 UTC
Responsible Changed
From-To: freebsd-amd64->freebsd-bugs

Reclassify.
Comment 2 Andrey Zonov 2011-03-31 07:06:29 UTC
Hi,

I have a similar problem with python.
Can you try attached patch?

Apply like that:
# cd /usr/src
# patch < libz.patch
# cd lib/libz && make && make install && make clean

-- 
Andrey Zonov
Comment 3 novikov 2011-07-01 16:29:46 UTC
Hi,

We have the same problem, with an identical top of stack, on 
FreeBSD 8.2-RELEASE (amd64, on a 2x Intel Core Quad Xeon platform, 
chipset Intel 5000p).

The patch provided by Andrey Zonov helps; the segfaults disappear.

It looks like the asm version of the longest_match() function has some bug 
or architecture incompatibility. The error does not happen regularly, 
probably only in a very specific case. We hit it using PyQt to paint jam tiles 
based on our data, and only sometimes, after 5-30 minutes of intensive 
continuous painting, regardless of whether multi-threading features were used. The 
(pseudo)stack always looked like:

longest_match()
deflate_slow()
deflate()
--- libpng functions ---
--- Qt functions ---
--- PyQt functions ---
--- Python interpreter ---

Regards,
Vsevolod Novikov
Comment 4 dfilter service freebsd_committer 2011-07-18 20:24:00 UTC
Author: delphij
Date: Mon Jul 18 19:23:50 2011
New Revision: 224196
URL: http://svn.freebsd.org/changeset/base/224196

Log:
  Disable gvmat64.S, the assembler version of longest_match for now.
  
  PR:		kern/154073
  MFC after:	3 days
  Approved by:	re (kib)

Modified:
  head/lib/libz/Makefile

Modified: head/lib/libz/Makefile
==============================================================================
--- head/lib/libz/Makefile	Mon Jul 18 18:56:50 2011	(r224195)
+++ head/lib/libz/Makefile	Mon Jul 18 19:23:50 2011	(r224196)
@@ -42,16 +42,16 @@ CFLAGS+=	-DASMV -DNO_UNDERLINE
 ACFLAGS+=	-Wa,--noexecstack
 .endif
 
-.if ${MACHINE_ARCH} == "amd64"
-.PATH:		${.CURDIR}/contrib/gcc_gvmat64
-SRCS+=		gvmat64.S
-CFLAGS+=	-DASMV -DNO_UNDERLINE
-ACFLAGS+=	-Wa,--noexecstack
-.if ${CC:T:Mclang} == "clang"
-# XXX: clang integrated-as doesn't grok .intel_syntax directives yet
-ACFLAGS+=	${.IMPSRC:T:Mgvmat64.S:C/^.+$/-no-integrated-as/}
-.endif
-.endif
+#.if ${MACHINE_ARCH} == "amd64"
+#.PATH:		${.CURDIR}/contrib/gcc_gvmat64
+#SRCS+=		gvmat64.S
+#CFLAGS+=	-DASMV -DNO_UNDERLINE
+#ACFLAGS+=	-Wa,--noexecstack
+#.if ${CC:T:Mclang} == "clang"
+## XXX: clang integrated-as doesn't grok .intel_syntax directives yet
+#ACFLAGS+=	${.IMPSRC:T:Mgvmat64.S:C/^.+$/-no-integrated-as/}
+#.endif
+#.endif
 
 VERSION_DEF=	${.CURDIR}/Versions.def
 SYMBOL_MAPS=	${.CURDIR}/Symbol.map
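Review bot: commenting the amd64 block out with `#` rather than removing it or gating it behind a build knob leaves ten dead lines that will drift away from the i386 `match.S` block above them; since the log says "for now", a one-line Makefile comment naming PR kern/154073 and the condition for bringing `gvmat64.S` back would spare the next reader a trip through svn history. Worth stating in that comment, too, that the behavioural change is the dropped `CFLAGS+= -DASMV -DNO_UNDERLINE`: without `-DASMV`, deflate.c compiles its own C `longest_match`, which is the fallback this commit relies on.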
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 5 Xin LI freebsd_committer 2011-07-18 20:35:51 UTC
Responsible Changed
From-To: freebsd-bugs->delphij

Assume responsibility.
Comment 6 Xin LI freebsd_committer 2011-07-18 20:36:13 UTC
State Changed
From-To: open->patched

Some reports suggest that this problem goes away when the 
assembler version of longest_match is disabled; it was disabled as of r224196.
Comment 7 Dimitry Andric freebsd_committer 2011-07-19 07:39:42 UTC
On 2011-07-18 21:23, Xin LI wrote:
> Author: delphij
> Date: Mon Jul 18 19:23:50 2011
> New Revision: 224196
> URL: http://svn.freebsd.org/changeset/base/224196
>
> Log:
>    Disable gvmat64.S, the assembler version of longest_match for now.
>
>    PR:		kern/154073

Hi,

This problem looks a lot like this one:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270070

and we do not have the one-liner fix that is mentioned in the bug
report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=33;att=0;bug=270070

However, is there a good way to reproduce the segfault?  My Perl never
crashes here, so I cannot verify that it fixes the problem.

To the original PR submitter, and the other PR contributors, maybe you
can try the diff that was proposed in that bug report, and see if it
solves the crash for you?  E.g.:

diff -urN zlib-1.2.1.1.orig/deflate.c zlib-data_type/deflate.c
--- zlib-1.2.1.1.orig/deflate.c	2003-11-12 16:48:21.000000000 +0000
+++ zlib-data_type/deflate.c	2004-09-05 14:04:20.076723997 +0100
@@ -372,6 +372,7 @@
      s = (deflate_state *)strm->state;
      s->pending = 0;
      s->pending_out = s->pending_buf;
+    s->data_type = Z_UNKNOWN;
  
      if (s->wrap < 0) {
          s->wrap = -s->wrap; /* was made negative by deflate(..., Z_FINISH); */
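Review bot: the hunk targets zlib-1.2.1.1's deflate_state, in which `data_type` was a member of the deflate state; in later zlib releases the field lives on the stream as `strm->data_type`, and deflateReset sets it to Z_UNKNOWN before the `s = (deflate_state *)strm->state;` context line. So before porting, check which layout the tree's deflate.c has: with the newer layout the added line does not compile, and where `strm->data_type = Z_UNKNOWN;` is already present the port would be a no-op anyway.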
Comment 8 Andrey Zonov 2011-07-19 17:23:18 UTC
Hi Dimitry,

I've tried the following patch:
Index: deflate.c
===================================================================
--- deflate.c   (revision 215508)
+++ deflate.c   (working copy)
@@ -371,6 +371,7 @@
      s = (deflate_state *)strm->state;
      s->pending = 0;
      s->pending_out = s->pending_buf;
+    s->data_type = Z_UNKNOWN;

      if (s->wrap < 0) {
          s->wrap = -s->wrap; /* was made negative by deflate(..., 
Z_FINISH); */
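Review bot: two things will stop this hunk as pasted. The context line `s->wrap = -s->wrap; /* was made negative by deflate(..., Z_FINISH); */` has been wrapped onto two lines by the mail client, so `patch` will reject the hunk; re-join it or apply from the attachment. And the compiler output below ('deflate_state' has no member named 'data_type') says the struct has no such field at r215508; the candidate is `strm->data_type`, and if deflateReset already assigns `strm->data_type = Z_UNKNOWN;` the Debian one-liner is present and there is nothing to port.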

But libz didn't build:

[root@xxx /usr/src/lib/libz]# make
Warning: Object directory not changed from original /usr/src/lib/libz
cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
-std=gnu99 -fstack-protector  -c adler32.c
cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
-std=gnu99 -fstack-protector  -c compress.c
cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
-std=gnu99 -fstack-protector  -c crc32.c
cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
-std=gnu99 -fstack-protector  -c gzio.c
cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
-std=gnu99 -fstack-protector  -c uncompr.c
cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
-std=gnu99 -fstack-protector  -c deflate.c
deflate.c: In function 'deflateReset':
deflate.c:374: error: 'deflate_state' has no member named 'data_type'
*** Error code 1

Stop in /usr/src/lib/libz.

-- 
Andrey Zonov


Comment 9 dfilter service freebsd_committer 2011-07-21 01:37:46 UTC
Author: delphij
Date: Thu Jul 21 00:37:32 2011
New Revision: 224238
URL: http://svn.freebsd.org/changeset/base/224238

Log:
  MFC r224196:
  
  Disable gvmat64.S, the assembler version of longest_match for now.
  
  PR:		kern/154073

Modified:
  stable/8/lib/libz/Makefile
Directory Properties:
  stable/8/lib/libz/   (props changed)
  stable/8/lib/libz/contrib/   (props changed)

Modified: stable/8/lib/libz/Makefile
==============================================================================
--- stable/8/lib/libz/Makefile	Wed Jul 20 22:48:48 2011	(r224237)
+++ stable/8/lib/libz/Makefile	Thu Jul 21 00:37:32 2011	(r224238)
@@ -25,11 +25,12 @@ SRCS+=		match.S
 CFLAGS+=	-DASMV -DNO_UNDERLINE
 .endif
 
-.if ${MACHINE_ARCH} == "amd64"
-.PATH:		${.CURDIR}/contrib/gcc_gvmat64
-SRCS+=		gvmat64.S
-CFLAGS+=	-DASMV -DNO_UNDERLINE
-.endif
+#.if ${MACHINE_ARCH} == "amd64"
+#.PATH:		${.CURDIR}/contrib/gcc_gvmat64
+#SRCS+=		gvmat64.S
+#CFLAGS+=	-DASMV -DNO_UNDERLINE
+#ACFLAGS+=	-Wa,--noexecstack
+#.endif
 
 minigzip:	all minigzip.o
 	$(CC) -o minigzip minigzip.o -L. -lz
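Review bot: the `#` block does not mirror the five `-` lines being removed: stable/8 never had `ACFLAGS+= -Wa,--noexecstack` for this target, yet the commented copy includes it, so the hunk was evidently pasted from head rather than produced by commenting the existing lines. Harmless while everything is commented, but if `gvmat64.S` is ever re-enabled on stable/8, keep that flag: without it the assembled object carries no `.note.GNU-stack` section and the linker can mark the whole `libz.so` as needing an executable stack; the head Makefile already carries the flag for exactly this object.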
Comment 10 christopher.key 2012-03-13 12:32:06 UTC
This is indeed a buffer overrun problem.  See below for my analysis sent
to the zlib maintainers:

Hello,

I've been looking into a repeatable gnuplot crash, which I think is the
result of a bug in zlib.

It's segfaulting at <longest_match+422>, which corresponds to
contrib/gcc_gvmat/gvmat64.S line 453.  A copy of the relevant section is
included below.

This piece of code is comparing two buffers of size MAX_MATCH_8 == 264,
and is doing so 24 bytes at a time.  However, I believe that the buffer
that is passed is only expected to be 258 bytes long, and thus the last
compare is overrunning the end of the buffer.  Normally this isn't a
problem, as the match length is capped at 258 later on, but in my case
it looks like the buffer ends very near the end of my process's address
space, and the code is therefore segfaulting.  I've included a copy of
the register dump below too.  The value of rdi is the address at which
we stop reading from the second buffer (see line 421), and its value of
0x809800004 looks suspiciously like it could have passed a mapping
boundary.

A quick hack to reduce the value of MAX_MATCH_8 to 240 avoids the crash.

I assume that the only solution is to ensure that we don't pass the 258
byte boundary.  Doing this is complicated by the fact that the match
loop above can start 0-3 bytes after the start of the buffer (in order
to 4-byte-align the fetches).  I'll have a go at providing a patch, but my
asm skills are very much in their infancy, and it may take a while to
produce something functional.  I therefore thought it best to notify you
of the potential problem now.

Kind regards,

Christopher Key




412: /*
413: ;;; Point edi to the string under scrutiny, and esi to the string we
414: ;;; are hoping to match it up with. In actuality, esi and edi are
415: ;;; both pointed (MAX_MATCH_8 - scanalign) bytes ahead, and edx is
416: ;;; initialized to -(MAX_MATCH_8 - scanalign).
417: */
418:         lea rsi,[r8+r10]
419:         mov rdx, 0xfffffffffffffef8 //; -(MAX_MATCH_8)
420:         lea rsi, [rsi + r13 + 0x0108] //;MAX_MATCH_8]
421:         lea rdi, [r9 + r13 + 0x0108] //;MAX_MATCH_8]
422:
423:         prefetcht1 [rsi+rdx]
424:         prefetcht1 [rdi+rdx]
425:
426: /*
427: ;;; Test the strings for equality, 8 bytes at a time. At the end,
428: ;;; adjust rdx so that it is offset to the exact byte that mismatched.
429: ;;;
430: ;;; We already know at this point that the first three bytes of the
431: ;;; strings match each other, and they can be safely passed over before
432: ;;; starting the compare loop. So what this code does is skip over 0-3
433: ;;; bytes, as much as necessary in order to dword-align the edi
434: ;;; pointer. (rsi will still be misaligned three times out of four.)
435: ;;;
436: ;;; It should be confessed that this loop usually does not represent
437: ;;; much of the total running time. Replacing it with a more
438: ;;; straightforward "rep cmpsb" would not drastically degrade
439: ;;; performance.
440: */
441:
442: LoopCmps:
443:         mov rax, [rsi + rdx]
444:         xor rax, [rdi + rdx]
445:         jnz LeaveLoopCmps
446:
447:         mov rax, [rsi + rdx + 8]
448:         xor rax, [rdi + rdx + 8]
449:         jnz LeaveLoopCmps8
450:
451:
452:         mov rax, [rsi + rdx + 8+8]
453:         xor rax, [rdi + rdx + 8+8]
454:         jnz LeaveLoopCmps16
455:
456:         add rdx,8+8+8
457:
458:            BEFORE_JMP
459:         jnz  LoopCmps
460:         jmp  LenMaximum
461:            AFTER_JMP
462:
463: LeaveLoopCmps16: add rdx,8
464: LeaveLoopCmps8: add rdx,8
465: LeaveLoopCmps:
466:



rax            0x2000000000000  562949953421312
rbx            0x200    512
rcx            0x801bfe000      34389090304
rdx            0xffffffffffffffe8       -24
rsi            0x8097ffefd      34519121661
rdi            0x809800004      34519121924
rbp            0x8000   0x8000
rsp            0x7fffffffd128   0x7fffffffd128
r8             0xfdf3   65011
r9             0x8097ffefa      34519121658
r10            0x8097f0000      34519056384
r11            0x58     88
r12            0x200    512
r13            0x2      2
r14            0x0      0
r15            0x1      1
rip            0x8009d42a6      0x8009d42a6 <longest_match+422>
eflags         0x10246  66118
cs             0x43     67
ss             0x3b     59
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
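The analysis above can be checked arithmetically. The C program below is an added example, not code from the bug report, zlib or FreeBSD: it models the read extent of the LoopCmps loop (rdi = scan + scanalign + MAX_MATCH_8, rdx stepping from -MAX_MATCH_8 to 0 by 24, three 8-byte loads per pass) against the MIN_LOOKAHEAD = 262 bytes that deflate guarantees past strstart, then plugs in the register values from the dump. It goes slightly beyond the text by taking MAX_MATCH_8 as a parameter, so the 240 hack can be compared with 264. Assumptions, labelled in the code: r10 is the window base, r8 is cur_match, r9 is scan and r13 is scanalign (as lines 418-421 use them), w_size is 32768 (deflate's default windowBits of 15), and pages are 4 KiB; the DUMP_* names are the example's own.

```c
/* Added example (not zlib or FreeBSD code): model of the gvmat64.S LoopCmps
 * read extent, checked against the register dump in Comment 10.
 * Assumed register roles: r10 = window base, r8 = cur_match, r9 = scan,
 * r13 = scanalign (as gvmat64.S lines 418-421 use them).
 * Assumed: w_size = 32768 (deflate's default windowBits 15), 4 KiB pages. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_MATCH      3
#define MAX_MATCH      258                          /* zlib: longest match emitted */
#define MAX_MATCH_8    264                          /* gvmat64.S: MAX_MATCH rounded up to 8 */
#define MIN_LOOKAHEAD  (MAX_MATCH + MIN_MATCH + 1)  /* 262: bytes deflate keeps past strstart */
#define STRIDE         24                           /* three 8-byte loads per LoopCmps pass */

/* Last byte offset from scan that a full run of LoopCmps reads, for the loop
 * as written: rdi = scan + scanalign + max_match_8, rdx stepping from
 * -max_match_8 to 0 by STRIDE, loads of 8 bytes at rdi+rdx, +8 and +16.
 * Returns 0 when the loop could not terminate (rdx would never reach 0). */
size_t asm_last_read_offset(unsigned scanalign, int max_match_8)
{
    if (scanalign > 3 || max_match_8 <= 0 || max_match_8 % STRIDE != 0)
        return 0;
    size_t last = 0;
    for (intptr_t rdx = -max_match_8; rdx != 0; rdx += STRIDE) {
        /* third load of the pass is rdi+rdx+16; its last byte is 7 beyond that */
        size_t hi = (size_t)((intptr_t)scanalign + max_match_8 + rdx + 16 + 7);
        if (hi > last)
            last = hi;
    }
    return last;
}

/* Last byte offset from scan that deflate guarantees is inside the window:
 * longest_match asserts strstart <= window_size - MIN_LOOKAHEAD. */
size_t window_last_valid_offset(void)
{
    return MIN_LOOKAHEAD - 1;   /* 261 */
}

/* Bytes the loop may read past that guarantee, 0 if none. */
size_t asm_overrun_bytes(unsigned scanalign, int max_match_8)
{
    size_t last = asm_last_read_offset(scanalign, max_match_8);
    size_t ok = window_last_valid_offset();
    return last > ok ? last - ok : 0;
}

/* Register values copied from the gdb dump in Comment 10 (the DUMP_* names
 * are this example's own). */
#define DUMP_R8    0xfdf3ULL            /* cur_match (assumed role) */
#define DUMP_R9    0x8097ffefaULL       /* scan (assumed role) */
#define DUMP_R10   0x8097f0000ULL       /* window base (assumed role) */
#define DUMP_R13   2ULL                 /* scanalign (assumed role) */
#define DUMP_RDX   ((uint64_t)-24)      /* the loop's final pass */
#define DUMP_RDI   0x809800004ULL
#define DUMP_RSI   0x8097ffefdULL
#define W_SIZE     32768ULL             /* assumed deflate window size */
#define PAGE_BYTES 4096ULL              /* assumed page size */

/* Recompute rdi and rsi the way lines 418-421 do, to confirm the register roles. */
uint64_t recompute_rdi(void) { return DUMP_R9 + DUMP_R13 + MAX_MATCH_8; }
uint64_t recompute_rsi(void) { return DUMP_R10 + DUMP_R8 + DUMP_R13 + MAX_MATCH_8; }

/* strstart implied by the dump: scan - window. */
uint64_t dump_strstart(void) { return DUMP_R9 - DUMP_R10; }

/* First and last byte of the 8-byte load at line 453 (rdi + rdx + 16). */
uint64_t faulting_load_lo(void) { return DUMP_RDI + DUMP_RDX + 16; }
uint64_t faulting_load_hi(void) { return faulting_load_lo() + 7; }

/* End of the 2*w_size window allocation (exclusive). */
uint64_t window_end(void) { return DUMP_R10 + 2 * W_SIZE; }

/* 1 if a load spanning lo..hi straddles a page boundary. */
int load_crosses_page(uint64_t lo, uint64_t hi)
{
    return (lo / PAGE_BYTES) != (hi / PAGE_BYTES);
}

int main(void)
{
    for (unsigned a = 0; a <= 3; a++)
        printf("scanalign=%u: last read scan+%zu, guaranteed scan+%zu, overrun %zu bytes\n",
               a, asm_last_read_offset(a, MAX_MATCH_8), window_last_valid_offset(),
               asm_overrun_bytes(a, MAX_MATCH_8));
    printf("MAX_MATCH_8=240 hack: last read scan+%zu, overrun %zu bytes\n",
           asm_last_read_offset(3, 240), asm_overrun_bytes(3, 240));
    printf("dump: rdi %s, rsi %s, strstart %llu (equals 2*w_size - MIN_LOOKAHEAD: %d)\n",
           recompute_rdi() == DUMP_RDI ? "matches" : "differs",
           recompute_rsi() == DUMP_RSI ? "matches" : "differs",
           (unsigned long long)dump_strstart(),
           dump_strstart() == 2 * W_SIZE - MIN_LOOKAHEAD);
    printf("load at line 453: %#llx..%#llx, window ends %#llx, crosses page: %d\n",
           (unsigned long long)faulting_load_lo(), (unsigned long long)faulting_load_hi(),
           (unsigned long long)window_end(),
           load_crosses_page(faulting_load_lo(), faulting_load_hi()));
    return 0;
}
```

Built with `cc -std=c99 -o loopcmps loopcmps.c`, it reports that every scanalign value reads past offset 261 (2 bytes for scanalign 0, 5 for scanalign 3), that with MAX_MATCH_8 = 240 the loop stops at offset 242 and never leaves the window, and that under the dump's registers the load at line 453 spans 0x8097ffffc..0x809800003, straddling the page boundary at 0x809800000, which is exactly window + 2*w_size under the assumed window size. scan - window comes out as 65274 = 2*w_size - MIN_LOOKAHEAD, so strstart sat at the very last position deflate allows, which is the one place the over-read turns from a silent read of slack bytes into a fault.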