Backtrace() called inside a signal handler traps while tracking an invalid function call.

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Backtrace() called inside a signal handler traps while tracking an invalid function call.

supriya kannery
Hello,
   Backtrace API is trapping when it is called inside a signal handler
to trace back an invalid function call.

Backtrace API is called from a signal handler. When the SEGFAULT signal
that is captured by the signal handler is due to the invokation of an
invalid function call, then backtrace is generating SEGFAULT. In i586  
this segfault again gets captured by the signal handler, reaches
backtrace, backtrace again generates segfault and infinite loop results.
In x86_64 architecture, when backtrace generates segfault, the program
stops.

Following code is an excerpt from gcc-3.3.3/gcc/unwind-dw2.c:
In x86_64 arch, fde is returned null for the invalid singal handler
stack frame...
--------------------------------------------------------------------------------------------------------------------------

  fde = _Unwind_Find_FDE (context->ra - 1, &context->bases);
  if (fde == NULL)
    {
      /* Couldn't find frame unwind info for this function.  Try a
         target-specific fallback mechanism.  This will necessarily
         not provide a personality routine or LSDA.  */
#ifdef MD_FALLBACK_FRAME_STATE_FOR
    MD_FALLBACK_FRAME_STATE_FOR (context, fs, success);
      return _URC_END_OF_STACK;
--------------------------------------------------------------------------------------------------------------------------


MD_FALLBACK_FRAME_STATE_FOR macro is called which inturn checks the pc
to see whether the backtrace is called from a signal hander
--------------------------------------------------------------------------------------------------------------------------
#ifdef __x86_64__
#define MD_FALLBACK_FRAME_STATE_FOR(CONTEXT, FS, SUCCESS)               \
  do {                                                                  \
    unsigned char *pc_ = (CONTEXT)->ra;                                 \
    struct sigcontext *sc_;                                             \
    long new_cfa_;                                                      \
                                                                        \
    /* movq __NR_rt_sigreturn, %rax ; syscall  */                       \
    if (*(unsigned char *)(pc_+0) == 0x48                               \
        && *(unsigned long *)(pc_+1) == 0x050f0000000fc0c7)             \
      {                                                                 \
        struct ucontext *uc_ = (CONTEXT)->cfa;                          \
 --------------------------------------------------------------------------------------------------------------------------
SEGFAULT is generated while accessing the content of pc, as pc value is
invalid (oxfffffe) for the invalid function call.

Is this scenario, of calling backtrace() on a stack containing invalid
function pointer, a supported one? If yes, is there a way we can avoid
accessing pc in this case and get onto unwind further stack frames ?
Btw, gdb is able to successfully unwind the full stack for this same
scenario.

Attaching source files for recreating the problem: main.c and foo.c

Thanks, Supriya
IBM Linux Technology Centre


#include <unistd.h>
#include <signal.h>
#include <stdio.h>

void foo( void ) ;

void catch_segv(int signum)
{
   int i, cnt ;
   void *syms[100] ;
   char buf[80] ;

   cnt = backtrace( syms, 100 ) ;

   for ( i = 0 ; i < cnt ; i++ )
   {
      snprintf( buf, sizeof(buf), "%d\t%lx\n", i, (unsigned long)syms[i] ) ;
      puts( buf ) ;
   }
}

int main( void )
{
   int rc ;
   struct sigaction newact;     /* Action */
   struct sigaction oldact;     /* Old action */

   newact.sa_handler = catch_segv;
   sigemptyset (&newact.sa_mask);
   newact.sa_flags = 0;

   rc = sigaction (SIGSEGV, &newact, &oldact);
   rc = sigaction (SIGBUS, &newact, &oldact);

   printf( "rc = %d, calling foo\n", rc ) ;

   foo() ;

  return 0 ;
}


#include <stdio.h>

void (*fp)(void) = (void *)0xffffff ;

void foo( void )
{
  char buf[16] ;
  int cnt;
 
  buf[0] = '\n' ;
  buf[1] = '\0' ;

  printf( "Calling invalid function pointer.%s", buf ) ;

  fp() ;
}

Reply | Threaded
Open this post in threaded view
|

Re: Backtrace() called inside a signal handler traps while tracking an invalid function call.

Daniel Jacobowitz-2
On Thu, Jun 14, 2007 at 02:24:19AM +0530, supriya kannery wrote:
> Is this scenario, of calling backtrace() on a stack containing invalid function
> pointer, a supported one?

In my opinion, no.  Attach a debugger instead.

--
Daniel Jacobowitz
CodeSourcery