This is the mail archive of the libc-alpha@cygnus.com mailing list for the glibc project.



segv in _dl_close


>Submitter-Id:	net
>Originator:	Alexander V. Lukyanov
>Organization:	Yaroslavl State University (Russia)
>Confidential:	no
>Synopsis:	apache with php3 segfaults inside _dl_close
>Severity:	serious
>Priority:	medium
>Category:	libc
>Class:		sw-bug
>Release:	libc-2.0.109
>Environment:
	
Host type: alpha-redhat-linux-gnu
System: Linux alpha 2.2.0-pre5-ac1 #40 Fri Jan 8 14:59:59 MSK 1999 alpha unknown
Architecture: alpha

Addons: crypt glibc-compat linuxthreads

Build CC: egcs


Symbol versioning: yes
Build static: yes
Build shared: yes
Build pic-default: no
Build profile: yes
Build omitfp: no
Build bounded: no
Build static-nss: no
Stdio: libio

>Description:
	apache-1.3.3-2 with mod_php3-3.0.5-2 (from Red Hat's Raw Hide)
	does not work. It gives SEGV with the following stack trace:
	
Program received signal SIGSEGV, Segmentation fault.
0x2000070100c in _dl_close (map=0x120154e60) at dl-close.c:110
dl-close.c:110: No such file or directory.
(gdb) bt
#0  0x2000070100c in _dl_close (map=0x120154e60) at dl-close.c:110
#1  0x20000700d14 in _dl_open (
    file=0x1201531a0 "/etc/httpd/modules/libphp3.so", mode=0) at dl-open.c:185
#2  0x200004ef8f8 in dlopen_doit (a=0x11fffd690) at dlopen.c:39
#3  0x200000117cc in _dl_catch_error (errstring=0x200005f0f10, 
    operate=0x200004ef8c0 <dlopen_doit>, args=0x11fffd690) at dl-error.c:129
#4  0x200004f0148 in _dlerror_run (operate=0x200004ef8c0 <dlopen_doit>, 
    args=0x11fffd690) at dlerror.c:122
#5  0x200004ef948 in __dlopen_check (file=0x120154e60 "", mode=17563)
    at dlopen.c:50

dl-close.c:110:
          if (imap->l_global)
            {
              /* This object is in the global scope list.  Remove it.  */
              unsigned int cnt = _dl_main_searchlist->r_nlist;

              do
                --cnt;
110:          while (_dl_main_searchlist->r_list[cnt] != imap);
              while (cnt < _dl_main_searchlist->r_nlist)
                {
                  _dl_main_searchlist->r_list[0]
                    = _dl_main_searchlist->r_list[1];
                  ++cnt;
                }

(gdb) p cnt
$1 = -1

(gdb) p *imap
$2 = {l_addr = 2199061667840, 
  l_name = 0x12014ff80 "/etc/httpd/modules/libphp3.so", l_ld = 0x2000263e9c8, 
  l_next = 0x1201552a0, l_prev = 0x120152810, l_libname = 0x12014ffb0, 
  l_info = {0x0, 0x2000263ea38, 0x2000263eaa8, 0x2000263ea98, 0x2000263ea48, 
    0x2000263ea58, 0x2000263ea68, 0x2000263ead8, 0x2000263eae8, 0x2000263eaf8, 
    0x2000263ea78, 0x2000263ea88, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x2000263eab8, 0x0, 0x0, 0x2000263eac8, 0x0 <repeats 74 times>}, 
  l_phdr = 0x200024a2040, l_entry = 2199061809792, l_phnum = 3, 
  l_searchlist = {r_list = 0x1201569a0, r_nlist = 11, r_duplist = 0x120156a00, 
    r_nduplist = 19}, l_symbolic_searchlist = {r_list = 0x0, r_nlist = 0, 
    r_duplist = 0x0, r_nduplist = 0}, l_loader = 0x0, l_nbuckets = 1031, 
  l_buckets = 0x200024a20f8, l_chain = 0x200024a4130, l_opencount = 0, 
  l_type = lt_loaded, l_relocated = 34, l_init_called = 34, 
  l_init_running = 34, l_global = 34, l_reserved = 34, l_nversions = 0, 
  l_versions = 0x0, l_rpath_dirs = 0x0, l_reloc_result = 0x0, l_versyms = 0x0, 
  l_origin = 0x12014fff0 "/etc/httpd/modules", l_map_start = 2199061667840, 
  l_map_end = 2199063435648, l_scope = {0x2000011eed8, 0x1201551b8, 0x0, 0x0}, 
  l_local_scope = {0x1201551b8, 0x0}}

(gdb) p *_dl_main_searchlist
$4 = {r_list = 0x120152ce0, r_nlist = 35, r_duplist = 0x20000024940, 
  r_nduplist = 12}
(gdb) p _dl_main_searchlist->r_list[35][0]
$6 = {l_addr = 2199061667840, 
  l_name = 0x12014ff80 "/etc/httpd/modules/libphp3.so", l_ld = 0x2000263e9c8, 
  l_next = 0x1201552a0, l_prev = 0x120152810, l_libname = 0x12014ffb0, 
  l_info = {0x0, 0x2000263ea38, 0x2000263eaa8, 0x2000263ea98, 0x2000263ea48, 
    0x2000263ea58, 0x2000263ea68, 0x2000263ead8, 0x2000263eae8, 0x2000263eaf8, 
    0x2000263ea78, 0x2000263ea88, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
    0x2000263eab8, 0x0, 0x0, 0x2000263eac8, 0x0 <repeats 74 times>}, 
  l_phdr = 0x200024a2040, l_entry = 2199061809792, l_phnum = 3, 
  l_searchlist = {r_list = 0x1201569a0, r_nlist = 11, r_duplist = 0x120156a00, 
    r_nduplist = 19}, l_symbolic_searchlist = {r_list = 0x0, r_nlist = 0, 
    r_duplist = 0x0, r_nduplist = 0}, l_loader = 0x0, l_nbuckets = 1031, 
  l_buckets = 0x200024a20f8, l_chain = 0x200024a4130, l_opencount = 0, 
  l_type = lt_loaded, l_relocated = 34, l_init_called = 34, 
  l_init_running = 34, l_global = 34, l_reserved = 34, l_nversions = 0, 
  l_versions = 0x0, l_rpath_dirs = 0x0, l_reloc_result = 0x0, l_versyms = 0x0, 
  l_origin = 0x12014fff0 "/etc/httpd/modules", l_map_start = 2199061667840, 
  l_map_end = 2199063435648, l_scope = {0x2000011eed8, 0x1201551b8, 0x0, 0x0}, 
  l_local_scope = {0x1201551b8, 0x0}}

(gdb) p _dl_main_searchlist->r_list[35]   
$7 = (struct link_map *) 0x120154e60
(gdb) p imap
$8 = (struct link_map *) 0x120154e60


/etc/httpd/modules is a symbolic link to ../../usr/lib/apache

strace shows:
open("/etc/httpd/modules/libphp3.so", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3"..., 8192) = 8192
mmap(0, 4831818136, 0x2000, 0 /* MAP_??? */, 0, 0) = 0x200024a2000
mprotect(0x20002536000, 1161600, PROT_NONE) = 0
mmap(0x20002632000, 1161600, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002632000
mmap(0x20002640000, 1161600, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002640000
close(4)                                = 0
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat(4, {st_mode=01, st_size=916421452, ...}) = 0
mmap(0, 4831825952, PROT_READ, 0 /* MAP_??? */, 0, 0) = 0x20000026000
close(4)                                = 0
open("/usr/lib/libgdbm.so.2", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3"..., 8192) = 8192
mmap(0, 4831817864, 0x2000, 0 /* MAP_??? */, 0, 0) = 0x20002652000
mprotect(0x2000265a000, 1044400, PROT_NONE) = 0
mmap(0x20002752000, 1044400, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002752000
close(4)                                = 0
open("/usr/lib/libttf.so.2", O_RDONLY)  = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3"..., 8192) = 8192
mmap(0, 4831817832, 0x2000, 0 /* MAP_??? */, 0, 0) = 0x2000275a000
mprotect(0x20002774000, 1051544, PROT_NONE) = 0
mmap(0x2000286a000, 1051544, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x2000286a000
close(4)                                = 0
open("/usr/lib/libgd.so.1", O_RDONLY)   = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3"..., 8192) = 8192
mmap(0, 4831817800, 0x2000, 0 /* MAP_??? */, 0, 0) = 0x20002876000
mprotect(0x20002880000, 1233364, PROT_NONE) = 0
mmap(0x20002976000, 1233364, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002976000
mmap(0x2000299e000, 1233364, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x2000299e000
close(4)                                = 0
open("/lib/libnsl.so.1.1", O_RDONLY)    = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3"..., 8192) = 8192
mmap(0, 4831817672, 0x2000, 0 /* MAP_??? */, 0, 0) = 0x200029ae000
mprotect(0x200029cc000, 1059080, PROT_NONE) = 0
mmap(0x20002abe000, 1059080, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002abe000
mmap(0x20002ace000, 1059080, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002ace000
close(4)                                = 0
open("/lib/libresolv.so.2.1", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3"..., 8192) = 8192
mmap(0, 4831817640, 0x2000, 0 /* MAP_??? */, 0, 0) = 0x20002ad0000
mprotect(0x20002ae0000, 1063584, PROT_NONE) = 0
mmap(0x20002bd0000, 1063584, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002bd0000
mmap(0x20002be2000, 1063584, PROT_NONE, 0 /* MAP_??? */, 0, 0) = 0x20002be2000
close(4)                                = 0
munmap(0x20000026000, 17563)            = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

ldd /usr/lib/apache/libphp3.so:
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x00000200001b6000)
        libttf.so.2 => /usr/lib/libttf.so.2 (0x00000200002be000)
        libgd.so.1 => /usr/lib/libgd.so.1 (0x00000200003da000)
        libm.so.6.1 => /lib/libm.so.6.1 (0x0000020000514000)
        libdl.so.2.1 => /lib/libdl.so.2.1 (0x000002000064e000)
        libcrypt.so.1.1 => /lib/libcrypt.so.1.1 (0x0000020000752000)
        libnsl.so.1.1 => /lib/libnsl.so.1.1 (0x0000020000888000)
        libresolv.so.2.1 => /lib/libresolv.so.2.1 (0x00000200009aa000)
        libc.so.6.1 => /lib/libc.so.6.1 (0x0000020000abe000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x0000020001000000)

ldd /usr/sbin/httpd:
        libm.so.6.1 => /lib/libm.so.6.1 (0x0000020000120000)
        libcrypt.so.1.1 => /lib/libcrypt.so.1.1 (0x000002000025a000)
        libdb.so.3 => /lib/libdb.so.3 (0x0000020000390000)
        libdl.so.2.1 => /lib/libdl.so.2.1 (0x00000200004ee000)
        libc.so.6.1 => /lib/libc.so.6.1 (0x00000200005f2000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x0000020000000000)

Hope this info is enough.

>How-To-Repeat:
	
>Fix:
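	It seems that r_nlist is off by one: gdb shows imap at r_list[35] while r_nlist is 35, so the backward search at dl-close.c:110, which starts at r_nlist - 1 and has no lower bound, never matches and cnt runs below zero (gdb prints cnt = -1). Don't know why r_nlist is wrong.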

