balint256/gr-baz

Crash with GNU Radio 3.7.9

BatchDrake opened this issue · 0 comments

I'm using GNU Radio 3.7.9 from Debian Sid repos. Machine kernel is 4.2.0-1-amd64 #1 SMP Debian 4.2.5-1 (2015-10-27) x86_64.

I get a fully reproducible segmentation fault by following these steps:

  1. Create a new graph
  2. Add any gr-baz block to the graph
  3. Add any other block (not necessarily from gr-baz). GNU Radio will always crash at this point.

This crash is not reproducible with any non-gr-baz blocks.

By running GDB on the core file, I get the following backtrace:

(gdb) bt
#0  0x0000000000055a66 in ?? ()
#1  0x00007fad2e9f28a0 in init_baz_swig () from /usr/local/lib/python2.7/dist-packages/baz/_baz_swig.so
#2  0x000000000051a701 in _PyImport_LoadDynamicModule ()

Since this segfault happens somewhere in init_baz_swig, I thought this could be SWIG's fault, so I upgraded from version 3.0.7-2 to 30.0.10-1.1 and it was still crashing. Recompiling gr-baz didn't work either: it keeps failing in the same place, trying to jump (again) to 0x55a66:

(gdb) bt
#0  0x0000000000055a66 in ?? ()
#1  0x00007fb627cc68a0 in init_baz_swig () from /usr/local/lib/python2.7/dist-packages/baz/_baz_swig.so
#2  0x000000000051a701 in _PyImport_LoadDynamicModule ()

By inspecting the assembly around 0x00007fb627cc68a0 I get the following:

(gdb) x/20i $rip - 20
   0x7fb627cc688c <init_baz_swig+44>:   test   %r15,%r15
   0x7fb627cc688f <init_baz_swig+47>:   je     0x7fb627cc68f8 <init_baz_swig+152>
   0x7fb627cc6891 <init_baz_swig+49>:   lea    0x7be26(%rip),%rsi        # 0x7fb627d426be
   0x7fb627cc6898 <init_baz_swig+56>:   mov    %r15,%rdi
   0x7fb627cc689b <init_baz_swig+59>:   callq  0x7fb627bbba60 <strstr@plt>
=> 0x7fb627cc68a0 <init_baz_swig+64>:   test   %rax,%rax
   0x7fb627cc68a3 <init_baz_swig+67>:   mov    %rax,%r13
   0x7fb627cc68a6 <init_baz_swig+70>:   je     0x7fb627cc68f8 <init_baz_swig+152>
   0x7fb627cc68a8 <init_baz_swig+72>:   mov    0x3d2fb2(%rip),%edi        # 0x7fb628099860 <swig_const_table>
   0x7fb627cc68ae <init_baz_swig+78>:   lea    0xa(%rax),%r14
   0x7fb627cc68b2 <init_baz_swig+82>:   test   %edi,%edi
   0x7fb627cc68b4 <init_baz_swig+84>:   je     0x7fb627cc68f8 <init_baz_swig+152>
   0x7fb627cc68ca <init_baz_swig+106>:  mov    0x8(%rbx),%r12

Which means that somehow it failed to jump to strstr. Debugging the plt wrapper I get this:

(gdb) x/1i 'strstr@plt'
   0x416f70 <strstr@plt>:       jmpq   *0x4cb5f2(%rip)        # 0x8e2568 <strstr@got.plt>
(gdb) x/2x 0x8e2568 
   0x8e2568 <strstr@got.plt>:      0x76cbf260      0x00007fb6
(gdb) x/5i 0x00007fb676cbf260
   0x7fb676cbf260 <__strstr_sse2_unaligned>:    movzbl (%rsi),%eax
   0x7fb676cbf263 <__strstr_sse2_unaligned+3>:  test   %al,%al
   0x7fb676cbf265 <__strstr_sse2_unaligned+5>:  je     0x7fb676cbf407 <__strstr_sse2_unaligned+423>

Which makes a lot of sense. However, this is surprising, because according to the assembly above, strstr@plt is at 0x7fb627cc68f8:

(gdb) x/20i 0x7fb627bbba60
   0x7fb627bbba60 <strstr@plt>: jmpq   *0x4c26c2(%rip)        # 0x7fb62807e128
(gdb) x/2x 0x7fb62807e128
   0x7fb62807e128: 0x00055a66      0x00000000
(gdb) x/20i  0x00055a66
   0x55a66:     Cannot access memory at address 0x55a66

So my conclusion is that something weird related to dynamic linking is going on. What I know so far is that this doesn't seem to be a Debian package issue - I compiled swig from source, recompiled gr-baz from scratch and I'm still getting the same segfault.

PS: I'm attaching a full backtrace too (crash with the latest swig version), including register information and loaded shared libraries: bt.zip