From nobody@FreeBSD.org  Mon Jan 17 07:38:19 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A3B9E106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 17 Jan 2011 07:38:19 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (unknown [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 91F018FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 17 Jan 2011 07:38:19 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p0H7cJQK075866
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 17 Jan 2011 07:38:19 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p0H7cJxn075865;
	Mon, 17 Jan 2011 07:38:19 GMT
	(envelope-from nobody)
Message-Id: <201101170738.p0H7cJxn075865@red.freebsd.org>
Date: Mon, 17 Jan 2011 07:38:19 GMT
From: Alexader Zhegalov <azhegalov@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: libz causes perl to exit on signal 11
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         154073
>Category:       bin
>Synopsis:       [libz] libz causes perl to exit on signal 11
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    delphij
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 17 07:40:07 UTC 2011
>Closed-Date:    
>Last-Modified:  Tue Mar 13 13:10:01 UTC 2012
>Originator:     Alexader Zhegalov
>Release:        8.1-STABLE
>Organization:
STECCOM
>Environment:
FreeBSD msk-be-srv-nflow.steccom.net 8.1-STABLE FreeBSD 8.1-STABLE #0: Thu Oct 28 14:54:55 MSD 2010     root@msk-be-srv-nflow.steccom.net:/usr/obj/usr/src/sys/NFLOW  amd64

>Description:
I use nfsen with perl 5.10 and 5.12 and get periodic perl exits with signal 11.
I don't have this problem on an i386 server with the same nfsen configuration and data flows.

/var/tmp# gdb -c /var/tmp/perl.63325.core /usr/local/bin/perl
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `perl'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /lib/libutil.so.8...(no debugging symbols found)...done.
Loaded symbols for /lib/libutil.so.8
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Fcntl/Fcntl.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Fcntl/Fcntl.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/POSIX/POSIX.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/POSIX/POSIX.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Socket/Socket.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Socket/Socket.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Sys/Syslog/Syslog.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Sys/Syslog/Syslog.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/IPC/SysV/SysV.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/IPC/SysV/SysV.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Data/Dumper/Dumper.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Data/Dumper/Dumper.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Cwd/Cwd.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Cwd/Cwd.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/List/Util/Util.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/List/Util/Util.so
Reading symbols from /usr/local/lib/perl5/site_perl/5.12.2/mach/auto/RRDs/RRDs.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/site_perl/5.12.2/mach/auto/RRDs/RRDs.so
Reading symbols from /usr/local/lib/librrd.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/librrd.so.5
Reading symbols from /usr/local/lib/libpangocairo-1.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpangocairo-1.0.so.0
Reading symbols from /usr/local/lib/libcairo.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libcairo.so.2
Reading symbols from /usr/local/lib/libpixman-1.so.9...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpixman-1.so.9
Reading symbols from /usr/local/lib/libpng.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpng.so.6
Reading symbols from /usr/local/lib/libxcb-shm.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxcb-shm.so.0
Reading symbols from /usr/local/lib/libxcb-render.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxcb-render.so.0
Reading symbols from /usr/local/lib/libxcb.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxcb.so.2
Reading symbols from /usr/local/lib/libXau.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libXau.so.6
Reading symbols from /usr/local/lib/libXdmcp.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libXdmcp.so.6
Reading symbols from /usr/local/lib/libpthread-stubs.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpthread-stubs.so.0
Reading symbols from /usr/local/lib/libpangoft2-1.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpangoft2-1.0.so.0
Reading symbols from /usr/local/lib/libpango-1.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpango-1.0.so.0
Reading symbols from /usr/local/lib/libfontconfig.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libfontconfig.so.1
Reading symbols from /usr/local/lib/libfreetype.so.9...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libfreetype.so.9
Reading symbols from /usr/local/lib/libexpat.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libexpat.so.6
Reading symbols from /usr/local/lib/libgobject-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libgobject-2.0.so.0
Reading symbols from /usr/local/lib/libgmodule-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libgmodule-2.0.so.0
Reading symbols from /usr/local/lib/libgthread-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libgthread-2.0.so.0
Reading symbols from /usr/local/lib/libglib-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libglib-2.0.so.0
Reading symbols from /usr/local/lib/libintl.so.9...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libintl.so.9
Reading symbols from /usr/local/lib/libpcre.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpcre.so.0
Reading symbols from /usr/local/lib/libxml2.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxml2.so.5
Reading symbols from /lib/libz.so.5...done.
Loaded symbols for /lib/libz.so.5
Reading symbols from /usr/local/lib/libiconv.so.3...done.
Loaded symbols for /usr/local/lib/libiconv.so.3
Reading symbols from /lib/libthr.so.3...done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/IO/IO.so...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/IO/IO.so
Reading symbols from /usr/local/lib/perl5/5.12.2/mach/auto/Storable/Storable.so...done.
Loaded symbols for /usr/local/lib/perl5/5.12.2/mach/auto/Storable/Storable.so
Reading symbols from /usr/local/lib/pango/1.6.0/modules/pango-basic-fc.so...done.
Loaded symbols for /usr/local/lib/pango/1.6.0/modules/pango-basic-fc.so
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  longest_match () at /usr/src/lib/libz/contrib/gcc_gvmat64/gvmat64.S:453
453             xor rax, [rdi + rdx + 8+8]
[New Thread 8011568c0 (LWP 100607)]
[New LWP 100559]


(gdb) bt full
#0  longest_match () at /usr/src/lib/libz/contrib/gcc_gvmat64/gvmat64.S:453
No locals.
#1  0x00000008039b8241 in deflate_slow (s=0xde00, flush=3) at /usr/src/lib/libz/deflate.c:1595
        hash_head = 50886
        bflush = Variable "bflush" is not available.
Current language:  auto; currently asm


(gdb) bt
#0  longest_match () at /usr/src/lib/libz/contrib/gcc_gvmat64/gvmat64.S:453
#1  0x00000008039b8241 in deflate_slow (s=0xde00, flush=3) at /usr/src/lib/libz/deflate.c:1595
#2  0x00000008039b729a in deflate (strm=0x8010c0bc0, flush=0) at /usr/src/lib/libz/deflate.c:790
#3  0x000000080227c367 in png_write_filtered_row () from /usr/local/lib/libpng.so.6
#4  0x000000080227c768 in png_write_find_filter () from /usr/local/lib/libpng.so.6
#5  0x00000008022785f5 in png_write_row () from /usr/local/lib/libpng.so.6
#6  0x00000008022787bd in png_write_image () from /usr/local/lib/libpng.so.6
#7  0x0000000801fca6a8 in write_png () from /usr/local/lib/libcairo.so.2
#8  0x0000000801fca815 in cairo_surface_write_to_png () from /usr/local/lib/libcairo.so.2
#9  0x0000000801d33107 in rrd_create () from /usr/local/lib/librrd.so.5
#10 0x0000000801d3465e in rrd_graph_v () from /usr/local/lib/librrd.so.5
#11 0x0000000801d347fa in rrd_graph () from /usr/local/lib/librrd.so.5
#12 0x0000000801c1b2bf in XS_RRDs_graph () from /usr/local/lib/perl5/site_perl/5.12.2/mach/auto/RRDs/RRDs.so
#13 0x00000008006df803 in Perl_pp_entersub () from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
#14 0x00000008006dde4e in Perl_runops_standard () from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
#15 0x000000080068bbc2 in perl_run () from /usr/local/lib/perl5/5.12.2/mach/CORE/libperl.so
#16 0x0000000000400da5 in main ()


I tried to compile libz with CPUTYPE nocona and without CPUTYPE and it didn't help.

cat /etc/make.conf
CPUTYPE?=               nocona
CFLAGS=                 -O2 -fno-strict-aliasing -pipe

TRACEROUTE_NO_IPSEC=    true    # do not build traceroute(8) with IPSEC support

BOOTWAIT=               3000

SUP_UPDATE=             true

SUP=                    /usr/bin/csup
SUPFLAGS=               -g -z -L 2
SUPHOST=                cvsup2.ru.FreeBSD.org
SUPFILE=                /usr/local/etc/cvsup/standard-supfile
PORTSSUPFILE=           /usr/local/etc/cvsup/ports-supfile
NO_DOCUPDATE=           true

TOP_TABLE_SIZE=         101

SENDMAIL_MC=            /etc/mail/workstation.mc
SENDMAIL_SUBMIT_MC=     /etc/mail/workstation.submit.mc

KERNCONF=               NFLOW

# For all ports:
WITHOUT_IPV6=           yes
WITHOUT_X11=            yes
WITHOUT_GUI=            yes
WITHOUT_NLS=            yes

# added by use.perl 2010-12-03 09:38:54
PERL_VERSION=5.12.2


>How-To-Repeat:
The problem happens at different times and I have not found what it depends on.
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jan 23 21:39:59 UTC 2011 
Responsible-Changed-Why:  
Reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154073 

From: Andrey Zonov <andrey@zonov.org>
To: bug-followup@FreeBSD.org, azhegalov@gmail.com
Cc:  
Subject: Re: kern/154073: [libz] libz causes perl to exit on signal 11
Date: Thu, 31 Mar 2011 10:06:29 +0400

 This is a multi-part message in MIME format.
 --------------080001000901060005090003
 Content-Type: text/plain; charset=UTF-8; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Hi,
 
 I have a similar problem with python.
 Can you try attached patch?
 
 Apply like that:
 # cd /usr/src
 # patch < libz.patch
 # cd lib/libz && make && make install && make clean
 
 -- 
 Andrey Zonov
 
 
 --------------080001000901060005090003
 Content-Type: text/plain;
  name="libz.patch.txt"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment;
  filename="libz.patch.txt"
 
 SW5kZXg6IGxpYi9saWJ6L01ha2VmaWxlCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09
 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGxpYi9saWJ6L01h
 a2VmaWxlCShyZXZpc2lvbiAyMTg4MTUpCisrKyBsaWIvbGliei9NYWtlZmlsZQkod29ya2lu
 ZyBjb3B5KQpAQCAtMjUsMTEgKzI1LDExIEBACiBDRkxBR1MrPQktREFTTVYgLUROT19VTkRF
 UkxJTkUKIC5lbmRpZgogCi0uaWYgJHtNQUNISU5FX0FSQ0h9ID09ICJhbWQ2NCIKLS5QQVRI
 OgkJJHsuQ1VSRElSfS9jb250cmliL2djY19ndm1hdDY0Ci1TUkNTKz0JCWd2bWF0NjQuUwot
 Q0ZMQUdTKz0JLURBU01WIC1ETk9fVU5ERVJMSU5FCi0uZW5kaWYKKyMuaWYgJHtNQUNISU5F
 X0FSQ0h9ID09ICJhbWQ2NCIKKyMuUEFUSDoJCSR7LkNVUkRJUn0vY29udHJpYi9nY2NfZ3Zt
 YXQ2NAorI1NSQ1MrPQkJZ3ZtYXQ2NC5TCisjQ0ZMQUdTKz0JLURBU01WIC1ETk9fVU5ERVJM
 SU5FCisjLmVuZGlmCiAKIG1pbmlnemlwOglhbGwgbWluaWd6aXAubwogCSQoQ0MpIC1vIG1p
 bmlnemlwIG1pbmlnemlwLm8gLUwuIC1sego=
 --------------080001000901060005090003--

From: Vsevolod Novikov <novikov@doroga.tv>
To: bug-followup@FreeBSD.org, azhegalov@gmail.com
Cc:  
Subject: Re: kern/154073: [libz] libz causes perl to exit on signal 11
Date: Fri, 01 Jul 2011 19:29:46 +0400

 Hi,
 
 We have got a similar problem, with an identical stack top, on
 FreeBSD 8.2-RELEASE (amd64 arch on a 2x Intel Core Quad Xeon platform,
 chipset Intel 5000p).
 
 The patch provided by Andrey Zonov helps; the segfaults disappear.
 
 It looks like the asm version of the longest_match() function has some bug
 or architecture incompatibility. The error does not happen regularly,
 probably only in a very special case. We got it using PyQt to paint jam
 tiles based on our data, only sometimes, after 5-30 minutes of intensive
 continuous painting, independent of whether multi-thread features were
 used. The (pseudo)stack always looked like:
 
 longest_match()
 deflate_slow()
 deflate()
 --- libpng functions ---
 --- Qt functions ---
 --- PyQt functions ---
 --- Python interpreter ---
 
 Regards,
 Vsevolod Novikov
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/154073: commit references a PR
Date: Mon, 18 Jul 2011 19:24:00 +0000 (UTC)

 Author: delphij
 Date: Mon Jul 18 19:23:50 2011
 New Revision: 224196
 URL: http://svn.freebsd.org/changeset/base/224196
 
 Log:
   Disable gvmat64.S, the assembler version of longest_match for now.
   
   PR:		kern/154073
   MFC after:	3 days
   Approved by:	re (kib)
 
 Modified:
   head/lib/libz/Makefile
 
 Modified: head/lib/libz/Makefile
 ==============================================================================
 --- head/lib/libz/Makefile	Mon Jul 18 18:56:50 2011	(r224195)
 +++ head/lib/libz/Makefile	Mon Jul 18 19:23:50 2011	(r224196)
 @@ -42,16 +42,16 @@ CFLAGS+=	-DASMV -DNO_UNDERLINE
  ACFLAGS+=	-Wa,--noexecstack
  .endif
  
 -.if ${MACHINE_ARCH} == "amd64"
 -.PATH:		${.CURDIR}/contrib/gcc_gvmat64
 -SRCS+=		gvmat64.S
 -CFLAGS+=	-DASMV -DNO_UNDERLINE
 -ACFLAGS+=	-Wa,--noexecstack
 -.if ${CC:T:Mclang} == "clang"
 -# XXX: clang integrated-as doesn't grok .intel_syntax directives yet
 -ACFLAGS+=	${.IMPSRC:T:Mgvmat64.S:C/^.+$/-no-integrated-as/}
 -.endif
 -.endif
 +#.if ${MACHINE_ARCH} == "amd64"
 +#.PATH:		${.CURDIR}/contrib/gcc_gvmat64
 +#SRCS+=		gvmat64.S
 +#CFLAGS+=	-DASMV -DNO_UNDERLINE
 +#ACFLAGS+=	-Wa,--noexecstack
 +#.if ${CC:T:Mclang} == "clang"
 +## XXX: clang integrated-as doesn't grok .intel_syntax directives yet
 +#ACFLAGS+=	${.IMPSRC:T:Mgvmat64.S:C/^.+$/-no-integrated-as/}
 +#.endif
 +#.endif
  
  VERSION_DEF=	${.CURDIR}/Versions.def
  SYMBOL_MAPS=	${.CURDIR}/Symbol.map
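 
 Review bot: the amd64 block is commented out with nothing in the Makefile saying why, so `#.if ${MACHINE_ARCH} == "amd64"` carries no link to this PR and a later cleanup could re-enable gvmat64.S without knowing about the longest_match crashes; add a one-line note above the commented block, e.g. `# gvmat64.S disabled, see PR kern/154073 (SIGSEGV in longest_match)`, or drop the stale lines outright, since the "for now" in the log already records the intent. The effect of the hunk is that amd64 no longer gets `-DASMV` and builds the C longest_match from deflate.c, which is what the "patched" state relies on.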
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
Responsible-Changed-From-To: freebsd-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Mon Jul 18 19:35:51 UTC 2011 
Responsible-Changed-Why:  
Assume responsibility. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154073 
State-Changed-From-To: open->patched 
State-Changed-By: delphij 
State-Changed-When: Mon Jul 18 19:36:13 UTC 2011 
State-Changed-Why:  
Some reports suggest that this problem goes away when disabling the 
assembler version of longest_match, which was disabled as of r224196. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=154073 

From: Dimitry Andric <dim@FreeBSD.org>
To: bug-followup@FreeBSD.org, Alexader Zhegalov <azhegalov@gmail.com>, 
 Andrey Zonov <andrey@zonov.org>,
 Vsevolod Novikov <novikov@doroga.tv>
Cc:  
Subject: Re: bin/154073: [libz] libz causes perl to exit on signal 11
Date: Tue, 19 Jul 2011 08:39:42 +0200

 On 2011-07-18 21:23, Xin LI wrote:
 > Author: delphij
 > Date: Mon Jul 18 19:23:50 2011
 > New Revision: 224196
 > URL: http://svn.freebsd.org/changeset/base/224196
 >
 > Log:
 >    Disable gvmat64.S, the assembler version of longest_match for now.
 >
 >    PR:		kern/154073
 
 Hi,
 
 This problem looks a lot like this one:
 
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270070
 
 and we do not have the one-liner fix that is mentioned in the bug
 report:
 
 http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=33;att=0;bug=270070
 
 However, is there a good way to reproduce the segfault?  My Perl never
 crashes here, so I cannot verify that it fixes the problem.
 
 To the original PR submitter, and the other PR contributors, maybe you
 can try the diff that was proposed in that bug report, and see if it
 solves the crash for you?  E.g.:
 
 diff -urN zlib-1.2.1.1.orig/deflate.c zlib-data_type/deflate.c
 --- zlib-1.2.1.1.orig/deflate.c	2003-11-12 16:48:21.000000000 +0000
 +++ zlib-data_type/deflate.c	2004-09-05 14:04:20.076723997 +0100
 @@ -372,6 +372,7 @@
       s = (deflate_state *)strm->state;
       s->pending = 0;
       s->pending_out = s->pending_buf;
 +    s->data_type = Z_UNKNOWN;
   
       if (s->wrap < 0) {
           s->wrap = -s->wrap; /* was made negative by deflate(..., Z_FINISH); */
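 
 Review bot: this hunk comes from a 2003/2004 zlib 1.2.1.1 tree (see the `---`/`+++` headers) and assumes `deflate_state` has a `data_type` member; the build error reported later in this PR (`'deflate_state' has no member named 'data_type'`) shows this tree's deflate.h does not, so the line needs porting to wherever the current zlib keeps the field (z_stream in zlib.h has a `data_type` member; check whether deflateReset here already sets `strm->data_type = Z_UNKNOWN` a few lines earlier) rather than verbatim application. Separately, an uninitialised data_type would influence deflate's block-type choice, not the address arithmetic in longest_match where the backtrace faults (gvmat64.S:453), so even a clean build would need a reproducer before this could be called a fix, as the message itself concedes.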

From: Andrey Zonov <andrey@zonov.org>
To: Dimitry Andric <dim@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, Alexader Zhegalov <azhegalov@gmail.com>, 
 Vsevolod Novikov <novikov@doroga.tv>
Subject: Re: bin/154073: [libz] libz causes perl to exit on signal 11
Date: Tue, 19 Jul 2011 20:23:18 +0400

 Hi Dimitry,
 
 I've tried the following patch:
 Index: deflate.c
 ===================================================================
 --- deflate.c   (revision 215508)
 +++ deflate.c   (working copy)
 @@ -371,6 +371,7 @@
       s = (deflate_state *)strm->state;
       s->pending = 0;
       s->pending_out = s->pending_buf;
 +    s->data_type = Z_UNKNOWN;
 
       if (s->wrap < 0) {
           s->wrap = -s->wrap; /* was made negative by deflate(..., 
 Z_FINISH); */
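 
 Review bot: the hunk targets deflateReset at deflate.c:371-374 of r215508, and the compile error that follows (`'deflate_state' has no member named 'data_type'`) is the expected result, since the member this one-liner sets does not exist in this version's `deflate_state`; before retrying, check this tree's zlib.h/deflate.h for where data_type now lives (in newer zlib it is `strm->data_type`, and deflateReset may already initialise it), so the Debian diff is not re-applied against the wrong structure.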
 
 But libz didn't build:
 
 [root@xxx /usr/src/lib/libz]# make
 Warning: Object directory not changed from original /usr/src/lib/libz
 cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
 -std=gnu99 -fstack-protector  -c adler32.c
 cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
 -std=gnu99 -fstack-protector  -c compress.c
 cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
 -std=gnu99 -fstack-protector  -c crc32.c
 cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
 -std=gnu99 -fstack-protector  -c gzio.c
 cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
 -std=gnu99 -fstack-protector  -c uncompr.c
 cc -O2 -pipe  -DHAS_snprintf -DHAS_vsnprintf -DASMV -DNO_UNDERLINE 
 -std=gnu99 -fstack-protector  -c deflate.c
 deflate.c: In function 'deflateReset':
 deflate.c:374: error: 'deflate_state' has no member named 'data_type'
 *** Error code 1
 
 Stop in /usr/src/lib/libz.
 
 -- 
 Andrey Zonov
 
 
 19.07.2011 10:39, Dimitry Andric wrote:
 > On 2011-07-18 21:23, Xin LI wrote:
 >> Author: delphij
 >> Date: Mon Jul 18 19:23:50 2011
 >> New Revision: 224196
 >> URL: http://svn.freebsd.org/changeset/base/224196
 >>
 >> Log:
 >>    Disable gvmat64.S, the assembler version of longest_match for now.
 >>
 >>    PR:        kern/154073
 >
 > Hi,
 >
 > This problem looks a lot like this one:
 >
 > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270070
 >
 > and we do not have the one-liner fix that is mentioned in the bug
 > report:
 >
 > http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=33;att=0;bug=270070
 >
 > However, is there a good way to reproduce the segfault?  My Perl never
 > crashes here, so I cannot verify that it fixes the problem.
 >
 > To the original PR submitter, and the other PR contributors, maybe you
 > can try the diff that was proposed in that bug report, and see if it
 > solves the crash for you?  E.g.:
 >
 > diff -urN zlib-1.2.1.1.orig/deflate.c zlib-data_type/deflate.c
 > --- zlib-1.2.1.1.orig/deflate.c    2003-11-12 16:48:21.000000000 +0000
 > +++ zlib-data_type/deflate.c    2004-09-05 14:04:20.076723997 +0100
 > @@ -372,6 +372,7 @@
 >      s = (deflate_state *)strm->state;
 >      s->pending = 0;
 >      s->pending_out = s->pending_buf;
 > +    s->data_type = Z_UNKNOWN;
 >
 >      if (s->wrap < 0) {
 >          s->wrap = -s->wrap; /* was made negative by deflate(..., 
 > Z_FINISH); */

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/154073: commit references a PR
Date: Thu, 21 Jul 2011 00:37:46 +0000 (UTC)

 Author: delphij
 Date: Thu Jul 21 00:37:32 2011
 New Revision: 224238
 URL: http://svn.freebsd.org/changeset/base/224238
 
 Log:
   MFC r224196:
   
   Disable gvmat64.S, the assembler version of longest_match for now.
   
   PR:		kern/154073
 
 Modified:
   stable/8/lib/libz/Makefile
 Directory Properties:
   stable/8/lib/libz/   (props changed)
   stable/8/lib/libz/contrib/   (props changed)
 
 Modified: stable/8/lib/libz/Makefile
 ==============================================================================
 --- stable/8/lib/libz/Makefile	Wed Jul 20 22:48:48 2011	(r224237)
 +++ stable/8/lib/libz/Makefile	Thu Jul 21 00:37:32 2011	(r224238)
 @@ -25,11 +25,12 @@ SRCS+=		match.S
  CFLAGS+=	-DASMV -DNO_UNDERLINE
  .endif
  
 -.if ${MACHINE_ARCH} == "amd64"
 -.PATH:		${.CURDIR}/contrib/gcc_gvmat64
 -SRCS+=		gvmat64.S
 -CFLAGS+=	-DASMV -DNO_UNDERLINE
 -.endif
 +#.if ${MACHINE_ARCH} == "amd64"
 +#.PATH:		${.CURDIR}/contrib/gcc_gvmat64
 +#SRCS+=		gvmat64.S
 +#CFLAGS+=	-DASMV -DNO_UNDERLINE
 +#ACFLAGS+=	-Wa,--noexecstack
 +#.endif
  
  minigzip:	all minigzip.o
  	$(CC) -o minigzip minigzip.o -L. -lz
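 
 Review bot: the `+` block does not mirror the `-` block: `#ACFLAGS+=	-Wa,--noexecstack` appears in the commented-out text although the stable/8 lines being removed had no ACFLAGS line (only .PATH, SRCS and CFLAGS, per the `-` lines and the `@@ -25,11 +25,12 @@` count). It is inert as a comment, but anyone who later un-comments the block on stable/8 silently picks up a flag that branch never set; either drop that line here or say in the log that the comment text was copied from head rather than from this branch.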
 

From: Christopher Key <christopher.key@cantab.net>
To: bug-followup@FreeBSD.org, azhegalov@gmail.com
Cc:  
Subject: Re: bin/154073: [libz] libz causes perl to exit on signal 11
Date: Tue, 13 Mar 2012 12:32:06 +0000

 This is indeed a buffer overrun problem.  See below for my analysis sent
 to the zlib maintainers:
 
 Hello,
 
 I've been looking into a repeatable gnuplot crash, which I think is the
 result of a bug in zlib.
 
 It's segfaulting at <longest_match+422>, which corresponds to
 contrib/gcc_gvmat/gvmat64.S line 453.  A copy of the relevant section is
 included below.
 
 This piece of code is comparing two buffers of size MAX_MATCH_8 == 264,
 and is doing so 24 bytes at a time.  However, I believe that the buffer
 that is passed is only expected to be 258 bytes long, and thus the last
 compare is overrunning the end of the buffer.  Normally this isn't a
 problem, as the match length is capped at 258 later on, but in my case
 it looks like the buffer ends very near the end of my process's address
 space, and the code is therefore segfaulting.  I've included a copy of
 the register dump below too.  The value of rdi is the address at which
 we stop reading from the second buffer (see line 421), and its value of
 0x809800004 looks suspiciously like it could have passed a mapping
 boundary.
 
 A quick hack to reduce the value of MAX_MATCH_8 to 240 avoids the crash.
 
 I assume that the only solution is to ensure that we don't pass the 258
 byte boundary.  Doing this is complicated by the fact that the match
 loop above can start 0-3 bytes after the start of the buffer (in order
 to 4-byte-align the fetches).  I'll have a go at providing a patch, but my
 asm skills are very much in their infancy, and it may take a while to
 produce something functional.  I therefore thought it best to notify you
 of the potential problem now.
 
 Kind regards,
 
 Christopher Key
 
 
 
 
 412: /*
 413: ;;; Point edi to the string under scrutiny, and esi to the string we
 414: ;;; are hoping to match it up with. In actuality, esi and edi are
 415: ;;; both pointed (MAX_MATCH_8 - scanalign) bytes ahead, and edx is
 416: ;;; initialized to -(MAX_MATCH_8 - scanalign).
 417: */
 418:         lea rsi,[r8+r10]
 419:         mov rdx, 0xfffffffffffffef8 //; -(MAX_MATCH_8)
 420:         lea rsi, [rsi + r13 + 0x0108] //;MAX_MATCH_8]
 421:         lea rdi, [r9 + r13 + 0x0108] //;MAX_MATCH_8]
 422:
 423:         prefetcht1 [rsi+rdx]
 424:         prefetcht1 [rdi+rdx]
 425:
 426: /*
 427: ;;; Test the strings for equality, 8 bytes at a time. At the end,
 428: ;;; adjust rdx so that it is offset to the exact byte that mismatched.
 429: ;;;
 430: ;;; We already know at this point that the first three bytes of the
 431: ;;; strings match each other, and they can be safely passed over before
 432: ;;; starting the compare loop. So what this code does is skip over 0-3
 433: ;;; bytes, as much as necessary in order to dword-align the edi
 434: ;;; pointer. (rsi will still be misaligned three times out of four.)
 435: ;;;
 436: ;;; It should be confessed that this loop usually does not represent
 437: ;;; much of the total running time. Replacing it with a more
 438: ;;; straightforward "rep cmpsb" would not drastically degrade
 439: ;;; performance.
 440: */
 441:
 442: LoopCmps:
 443:         mov rax, [rsi + rdx]
 444:         xor rax, [rdi + rdx]
 445:         jnz LeaveLoopCmps
 446:
 447:         mov rax, [rsi + rdx + 8]
 448:         xor rax, [rdi + rdx + 8]
 449:         jnz LeaveLoopCmps8
 450:
 451:
 452:         mov rax, [rsi + rdx + 8+8]
 453:         xor rax, [rdi + rdx + 8+8]
 454:         jnz LeaveLoopCmps16
 455:
 456:         add rdx,8+8+8
 457:
 458:            BEFORE_JMP
 459:         jnz  LoopCmps
 460:         jmp  LenMaximum
 461:            AFTER_JMP
 462:
 463: LeaveLoopCmps16: add rdx,8
 464: LeaveLoopCmps8: add rdx,8
 465: LeaveLoopCmps:
 466:
 
 
 
 rax            0x2000000000000  562949953421312
 rbx            0x200    512
 rcx            0x801bfe000      34389090304
 rdx            0xffffffffffffffe8       -24
 rsi            0x8097ffefd      34519121661
 rdi            0x809800004      34519121924
 rbp            0x8000   0x8000
 rsp            0x7fffffffd128   0x7fffffffd128
 r8             0xfdf3   65011
 r9             0x8097ffefa      34519121658
 r10            0x8097f0000      34519056384
 r11            0x58     88
 r12            0x200    512
 r13            0x2      2
 r14            0x0      0
 r15            0x1      1
 rip            0x8009d42a6      0x8009d42a6 <longest_match+422>
 eflags         0x10246  66118
 cs             0x43     67
 ss             0x3b     59
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 
 
>Unformatted:
