[tarantool-patches] [PATCH v1 1/1] box: fix crash in ncurses on fedora 28

Kirill Shcherbatov kshcherbatov at tarantool.org
Wed Aug 15 21:15:38 MSK 2018


Tarantool has been crashing when trying to enter an
interactive loop in the ncurses-libs/libtinfo library via
lbox_console_readline.
Ncurses on Fedora 28 is compiled with the flag
--fstack-clash-protection, which uses a stack protection
mechanism (strictly speaking, the configure option --enable-widec
is also required, but it is not part of the problem we
investigated): gcc inserts code to step the stack down
one page at a time, running a logical OR with zero
at each point, which doesn't affect any value on the stack
but forces a memory access:

     lea r11,[rsp-frameSize]
 label:
     sub rsp,pageSize
     or QWORD PTR [rsp],0x0
     cmp rsp,r11
     jne label

where frameSize=32768 b and pageSize=4096 b
(read also https://ldpreload.com/blog/stack-smashes-you)

The Tarantool main interactive loop works in a fiber with
the default stack size of 65536 b.

BINARY IMAGE MEMORY MAP:
_____________________________________________________

SECTION      ADDRESSES       COMMENT

DATA         0x0       ^
HEAP                   |
             0x0ec18   |  # < --fstack-clash-
                       |  #   protection check
STACK: @               |  #
       @     0x16c18   | $# < ncurses/readline
       @               | $    internals, access
       @               | $    syscall in wrapper
       @               | $
       @               | $
       @     0x1ffe0   | $  < frame0 -- LUA
             ....      |
             0xffff    |

+------+-----------------------------+-------------+
| SIGN | DESCRIPTION                 | TOTAL SIZE  |
+------+-----------------------------+-------------+
|  @   | stack area region; (fiber)  |   65536 b   |
+------+-----------------------------+-------------+
|  $   | user-space application stack|   37832 b   |
|      | memory usage                |             |
+------+-----------------------------+-------------+
|  #   | a memory that checked stack |   32768 b   |
|      | probing generated with      |             |
|      | --fstack-clash-protection   |             |
+------+-----------------------------+-------------+
_____________________________________________________

In other words, $ + # = 70600    >    65536 = @,
and we get a segfault:
SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=}
SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL}

We have to increase the interactive console main loop
fiber stack.

Closes #3418.
---
Branch: https://github.com/tarantool/tarantool/tree/kshch/gh-3418-crash-on-fedora
Issue: https://github.com/tarantool/tarantool/issues/3418

 src/lua/init.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lua/init.c b/src/lua/init.c
index a0a7f63..217640f 100644
--- a/src/lua/init.c
+++ b/src/lua/init.c
@@ -610,8 +610,10 @@ tarantool_lua_run_script(char *path, bool interactive,
 	 * To work this problem around we must run init script in
 	 * a separate fiber.
 	 */
-
-	script_fiber = fiber_new(title, run_script_f);
+	struct fiber_attr fiber_attr =
+		{.stack_size = 0x8000 * 4,
+		 .flags = FIBER_DEFAULT_FLAGS | FIBER_CUSTOM_STACK};
+	script_fiber = fiber_new_ex(title, &fiber_attr, run_script_f);
 	if (script_fiber == NULL)
 		panic("%s", diag_last_error(diag_get())->errmsg);
 	fiber_start(script_fiber, tarantool_L, path, interactive,
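Review bot: the new stack size is a bare `0x8000 * 4` with nothing at the call site saying why it is four times the default; the only explanation (ncurses built with -fstack-clash-protection probing a 32 KiB frame while about 37 KiB of the 64 KiB fiber stack is already in use) lives in the commit message, and the comment block right above the change still only explains why a separate fiber is used at all. Suggest a named constant with a short comment citing gh-3418, e.g. `/* gh-3418: ncurses with -fstack-clash-protection probes a 32 KiB frame */`. Also note that the larger stack is now allocated for every script fiber, not only when `interactive` is true, although the readline/ncurses frames only exist on the interactive path; if that is intentional, say so in the comment, otherwise pick the stack size based on `interactive`, which is already a parameter of this function and is passed on to `fiber_start`.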
-- 
2.7.4
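The following is an added example, not part of the patch or of the Tarantool code base, that reproduces the failure mode the commit message describes in a stand-alone program. It emulates a fiber stack with makecontext() on an mmap()'d region whose lowest page is PROT_NONE (a guard page), and emulates the -fstack-clash-protection prologue by touching the callee's frame one page at a time, starting below the bytes the callers are assumed to have consumed already. With the figures from the message (64 KiB fiber, 37832 b in use, 32 KiB probed frame) a probe lands on the guard page and the kernel raises SIGSEGV; with the 0x8000 * 4 stack the patch switches to it does not. The function names, the guard-page layout and the way "already used" stack is modelled are this example's own assumptions, not Tarantool's fiber implementation; it is Linux/glibc specific (ucontext, sigaltstack).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

static sigjmp_buf g_escape;
static ucontext_t g_main_ctx, g_fiber_ctx;
static volatile sig_atomic_t g_fault_code; /* si_code of the last SIGSEGV, 0 if none */
static size_t g_page, g_used, g_frame;

/* SIGSEGV handler: record si_code and abandon the emulated fiber. */
static void on_segv(int sig, siginfo_t *si, void *uctx)
{
	(void)sig; (void)uctx;
	g_fault_code = si->si_code;
	siglongjmp(g_escape, 1);
}

/*
 * Runs on the emulated fiber stack. Mirrors the probing loop quoted in the
 * commit message for a function with a g_frame-byte frame:
 *   lea r11,[rsp-frameSize]; label: sub rsp,pageSize; or [rsp],0; cmp; jne
 * g_used bytes are assumed to be consumed already by the callers (the "$"
 * region in the memory map), so probing starts below them.
 */
static void probe_frame(void)
{
	uintptr_t top = (uintptr_t)__builtin_frame_address(0) - g_used;
	for (size_t off = g_page; off <= g_frame; off += g_page)
		*(volatile char *)(top - off) |= 0; /* or QWORD PTR [rsp],0x0 */
}

/*
 * Runs probe_frame() on a stack_size-byte fiber stack sitting above a
 * one-page PROT_NONE guard. Returns 1 if a probe hit the guard (SIGSEGV),
 * 0 if the frame fitted, -1 on setup failure.
 */
int fiber_probe_faults(size_t stack_size, size_t used, size_t frame)
{
	static char altstack[1 << 16]; /* the handler runs here, not on the fiber stack */
	struct sigaction sa, old;
	stack_t ss;

	g_page = (size_t)sysconf(_SC_PAGESIZE);
	g_used = used;
	g_frame = frame;
	g_fault_code = 0;

	memset(&ss, 0, sizeof ss);
	ss.ss_sp = altstack;
	ss.ss_size = sizeof altstack;
	if (sigaltstack(&ss, NULL) != 0)
		return -1;
	memset(&sa, 0, sizeof sa);
	sa.sa_sigaction = on_segv;
	sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
	sigemptyset(&sa.sa_mask);
	if (sigaction(SIGSEGV, &sa, &old) != 0)
		return -1;

	size_t map_len = g_page + stack_size; /* guard page + fiber stack */
	char *map = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map == MAP_FAILED) {
		sigaction(SIGSEGV, &old, NULL);
		return -1;
	}
	if (mprotect(map, g_page, PROT_NONE) != 0) { /* lowest page becomes the guard */
		sigaction(SIGSEGV, &old, NULL);
		munmap(map, map_len);
		return -1;
	}

	volatile int faulted = 0;
	if (sigsetjmp(g_escape, 1) == 0) {
		getcontext(&g_fiber_ctx);
		g_fiber_ctx.uc_stack.ss_sp = map + g_page; /* stack lives above the guard */
		g_fiber_ctx.uc_stack.ss_size = stack_size;
		g_fiber_ctx.uc_link = &g_main_ctx;          /* resume here if probe_frame returns */
		makecontext(&g_fiber_ctx, probe_frame, 0);
		swapcontext(&g_main_ctx, &g_fiber_ctx);
	} else {
		faulted = 1; /* reached via siglongjmp from on_segv */
	}
	sigaction(SIGSEGV, &old, NULL);
	munmap(map, map_len);
	return faulted;
}

int main(void)
{
	/* Figures from the commit message: 64 KiB fiber, 37832 b used, 32 KiB probed frame. */
	int r = fiber_probe_faults(65536, 37832, 32768);
	printf("64 KiB fiber, 37832 used, 32 KiB probed: %s (si_code=%d)\n",
	       r == 1 ? "SIGSEGV" : "ok", (int)g_fault_code);
	/* Same frame on the 0x8000 * 4 stack the patch switches to. */
	r = fiber_probe_faults(0x8000 * 4, 37832, 32768);
	printf("128 KiB fiber, 37832 used, 32 KiB probed: %s\n", r == 1 ? "SIGSEGV" : "ok");
	return 0;
}
```

The probes are spaced exactly one page apart and the guard is one page, so a frame that crosses the bottom of the stack cannot step over the guard unnoticed; that is the same property that makes -fstack-clash-protection stop a stack clash, and also the reason the probed 32 KiB frame trips on a 64 KiB fiber stack that a non-probing build would have quietly underrun.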