Tarantool development patches archive
* [PATCH v1 1/1] box: fix crash in ncurses on fedora 28
@ 2018-08-08 13:52 Kirill Shcherbatov
  2018-08-08 18:27 ` Vladimir Davydov
  2018-08-15 18:15 ` [tarantool-patches] " Kirill Shcherbatov
  0 siblings, 2 replies; 3+ messages in thread
From: Kirill Shcherbatov @ 2018-08-08 13:52 UTC (permalink / raw)
  To: tarantool-patches; +Cc: vdavydov.dev, Kirill Shcherbatov

Tarantool has been crashing when trying to go into an
interactive loop in the ncurses-libs/libtinfo library via
lbox_console_readline. This SIGABORT is caused by stack
probing code that is present in new ncurses distributions.

  lea r11,[rsp-frameSize]
label:
  sub rsp,pageSize
  or QWORD PTR [rsp],0x0
  cmp rsp,r11
  jne label

Where frameSize is 0x8000 and pageSize is 0x1000 for
the version we've debugged.
The code above tests a marker value at the start of each page.
The 0x8000 frameSize is an internal value of the precompiled
ncurses binary.
This third-party library is called by a tarantool
fiber that has a fiber stack of size 2*0x8000.
At the moment of the crash, stack memory was distributed as follows:
ncurses   stack usage 0x91A8  bytes
total     stack usage 0x9488  bytes

We have to increase the interactive console main loop
fiber stack to work normally with third-party libraries.

Closes #3418.
---
Branch: https://github.com/tarantool/tarantool/tree/kshch/gh-3418-crash-on-fedora
Issue: https://github.com/tarantool/tarantool/issues/3418

 src/lua/init.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lua/init.c b/src/lua/init.c
index a0a7f63..217640f 100644
--- a/src/lua/init.c
+++ b/src/lua/init.c
@@ -610,8 +610,10 @@ tarantool_lua_run_script(char *path, bool interactive,
 	 * To work this problem around we must run init script in
 	 * a separate fiber.
 	 */
-
-	script_fiber = fiber_new(title, run_script_f);
+	struct fiber_attr fiber_attr =
+		{.stack_size = 0x8000 * 4,
+		 .flags = FIBER_DEFAULT_FLAGS | FIBER_CUSTOM_STACK};
+	script_fiber = fiber_new_ex(title, &fiber_attr, run_script_f);
 	if (script_fiber == NULL)
 		panic("%s", diag_last_error(diag_get())->errmsg);
 	fiber_start(script_fiber, tarantool_L, path, interactive,
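Review bot: `.stack_size = 0x8000 * 4` is a bare magic number with no comment, although the commit message explains exactly where it comes from (a 32 KiB probe frame on top of roughly 37 KiB already in use on a 64 KiB default stack). Give it a named constant and a one-line comment next to `struct fiber_attr fiber_attr =` that ties the value to the ncurses stack-clash probing and to #3418, so the next person who shrinks it knows what breaks. Note also that the larger stack is applied to every fiber created by `tarantool_lua_run_script`, not only to the interactive console the message talks about, while the function does receive `bool interactive`; either say so in the commit message or gate the custom stack on `interactive`.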
-- 
2.7.4


* Re: [PATCH v1 1/1] box: fix crash in ncurses on fedora 28
  2018-08-08 13:52 [PATCH v1 1/1] box: fix crash in ncurses on fedora 28 Kirill Shcherbatov
@ 2018-08-08 18:27 ` Vladimir Davydov
  2018-08-15 18:15 ` [tarantool-patches] " Kirill Shcherbatov
  1 sibling, 0 replies; 3+ messages in thread
From: Vladimir Davydov @ 2018-08-08 18:27 UTC (permalink / raw)
  To: Kirill Shcherbatov; +Cc: tarantool-patches

On Wed, Aug 08, 2018 at 04:52:28PM +0300, Kirill Shcherbatov wrote:
> diff --git a/src/lua/init.c b/src/lua/init.c
> index a0a7f63..217640f 100644
> --- a/src/lua/init.c
> +++ b/src/lua/init.c
> @@ -610,8 +610,10 @@ tarantool_lua_run_script(char *path, bool interactive,
>  	 * To work this problem around we must run init script in
>  	 * a separate fiber.
>  	 */
> -
> -	script_fiber = fiber_new(title, run_script_f);
> +	struct fiber_attr fiber_attr =
> +		{.stack_size = 0x8000 * 4,
> +		 .flags = FIBER_DEFAULT_FLAGS | FIBER_CUSTOM_STACK};
> +	script_fiber = fiber_new_ex(title, &fiber_attr, run_script_f);
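Review bot: the fix only changes the stack of the fiber that `tarantool_lua_run_script` starts, while the crashing function `lbox_console_readline` is reachable from any fiber, so the patch narrows the crash rather than closing it; the question below about `console.start()` from another fiber stands, and the alternative to answer it with is raising the default fiber stack size (or making it configurable) instead of passing `FIBER_CUSTOM_STACK` at this one call site.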

AFAIU lbox_console_readline (the function that calls ncurses and crashes
according to the ticket description) can be called from other fibers as
well, e.g.

  require('fiber').create(function() require('console').start() end)

Don't we want to fix that too?


* [tarantool-patches] [PATCH v1 1/1] box: fix crash in ncurses on fedora 28
  2018-08-08 13:52 [PATCH v1 1/1] box: fix crash in ncurses on fedora 28 Kirill Shcherbatov
  2018-08-08 18:27 ` Vladimir Davydov
@ 2018-08-15 18:15 ` Kirill Shcherbatov
  1 sibling, 0 replies; 3+ messages in thread
From: Kirill Shcherbatov @ 2018-08-15 18:15 UTC (permalink / raw)
  To: tarantool-patches, kyukhin; +Cc: Kirill Shcherbatov

Tarantool has been crashing when trying to go into an
interactive loop in the ncurses-libs/libtinfo library via
lbox_console_readline.
Ncurses on Fedora 28 is compiled with the flag
-fstack-clash-protection, which uses a stack protection
mechanism (strictly speaking, the configure option --enable-widec
is also required, but it is not a part of the problem we
investigated): gcc inserts code to step the stack down
one page at a time, running a logical OR with zero
at each point, which doesn't affect any value on the stack
but forces a memory access:

     lea r11,[rsp-frameSize]
 label:
     sub rsp,pageSize
     or QWORD PTR [rsp],0x0
     cmp rsp,r11
     jne label

where frameSize=32768 b and pageSize=4096 b
(see also https://ldpreload.com/blog/stack-smashes-you)

Tarantool's main interactive loop runs in a fiber with
the default stack size of 65536 b

BINARY IMAGE MEMORY MAP:
_____________________________________________________

SECTION      ADDRESSES       COMMENT

DATA         0x0       ^
HEAP                   |
             0x0ec18   |  # < --fstack-clash-
                       |  #   protection check
STACK: @               |  #
       @     0x16c18   | $# < ncurses/readline
       @               | $    internals, access
       @               | $    syscall in wrapper
       @               | $
       @               | $
       @     0x1ffe0   | $  < frame0 -- LUA
             ....      |
             0xffff    |

+------+-----------------------------+-------------+
| SIGN | DESCRIPTION                 | TOTAL SIZE  |
+------+-----------------------------+-------------+
|  @   | stack area region; (fiber)  |   65536 b   |
+------+-----------------------------+-------------+
|  $   | user-space application stack|   37832 b   |
|      | memory usage                |             |
+------+-----------------------------+-------------+
|  #   | a memory that checked stack |   32768 b   |
|      | probing generated with      |             |
|      | -fstack-clash-protection    |             |
+------+-----------------------------+-------------+
_____________________________________________________

In other words, $ + # = 70600    >    65536 = @
and we get a segfault:
SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=}
SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL}

We have to increase the interactive console main loop
fiber stack.

Closes #3418.
---
Branch: https://github.com/tarantool/tarantool/tree/kshch/gh-3418-crash-on-fedora
Issue: https://github.com/tarantool/tarantool/issues/3418

 src/lua/init.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lua/init.c b/src/lua/init.c
index a0a7f63..217640f 100644
--- a/src/lua/init.c
+++ b/src/lua/init.c
@@ -610,8 +610,10 @@ tarantool_lua_run_script(char *path, bool interactive,
 	 * To work this problem around we must run init script in
 	 * a separate fiber.
 	 */
-
-	script_fiber = fiber_new(title, run_script_f);
+	struct fiber_attr fiber_attr =
+		{.stack_size = 0x8000 * 4,
+		 .flags = FIBER_DEFAULT_FLAGS | FIBER_CUSTOM_STACK};
+	script_fiber = fiber_new_ex(title, &fiber_attr, run_script_f);
 	if (script_fiber == NULL)
 		panic("%s", diag_last_error(diag_get())->errmsg);
 	fiber_start(script_fiber, tarantool_L, path, interactive,
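Review bot: this hunk is byte-for-byte the v1 hunk (same `index a0a7f63..217640f`), so the v1 review question about `lbox_console_readline` being reached from fibers other than the script fiber is still unanswered by the code; the resend should either extend the fix to those callers, raise the default fiber stack instead of this single call site, or state in the commit message why the script fiber is the only path that matters. The number itself does cover the case worked out in the message: 37832 + 32768 = 70600 b fits in the 131072 b of `.stack_size = 0x8000 * 4` with about 60 KiB to spare, and a comment recording that arithmetic beside the initializer would keep the constant from being "cleaned up" later.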
-- 
2.7.4

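The v2 commit message above works out that the ncurses probe loop touches 32768 b below a stack pointer that already sits 37832 b into a 65536 b fiber stack, so the probe lands outside the fiber's stack. The C program below is an added example, not Tarantool code and not part of the patch: it emulates that probe loop against an mmap'd stack with a PROT_NONE guard page underneath (the guard page is this example's assumption about the layout, not something the thread states about Tarantool's fiber stacks), catches the resulting SIGSEGV with sigsetjmp/siglongjmp, and records si_code so the result can be compared with the strace lines in the message. The 4096 b page size is the one from the message; function names such as probe_frame and fiber_stack_alloc are the example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Added example, not Tarantool code. Numbers are the ones from the thread:
 * 65536 b default fiber stack, 37832 b in use, 32768 b probe frame, 4096 b
 * pages. The PROT_NONE guard page below the stack is this example's
 * assumption about the layout. */

#define PAGE_SIZE 4096u

struct fiber_stack {
	uint8_t *map;     /* guard page followed by the usable stack */
	size_t map_len;
	uint8_t *top;     /* one past the highest byte; stack grows down */
};

/* Map `size` usable bytes with one unreadable guard page underneath. */
static int fiber_stack_alloc(struct fiber_stack *st, size_t size)
{
	st->map_len = size + PAGE_SIZE;
	st->map = mmap(NULL, st->map_len, PROT_READ | PROT_WRITE,
		       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (st->map == MAP_FAILED)
		return -1;
	/* Any access to the lowest page now raises SIGSEGV / SEGV_ACCERR. */
	if (mprotect(st->map, PAGE_SIZE, PROT_NONE) != 0) {
		munmap(st->map, st->map_len);
		return -1;
	}
	st->top = st->map + st->map_len;
	return 0;
}

static sigjmp_buf probe_env;
static volatile sig_atomic_t last_si_code;

static void on_segv(int sig, siginfo_t *si, void *uctx)
{
	(void)sig; (void)uctx;
	last_si_code = si->si_code;   /* SEGV_ACCERR for a guard-page hit */
	siglongjmp(probe_env, 1);
}

/* si_code of the last fault; 0 if the last probe_frame() did not fault. */
int last_probe_si_code(void) { return (int)last_si_code; }

/*
 * Emulate the -fstack-clash-protection prologue quoted in the message:
 *     lea r11,[rsp-frameSize]
 * label:
 *     sub rsp,pageSize
 *     or  QWORD PTR [rsp],0x0
 *     cmp rsp,r11
 *     jne label
 * `used` bytes ('$' in the message) are already consumed above rsp.
 * Returns the number of pages probed, -1 if a probe faulted, -2 on mmap error.
 */
int probe_frame(size_t stack_size, size_t used, size_t frame_size)
{
	struct fiber_stack st;
	struct sigaction sa, old;
	volatile int probed = 0;

	if (fiber_stack_alloc(&st, stack_size) != 0)
		return -2;

	memset(&sa, 0, sizeof(sa));
	sa.sa_sigaction = on_segv;
	sa.sa_flags = SA_SIGINFO;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old);

	last_si_code = 0;
	if (sigsetjmp(probe_env, 1) == 0) {
		uint8_t *sp = st.top - used;             /* current rsp */
		uint8_t *r11 = sp - frame_size;          /* lea r11,[rsp-frameSize] */
		do {
			sp -= PAGE_SIZE;                 /* sub rsp,pageSize */
			*(volatile uint64_t *)sp |= 0;   /* or QWORD PTR [rsp],0x0 */
			probed++;
		} while (sp != r11);                     /* cmp rsp,r11 ; jne label */
	} else {
		probed = -1;                             /* landed here from on_segv */
	}

	sigaction(SIGSEGV, &old, NULL);
	munmap(st.map, st.map_len);
	return probed;
}

int main(void)
{
	int n = probe_frame(65536, 37832, 32768);
	printf("65536 b stack: probed %d pages, si_code=%d\n", n, last_probe_si_code());
	n = probe_frame(0x8000 * 4, 37832, 32768);
	printf("131072 b stack: probed %d pages, si_code=%d\n", n, last_probe_si_code());
	return 0;
}
```

With the thread's numbers the 65536 b stack faults on the seventh probe (top - 37832 - 7*4096 is inside the guard page) with SEGV_ACCERR, while the 0x8000 * 4 stack the patch chooses absorbs all eight probes. The faulting access is a read-modify-write of memory the library never otherwise uses: the probe exists precisely so that stack growth hits the guard page instead of jumping over it, which is what happened here.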
