From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounce@freelists.org>
Received: from localhost (localhost [127.0.0.1])
	by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 2D66B297D1
	for <tarantool-patches@freelists.org>; Wed, 15 Aug 2018 14:15:44 -0400 (EDT)
Received: from turing.freelists.org ([127.0.0.1])
	by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 5KB9kNJbAr9Z for <tarantool-patches@freelists.org>;
	Wed, 15 Aug 2018 14:15:44 -0400 (EDT)
Received: from smtp47.i.mail.ru (smtp47.i.mail.ru [94.100.177.107])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTPS id 42B8A297FB
	for <tarantool-patches@freelists.org>; Wed, 15 Aug 2018 14:15:43 -0400 (EDT)
From: Kirill Shcherbatov <kshcherbatov@tarantool.org>
Subject: [tarantool-patches] [PATCH v1 1/1] box: fix crash in ncurses on fedora 28
Date: Wed, 15 Aug 2018 21:15:38 +0300
Message-Id: <f2677cd964b23aa4ef09dbad660d42f206ce8ab3.1534356838.git.kshcherbatov@tarantool.org>
In-Reply-To: <eb5323504261a57a84fa99e8072a89c8c919e1d7.1533736169.git.kshcherbatov@tarantool.org>
References: <eb5323504261a57a84fa99e8072a89c8c919e1d7.1533736169.git.kshcherbatov@tarantool.org>
Sender: tarantool-patches-bounce@freelists.org
Errors-to: tarantool-patches-bounce@freelists.org
Reply-To: tarantool-patches@freelists.org
List-help: <mailto:ecartis@freelists.org?Subject=help>
List-unsubscribe: <tarantool-patches-request@freelists.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: tarantool-patches <tarantool-patches.freelists.org>
List-subscribe: <tarantool-patches-request@freelists.org?Subject=subscribe>
List-owner: <mailto:>
List-post: <mailto:tarantool-patches@freelists.org>
List-archive: <http://www.freelists.org/archives/tarantool-patches>
To: tarantool-patches@freelists.org, kyukhin@tarantool.org
Cc: Kirill Shcherbatov <kshcherbatov@tarantool.org>

Tarantool has been crashing when trying to go into an
interactive loop in ncurses-libs/libtinfo library via
lbox_console_readline.
Ncurses on Fedora 28 is compiled with flag
--fstack-clash-protection that use stack protection
mechanism (strictly speaking configure option --enable-widec
is also required, but it is not a part of problem we
investigated): gcc inserting code to step the stack down
one page at a time, running a logical-OR with zero
at each point, which doesn't affect any value on the stack
but forces a memory access:

     lea r11,[rsp-frameSize]
 label:
     sub rsp,pageSize
     or QWORD PTR [rsp],0x0
     cmp rsp,r11
     jne label

where frameSize=32768 b and pageSize=4096 b
(read also https://ldpreload.com/blog/stack-smashes-you)

Tarantool main interactive loop is working in fiber with
default stack size 65536 b

BINARY IMAGE MEMORY MAP:
_____________________________________________________

SECTION      ADDRESSES       COMMENT

DATA         0x0       ^
HEAP                   |
             0x0ec18   |  # < --fstack-clash-
                       |  #   protection check
STACK: @               |  #
       @     0x16c18   | $# < ncurses/readline
       @               | $    internals, access
       @               | $    syscall in wrapper
       @               | $
       @               | $
       @     0x1ffe0   | $  < frame0 -- LUA
             ....      |
             0xffff    |

+------+-----------------------------+-------------+
| SIGN | DESCRIPTION                 | TOTAL SIZE  |
+------+-----------------------------+-------------+
|  @   | stack area region; (fiber)  |   65536 b   |
+------+-----------------------------+-------------+
|  $   | user-space application stack|   37832 b   |
|      | memory usage                |             |
+------+-----------------------------+-------------+
|  #   | a memory that checked stack |   32768 b   |
|      | probing generated with      |             |
|      | --fstack-clash-protection   |             |
+------+-----------------------------+-------------+
_____________________________________________________

In other words, $ + # = 70600    >    65536 = @
and we have segfault:
SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=}
SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL}

We have to increase interactive console main loop
fiber stack.

Closes #3418.
---
Branch: https://github.com/tarantool/tarantool/tree/kshch/gh-3418-crash-on-fedora
Issue: https://github.com/tarantool/tarantool/issues/3418

 src/lua/init.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lua/init.c b/src/lua/init.c
index a0a7f63..217640f 100644
--- a/src/lua/init.c
+++ b/src/lua/init.c
@@ -610,8 +610,10 @@ tarantool_lua_run_script(char *path, bool interactive,
 	 * To work this problem around we must run init script in
 	 * a separate fiber.
 	 */
-
-	script_fiber = fiber_new(title, run_script_f);
+	struct fiber_attr fiber_attr =
+		{.stack_size = 0x8000 * 4,
+		 .flags = FIBER_DEFAULT_FLAGS | FIBER_CUSTOM_STACK};
+	script_fiber = fiber_new_ex(title, &fiber_attr, run_script_f);
 	if (script_fiber == NULL)
 		panic("%s", diag_last_error(diag_get())->errmsg);
 	fiber_start(script_fiber, tarantool_L, path, interactive,
-- 
2.7.4