Status: Untriaged
Owner: ----
Labels: Type-Bug Pri-2 Build-Toolchain OS-Chrome
New issue 575288 by rahulcha...@chromium.org: binutils/gold: bug in handling of R_386_TLS_GOTIE reloc on x86
https://code.google.com/p/chromium/issues/detail?id=575288
ld.gold generated binary crashes with "Segmentation fault" when invoked.
ld.bfd generated binary runs fine.
The difference seems to be in handling of R_386_TLS_GOTIE relocation for x86.
See attached file go.o:
$ objdump -d -r go.o
<snip>
00046bb0 <runtime.rt0_go>:
<snip>
46cc6: e8 f5 35 00 00 call 4a2c0 <__x86.get_pc_thunk.cx>
46ccb: 8b 99 02 00 00 00 mov 0x2(%ecx),%ebx
46ccd: R_386_GOTPC *ABS*
46ccd: R_386_TLS_GOTIE runtime.tlsg
46cd1: e8 ea 35 00 00 call 4a2c0 <__x86.get_pc_thunk.cx>
46cd6: 8d 91 02 00 00 00 lea 0x2(%ecx),%edx
46cd8: R_386_PC32 runtime.g0
46cdc: 65 89 13 mov %edx,%gs:(%ebx)
<snip>
This sequence is used to write the "runtime.g0" address into the thread
local storage slot for "runtime.tlsg" during Go runtime initialization.
Linking with ld.bfd, and examining the binary, the generated code is:
$ objdump -d bfd.out
<snip>
00063430 <runtime.rt0_go>:
<snip>
63546: e8 f5 35 00 00 call 66b40 <__x86.get_pc_thunk.cx>
6354b: c7 c3 fc ff ff ff mov $0xfffffffc,%ebx
63551: e8 ea 35 00 00 call 66b40 <__x86.get_pc_thunk.cx>
63556: 8d 91 ca 06 05 00 lea 0x506ca(%ecx),%edx
6355c: 65 89 13 mov %edx,%gs:(%ebx)
<snip>
$ ./bfd.out
$
Linking with ld.gold, and examining the binary, the generated code is:
$ objdump -d gold.out
<snip>
00063330 <runtime.rt0_go>:
<snip>
63446: e8 f5 35 00 00 call 66a40 <__x86.get_pc_thunk.cx>
6344b: c7 c3 2d 0b 05 00 mov $0x50b2d,%ebx
63451: e8 ea 35 00 00 call 66a40 <__x86.get_pc_thunk.cx>
63456: 8d 91 ca 17 05 00 lea 0x517ca(%ecx),%edx
6345c: 65 89 13 mov %edx,%gs:(%ebx)
<snip>
$ ./gold.out
Segmentation fault (core dumped)
The seg-fault happens at the last instruction in the snippet above (6345c),
trying to store %edx to %gs:(%ebx) with %ebx == 0x50b2d. Note that when
linked with ld.bfd, we had %ebx == 0xfffffffc.
How to reproduce:
1) Make sure the i686 toolchain is installed in the chroot. If you need to
install it, set up an x86 board, e.g.
$ ~/trunk/src/scripts/setup_board --board=x86-zgb
$ i686-pc-linux-gnu-ld -v
GNU gold (binutils-2.25.51-r54-ec97727e655f49b010f4cf8c410631910d22199f_cos_gg 2.25.51.20141117) 1.11
2) Copy the three attached files to a directory:
- go.o
- 000000.o
- x
3) Run the attached script:
$ ./x
Attachments:
go.o 1.1 MB
000000.o 28.3 KB
x 806 bytes
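The difference between the two listings can be checked mechanically. The following is an added example, not part of the original report or of binutils: it scans objdump -d text for a store through %gs:(%reg) whose base register was last loaded with a non-negative immediate. It assumes the i386 TLS layout, where static TLS sits at negative offsets from the %gs base (as the 0xfffffffc in the ld.bfd output does); the function name suspicious_tls_stores is hypothetical.

```python
import re
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# "<addr>: <hex bytes> <mnemonic ...>" as printed by objdump -d
INSN = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2} )+)")

def suspicious_tls_stores(listing):
    """Return (address, base register, immediate) for each store through
    %gs:(%reg) whose base register last held a non-negative immediate."""
    last_imm = {}   # register -> signed imm32 of the latest mov $imm32,%reg
    findings = []
    for line in listing.splitlines():
        m = INSN.match(line)
        if not m:
            continue    # relocation records, <snip>, symbol headers
        addr, code = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if len(code) == 6 and code[0] == 0xC7 and code[1] & 0xF8 == 0xC0:
            # c7 /0 id with mod=11: mov $imm32,%reg (the relaxed form)
            last_imm[REGS[code[1] & 7]] = struct.unpack("<i", code[2:])[0]
        elif len(code) == 3 and code[:2] == b"\x65\x89" and code[2] >> 6 == 0:
            # 65 89 /r with mod=00: mov %src,%gs:(%base)
            base = REGS[code[2] & 7]
            # Heuristic only: no tracking of other writes to the register.
            if last_imm.get(base, -1) >= 0:
                findings.append((addr, base, last_imm[base]))
    return findings

# Instruction lines copied from the report's bfd.out and gold.out listings.
BFD_OUT = """\
63546: e8 f5 35 00 00 call 66b40 <__x86.get_pc_thunk.cx>
6354b: c7 c3 fc ff ff ff mov $0xfffffffc,%ebx
63551: e8 ea 35 00 00 call 66b40 <__x86.get_pc_thunk.cx>
63556: 8d 91 ca 06 05 00 lea 0x506ca(%ecx),%edx
6355c: 65 89 13 mov %edx,%gs:(%ebx)
"""
GOLD_OUT = """\
63446: e8 f5 35 00 00 call 66a40 <__x86.get_pc_thunk.cx>
6344b: c7 c3 2d 0b 05 00 mov $0x50b2d,%ebx
63451: e8 ea 35 00 00 call 66a40 <__x86.get_pc_thunk.cx>
63456: 8d 91 ca 17 05 00 lea 0x517ca(%ecx),%edx
6345c: 65 89 13 mov %edx,%gs:(%ebx)
"""

if __name__ == "__main__":
    for name, text in (("bfd.out", BFD_OUT), ("gold.out", GOLD_OUT)):
        for addr, reg, imm in suspicious_tls_stores(text):
            print(f"{name}: {addr:x}: store via %gs:(%{reg}) with {imm:#x}")
```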