elf-dynstr-gc can cause startup (and/or shutdown) crashes

RESOLVED FIXED in mozilla28

Status: defect, RESOLVED FIXED (opened 6 years ago, last changed last year)
People: Reporter cjones, Assigned glandium
Tracking: version unspecified, target milestone mozilla28, x86_64 Linux
Firefox Tracking Flags: not tracked
Attachments: 1

The problem is that it can move .init_array/.fini_array sections, but doesn't seem to update the INIT_ARRAY/FINI_ARRAY entries in .dynamic.  Then when the object is loaded and an attempt is made to call the init functions, the array is in the wrong place and random bad things happen.  An audit of all the .so's produced by the build showed the bug in these

 * toolkit/system/gnome/libmozgnome.so
 * toolkit/system/dbus/libdbusservice.so
 * browser/components/build/libbrowsercomps.so

These are all binary xpcom modules, but that might just be a coincidence.

The "smoking gun" is

$ /home/cjones/rr/ff-prof/_virtualenv/bin/python /home/cjones/rr/mozilla-central/config/expandlibs_exec.py --depend .deps/libdbusservice.so.pp --target libdbusservice.so --uselist --  clang++ [...snip]
$ readelf -a libdbusservice.so | egrep '(INIT_ARRAY|FINI_ARRAY)'
  [24] .fini_array       FINI_ARRAY      0001a9a8 0199a8 000004 00  WA  0   0  4
  [25] .init_array       INIT_ARRAY      0001a9ac 0199ac 000004 00  WA  0   0  4
 0x0000001a (FINI_ARRAY)                 0x1a9a8
 0x0000001c (FINI_ARRAYSZ)               4 (bytes)
 0x00000019 (INIT_ARRAY)                 0x1a9ac
 0x0000001b (INIT_ARRAYSZ)               4 (bytes)

[Ed: Section offsets match the .dynamic entries above ^^^]

$ ../../../config/elf-dynstr-gc ../../../dist/bin/components/libdbusservice.so
$ readelf -a libdbusservice.so | egrep '(INIT_ARRAY|FINI_ARRAY)'
  [24] .fini_array       FINI_ARRAY      0001a998 019998 000004 00  WA  0   0  4
  [25] .init_array       INIT_ARRAY      0001a99c 01999c 000004 00  WA  0   0  4
 0x0000001a (FINI_ARRAY)                 0x1a9a8
 0x0000001c (FINI_ARRAYSZ)               4 (bytes)
 0x00000019 (INIT_ARRAY)                 0x1a9ac
 0x0000001b (INIT_ARRAYSZ)               4 (bytes)

[Ed: .fini_array/.init_array sections moved, but the .dynamic entries weren't updated above ^^^]

Then, attempting to dlopen() this library causes a crash calling a NULL .init_array function.
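The audit described above, as an added example that is not code from the bug or from the Mozilla tree: parse the section headers and the .dynamic section of a shared object and flag any .init_array/.fini_array whose address or size no longer agrees with the DT_INIT_ARRAY/DT_FINI_ARRAY (and *SZ) entries. The file layout and tag values are the standard ELF ones (the tags match the 0x19/0x1a/0x1b/0x1c shown by readelf); the parser is an assumption of this example and handles little-endian ELF32 and ELF64 only. build_sample_elf32 is a constructed, header-only image that reuses the addresses from the readelf output so the stale-entry case can be reproduced offline.

```python
import struct
import sys

# ELF constants (System V ABI); the d_tag values match the readelf output:
# 0x19 INIT_ARRAY, 0x1a FINI_ARRAY, 0x1b INIT_ARRAYSZ, 0x1c FINI_ARRAYSZ.
SHT_DYNAMIC, SHT_INIT_ARRAY, SHT_FINI_ARRAY = 6, 14, 15
DT_NULL, DT_INIT_ARRAY, DT_FINI_ARRAY, DT_INIT_ARRAYSZ, DT_FINI_ARRAYSZ = 0, 25, 26, 27, 28

# section type -> (section name, address tag name, address tag, size tag)
PAIRS = {
    SHT_INIT_ARRAY: (".init_array", "DT_INIT_ARRAY", DT_INIT_ARRAY, DT_INIT_ARRAYSZ),
    SHT_FINI_ARRAY: (".fini_array", "DT_FINI_ARRAY", DT_FINI_ARRAY, DT_FINI_ARRAYSZ),
}


def _formats(data):
    """Pick struct layouts from e_ident; little-endian ELF32/ELF64 only (assumption)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("big-endian ELF is not handled by this example")
    if data[4] == 1:   # ELFCLASS32: Ehdr, Shdr, Dyn
        return "<16sHHIIIIIHHHHHH", "<IIIIIIIIII", "<iI"
    if data[4] == 2:   # ELFCLASS64
        return "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<qQ"
    raise ValueError("unknown EI_CLASS")


def section_headers(data):
    """Section headers as tuples (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...)."""
    ehdr_fmt, shdr_fmt, _ = _formats(data)
    eh = struct.unpack_from(ehdr_fmt, data, 0)
    shoff, shentsize, shnum = eh[6], eh[11], eh[12]
    return [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize)
            for i in range(shnum)]


def dynamic_entries(data, shdrs):
    """Map d_tag -> d_val for the SHT_DYNAMIC section, stopping at DT_NULL."""
    _, _, dyn_fmt = _formats(data)
    entsize = struct.calcsize(dyn_fmt)
    dyn = {}
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        for pos in range(sh[4], sh[4] + sh[5], entsize):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            dyn.setdefault(tag, val)
    return dyn


def check_init_arrays(data):
    """Return a list of mismatch descriptions; an empty list means the file is consistent."""
    shdrs = section_headers(data)
    dyn = dynamic_entries(data, shdrs)
    problems = []
    for sh in shdrs:
        if sh[1] not in PAIRS:
            continue
        name, tagname, addr_tag, size_tag = PAIRS[sh[1]]
        addr, size = sh[3], sh[5]
        got = dyn.get(addr_tag)
        if got != addr:
            shown = "missing" if got is None else f"0x{got:x}"
            problems.append(f"{name} at 0x{addr:x} but {tagname} is {shown}")
        if dyn.get(size_tag) != size:
            problems.append(f"{name} size {size} but {tagname}SZ is {dyn.get(size_tag)}")
    return problems


def build_sample_elf32(moved_by=0):
    """Constructed minimal little-endian ELF32 image (headers only, not loadable).

    moved_by=0 gives a consistent file; moved_by=16 reproduces the report: the
    array sections sit 16 bytes lower while .dynamic still holds the old addresses."""
    fini_addr, init_addr = 0x1a9a8, 0x1a9ac          # addresses from the readelf output
    ehsize, shentsize = 52, 40
    fini_off, init_off, dyn_off = ehsize, ehsize + 4, ehsize + 8
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in [
        (DT_FINI_ARRAY, fini_addr), (DT_FINI_ARRAYSZ, 4),
        (DT_INIT_ARRAY, init_addr), (DT_INIT_ARRAYSZ, 4), (DT_NULL, 0)])
    shoff = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, LE, EV_CURRENT
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 3, 3, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, 4, 0)   # ET_DYN, EM_386, 4 sections

    def shdr(typ, addr, off, size):   # sh_flags=3 is WA, sh_addralign=4, as in readelf
        return struct.pack("<IIIIIIIIII", 0, typ, 3, addr, off, size, 0, 0, 4, 0)

    shdrs = (shdr(0, 0, 0, 0)
             + shdr(SHT_FINI_ARRAY, fini_addr - moved_by, fini_off, 4)
             + shdr(SHT_INIT_ARRAY, init_addr - moved_by, init_off, 4)
             + shdr(SHT_DYNAMIC, 0, dyn_off, len(dyn)))
    return ehdr + bytes(8) + dyn + shdrs


if __name__ == "__main__":
    # Audit real objects: python3 check_init_arrays.py dist/bin/components/*.so
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for problem in check_init_arrays(f.read()):
                print(f"{path}: {problem}")
```

Run over the .so files a build produces, the script prints one line per stale entry and nothing for a consistent object; a dlopen() of a flagged file would read its init functions from wherever the old address now points, which is the crash the report describes. The check keys on section type rather than name, so it does not need .shstrtab and also works on stripped objects.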

Comment 1 (assignee, 6 years ago)
Can you attach one of the pre-elf-dynstr-gc .so ?

Comment 2 (assignee, 6 years ago)
(In reply to Mike Hommey [:glandium] from comment #1)
> Can you attach one of the pre-elf-dynstr-gc .so ?

In fact, forget it. I just did a build on try with neither it nor elfhack enabled, got all the .so's from there, uncommented the printfs telling the new and old sizes in elf-dynstr-gc.c, and ran the program on all the .so's. This is what that gives:

New dynstr size: 10245
Old dynstr size: 10169
New dynstr size: 25613
Old dynstr size: 24545
New dynstr size: 908
Old dynstr size: 837
New dynstr size: 4907
Old dynstr size: 4853
New dynstr size: 6790
Old dynstr size: 6091
New dynstr size: 8839
Old dynstr size: 8768
New dynstr size: 1856
Old dynstr size: 1806
New dynstr size: 2408
Old dynstr size: 2351
New dynstr size: 1812
Old dynstr size: 1762
New dynstr size: 1355
Old dynstr size: 1327
New dynstr size: 6463
Old dynstr size: 6452
New dynstr size: 400483
Old dynstr size: 399902
New dynstr size: 2702
Old dynstr size: 2679
New dynstr size: 744
Old dynstr size: 652
New dynstr size: 792
Old dynstr size: 792
New dynstr size: 2390
Old dynstr size: 2385
New dynstr size: 622
Old dynstr size: 622

With those sizes, it just does ... nothing.

It looks like it *did* something for you for some reason, and considering the section offset changes, it saves 16 bytes for you. Worthless.

Moreover, it only works on linux x86 32-bits and ppc. Not 64-bits, not arm. And it doesn't support cross compile.

So, to summarize: elf-dynstr-gc can die.

Comment 3 (assignee, 6 years ago)
Attachment #8343587 - Flags: review?(ted)

Updated (assignee, 6 years ago)
Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED

Comment on attachment 8343587
Kill elf-dynstr-gc

Review of attachment 8343587:
-----------------------------------------------------------------

Exciting!
Attachment #8343587 - Flags: review?(ted) → review+
https://hg.mozilla.org/mozilla-central/rev/9da422e00e1c
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28

Updated (last year)
Product: Core → Firefox Build System