Closed Bug 947083 Opened 7 years ago Closed 7 years ago

elf-dynstr-gc can cause startup (and/or shutdown) crashes

Categories

(Firefox Build System :: General, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
mozilla28

People

(Reporter: cjones, Assigned: glandium)

Details

Attachments

(1 file)

The problem is that it can move .init_array/.fini_array sections, but doesn't seem to update the INIT_ARRAY/FINI_ARRAY entries in .dynamic. Then when the object is loaded and an attempt is made to call the init functions, the array is in the wrong place and random bad things happen. An audit of all the .so's produced by the build showed the bug in these:

 * toolkit/system/gnome/libmozgnome.so
 * toolkit/system/dbus/libdbusservice.so
 * browser/components/build/libbrowsercomps.so

These are all binary xpcom modules, but that might just be a coincidence.

The "smoking gun" is

$ /home/cjones/rr/ff-prof/_virtualenv/bin/python /home/cjones/rr/mozilla-central/config/expandlibs_exec.py --depend .deps/libdbusservice.so.pp --target libdbusservice.so --uselist --  clang++ [...snip]
$ readelf -a libdbusservice.so | egrep '(INIT_ARRAY|FINI_ARRAY)'
  [24] .fini_array       FINI_ARRAY      0001a9a8 0199a8 000004 00  WA  0   0  4
  [25] .init_array       INIT_ARRAY      0001a9ac 0199ac 000004 00  WA  0   0  4
 0x0000001a (FINI_ARRAY)                 0x1a9a8
 0x0000001c (FINI_ARRAYSZ)               4 (bytes)
 0x00000019 (INIT_ARRAY)                 0x1a9ac
 0x0000001b (INIT_ARRAYSZ)               4 (bytes)

[Ed: Section offsets match the .dynamic entries above ^^^]

$ ../../../config/elf-dynstr-gc ../../../dist/bin/components/libdbusservice.so
$ readelf -a libdbusservice.so | egrep '(INIT_ARRAY|FINI_ARRAY)'
  [24] .fini_array       FINI_ARRAY      0001a998 019998 000004 00  WA  0   0  4
  [25] .init_array       INIT_ARRAY      0001a99c 01999c 000004 00  WA  0   0  4
 0x0000001a (FINI_ARRAY)                 0x1a9a8
 0x0000001c (FINI_ARRAYSZ)               4 (bytes)
 0x00000019 (INIT_ARRAY)                 0x1a9ac
 0x0000001b (INIT_ARRAYSZ)               4 (bytes)

[Ed: .fini_array/.init_array sections moved, but the .dynamic entries weren't updated above ^^^]

Then, attempting to dlopen() this library causes a crash calling a NULL .init_array function.
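A consistency check for exactly the defect described in this comment, added here as an example and not part of the bug report or of the Mozilla build tools: it parses `readelf -a` output (the two excerpts quoted above are embedded as constructed sample input) and reports every DT_INIT_ARRAY/DT_FINI_ARRAY (and *SZ) entry whose value disagrees with the section header of the matching section type, which is the state left behind after elf-dynstr-gc moved the sections.

```python
import re

# Constructed sample input: the two `readelf -a | egrep '(INIT_ARRAY|FINI_ARRAY)'`
# excerpts quoted in the report, before and after elf-dynstr-gc was run.
BEFORE_GC = """\
  [24] .fini_array       FINI_ARRAY      0001a9a8 0199a8 000004 00  WA  0   0  4
  [25] .init_array       INIT_ARRAY      0001a9ac 0199ac 000004 00  WA  0   0  4
 0x0000001a (FINI_ARRAY)                 0x1a9a8
 0x0000001c (FINI_ARRAYSZ)               4 (bytes)
 0x00000019 (INIT_ARRAY)                 0x1a9ac
 0x0000001b (INIT_ARRAYSZ)               4 (bytes)
"""
AFTER_GC = """\
  [24] .fini_array       FINI_ARRAY      0001a998 019998 000004 00  WA  0   0  4
  [25] .init_array       INIT_ARRAY      0001a99c 01999c 000004 00  WA  0   0  4
 0x0000001a (FINI_ARRAY)                 0x1a9a8
 0x0000001c (FINI_ARRAYSZ)               4 (bytes)
 0x00000019 (INIT_ARRAY)                 0x1a9ac
 0x0000001b (INIT_ARRAYSZ)               4 (bytes)
"""

# Section header row: [Nr] Name Type Addr Off Size ... (hex columns, no 0x prefix)
SECTION_RE = re.compile(r"^\s*\[\s*\d+\]\s+\S+\s+(INIT_ARRAY|FINI_ARRAY)\s+([0-9a-f]+)\s+[0-9a-f]+\s+([0-9a-f]+)")
# .dynamic row: 0xTAG (NAME) value, where address values print as 0x... and sizes as "N (bytes)"
DYNAMIC_RE = re.compile(r"^\s*0x[0-9a-f]+\s+\((INIT_ARRAY|FINI_ARRAY)(SZ)?\)\s+(0x[0-9a-f]+|\d+)")

def check_init_fini_arrays(readelf_text: str) -> dict:
    """Return {dynamic_tag: (value_from_section_header, value_in_.dynamic)} for
    every DT_*_ARRAY / DT_*_ARRAYSZ entry that disagrees with the section of the
    same type. An empty dict means the loader will find the arrays where they are."""
    sections = {}  # section type -> (virtual address, size)
    dynamic = {}   # dynamic tag  -> value
    for line in readelf_text.splitlines():
        if m := SECTION_RE.match(line):
            stype, addr, size = m.groups()
            sections[stype] = (int(addr, 16), int(size, 16))
        elif m := DYNAMIC_RE.match(line):
            tag, is_size, value = m.groups()
            dynamic[tag + (is_size or "")] = int(value, 0)  # base 0: accepts 0x... and decimal
    mismatches = {}
    for stype, (addr, size) in sections.items():
        for tag, expected in ((stype, addr), (stype + "SZ", size)):
            if tag in dynamic and dynamic[tag] != expected:
                mismatches[tag] = (expected, dynamic[tag])
    return mismatches

if __name__ == "__main__":
    for label, text in (("before elf-dynstr-gc", BEFORE_GC), ("after elf-dynstr-gc", AFTER_GC)):
        print(label, check_init_fini_arrays(text) or "consistent")
```

Run against a real build output by piping `readelf -a lib.so` into the function; any non-empty result means the .dynamic entries point at stale addresses and dlopen() will call whatever bytes now sit there.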
Can you attach one of the pre-elf-dynstr-gc .so?
(In reply to Mike Hommey [:glandium] from comment #1)
> Can you attach one of the pre-elf-dynstr-gc .so?

In fact, forget it. I just did a build on try without it or elfhack enabled, got all the .so from there, uncommented the printfs telling the new and old sizes in elf-dynstr-gc.c, and ran the program on all the .sos. This is what that gives:

New dynstr size: 10245
Old dynstr size: 10169
New dynstr size: 25613
Old dynstr size: 24545
New dynstr size: 908
Old dynstr size: 837
New dynstr size: 4907
Old dynstr size: 4853
New dynstr size: 6790
Old dynstr size: 6091
New dynstr size: 8839
Old dynstr size: 8768
New dynstr size: 1856
Old dynstr size: 1806
New dynstr size: 2408
Old dynstr size: 2351
New dynstr size: 1812
Old dynstr size: 1762
New dynstr size: 1355
Old dynstr size: 1327
New dynstr size: 6463
Old dynstr size: 6452
New dynstr size: 400483
Old dynstr size: 399902
New dynstr size: 2702
Old dynstr size: 2679
New dynstr size: 744
Old dynstr size: 652
New dynstr size: 792
Old dynstr size: 792
New dynstr size: 2390
Old dynstr size: 2385
New dynstr size: 622
Old dynstr size: 622

With those sizes, it just does ... nothing.

It looks like it *did* something for you for some reason, and considering the section offset changes, it saves 16 bytes for you. Worthless.

Moreover, it only works on Linux x86 32-bit and ppc. Not 64-bit, not ARM. And it doesn't support cross compile.

So, to summarize: elf-dynstr-gc can die.
Attachment #8343587 - Flags: review?(ted)
Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED
Comment on attachment 8343587 [details] [diff] [review]
Kill elf-dynstr-gc

Review of attachment 8343587 [details] [diff] [review]:
-----------------------------------------------------------------

Exciting!
Attachment #8343587 - Flags: review?(ted) → review+
https://hg.mozilla.org/mozilla-central/rev/9da422e00e1c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Product: Core → Firefox Build System