[Bug 4550] Segfault in Busybox while installing Ubuntu 11.10

bugzilla at busybox.net bugzilla at busybox.net
Sun Mar 18 23:21:15 UTC 2012


https://bugs.busybox.net/show_bug.cgi?id=4550

--- Comment #31 from Franz A. <james at wolke7.net> 2012-03-18 23:21:14 UTC ---
Hi Denys,
Even though I tried to enter exactly the same answers to all the questions
during the 12 minutes of installation,
I got different results each time. As you said: strange.

After lots of tries I finally made it output a (short) backtrace:
signal in ash.c or friends: 11 address: 0x0 ip: 0x8164005
[0x816ad35]
[0x39e40c]
[0x8164005]

(gdb) disas 0x8164005
Dump of assembler code for function evalfor:
   0x08163ede <+0>:    sub    $0x2c,%esp
   0x08163ee1 <+3>:    lea    0xc(%esp),%eax
   0x08163ee5 <+7>:    mov    %eax,(%esp)
   0x08163ee8 <+10>:    call   0x815a517 <setstackmark>
   0x08163eed <+15>:    movl   $0x0,0x1c(%esp)
   0x08163ef5 <+23>:    lea    0x1c(%esp),%eax
   0x08163ef9 <+27>:    mov    %eax,0x20(%esp)
   0x08163efd <+31>:    mov    0x30(%esp),%eax
   0x08163f01 <+35>:    mov    0x4(%eax),%eax
   0x08163f04 <+38>:    mov    %eax,0x24(%esp)
   0x08163f08 <+42>:    jmp    0x8163f3e <evalfor+96>
   0x08163f0a <+44>:    movl   $0x23,0x8(%esp)
   0x08163f12 <+52>:    lea    0x1c(%esp),%eax
   0x08163f16 <+56>:    mov    %eax,0x4(%esp)
   0x08163f1a <+60>:    mov    0x24(%esp),%eax
   0x08163f1e <+64>:    mov    %eax,(%esp)
   0x08163f21 <+67>:    call   0x81622cd <expandarg>
   0x08163f26 <+72>:    mov    0x8276f42,%al
   0x08163f2b <+77>:    test   %al,%al
   0x08163f2d <+79>:    jne    0x8164026 <evalfor+328>
   0x08163f33 <+85>:    mov    0x24(%esp),%eax
   0x08163f37 <+89>:    mov    0x4(%eax),%eax
   0x08163f3a <+92>:    mov    %eax,0x24(%esp)
   0x08163f3e <+96>:    cmpl   $0x0,0x24(%esp)
   0x08163f43 <+101>:    jne    0x8163f0a <evalfor+44>
   0x08163f45 <+103>:    mov    0x20(%esp),%eax
   0x08163f49 <+107>:    movl   $0x0,(%eax)
   0x08163f4f <+113>:    movb   $0x0,0x8276f3d
   0x08163f56 <+120>:    mov    0x8276aa0,%eax
   0x08163f5b <+125>:    inc    %eax
   0x08163f5c <+126>:    mov    %eax,0x8276aa0
   0x08163f61 <+131>:    andl   $0x2,0x34(%esp)
   0x08163f66 <+136>:    mov    0x1c(%esp),%eax
   0x08163f6a <+140>:    mov    %eax,0x28(%esp)
   0x08163f6e <+144>:    jmp    0x816400b <evalfor+301>
   0x08163f73 <+149>:    mov    0x28(%esp),%eax
   0x08163f77 <+153>:    mov    0x4(%eax),%edx
   0x08163f7a <+156>:    mov    0x30(%esp),%eax
   0x08163f7e <+160>:    mov    0xc(%eax),%eax
   0x08163f81 <+163>:    movl   $0x0,0x8(%esp)
   0x08163f89 <+171>:    mov    %edx,0x4(%esp)
   0x08163f8d <+175>:    mov    %eax,(%esp)
   0x08163f90 <+178>:    call   0x815b1a4 <setvar>
   0x08163f95 <+183>:    mov    0x30(%esp),%eax                 n->  
   0x08163f99 <+187>:    mov    0x8(%eax),%eax                  n->nfor.body  
   0x08163f9c <+190>:    mov    0x34(%esp),%edx                 flags 
   0x08163fa0 <+194>:    mov    %edx,0x4(%esp)
   0x08163fa4 <+198>:    mov    %eax,(%esp)
   0x08163fa7 <+201>:    call   0x81639e5 <evaltree>           
evaltree(n->nfor.body, flags);
   0x08163fac <+206>:    mov    0x8276f42,%al                   if  (evalskip) 
   0x08163fb1 <+211>:    test   %al,%al
   0x08163fb3 <+213>:    je     0x8164001 <evalfor+291>
   0x08163fb5 <+215>:    mov    0x8276f42,%al                   {
   0x08163fba <+220>:    cmp    $0x2,%al                            evalskip ==
SKIPCONT 
   0x08163fbc <+222>:    jne    0x8163fdb <evalfor+253>
   0x08163fbe <+224>:    mov    0x8276a98,%eax
   0x08163fc3 <+229>:    dec    %eax
   0x08163fc4 <+230>:    mov    %eax,0x8276a98
   0x08163fc9 <+235>:    mov    0x8276a98,%eax
   0x08163fce <+240>:    test   %eax,%eax
   0x08163fd0 <+242>:    jg     0x8163fdb <evalfor+253>
   0x08163fd2 <+244>:    movb   $0x0,0x8276f42                 evalskip = 0;
   0x08163fd9 <+251>:    jmp    0x8164001 <evalfor+291>        continue;
   0x08163fdb <+253>:    mov    0x8276f42,%al                  evalskip ==
SKIPBREAK
   0x08163fe0 <+258>:    cmp    $0x1,%al                          ...
   0x08163fe2 <+260>:    jne    0x8164018 <evalfor+314>
   0x08163fe4 <+262>:    mov    0x8276a98,%eax
   0x08163fe9 <+267>:    dec    %eax
   0x08163fea <+268>:    mov    %eax,0x8276a98
   0x08163fef <+273>:    mov    0x8276a98,%eax
   0x08163ff4 <+278>:    test   %eax,%eax
   0x08163ff6 <+280>:    jg     0x8164018 <evalfor+314>
   0x08163ff8 <+282>:    movb   $0x0,0x8276f42                  evalskip = 0; 
   0x08163fff <+289>:    jmp    0x8164018 <evalfor+314>          break; }
   0x08164001 <+291>:    mov    0x28(%esp),%eax
   0x08164005 <+295>:    mov    (%eax),%eax           <----SEGV----  sp =
sp->next
   0x08164007 <+297>:    mov    %eax,0x28(%esp)
   0x0816400b <+301>:    cmpl   $0x0,0x28(%esp)                  ; sp ;
   0x08164010 <+306>:    jne    0x8163f73 <evalfor+149>
   0x08164016 <+312>:    jmp    0x8164019 <evalfor+315>
   0x08164018 <+314>:    nop
   0x08164019 <+315>:    mov    0x8276aa0,%eax
   0x0816401e <+320>:    dec    %eax
   0x0816401f <+321>:    mov    %eax,0x8276aa0
   0x08164024 <+326>:    jmp    0x8164027 <evalfor+329>
   0x08164026 <+328>:    nop
   0x08164027 <+329>:    lea    0xc(%esp),%eax
   0x0816402b <+333>:    mov    %eax,(%esp)
   0x0816402e <+336>:    call   0x815a55e <popstackmark>
   0x08164033 <+341>:    add    $0x2c,%esp
   0x08164036 <+344>:    ret    
End of assembler dump.
/*
 * Evaluate a `for` loop node: expand the word list in n->nfor.args once,
 * then run n->nfor.body once per resulting word with n->nfor.var bound
 * to that word.
 *
 * Globals read or written directly below: evalskip and skipcount
 * (break/continue bookkeeping, presumably set while the body runs in
 * evaltree()), loopnest and exitstatus.
 *
 * NOTE(review): the backtrace quoted above this listing faults at
 * evalfor+295, which is the load of sp->next for the loop increment,
 * with fault address 0x0.  The loop test (evalfor+301) had already
 * established sp != NULL before the body ran, so the saved sp read as
 * NULL by the time evaltree() returned.  The cause is not visible from
 * this function alone; the later glibc "malloc(): memory corruption"
 * report from the same session points at memory corruption elsewhere
 * rather than a logic error here -- confirm.
 */
static void
evalfor(union node *n, int flags)
{
    struct arglist arglist;    /* expanded words, filled in by expandarg() */
    union node *argp;          /* current unexpanded word */
    struct strlist *sp;        /* current expanded word */
    struct stackmark smark;    /* shell-stack mark; presumably releases the expansions on exit */

    setstackmark(&smark);
    arglist.list = NULL;
    arglist.lastp = &arglist.list;
    for (argp = n->nfor.args; argp; argp = argp->narg.next) {
        expandarg(argp, &arglist, EXP_FULL | EXP_TILDE | EXP_RECORD);
        /* XXX: if the expansion itself set evalskip, abandon the loop
         * without running the body (exitstatus is left untouched) */
        if (evalskip)
            goto out;
    }
    *arglist.lastp = NULL;     /* terminate the expanded word list */

    exitstatus = 0;            /* status before any body runs; an empty list leaves it 0 */
    loopnest++;
    flags &= EV_TESTED;        /* only EV_TESTED is passed down to the body */
    /* sp = sp->next below is the faulting load in the disassembly above */
    for (sp = arglist.list; sp; sp = sp->next) {
        setvar(n->nfor.var, sp->text, 0);
        evaltree(n->nfor.body, flags);
        if (evalskip) {
            /* `continue`: when the countdown reaches this loop, clear the
             * request and go on; otherwise leave evalskip set and break
             * so an enclosing loop can handle it. */
            if (evalskip == SKIPCONT && --skipcount <= 0) {
                evalskip = 0;
                continue;
            }
            /* `break`: same countdown, but this loop ends either way.
             * Any other evalskip value also ends the loop, untouched. */
            if (evalskip == SKIPBREAK && --skipcount <= 0)
                evalskip = 0;
            break;
        }
    }
    loopnest--;
 out:
    popstackmark(&smark);
}
---------------------
(gdb) disas 0x816ad35
Dump of assembler code for function handle_sigsegv:
   0x0816acc4 <+0>:    sub    $0xe8,%esp
   0x0816acca <+6>:    mov    0xf4(%esp),%eax
   0x0816acd1 <+13>:    mov    %eax,0xdc(%esp)
   0x0816acd8 <+20>:    mov    0xdc(%esp),%eax
   0x0816acdf <+27>:    mov    0x4c(%eax),%eax
   0x0816ace2 <+30>:    mov    %eax,0xe0(%esp)
   0x0816ace9 <+37>:    mov    0xf0(%esp),%eax
   0x0816acf0 <+44>:    mov    0xc(%eax),%eax
   0x0816acf3 <+47>:    mov    0xe0(%esp),%edx
   0x0816acfa <+54>:    mov    %edx,0x10(%esp)
   0x0816acfe <+58>:    mov    %eax,0xc(%esp)
   0x0816ad02 <+62>:    mov    0xec(%esp),%eax
   0x0816ad09 <+69>:    mov    %eax,0x8(%esp)
   0x0816ad0d <+73>:    movl   $0x8220460,0x4(%esp)
   0x0816ad15 <+81>:    movl   $0x2,(%esp)
   0x0816ad1c <+88>:    call   0x8062370 <dprintf>
   0x0816ad21 <+93>:    movl   $0x32,0x4(%esp)
   0x0816ad29 <+101>:    lea    0x14(%esp),%eax
   0x0816ad2d <+105>:    mov    %eax,(%esp)
   0x0816ad30 <+108>:    call   0x80a8e60 <backtrace>
   0x0816ad35 <+113>:    mov    %eax,0xe4(%esp)
   0x0816ad3c <+120>:    movl   $0x2,0x8(%esp)
   0x0816ad44 <+128>:    mov    0xe4(%esp),%eax
   0x0816ad4b <+135>:    mov    %eax,0x4(%esp)
   0x0816ad4f <+139>:    lea    0x14(%esp),%eax
   0x0816ad53 <+143>:    mov    %eax,(%esp)
   0x0816ad56 <+146>:    call   0x80a8f20 <backtrace_symbols_fd>
   0x0816ad5b <+151>:    movl   $0x270f,(%esp)
   0x0816ad62 <+158>:    call   0x8085b60 <sleep>
   0x0816ad67 <+163>:    jmp    0x816ad5b <handle_sigsegv+151>
End of assembler dump.
---------------------
(gdb) disas 0x39e40c
No function contains specified address.

I don't know if the above backtrace is really helpful, because I am not sure
that I can reproduce it.
Maybe I should learn how to do a scripted installation and then run it a
thousand times :-)

You can download today's test busybox here:
   http://members.aon.at/afp/tmp/busybox_3.bz2

Finally there was a little surprise and possible success right at the end of my
tests.
When I tried to shut down via 'kill -USR1 1' after the above SEGV in ash.c, I
got some additional information:

*** glibc detected *** /bin/busybox: malloc(): memory corruption: 0x095bb1d8
***
======= Backtrace: =========
[0x806d3bf]  ... malloc_printerr
[0x806ea4e]  ... _int_malloc
[0x80705d6]  ... malloc ... etc., just like below ...
[0x80d4a8d]
[0x80a2fb6]
[0x80a34d7]
[0x81e5aa2]
[0x81e65d7]
[0x81e665e]
[0x7a9400]
[0x7a9414]
======= Memory map: ========
007a9000-007aa000 r-xp 00000000 00:00 0          [vdso]
08048000-08273000 r-xp 00000000 00:01 5432       /bin/busybox
08273000-08275000 rw-p 0022a000 00:01 5432       /bin/busybox
08275000-0827a000 rw-p 00000000 00:00 0
095b9000-095db000 rw-p 00000000 00:00 0          [heap]
b7700000-b7721000 rw-p 00000000 00:00 0
b7721000-b7800000 ---p 00000000 00:00 0
bf958000-bf979000 rw-p 00000000 00:00 0          [stack]



signal in init.c or friends: 11 address: 0x0 ip: 0x8052f17

[0x81e69ae]  ... handle_sigsegv
[0x7a940c]   ... No function contains specified address.
[0x8052f17]  ... abort
[0x8065975]  ... __libc_message
[0x806d3bf]  ... malloc_printerr
[0x806ea4e]  ... _int_malloc
[0x80705d6]  ... malloc
[0x80d4a8d]  ... open_memstream
[0x80a2fb6]  ... __vsyslog_chk
[0x80a34d7]  ... syslog
[0x81e5aa2]  ... message
[0x81e65d7]  ... run_shutdown_and_kill_processes
[0x81e665e]  ... halt_reboot_pwoff
[0x7a9400]   ... No function contains specified address.
[0x7a9414]   ... No function contains specified address.


Best regards
Franz
