Fix ia64 clone2 (pthread_create) tracing with -f

Mon Jun 30 16:40:49 UTC 2008

Hi,

this testcase crashes the child on ia64:

$ cat >thread.c <<EOH; gcc -o thread thread.c -pthread; strace -f ./thread
#include <pthread.h>
void *start (void *arg) { return arg; }
pthread_t thread1;
int main () { pthread_create (&thread1, NULL, start, NULL); sleep (1); return 0; }
EOH
execve("./thread", ["./thread"], [/* 41 vars */]) = 1
...
clone2(Process 8979 attached
child_stack=0x200000000031c000, stack_size=0x9feb80, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x2000000000d1b2d0, tls=0x2000000000d1b910, child_tidptr=0x2000000000d1b2d0) = 8979
...
[pid  8978] nanosleep({1, 0},  <unfinished ...>
[pid  8979] --- SIGSEGV (Segmentation fault) @ 2000000000236d20 (3d0f00) ---
Process 8979 detached
+++ killed by SIGSEGV +++

In the case of `child_stack=0' (such as is in the case of FORK glibc call) or
for the parent of the `child_stack!=0' sample above the call RESTORE_ARG0 still
rewrites a memory not containing the modifying syscall argument, just in such
case nothing crashes.  In the case of a new stack (a child of PTHREAD_CREATE)
RESTORE_ARG0 corrupts the IN0 stacked register and glibc crashes at
glibc/sysdeps/unix/sysv/linux/ia64/clone2.S:
1:      ld8 out1=[in0],8        /* Retrieve code pointer.       */

IMO according to ia64 RSE (Register Stack Engine) IMO there is no access for
the caller to the passed registers after the callee returns, therefore
RESTORE_ARG* should be a nop there.  Still a review from someone with a better
RSE proficiency regarding the kernel syscalls would be useful.

Fix tested on RHEL-5 kernel-2.6.18-94.el5.ia64.  Older kernels (such as
kernel-2.6.18-53.el5.ia64) do not crash as they have a bug causing strace not
tracing the children (as strace is unable to force CLONE_PTRACE there).
Sorry for no ia64 vanilla kernels testing.


Regards,
Jan
-------------- next part --------------
2008-06-30  Jan Kratochvil  <jan.kratochvil at redhat.com>

	Fix ia64 `-f' on CLONE2 formerly crashing the child.
	* util.c [IA64] (restore_arg0, restore_arg1): Define as empty.

--- util.c	20 May 2008 00:34:34 -0000	1.75
+++ util.c	30 Jun 2008 16:23:00 -0000
@@ -1379,6 +1379,12 @@ set_arg1 (struct tcb *tcp, arg_setup_sta
 	return errno ? -1 : 0;
 }
 
+/* ia64 does not return the input arguments from functions (and syscalls)
+   according to ia64 RSE (Register Stack Engine) behavior.  */
+
+# define restore_arg0(tcp, state, val) ((void) (state), 0)
+# define restore_arg1(tcp, state, val) ((void) (state), 0)
+
 #elif defined (SPARC) || defined (SPARC64)
 
 typedef struct regs arg_setup_state;
