Bug#886496: libopengl-perl: glutTimerFunc: Segmentation fault
Bernhard Übelacker
bernhardu at mailbox.org
Mon Jan 7 17:50:50 GMT 2019
Dear Maintainer,
I tried to have a look at this segfault.
It seems this is a case of pointer truncation.
In the following location [1] a pointer is cast to int (pogl_glut.xs:1021), which on amd64 discards its upper 32 bits (0x55555586b470 becomes 0x5586b470),
and the truncated value is stored at freeglut_callbacks.c:115 into the field ID of an SFG_Timer struct.
This later leads [2] to the crash, when Perl_av_fetch tries to dereference that truncated pointer.
Therefore this function seems broken on all architectures
where sizeof(void*) > sizeof(int).
I can only guess from the field name ID that this field is not intended to store pointers,
and that libopengl-perl might therefore need some kind of mapping from pointers to IDs.
Kind regards,
Bernhard
[1]
Thread 1 "perl" hit Breakpoint 1, glutTimerFunc (timeOut=timeOut at entry=1000, callback=callback at entry=0x7ffff785cf90 <generic_glut_timer_handler>, timerID=timerID at entry=1434891376) at freeglut_callbacks.c:98
98 {
(gdb) next
101 FREEGLUT_EXIT_IF_NOT_INITIALISED ( "glutTimerFunc" );
(gdb)
98 {
(gdb)
101 FREEGLUT_EXIT_IF_NOT_INITIALISED ( "glutTimerFunc" );
(gdb)
103 if( (timer = fgState.FreeTimers.Last) )
(gdb)
109 if( ! (timer = malloc(sizeof(SFG_Timer))) )
(gdb)
114 timer->Callback = callback;
(gdb)
115 timer->ID = timerID;
(gdb) print timerID
$1 = 1434891376
(gdb) print/x timerID
$2 = 0x5586b470
(gdb) up
#1 0x00007ffff7865a14 in XS_OpenGL_glutTimerFunc (my_perl=<optimized out>, cv=<optimized out>) at pogl_glut.xs:1021
1021 glutTimerFunc(msecs, generic_glut_timer_handler, (int)handler_data);
(gdb) print handler_data
$3 = (AV *) 0x55555586b470
(gdb) bt
#0 glutTimerFunc (timeOut=timeOut at entry=1000, callback=callback at entry=0x7ffff785cf90 <generic_glut_timer_handler>, timerID=timerID at entry=1434891376) at freeglut_callbacks.c:115
#1 0x00007ffff7865a14 in XS_OpenGL_glutTimerFunc (my_perl=<optimized out>, cv=<optimized out>) at pogl_glut.xs:1021
#2 0x000055555563fd11 in Perl_pp_entersub ()
#3 0x0000555555636026 in Perl_runops_standard ()
#4 0x00005555555b2097 in perl_run ()
#5 0x0000555555588402 in main ()
[2]
(gdb) cont
Continuing.
Thread 1 "perl" received signal SIGSEGV, Segmentation fault.
0x0000555555634b03 in Perl_av_fetch ()
(gdb) bt
#0 0x0000555555634b03 in Perl_av_fetch ()
#1 0x00007ffff785cfcd in generic_glut_timer_handler (value=1434891376) at pogl_glut.xs:452
#2 0x00007ffff72dae24 in fghCheckTimers () at freeglut_main.c:324
#3 glutMainLoopEvent () at freeglut_main.c:1521
#4 0x00007ffff72db6a5 in glutMainLoop () at freeglut_main.c:1571
#5 0x00007ffff78680d4 in XS_OpenGL_glutMainLoop (my_perl=<optimized out>, cv=0x555555c33d98) at pogl_glut.c:791
#6 0x000055555563fd11 in Perl_pp_entersub ()
#7 0x0000555555636026 in Perl_runops_standard ()
#8 0x00005555555b2097 in perl_run ()
#9 0x0000555555588402 in main ()
(gdb) up
#1 0x00007ffff785cfcd in generic_glut_timer_handler (value=1434891376) at pogl_glut.xs:452
452 handler = *av_fetch(handler_data, 0, 0);
(gdb) print handler_data
$4 = (AV *) 0x5586b470
(gdb) up
#2 0x00007ffff72dae24 in fghCheckTimers () at freeglut_main.c:324
324 timer->Callback( timer->ID );
(gdb) print timer->ID
$5 = 1434891376
(gdb) print/x timer->ID
$6 = 0x5586b470
# Buster amd64 qemu VM
apt install systemd-coredump gdb mc xserver-xorg lightdm openbox libopengl-perl libopengl-perl-dbgsym freeglut3-dbgsym
apt install devscripts dpkg-dev
systemctl start lightdm
mkdir source/libopengl-perl/orig -p
cd source/libopengl-perl/orig
apt source libopengl-perl
cd
mkdir source/freeglut3/orig -p
cd source/freeglut3/orig
apt source freeglut3
cd
export DISPLAY=:0
perl -e 'use OpenGL ":all"; glutInit(); glutCreateWindow("title"); glutTimerFunc(1000,sub{}); glutMainLoop();'
benutzer at debian:~$ perl -e 'use OpenGL ":all"; glutInit(); glutCreateWindow("title"); glutTimerFunc(1000,sub{}); glutMainLoop();'
Speicherzugriffsfehler (Speicherabzug geschrieben)
root at debian:~# coredumpctl list
TIME PID UID GID SIG COREFILE EXE
Mon 2019-01-07 17:52:34 CET 21003 1000 1000 11 present /usr/bin/perl
root at debian:~# coredumpctl gdb 21003
PID: 21003 (perl)
UID: 1000 (benutzer)
GID: 1000 (benutzer)
Signal: 11 (SEGV)
Timestamp: Mon 2019-01-07 17:52:33 CET (28s ago)
Command Line: perl -e use OpenGL ":all"; glutInit(); glutCreateWindow("title"); glutTimerFunc(1000,sub{}); glutMainLoop();
Executable: /usr/bin/perl
Control Group: /user.slice/user-1000.slice/session-3.scope
Unit: session-3.scope
Slice: user-1000.slice
Session: 3
Owner UID: 1000 (benutzer)
Boot ID: acee30c7da674fe9bd5375e03eb824e7
Machine ID: 32f43b50ac8c4b21941bc0b02f8e7811
Hostname: debian
Storage: /var/lib/systemd/coredump/core.perl.1000.acee30c7da674fe9bd5375e03eb824e7.21003.1546879953000000.lz4
Message: Process 21003 (perl) of user 1000 dumped core.
Stack trace of thread 21003:
#0 0x0000561f31dc7b03 Perl_av_fetch (perl)
#1 0x00007f60e4103fcd n/a (OpenGL.so)
#2 0x00007f60e3b81e24 glutMainLoopEvent (libglut.so.3)
#3 0x00007f60e3b826a5 glutMainLoop (libglut.so.3)
#4 0x00007f60e410f0d4 n/a (OpenGL.so)
#5 0x0000561f31dd2d11 Perl_pp_entersub (perl)
#6 0x0000561f31dc9026 Perl_runops_standard (perl)
#7 0x0000561f31d45097 perl_run (perl)
#8 0x0000561f31d1b402 main (perl)
#9 0x00007f60e452509b __libc_start_main (libc.so.6)
#10 0x0000561f31d1b44a _start (perl)
...
Core was generated by `perl -e use OpenGL ":all"; glutInit(); glutCreateWindow("title"); glutTimerFunc'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000561f31dc7b03 in Perl_av_fetch ()
[Current thread is 1 (Thread 0x7f60e44c61c0 (LWP 21003))]
(gdb) set pagination off
(gdb) set width 0
(gdb) directory /home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg
Source directories searched: /home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg:$cdir:$cwd
(gdb) directory /home/benutzer/source/freeglut3/orig/freeglut-2.8.1
Source directories searched: /home/benutzer/source/freeglut3/orig/freeglut-2.8.1:/home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg:$cdir:$cwd
(gdb) directory /home/benutzer/source/freeglut3/orig/freeglut-2.8.1/src
Source directories searched: /home/benutzer/source/freeglut3/orig/freeglut-2.8.1/src:/home/benutzer/source/freeglut3/orig/freeglut-2.8.1:/home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg:$cdir:$cwd
(gdb) bt
#0 0x0000561f31dc7b03 in Perl_av_fetch ()
#1 0x00007f60e4103fcd in generic_glut_timer_handler (value=844162160) at pogl_glut.xs:452
#2 0x00007f60e3b81e24 in fghCheckTimers () at freeglut_main.c:324
#3 glutMainLoopEvent () at freeglut_main.c:1521
#4 0x00007f60e3b826a5 in glutMainLoop () at freeglut_main.c:1571
#5 0x00007f60e410f0d4 in XS_OpenGL_glutMainLoop (my_perl=<optimized out>, cv=0x561f328d7230) at pogl_glut.c:791
#6 0x0000561f31dd2d11 in Perl_pp_entersub ()
#7 0x0000561f31dc9026 in Perl_runops_standard ()
#8 0x0000561f31d45097 in perl_run ()
#9 0x0000561f31d1b402 in main ()
(gdb) up
#1 0x00007f60e4103fcd in generic_glut_timer_handler (value=844162160) at pogl_glut.xs:452
452 handler = *av_fetch(handler_data, 0, 0);
(gdb) print handler_data
$1 = (AV *) 0x3250e470
(gdb) print *handler_data
Cannot access memory at address 0x3250e470
(gdb) list generic_glut_timer_handler
443
444 /* Callback for glutTimerFunc */
445 static void generic_glut_timer_handler(int value)
446 {
447 AV * handler_data = (AV*)value;
448 SV * handler;
449 int i;
450 dSP;
451
452 handler = *av_fetch(handler_data, 0, 0);
453
454 GLUT_PUSHMARK(sp);
455 GLUT_EXTEND_STACK(sp,av_len(handler_data));
456 for (i=1;i<=av_len(handler_data);i++)
457 GLUT_PUSH_NEW_SV(*av_fetch(handler_data, i, 0));
458
459 PUTBACK;
460 DO_perl_call_sv(handler, G_DISCARD);
461
462 SvREFCNT_dec(handler_data);
463 }
464
(gdb) up
#2 0x00007f60e3b81e24 in fghCheckTimers () at freeglut_main.c:324
324 timer->Callback( timer->ID );
(gdb) print timer->ID
$2 = 844162160
(gdb) list fghCheckTimers
307 /*
308 * Check the global timers
309 */
310 static void fghCheckTimers( void )
311 {
312 long checkTime = fgElapsedTime( );
313
314 while( fgState.Timers.First )
315 {
316 SFG_Timer *timer = fgState.Timers.First;
317
318 if( timer->TriggerTime > checkTime )
319 break;
320
321 fgListRemove( &fgState.Timers, &timer->Node );
322 fgListAppend( &fgState.FreeTimers, &timer->Node );
323
324 timer->Callback( timer->ID );
325 }
326 }
###########
benutzer at debian:~$ gdb -q --args /usr/bin/perl -e 'use OpenGL ":all"; glutInit(); glutCreateWindow("title"); glutTimerFunc(1000,sub{}); glutMainLoop();'
Reading symbols from /usr/bin/perl...(no debugging symbols found)...done.
(gdb) set pagination off
(gdb) set width 0
(gdb) directory /home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg
Source directories searched: /home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg:$cdir:$cwd
(gdb) directory /home/benutzer/source/freeglut3/orig/freeglut-2.8.1/src
Source directories searched: /home/benutzer/source/freeglut3/orig/freeglut-2.8.1/src:/home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg:$cdir:$cwd
(gdb) b glutTimerFunc
Function "glutTimerFunc" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (glutTimerFunc) pending.
(gdb) run
Starting program: /usr/bin/perl -e use\ OpenGL\ \":all\"\;\ glutInit\(\)\;\ glutCreateWindow\(\"title\"\)\;\ glutTimerFunc\(1000,sub\{\}\)\;\ glutMainLoop\(\)\;
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff1085700 (LWP 21536)]
[New Thread 0x7ffff0884700 (LWP 21537)]
[New Thread 0x7fffebfff700 (LWP 21538)]
[New Thread 0x7fffeb7fe700 (LWP 21539)]
[New Thread 0x7fffeaffd700 (LWP 21540)]
[New Thread 0x7fffea7fc700 (LWP 21541)]
[New Thread 0x7fffe9ffb700 (LWP 21542)]
[New Thread 0x7fffe97fa700 (LWP 21543)]
[New Thread 0x7fffe8ff9700 (LWP 21544)]
[New Thread 0x7fffcbfff700 (LWP 21545)]
[New Thread 0x7fffcb7fe700 (LWP 21546)]
[New Thread 0x7fffcaffd700 (LWP 21547)]
Thread 1 "perl" hit Breakpoint 1, glutTimerFunc (timeOut=timeOut at entry=1000, callback=callback at entry=0x7ffff785cf90 <generic_glut_timer_handler>, timerID=timerID at entry=1434891376) at freeglut_callbacks.c:98
98 {
(gdb) next
101 FREEGLUT_EXIT_IF_NOT_INITIALISED ( "glutTimerFunc" );
(gdb)
98 {
(gdb)
101 FREEGLUT_EXIT_IF_NOT_INITIALISED ( "glutTimerFunc" );
(gdb)
103 if( (timer = fgState.FreeTimers.Last) )
(gdb)
109 if( ! (timer = malloc(sizeof(SFG_Timer))) )
(gdb)
114 timer->Callback = callback;
(gdb)
115 timer->ID = timerID;
(gdb) print timerID
$1 = 1434891376
(gdb) print/x timerID
$2 = 0x5586b470
(gdb) up
#1 0x00007ffff7865a14 in XS_OpenGL_glutTimerFunc (my_perl=<optimized out>, cv=<optimized out>) at pogl_glut.xs:1021
1021 glutTimerFunc(msecs, generic_glut_timer_handler, (int)handler_data);
(gdb) print handler_data
$3 = (AV *) 0x55555586b470
(gdb) bt
#0 glutTimerFunc (timeOut=timeOut at entry=1000, callback=callback at entry=0x7ffff785cf90 <generic_glut_timer_handler>, timerID=timerID at entry=1434891376) at freeglut_callbacks.c:115
#1 0x00007ffff7865a14 in XS_OpenGL_glutTimerFunc (my_perl=<optimized out>, cv=<optimized out>) at pogl_glut.xs:1021
#2 0x000055555563fd11 in Perl_pp_entersub ()
#3 0x0000555555636026 in Perl_runops_standard ()
#4 0x00005555555b2097 in perl_run ()
#5 0x0000555555588402 in main ()
(gdb) cont
Continuing.
Thread 1 "perl" received signal SIGSEGV, Segmentation fault.
0x0000555555634b03 in Perl_av_fetch ()
(gdb) bt
#0 0x0000555555634b03 in Perl_av_fetch ()
#1 0x00007ffff785cfcd in generic_glut_timer_handler (value=1434891376) at pogl_glut.xs:452
#2 0x00007ffff72dae24 in fghCheckTimers () at freeglut_main.c:324
#3 glutMainLoopEvent () at freeglut_main.c:1521
#4 0x00007ffff72db6a5 in glutMainLoop () at freeglut_main.c:1571
#5 0x00007ffff78680d4 in XS_OpenGL_glutMainLoop (my_perl=<optimized out>, cv=0x555555c33d98) at pogl_glut.c:791
#6 0x000055555563fd11 in Perl_pp_entersub ()
#7 0x0000555555636026 in Perl_runops_standard ()
#8 0x00005555555b2097 in perl_run ()
#9 0x0000555555588402 in main ()
(gdb) up
#1 0x00007ffff785cfcd in generic_glut_timer_handler (value=1434891376) at pogl_glut.xs:452
452 handler = *av_fetch(handler_data, 0, 0);
(gdb) print handler_data
$4 = (AV *) 0x5586b470
(gdb) up
#2 0x00007ffff72dae24 in fghCheckTimers () at freeglut_main.c:324
324 timer->Callback( timer->ID );
(gdb) print timer->ID
$5 = 1434891376
(gdb) print/x timer->ID
$6 = 0x5586b470
(gdb) info share
From To Syms Read Shared Object Library
0x00007ffff7fd6090 0x00007ffff7ff3b80 Yes /lib64/ld-linux-x86-64.so.2
0x00007ffff7fc0130 0x00007ffff7fc0e75 Yes /lib/x86_64-linux-gnu/libdl.so.2
0x00007ffff7e49270 0x00007ffff7ee7302 Yes /lib/x86_64-linux-gnu/libm.so.6
0x00007ffff7e215b0 0x00007ffff7e2f5c1 Yes /lib/x86_64-linux-gnu/libpthread.so.0
0x00007ffff7c7c320 0x00007ffff7dc27ab Yes /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7c211a0 0x00007ffff7c263a0 Yes /lib/x86_64-linux-gnu/libcrypt.so.1
0x00007ffff7819620 0x00007ffff78f82e8 Yes /usr/lib/x86_64-linux-gnu/perl5/5.28/auto/OpenGL/OpenGL.so
0x00007ffff77b5220 0x00007ffff77b85df Yes (*) /usr/lib/x86_64-linux-gnu/libGL.so.1
0x00007ffff75076d0 0x00007ffff7559b13 Yes (*) /usr/lib/x86_64-linux-gnu/libGLU.so.1
0x00007ffff72d0070 0x00007ffff72e17f9 Yes /usr/lib/x86_64-linux-gnu/libglut.so.3
0x00007ffff7196950 0x00007ffff721d796 Yes (*) /usr/lib/x86_64-linux-gnu/libX11.so.6
0x00007ffff7147460 0x00007ffff71511f5 Yes (*) /usr/lib/x86_64-linux-gnu/libGLX.so.0
0x00007ffff70c7280 0x00007ffff70ca0a7 Yes (*) /usr/lib/x86_64-linux-gnu/libGLdispatch.so.0
0x00007ffff6f90470 0x00007ffff703830e Yes (*) /usr/lib/x86_64-linux-gnu/libstdc++.so.6
0x00007ffff6eed2e0 0x00007ffff6efdb6d Yes (*) /lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff6cdb700 0x00007ffff6ce549f Yes (*) /usr/lib/x86_64-linux-gnu/libXext.so.6
0x00007ffff6aca1d0 0x00007ffff6ad4a27 Yes (*) /usr/lib/x86_64-linux-gnu/libXi.so.6
0x00007ffff68c2fa0 0x00007ffff68c5878 Yes (*) /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1
0x00007ffff68a4710 0x00007ffff68b6b15 Yes (*) /usr/lib/x86_64-linux-gnu/libxcb.so.1
0x00007ffff6694e60 0x00007ffff6695ba9 Yes (*) /usr/lib/x86_64-linux-gnu/libXau.so.6
0x00007ffff648f340 0x00007ffff6490c48 Yes (*) /usr/lib/x86_64-linux-gnu/libXdmcp.so.6
0x00007ffff627aec0 0x00007ffff6288b45 Yes (*) /lib/x86_64-linux-gnu/libbsd.so.0
0x00007ffff626f3b0 0x00007ffff627248c Yes /lib/x86_64-linux-gnu/librt.so.1
0x00007ffff620de40 0x00007ffff624f44e Yes (*) /usr/lib/x86_64-linux-gnu/libGLX_mesa.so.0
0x00007ffff5fd83d0 0x00007ffff5feba70 Yes (*) /lib/x86_64-linux-gnu/libz.so.1
0x00007ffff5f9d130 0x00007ffff5fbd023 Yes (*) /lib/x86_64-linux-gnu/libexpat.so.1
0x00007ffff5f950c0 0x00007ffff5f95e93 Yes (*) /usr/lib/x86_64-linux-gnu/libxcb-dri3.so.0
0x00007ffff5f8c080 0x00007ffff5f8e68a Yes (*) /usr/lib/x86_64-linux-gnu/libxcb-xfixes.so.0
0x00007ffff5f85070 0x00007ffff5f858d6 Yes (*) /usr/lib/x86_64-linux-gnu/libxcb-present.so.0
0x00007ffff5f7d120 0x00007ffff5f7f1a2 Yes (*) /usr/lib/x86_64-linux-gnu/libxcb-sync.so.1
0x00007ffff5d78960 0x00007ffff5d78c2c Yes (*) /usr/lib/x86_64-linux-gnu/libxshmfence.so.1
0x00007ffff5d50100 0x00007ffff5d5bbf4 Yes (*) /usr/lib/x86_64-linux-gnu/libglapi.so.0
0x00007ffff5b42b90 0x00007ffff5b4347b Yes (*) /usr/lib/x86_64-linux-gnu/libXdamage.so.1
0x00007ffff593d590 0x00007ffff593f8c6 Yes (*) /usr/lib/x86_64-linux-gnu/libXfixes.so.3
0x00007ffff5938040 0x00007ffff593811b Yes (*) /usr/lib/x86_64-linux-gnu/libX11-xcb.so.1
0x00007ffff59250b0 0x00007ffff592d4d5 Yes (*) /usr/lib/x86_64-linux-gnu/libxcb-glx.so.0
0x00007ffff5915090 0x00007ffff59161d5 Yes (*) /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.0
0x00007ffff5904570 0x00007ffff590cd9b Yes (*) /usr/lib/x86_64-linux-gnu/libdrm.so.2
0x00007ffff4bf3730 0x00007ffff542116e Yes (*) /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
0x00007ffff4b67320 0x00007ffff4b6b16c Yes (*) /usr/lib/x86_64-linux-gnu/libdrm_nouveau.so.2
0x00007ffff4b591b0 0x00007ffff4b60ac2 Yes (*) /usr/lib/x86_64-linux-gnu/libdrm_radeon.so.1
0x00007ffff4b4e3d0 0x00007ffff4b5239d Yes (*) /usr/lib/x86_64-linux-gnu/libdrm_amdgpu.so.1
0x00007ffff4b33350 0x00007ffff4b43e05 Yes (*) /usr/lib/x86_64-linux-gnu/libelf.so.1
0x00007ffff1985fa0 0x00007ffff365c07f Yes (*) /usr/lib/x86_64-linux-gnu/libLLVM-7.so.1
0x00007ffff11132d0 0x00007ffff1117b4a Yes (*) /usr/lib/x86_64-linux-gnu/libffi.so.6
0x00007ffff10e2b80 0x00007ffff10fbfd0 Yes (*) /usr/lib/x86_64-linux-gnu/libedit.so.2
0x00007ffff10ba940 0x00007ffff10c7d68 Yes (*) /lib/x86_64-linux-gnu/libtinfo.so.6
(*): Shared library is missing debugging information.
##########
set pagination off
set width 0
directory /home/benutzer/source/libopengl-perl/orig/libopengl-perl-0.7000+dfsg
directory /home/benutzer/source/freeglut3/orig/freeglut-2.8.1/src