
Chris Coulson (chrisccoulson) wrote : Re: Firefox built with gcc-4.5 is a non-starter on i386

Ok, with a good build, I see the following:

(gdb) print arenas[0]
$1 = (arena_t *) 0xf58d2040
(gdb) print &arenas[0]
$2 = (arena_t **) 0xf58d2000

Inside arena_malloc:

(gdb) print arena
$3 = (arena_t *) 0xf58d2040

Yay \o/

And:

(gdb) info registers
eax 0xf59d3870 -174245776
ecx 0x3 3
edx 0xfffffffc -4
ebx 0x80548e8 134564072
esp 0xffffd484 0xffffd484
ebp 0xffffd4dc 0xffffd4dc
esi 0x160 352
edi 0xf58d2040 -175300544
eip 0x804f0af 0x804f0af <malloc+159>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99

And the interesting bit of malloc disassembled:

   0x0804f010 <+0>: push %ebp
   0x0804f011 <+1>: mov %esp,%ebp
   0x0804f013 <+3>: sub $0x58,%esp
   0x0804f016 <+6>: mov %ebx,-0xc(%ebp)
   0x0804f019 <+9>: call 0x8049853 <__i686.get_pc_thunk.bx>
   0x0804f01e <+14>: add $0x58ca,%ebx
   0x0804f024 <+20>: mov %esi,-0x8(%ebp)
   0x0804f027 <+23>: mov 0x8(%ebp),%esi
   0x0804f02a <+26>: mov %edi,-0x4(%ebp)
   0x0804f02d <+29>: cmpb $0x0,0x1230(%ebx)
   0x0804f034 <+36>: je 0x804f068 <malloc+88>
   0x0804f036 <+38>: test %esi,%esi
   0x0804f038 <+40>: jne 0x804f03e <malloc+46>
   0x0804f03a <+42>: mov $0x1,%si
   0x0804f03e <+46>: cmp 0x194(%ebx),%esi
   0x0804f044 <+52>: jbe 0x804f090 <malloc+128>
   0x0804f046 <+54>: mov %esi,%eax
   0x0804f048 <+56>: call 0x804e5f0 <huge_malloc>
   0x0804f04d <+61>: mov %eax,%esi
   0x0804f04f <+63>: test %esi,%esi
   0x0804f051 <+65>: je 0x804f071 <malloc+97>
   0x0804f053 <+67>: mov %esi,%eax
   0x0804f055 <+69>: mov -0xc(%ebp),%ebx
   0x0804f058 <+72>: mov -0x8(%ebp),%esi
   0x0804f05b <+75>: mov -0x4(%ebp),%edi
   0x0804f05e <+78>: mov %ebp,%esp
   0x0804f060 <+80>: pop %ebp
   0x0804f061 <+81>: ret
   0x0804f062 <+82>: lea 0x0(%esi),%esi
   0x0804f068 <+88>: call 0x804cee0 <malloc_init_hard>
   0x0804f06d <+93>: test %al,%al
   0x0804f06f <+95>: je 0x804f036 <malloc+38>
   0x0804f071 <+97>: call 0x804929c <__errno_location@plt>
   0x0804f076 <+102>: xor %esi,%esi
   0x0804f078 <+104>: movl $0xc,(%eax)
   0x0804f07e <+110>: mov %esi,%eax
   0x0804f080 <+112>: mov -0xc(%ebp),%ebx
   0x0804f083 <+115>: mov -0x8(%ebp),%esi
   0x0804f086 <+118>: mov -0x4(%ebp),%edi
   0x0804f089 <+121>: mov %ebp,%esp
   0x0804f08b <+123>: pop %ebp
   0x0804f08c <+124>: ret
   0x0804f08d <+125>: lea 0x0(%esi),%esi
   0x0804f090 <+128>: mov %gs:0x0,%eax
   0x0804f096 <+134>: nop
   0x0804f097 <+135>: lea 0x0(%esi,%eiz,1),%esi
   0x0804f09b <+139>: lea 0xfffffffc,%edx
   0x0804f0a1 <+145>: mov %edx,-0x1c(%ebp)
   0x0804f0a4 <+148>: mov (%edx,%eax,1),%edi
   0x0804f0a7 <+151>: test %edi,%edi
   0x0804f0a9 <+153>: je 0x804f2e0 <malloc+720>
   0x0804f0af <+159>: cmp 0x120c(%ebx),%esi
   0x0804f0b5 <+165>: ja 0x804f220 <malloc+528>
   0x0804f0bb <+171>: cmp 0x1204(%ebx),%esi
   0x0804f0c1 <+177>: jae 0x804f1d8 <malloc+456>
   0x0804f0c7 <+183>: sub $0x1,%esi
   0x0804f0ca <+186>: xor %ecx,%ecx
   0x0804f0cc <+188>: mov %esi,%edx
   0x0804f0ce <+190>: shr %edx
   0x0804f0d0 <+192>: or %esi,%edx
   0x0804f0d2 <+194>: mov %edx,%eax
   0x0804f0d4 <+196>: shr $0x2,%eax
   0x0804f0d7 <+199>: or %edx,%eax
   0x0804f0d9 <+201>: mov %eax,%edx
   0x0804f0db <+203>: shr $0x4,%edx
   0x0804f0de <+206>: or %eax,%edx
   0x0804f0e0 <+208>: mov %edx,%eax
   0x0804f0e2 <+210>: shr $0x8,%eax
   0x0804f0e5 <+213>: or %edx,%eax
   0x0804f0e7 <+215>: mov %eax,%esi
   0x0804f0e9 <+217>: shr $0x10,%esi
   0x0804f0ec <+220>: or %eax,%esi
   0x0804f0ee <+222>: add $0x1,%esi
   0x0804f0f1 <+225>: mov %esi,%eax
   0x0804f0f3 <+227>: shr $0x2,%eax
   0x0804f0f6 <+230>: bsf %eax,%eax
   0x0804f0f9 <+233>: sete %cl
   0x0804f0fc <+236>: neg %ecx
   0x0804f0fe <+238>: or %ecx,%eax
   0x0804f100 <+240>: add $0x1,%eax
   0x0804f103 <+243>: cmp $0x1,%esi
   0x0804f106 <+246>: lea (%eax,%eax,8),%eax
   0x0804f109 <+249>: lea 0x94(%edi,%eax,8),%eax
   0x0804f110 <+256>: mov %esi,-0x24(%ebp)
   0x0804f113 <+259>: mov %eax,-0x1c(%ebp)
   0x0804f116 <+262>: jbe 0x804f3c8 <malloc+952>
   0x0804f11c <+268>: mov %edi,(%esp)
   0x0804f11f <+271>: call 0x804934c <pthread_mutex_lock@plt>

Note that the instruction sequence that previously looked suspicious now looks like this:

   0x0804f090 <+128>: mov %gs:0x0,%eax
   0x0804f09b <+139>: lea 0xfffffffc,%edx
   0x0804f0a4 <+148>: mov (%edx,%eax,1),%edi

...with eax=0xf59d3870 and edx=0xfffffffc, this loads the contents of 0xf59d386c into edi, and:

(gdb) print *0xf59d386c
$5 = -175300544

(which is 0xf58d2040, i.e. the valid pointer we expect in arena_malloc)

/me pops champagne cork