Hi!

I'm one of the upstream developers of the audio editor glame. We've
received bug reports from a Mandrake user indicating segfaults in
code that looks completely sane and works fine on other distributions.
Now, we believe we've tracked it down to the libc Mandrake uses,
specifically the version of memcpy:

Dump of assembler code for function memcpy:
0x888e0 <memcpy>:       push   %edi
0x888e1 <memcpy+1>:     push   %esi
0x888e2 <memcpy+2>:     mov    0xc(%esp,1),%edi
0x888e6 <memcpy+6>:     mov    0x10(%esp,1),%esi
0x888ea <memcpy+10>:    mov    0x14(%esp,1),%ecx

src is in esi, dest in edi. ecx contains the length.

0x888ee <memcpy+14>:    mov    %edi,%eax
0x888f0 <memcpy+16>:    cld    
0x888f1 <memcpy+17>:    cmp    $0x20,%ecx
0x888f4 <memcpy+20>:    jbe    0x8894c <memcpy+108>
0x888f6 <memcpy+22>:    neg    %eax
0x888f8 <memcpy+24>:    and    $0x3,%eax
0x888fb <memcpy+27>:    sub    %eax,%ecx
0x888fd <memcpy+29>:    xchg   %eax,%ecx
0x888fe <memcpy+30>:    repz movsb %ds:(%esi),%es:(%edi)
0x88900 <memcpy+32>:    mov    %eax,%ecx
0x88902 <memcpy+34>:    sub    $0x20,%ecx
0x88905 <memcpy+37>:    js     0x88945 <memcpy+101>
0x88907 <memcpy+39>:    mov    (%edi),%eax
0x88909 <memcpy+41>:    mov    0x1c(%edi),%edx

<memcpy+39> is where our user hits the segfaults. Indeed these two mov
instructions look bogus. They read from the destination address, which
will obviously bomb out if you memcpy to a region that's mmap()ed
PROT_WRITE-only (as glame does quite often).

0x8890c <memcpy+44>:    sub    $0x20,%ecx
0x8890f <memcpy+47>:    mov    (%esi),%eax
0x88911 <memcpy+49>:    mov    0x4(%esi),%edx

Here the results of the reads above are discarded. If there are side-effects
that might qualify as valid optimisations, I fail to see them. To me, it
looks much more like a bug in Mandrake's libc.

0x88914 <memcpy+52>:    mov    %eax,(%edi)
0x88916 <memcpy+54>:    mov    %edx,0x4(%edi)
0x88919 <memcpy+57>:    mov    0x8(%esi),%eax
0x8891c <memcpy+60>:    mov    0xc(%esi),%edx
0x8891f <memcpy+63>:    mov    %eax,0x8(%edi)
0x88922 <memcpy+66>:    mov    %edx,0xc(%edi)
0x88925 <memcpy+69>:    mov    0x10(%esi),%eax
0x88928 <memcpy+72>:    mov    0x14(%esi),%edx
0x8892b <memcpy+75>:    mov    %eax,0x10(%edi)
0x8892e <memcpy+78>:    mov    %edx,0x14(%edi)
0x88931 <memcpy+81>:    mov    0x18(%esi),%eax
0x88934 <memcpy+84>:    mov    0x1c(%esi),%edx
0x88937 <memcpy+87>:    mov    %eax,0x18(%edi)
0x8893a <memcpy+90>:    mov    %edx,0x1c(%edi)
0x8893d <memcpy+93>:    lea    0x20(%esi),%esi
0x88940 <memcpy+96>:    lea    0x20(%edi),%edi
0x88943 <memcpy+99>:    jns    0x88909 <memcpy+41>
0x88945 <memcpy+101>:   add    $0x20,%ecx
0x88948 <memcpy+104>:   mov    0xc(%esp,1),%eax
0x8894c <memcpy+108>:   repz movsb %ds:(%esi),%es:(%edi)
0x8894e <memcpy+110>:   pop    %esi
0x8894f <memcpy+111>:   pop    %edi
0x88950 <memcpy+112>:   ret    
0x88951 <memcpy+113>:   jmp    0x88960 <memcpy+128>

Comments?

Regards,

Daniel.

-- 
        GNU/Linux Audio Mechanics - http://www.glame.de
              Cutting Edge Office - http://www.c10a02.de
              GPG Key ID 89BF7E2B - http://www.keyserver.net
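The listing above can be followed more easily as C. The function below is an added illustration written for this page; it is not code from Daniel's post, from glame, or from any libc. It keeps the same three phases as the disassembly (align the destination to 4 bytes with a byte copy, move 32-byte blocks, finish with a byte copy) and keeps the two loads from the destination at memcpy+39 and memcpy+41 as volatile reads, so the translation performs the same memory accesses. Note from the listing that the jns at memcpy+99 jumps back to memcpy+41, so the load at memcpy+39 runs only once on entry to the block loop. The rep movsb and the eight 4-byte load/store pairs are written as byte loops here so the code stays portable regardless of source alignment. The self-test pattern is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Step-by-step C rendering of the control flow in the disassembled memcpy.
 * The register each variable stands for is given in the comments so each
 * step can be matched to the listing offsets (memcpy+N). */
void *memcpy_traced(void *dest, const void *src, size_t n)
{
    unsigned char *d = dest;          /* %edi */
    const unsigned char *s = src;     /* %esi */
    size_t len = n;                   /* %ecx */

    if (len > 0x20) {                 /* memcpy+17/20: cmp $0x20 ; jbe tail */
        /* memcpy+22..27: head = (-dest) & 3, bytes until dest is 4-aligned */
        size_t head = (size_t)(-(uintptr_t)d) & 3;
        len -= head;
        for (size_t i = 0; i < head; i++)   /* memcpy+30: rep movsb */
            d[i] = s[i];
        d += head;
        s += head;

        /* memcpy+34/37: ecx = len - 32; js skips the block loop entirely */
        long remaining = (long)len - 0x20;
        if (remaining >= 0) {
            /* memcpy+39: first load from the destination, executed once;
             * the jns at memcpy+99 re-enters the loop at memcpy+41 */
            (void)*(volatile uint32_t *)(void *)d;
            do {
                /* memcpy+41: second load from the destination, the last
                 * word of the 32-byte block about to be written */
                (void)*(volatile uint32_t *)(void *)(d + 0x1c);
                remaining -= 0x20;             /* memcpy+44: sub $0x20,%ecx */
                /* memcpy+47..90: eight 4-byte load/store pairs in the asm;
                 * done bytewise here so an unaligned src is portable */
                for (size_t i = 0; i < 0x20; i++)
                    d[i] = s[i];
                d += 0x20;                     /* memcpy+93: lea 0x20(%esi) */
                s += 0x20;                     /* memcpy+96: lea 0x20(%edi) */
            } while (remaining >= 0);          /* memcpy+99: jns */
        }
        len = (size_t)(remaining + 0x20);      /* memcpy+101: add $0x20,%ecx */
    }
    for (size_t i = 0; i < len; i++)           /* memcpy+108: rep movsb tail */
        d[i] = s[i];
    return dest;                               /* %eax holds the original dest */
}

/* Self-test with a constructed byte pattern: every combination of source
 * and destination misalignment (0..3) and length 0..200 is copied with
 * memcpy_traced and compared against the compiler's memcpy. Returns 1 if
 * every copy and every return value matched, 0 otherwise. */
int memcpy_traced_selftest(void)
{
    static unsigned char src[256], want[256], got[256];
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)(i * 37 + 11);
    for (size_t doff = 0; doff < 4; doff++)
        for (size_t soff = 0; soff < 4; soff++)
            for (size_t n = 0; n <= 200; n++) {
                memset(want, 0xAA, sizeof want);
                memset(got, 0xAA, sizeof got);
                memcpy(want + doff, src + soff, n);
                if (memcpy_traced(got + doff, src + soff, n) != got + doff)
                    return 0;
                if (memcmp(want, got, sizeof want) != 0)
                    return 0;
            }
    return 1;
}

int main(void)
{
    printf("memcpy_traced self-test: %s\n",
           memcpy_traced_selftest() ? "ok" : "MISMATCH");
    return 0;
}
```

The self-test only checks that the translated control flow copies correctly; it says nothing about whether the destination loads fault on a given mapping, which depends on the platform's page-permission model, not on the C.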
