Could anybody please point me in the right direction as to why this mov instruction is causing a segfault? This is what it looks like when the core file gets loaded into gdb...
(gdb) x/8i $rip-4
0x198f6f79: nop
0x198f6f7a: nop
0x198f6f7b: nop
0x198f6f7c: nop
=> 0x198f6f7d: mov DWORD PTR ds:0x401bb410,0x2a
0x198f6f88: mov r8d,DWORD PTR ds:0x401bb4b4
0x198f6f90: movsd xmm7,QWORD PTR [r8+0x30]
0x198f6f96: cvttsd2si eax,xmm7
0x401bb410 seems like a valid address
(gdb) x/1w 0x401bb410
0x401bb410: 0x00000022
(gdb) x/1wd 0x401bb410
0x401bb410: 34
DS is set to zero
(gdb) i r
rax 0xc 12
rbx 0x4125bf70 1092992880
rcx 0x4125c1c0 1092993472
rdx 0x9 9
rsi 0x4125bf70 1092992880
rdi 0xfffffffb411f0580 -20382284416
rbp 0x8 0x8
rsp 0x7ffc4acc78f0 0x7ffc4acc78f0
r8 0x426bf980 1114372480
r9 0x10 16
r10 0x10 16
r11 0x51ad0c 5352716
r12 0x426bf980 1114372480
r13 0x7fade525af58 140384850521944
r14 0x8 8
r15 0xc 12
rip 0x198f6f7d 0x198f6f7d
eflags 0x10297 [ CF PF AF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
And the address in $rip seems to be marked as CODE, so there should be no NX, right?
(gdb) maintenance info sections
Core file:
`/root/core_1478876914_15894', file type elf64-x86-64.
...
[17] 0x198e0000->0x19900000 at 0x00853000: load5 ALLOC LOAD READONLY CODE HAS_CONTENTS
Am I missing something obvious here? ngx_http_lua_run_thread calls lua_resume(orig_coctx->co, nrets), which passes execution to LuaJIT compiled with -fomit-frame-pointer
(gdb) bt
#0 0x00000000198f6f7d in ?? ()
#1 0x0000000040d90798 in ?? ()
#2 0x000000000051c7b1 in lj_vm_inshook ()
#3 0x00000000004daada in ngx_http_lua_run_thread (L=0xfffffffb411f0580, L@entry=0x401bb378, r=0x4125bf70, r@entry=0x7fade4f03710, ctx=0x9, ctx@entry=0x7fade525af30, nrets=0)
at ../modules/lua-nginx-module/src/ngx_http_lua_util.c:1005
...
Using openresty-gdb-utils gives me the LuaJIT trace number
(gdb) ltracebymcode $rip
(GCtrace*)0x431168b8 (trace #42)
machine code start addr: 0x198f6f7d
machine code end addr: 0x198f7155
And it dumps the IR code for the trace (which I do not understand at all yet)
(gdb) lir 42
(GCtrace*)0x431168b8
IR count: 36
---- TRACE 42 start 3/? mymodules_handlers.lua:97
---- TRACE 42 IR
.... SNAP #0 [ ---- ]
0001 rax > int SLOAD #7 CRI
0002 > int LE 0001 +2147483646
0003 rbp int SLOAD #6 CI
0004 r12 > tab SLOAD #2 T
0005 int FLOAD 0004 tab.hmask
0006 > int EQ 0005 +15
0007 r11 p32 FLOAD 0004 tab.node
0008 > p32 HREFK 0007 "features" @6
0009 rdx > tab HLOAD 0008
0010 rsi int FLOAD 0009 tab.asize
0011 > int ULE 0010 0003
0012 xmm0 num CONV 0003 num.int
0013 r10 p32 HREF 0009 0012
0014 > tru HLOAD 0013
0015 r9 > tab SLOAD #3 T
0016 int FLOAD 0015 tab.asize
0017 > p32 ABC 0016 0001
0018 rcx p32 FLOAD 0015 tab.array
0019 p32 AREF 0018 0003
0020 > fun ALOAD 0019
0021 > tab SLOAD #1 T
0022 > fun EQ 0020 mymodules_features.lua:208
0023 rbp + int ADD 0003 +1
.... SNAP #1 [ ---- ---- ---- ---- ---- true ]
0024 > int LE 0023 0001
.... SNAP #2 [ ---- ---- ---- ---- ---- true 0023 0001 ---- 0023 ]
0025 ------------ LOOP ------------
0026 > int UGE 0023 0010
0027 xmm7 num CONV 0023 num.int
0028 rbx p32 HREF 0009 0027
0029 > tru HLOAD 0028
0030 p32 AREF 0018 0023
0031 > fun ALOAD 0030
0032 > fun EQ 0031 mymodules_features.lua:208
0033 rbp + int ADD 0023 +1
.... SNAP #3 [ ---- ---- ---- ---- ---- true ]
0034 > int LE 0033 0001
0035 rbp int PHI 0023 0033
Any advice is highly appreciated, and more information can be provided; I've been stuck with segfaults like this for days.
Thanks a lot champs!
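One check worth keeping next to the `x/1w` probe above is whether the page is writable, not only readable: a load from an address succeeding in gdb does not show that a store to it can succeed. The following C program is an added example, not code from the question or from OpenResty/LuaJIT; it assumes Linux on x86-64, maps one page PROT_READ, and shows that a load works while a store to the same address raises SIGSEGV, with the handler reporting the faulting address and the write bit of the page-fault error code (REG_ERR).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <ucontext.h>
static sigjmp_buf recover;
static volatile sig_atomic_t fault_was_write;
static void *volatile fault_addr;
/* SIGSEGV handler: record si_addr and, on x86-64 Linux, whether the
 * access was a write (bit 1 of the page-fault error code in REG_ERR),
 * then unwind back into the probe instead of dying. */
static void on_segv(int sig, siginfo_t *si, void *uc_)
{
    (void)sig;
    fault_addr = si->si_addr;
#if defined(__x86_64__)
    ucontext_t *uc = uc_;
    fault_was_write = (uc->uc_mcontext.gregs[REG_ERR] & 2) != 0;
#else
    (void)uc_;
    fault_was_write = -1; /* unknown on this architecture */
#endif
    siglongjmp(recover, 1);
}
/* Map one page PROT_READ, then load from it and store to it.
 * Returns 1 when the load succeeds and the store faults at that address. */
int readable_but_not_writable(void)
{
    volatile int *p = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    struct sigaction sa = {0}, old;
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int result = 0;
    if (sigsetjmp(recover, 1) == 0) {
        int v = *p;   /* the load works, just as `x/1w` did on the core */
        (void)v;
        *p = 0x2a;    /* the store, like a `mov DWORD PTR ..., 0x2a`, faults */
    } else {
        result = (fault_addr == (void *)p) && fault_was_write != 0;
    }
    sigaction(SIGSEGV, &old, NULL); /* restore the previous handler */
    munmap((void *)p, 4096);
    return result;
}
```

In a live process the same distinction is visible in `info proc mappings` (or /proc/PID/maps); a core file keeps the bytes but not always the original protection bits, so the load succeeding in gdb is not proof the page was writable.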