From: Shai V. <sva...@gm...> - 2009-02-06 13:25:33
Hello Henry,

Here's the output from gdb:

====== START GDB OUTPUT ======
C:\Program Files\coLinux>\MinGW\bin\gdb.exe colinux-slirp-net-daemon-dbg.exe
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-mingw32"...
(gdb) set args -i 5244 -u 0
(gdb) run
Starting program: C:\Program Files\coLinux/colinux-slirp-net-daemon-dbg.exe -i 5244 -u 0
conet-slirp-daemon: running

Program received signal SIGSEGV, Segmentation fault.
tcp_input (m=0xaba528, iphlen=20, inso=0xe07ef8) at src/colinux/user/slirp/tcp_input.c:1460
1460            if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
(gdb) print ti
$1 = (struct tcpiphdr *) 0xaba55c
(gdb) print ti->ti_len
There is no member named ti_len.
(gdb) print ti->ti_i.ih_len
Cannot access memory at address 0xaba566
(gdb) print ti->ti_i
Cannot access memory at address 0xaba55c
(gdb)
====== END GDB OUTPUT ======

As you can see, ti_len is not a member of ti, it's a macro, per file tcpip.h in the slirp source directory (see line 40):

struct tcpiphdr {
        struct  ipovly ti_i;            /* overlaid ip structure */
        struct  tcphdr ti_t;            /* tcp header */
};
#define ti_next         ti_i.ih_next
#define ti_prev         ti_i.ih_prev
#define ti_x1           ti_i.ih_x1
#define ti_pr           ti_i.ih_pr
#define ti_len          ti_i.ih_len
#define ti_src          ti_i.ih_src
#define ti_dst          ti_i.ih_dst
#define ti_sport        ti_t.th_sport
#define ti_dport        ti_t.th_dport

And at line 65:

/*
 * Just a clean way to get to the first byte
 * of the packet
 */
struct tcpiphdr_2 {
        struct tcpiphdr dummy;
        char first_char;
};

So I've tried to access it using the explicit name for gdb, that is, ti->ti_i.ih_len, but it appears ti is pointing to a memory area which is not inside its own memory space, causing a segmentation fault.
That's also why I can't access any of the values in the ti structure.

Here's gdb's backtrace:

====== START GDB OUTPUT ======
(gdb) bt
#0  tcp_input (m=0xaba528, iphlen=20, inso=0xe07ef8) at src/colinux/user/slirp/tcp_input.c:1460
#1  0x00402b90 in tcp_input (m=0x9ca850, iphlen=2358284, inso=0x23fb08) at src/colinux/user/slirp/tcp_input.c:1403
#2  0x00402b90 in tcp_input (m=0x40cc50, iphlen=206528, inso=0x23ff68) at src/colinux/user/slirp/tcp_input.c:1403
#3  0x00402b90 in tcp_input (m=0xffffffff, iphlen=2147315712, inso=0x23ffb0) at src/colinux/user/slirp/tcp_input.c:1403
#4  0x00402b90 in tcp_input (m=0x23ff68, iphlen=9, inso=0x23fff0) at src/colinux/user/slirp/tcp_input.c:1403
#5  0x00402b90 in tcp_input (m=0xffffffff, iphlen=0, inso=0x7ffd7000) at src/colinux/user/slirp/tcp_input.c:1403
#6  0x00402b90 in tcp_input (m=0x32ac0, iphlen=0, inso=0x78746341) at src/colinux/user/slirp/tcp_input.c:1403
#7  0x00402b90 in tcp_input (m=Cannot access memory at address 0xffffff98
) at src/colinux/user/slirp/tcp_input.c:1403
Previous frame inner to this frame (corrupt stack?)
(gdb) up
#1  0x00402b90 in tcp_input (m=0x9ca850, iphlen=2358284, inso=0x23fb08) at src/colinux/user/slirp/tcp_input.c:1403
1403            switch (tp->t_state) {
====== END GDB OUTPUT ======

Thanks,
- Shai

On Fri, Feb 6, 2009 at 2:07 AM, Henry Nestler <hen...@ar...> wrote:
> Hello Shai,
>
>> Shai Vaingast wrote:
>>>
>>> I've caused this to happen several times and it seems that the crash
>>> happens at the same point (i.e., same IP, same call stack, same
>>> disassembly location, etc.)
>>>
>>> Call stack:
>>> COLINUX-SLIRP-NET-DAEMON! 00402b90()
>>> COLINUX-SLIRP-NET-DAEMON! 004089db()
>>> COLINUX-SLIRP-NET-DAEMON! 00401d77()
>>> COLINUX-SLIRP-NET-DAEMON! 0040130d()
>>> COLINUX-SLIRP-NET-DAEMON! 00401247()
>>> COLINUX-SLIRP-NET-DAEMON! 00401298()
>>> KERNEL32! 7c817067()
>
> The stack with labels:
> COLINUX-SLIRP-NET-DAEMON! 00402b90() _tcp_input+0x5f0
> COLINUX-SLIRP-NET-DAEMON! 004089db() _slirp_select_poll+0x11b
> COLINUX-SLIRP-NET-DAEMON! 00401d77() _co_slirp_main+0x237
> COLINUX-SLIRP-NET-DAEMON! 0040130d() _main+0x2d
> COLINUX-SLIRP-NET-DAEMON! 00401247() ___mingw_CRTStartup+0xf7
> COLINUX-SLIRP-NET-DAEMON! 00401298() _mainCRTStartup+0x18
>
>>> Registers:
>>> EAX = 00000001 EBX = 00000002
>>> ECX = 77C2C2E3 EDX = 00030608
>>> ESI = 0051B03C EDI = 005143E0
>>> EIP = 00402B90 ESP = 0023FA20
>>> EBP = 0023FA98 EFL = 00000246
>>> [...]
>>> CS = 001B DS = 0023 ES = 0023 SS = 0023
>>> FS = 003B GS = 0000 OV=0 UP=0 EI=1 PL=0
>>> ZR=1 AC=0 PE=1 CY=0
>>>
>>> 0051B046 = ????
>>>
>>> [...]
>>> CTRL = 037F STAT = 0000 TAGS = FFFF
>>> EIP = 00000000
>>> CS = 0000 DS = 0000 EDO = 00000000
>>>
>>> Disassembly (current location is 00402B90, I've added a few lines
>>> before as well).
>>> 00402B66 je          00402B90
>>> 00402B68 mov         ecx,dword ptr [ebp-30h]
>>> 00402B6B cmp         word ptr [ecx+8],9
>>> 00402B70 jle         00402D67
>>> 00402B76 mov         edi,dword ptr [ebp-30h]
>>> 00402B79 mov         eax,dword ptr [edi+8]
>>> 00402B7C sub         eax,3
>>> 00402B7F cmp         ax,7
>>> 00402B83 jbe         00402D5D
>>> 00402B89 lea         esi,[esi]
>>> ---> 00402B90 movzx  eax,word ptr [esi+0Ah]
>>> 00402B94 dec         eax
>>> 00402B95 cmp         ax,4
>>> 00402B99 ja          00402BA5
>
> OK.
> I have the same from "objdump":
>
> src/colinux/user/slirp/tcp_input.c:1403
>   402b76:       8b 7d d0                mov    0xffffffd0(%ebp),%edi
>   402b79:       8b 47 08                mov    0x8(%edi),%eax
>   402b7c:       83 e8 03                sub    $0x3,%eax
>   402b7f:       66 83 f8 07             cmp    $0x7,%ax
>   402b83:       0f 86 d4 01 00 00       jbe    402d5d <_tcp_input+0x7bd>
>   402b89:       8d b4 26 00 00 00 00    lea    0x0(%esi),%esi
> src/colinux/user/slirp/tcp_input.c:1460
> ===> 402b90:    0f b7 46 0a             movzwl 0xa(%esi),%eax   <===
>   402b94:       48                      dec    %eax
>   402b95:       66 83 f8 04             cmp    $0x4,%ax
>   402b99:       77 0a                   ja     402ba5 <_tcp_input+0x605>
>   402b9b:       80 7e 28 1b             cmpb   $0x1b,0x28(%esi)
>   402b9f:       0f 84 e6 01 00 00       je     402d8b <_tcp_input+0x7eb>
> src/colinux/user/slirp/tcp_input.c:1468
>   402ba5:       8b 45 b4                mov    0xffffffb4(%ebp),%eax
>   402ba8:       85 c0                   test   %eax,%eax
>   402baa:       75 0d                   jne    402bb9 <_tcp_input+0x619>
>   402bac:       8b 4d d0                mov    0xffffffd0(%ebp),%ecx
>   402baf:       f6 41 1c 01             testb  $0x1,0x1c(%ecx)
>   402bb3:       0f 84 29 fe ff ff       je     4029e2 <_tcp_input+0x442>
> src/colinux/user/slirp/tcp_input.c:1469
>
> Here is this source line number 1460 on SF:
> http://colinux.svn.sourceforge.net/viewvc/colinux/branches/devel/src/colinux/user/slirp/tcp_input.c?view=markup#l_1460
>
> I don't see the problem.
> This is not the "first_char == (char)27", this I can see later as assembler
> "$0x1b".
>
> I have created an executable [1] with full debug (-ggdb). It would be nice
> if you start this under gdb.exe. Please use gdb-6.3-2.exe from the "Release
> Candidate: gdb-6.3" [2].
>
> Install GDB and copy the SLiRP with debug version into your coLinux
> installation. The name is different to avoid problems. This special build
> you can use with coLinux version 0.7.3 or with one of the 0.8.0. Please use
> the coLinux version you have currently installed; don't change or replace
> any coLinux exe files.
>
> Here is a small step guide for a GDB session:
> * First run coLinux in the normal way.
> * Note the current parameters of colinux-slirp-net-daemon.exe; with
>   "Process Explorer" [3] you can do it.
> * Kill the current colinux-slirp-net-daemon.exe, ignore the warning message.
> * Open a new Windows command prompt, change into the coLinux directory and
>   run GDB.EXE with colinux-slirp-net-daemon-dbg.exe, for example:
>   C:\colinux> C:\mingw\bin\gdb colinux-slirp-net-daemon-dbg.exe
> * Set the parameters you noted in step 2, for example:
>   (gdb) set args -i 2496 -u 0
> * Run the SLiRP:
>   (gdb) run
> * Now use your network (SLiRP) in your error case to force the crash.
> * After the crash you should see any variable that was out of range. (I
>   hope)
> * Please print the "backtrace" from such a session.
>
> If GDB needs any source, I think "src/colinux/user/slirp/tcp_input.c" would
> be needed. Then create such a source tree under your current install
> directory ("C:\colinux" in my example) and store the file tcp_input.c there.
> Or unpack the complete source. Then GDB should give some more details about
> the variables. So, my hope.
> Use the gdb command "print" and try to give us an output from the variables
> "ti", "ti->ti_len" and "((struct tcpiphdr_2 *)ti)->first_char".
>
> [1] http://www.henrynestler.com/colinux/testing/devel-0.8.0/20090205-Snapshot/packages/colinux-slirp-net-daemon-dbg.zip
> [2] http://sourceforge.net/project/showfiles.php?group_id=2435&package_id=20507&release_id=38019
> [3] technet.microsoft.com/en-us/sysinternals/bb896653.aspx
>
> --
> Henry N.
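An added example, not code from this thread or from coLinux/SLiRP: it models the 32-bit layout of struct tcpiphdr from the tcpip.h excerpt above (assuming the classic BSD ipovly field order, with caddr_t modelled as a 32-bit integer), so the ti_len and first_char offsets can be compared with the 0xa and 0x28 displacements in the disassembly, and adds a bounds check a caller could apply to a tcpiphdr pointer before dereferencing it. The function names and the sample buffer are assumptions made for the example.

```c
/* Added example, not code from the thread or from coLinux/SLiRP. Models the
 * 32-bit layout of slirp's struct tcpiphdr (assumption: classic BSD ipovly
 * field order, caddr_t modelled as uint32_t) and a bounds check that rejects a
 * tcpiphdr pointer that does not fit inside the buffer it should point into. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct ipovly {                 /* overlaid ip structure */
    uint32_t ih_next, ih_prev;  /* caddr_t on the 32-bit build */
    uint8_t  ih_x1, ih_pr;      /* (unused), protocol */
    uint16_t ih_len;            /* protocol length, reached as ti->ti_len */
    uint32_t ih_src, ih_dst;    /* source / destination address */
};
struct tcphdr {                 /* 20-byte TCP header */
    uint16_t th_sport, th_dport;
    uint32_t th_seq, th_ack;
    uint8_t  th_off_x2, th_flags;
    uint16_t th_win, th_sum, th_urp;
};
struct tcpiphdr {               /* same overlay and macro as in tcpip.h */
    struct ipovly ti_i;
    struct tcphdr ti_t;
};
#define ti_len ti_i.ih_len
struct tcpiphdr_2 {             /* first byte of the packet after the headers */
    struct tcpiphdr dummy;
    char first_char;
};
/* These offsets are the displacements seen in the disassembly: 0xa and 0x28. */
size_t ti_len_offset(void)     { return offsetof(struct tcpiphdr, ti_len); }
size_t first_char_offset(void) { return offsetof(struct tcpiphdr_2, first_char); }

/* 1 if a whole tcpiphdr_2 starting at ti lies inside [buf, buf + buflen). */
int tcpiphdr_in_bounds(const unsigned char *buf, size_t buflen, const void *ti)
{
    const unsigned char *p = ti;
    if (p < buf || p >= buf + buflen)
        return 0;
    return (size_t)(buf + buflen - p) >= sizeof(struct tcpiphdr_2);
}
static unsigned char sample_mbuf[64];   /* constructed stand-in for an mbuf body */
int main(void)
{
    printf("ti_len +0x%zx, first_char +0x%zx\n", ti_len_offset(), first_char_offset());
    printf("at start: %d, 40 bytes in: %d\n",
           tcpiphdr_in_bounds(sample_mbuf, sizeof sample_mbuf, sample_mbuf),
           tcpiphdr_in_bounds(sample_mbuf, sizeof sample_mbuf, sample_mbuf + 40));
    return 0;
}
```

The second call is the situation gdb reported above: the pointer is inside the process but the header it is supposed to describe runs past the end of the buffer, so reading ti->ti_len touches memory that is not part of the packet.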