This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.



Re: arm-elf-ld 2.16.1 crash at bfd/elf32-arm.c:5536


Hi Shaun,

* What is the value for elf32_arm_section_data() for that section ?
(gdb) p *(struct _arm_elf_section_data *)sec->used_by_bfd

Actually could you get the value of the "sec->used_by_bfd" field ? What I would like to know is if this value was ever allocated by a call to bfd_zalloc() in elf32_arm_new_section_hook() or if the used_by_bfd field is in fact just a rubbish pointer.


  * Are there other values in the map array, and if so are they valid ?
 (ie could something else be stomping on this, correctly allocated and
  initialised, memory).

(gdb) p *map
$7 = {vma = 0, type = 22 '\026'}

Hmm - the type field is supposed to be the second character of a mapping symbol's name. I would expect this to either be a printable ASCII value or 0. 22 looks very suspicious to me.


Would it be possible for you to place a conditional breakpoint on this line in bfd/elf32-arm.c, (line 6549 in the sources I have):

map[mapcount - 1].type = name[1];

and then find out the full name of the symbol whose name[1] is 22 ? (Or if there is no such symbol).

(gdb) p mapcount
$8 = 151410616

This looks highly suspicious to me. I seriously doubt if you have that many symbols in the .data section.


I think that the elf32_section_map_data array for this particular .data section is corrupt. Either because the used_by_bfd pointer was never allocated in elf32_arm_new_section_hook() or because it was corrupted by elf32_arm_output_symbol_hook(). (Although you say that the bfd_realloc there was never called which sounds very suspicious as well. That would mean that there are no mapping symbols associated with this .data section and so the mapcount ought to be 0).

So - some more questions for you:

To which bfd is this corrupt .data section attached ? (ie what is the value of input_bfd->filename for the input_bfd that is being processed in elf_link_input_bfd() that called elf32_arm_write_section() when the seg fault happens).

How many times is the function _bfd_elf_new_section_hook() called and is that more than the number of times that elf32_arm_new_section_hook() is called ? (If so then the problem is that _bfd_elf_new_section_hook() creates an elf_section_data structure and not an arm_elf_section_data structure).

Cheers
  Nick
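An added example, not code from binutils or from either participant in this thread: a simplified stand-in for the per-section mapping-symbol array that Nick is asking Shaun to inspect. It shows how ARM ELF mapping symbols ("$a", "$t", "$d", optionally followed by ".suffix") become map entries whose type is taken from name[1], and the sanity check one would apply before trusting a map whose type reads 22 and whose mapcount reads 151410616. The struct and function names, the constructed symbol table, the section size and the "no more mapping symbols than bytes" bound are all assumptions made for the example; the real elf32_arm_section_data layout and hook functions are not reproduced here.

```c
/* Added example (not binutils code): a simplified model of the ARM
   mapping-symbol map[] array discussed in the mail, plus the sanity
   checks one would put in a gdb breakpoint condition. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the per-section map entry; the field names
   mirror the gdb output in the mail ("vma" and "type"). */
struct arm_map_entry {
    unsigned long vma;   /* assumed here to be an offset within the section */
    char type;           /* second character of the mapping symbol name */
};

/* Constructed, minimal symbol-table record for the example. */
struct sym { const char *name; unsigned long value; };

/* ARM ELF mapping symbols are named "$a" (ARM code), "$t" (Thumb code)
   or "$d" (data), optionally followed by ".<anything>". */
static int is_mapping_symbol(const char *name)
{
    if (name == NULL || name[0] != '$')
        return 0;
    if (name[1] != 'a' && name[1] != 't' && name[1] != 'd')
        return 0;
    return name[2] == '\0' || name[2] == '.';
}

/* Build the map the way the mail describes the linker doing it: one
   entry per mapping symbol, type copied from name[1].  Caller frees. */
static struct arm_map_entry *build_map(const struct sym *syms, size_t nsyms,
                                       size_t *mapcount)
{
    struct arm_map_entry *map = NULL;
    size_t count = 0;
    for (size_t i = 0; i < nsyms; i++) {
        if (!is_mapping_symbol(syms[i].name))
            continue;
        struct arm_map_entry *tmp = realloc(map, (count + 1) * sizeof *map);
        if (tmp == NULL) { free(map); *mapcount = 0; return NULL; }
        map = tmp;
        map[count].vma = syms[i].value;
        map[count].type = syms[i].name[1];   /* the assignment Nick points at */
        count++;
    }
    *mapcount = count;
    return map;
}

/* Sanity check: every type must be one of the mapping letters (or 0 for
   an unused slot), every vma must lie inside the section, and there
   cannot be more mapping symbols than bytes in the section.  The values
   quoted in the mail (type 22, mapcount 151410616) fail this. */
static int map_looks_sane(const struct arm_map_entry *map, size_t mapcount,
                          size_t section_size)
{
    if (mapcount > section_size)
        return 0;
    if (mapcount > 0 && map == NULL)
        return 0;
    for (size_t i = 0; i < mapcount; i++) {
        char t = map[i].type;
        if (t != 0 && t != 'a' && t != 't' && t != 'd')
            return 0;
        if (map[i].vma >= section_size)
            return 0;
    }
    return 1;
}

/* Worked run over a constructed .text symbol table (0x80 bytes).
   Returns 1 when five mapping symbols are found and the map is sane. */
static int demo_good_section(void)
{
    static const struct sym syms[] = {
        { ".text", 0x00 }, { "$a", 0x00 }, { "main", 0x00 },
        { "$d", 0x20 },    { "$a.1", 0x28 }, { "$t", 0x40 }, { "$d", 0x60 },
    };
    size_t n = 0;
    struct arm_map_entry *map = build_map(syms, sizeof syms / sizeof *syms, &n);
    int ok = map_looks_sane(map, n, 0x80);
    printf("%zu mapping symbols, sane=%d\n", n, ok);
    free(map);
    return ok && n == 5;
}

/* Reproduce the two suspicious readings from the mail on a valid map
   and confirm the check rejects both.  Returns 1 if both are rejected. */
static int demo_corrupt_readings(void)
{
    static const struct sym syms[] = { { "$a", 0x00 }, { "$d", 0x10 } };
    size_t n = 0;
    struct arm_map_entry *map = build_map(syms, 2, &n);
    int rejects_bad_type, rejects_bad_count;
    rejects_bad_count = !map_looks_sane(map, 151410616u, 0x20);
    map[0].type = 22;                       /* the '\026' seen in gdb */
    rejects_bad_type = !map_looks_sane(map, n, 0x20);
    free(map);
    return rejects_bad_type && rejects_bad_count;
}

int main(void)
{
    return (demo_good_section() && demo_corrupt_readings()) ? 0 : 1;
}
```

In gdb the equivalent of map_looks_sane() at the point Nick names is a conditional breakpoint such as `break bfd/elf32-arm.c:6549 if name[1] == 22`, followed by `commands`, `print name`, `print mapcount`, `end`, so that only the symbol producing the bad type stops the linker; if it never fires, the type byte was not written by that line and the used_by_bfd pointer itself is the thing to check.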

