
[Bug ld/22706] bfd/elf32-sh.c fails asserts without additional informati


From: slyfox at inbox dot ru
Subject: [Bug ld/22706] bfd/elf32-sh.c fails asserts without additional information: sh4-unknown-linux-gnu-ld: BFD assertion fail bfd/elf32-sh.c:5171
Date: Tue, 24 Jul 2018 22:47:21 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22706

--- Comment #5 from Sergei Trofimovich <slyfox at inbox dot ru> ---
Managed to craft an object file to trigger needed asserts.

As a bonus the test also causes out-of-bounds read access in ld and causes
SIGSEGV:

    # cat bug.S
    # trying to trigger BFD_ASSERTs to make errors better:
    #   https://sourceware.org/PR22706
    # originally was found on toolchain that hits those asserts
    # and makes failures hard to discover

    .text
    .globl _start
    _start:
        .word 0
        .word 0
        .word 0

    .globl bar
    .hidden bar
    bar:
        .word 0
        .word 0
        .word 0

    .reloc _start, R_SH_TLS_LE_32, bar-5
    .reloc _start, R_SH_TLS_IE_32, bar-5
    .reloc _start, R_SH_TLS_GD_32, bar-5

Triggering (already patched binutils to produce nicer failures):

    $ sh4-unknown-linux-gnu-as bug.S -o bug.o
    $ sh4-unknown-linux-gnu-ld -m shlelf_linux -dynamic-linker /lib/ld-linux.so.2 -o bug.elf bug.o
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5156
    sh4-unknown-linux-gnu-ld: bug.o(.text+0xfffffffffffffff6): unexpected instruction 0000 (expected 0xd0??, mov.l)
    sh4-unknown-linux-gnu-ld: bug.o(.text+0xfffffffffffffff8): unexpected instruction 0021 (expected 0x0?12, stc)
    sh4-unknown-linux-gnu-ld: bug.o(.text+0xfffffffffffffffa): unexpected instruction 0000 (expected 0x0?ce, mov.l)
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5115
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5126
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5128
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5130
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5132
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5134
    sh4-unknown-linux-gnu-ld: BFD (Gentoo 2.30 p3) 2.30.0 assertion fail /tmp/portage-tmpdir/portage/cross-sh4-unknown-linux-gnu/binutils-2.30-r3/work/binutils-2.30/bfd/elf32-sh.c:5136
    free(): invalid size
    ./do.sh: line 7: 17526 Aborted                 (core dumped) sh4-unknown-linux-gnu-ld -m shlelf_linux -dynamic-linker /lib/ld-linux.so.2 -o bug.elf bug.o

valgrind suggests SIGSEGV might be related to out-of-bounds write:

    ==22276== Invalid read of size 2
    ==22276==    at 0x4E790A0: bfd_getl16 (libbfd.c:505)
    ==22276==    by 0x4E91634: sh_elf_relocate_section (elf32-sh.c:5159)
    ==22276==    by 0x4EB870F: elf_link_input_bfd (elflink.c:10715)
    ==22276==    by 0x4EBA25E: bfd_elf_final_link (elflink.c:12033)
    ==22276==    by 0x1294CE: ldwrite (ldwrite.c:581)
    ==22276==    by 0x11202F: main (ldmain.c:456)
    ==22276==  Address 0x596b806 is 10 bytes before a block of size 12 alloc'd
    ==22276==    at 0x4C2CE6F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==22276==    by 0x4E78E81: bfd_malloc (libbfd.c:193)
    ==22276==    by 0x4EB9DE0: bfd_elf_final_link (elflink.c:11910)
    ==22276==    by 0x1294CE: ldwrite (ldwrite.c:581)
    ==22276==    by 0x11202F: main (ldmain.c:456)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
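
The trace in the comment above shows a 16-bit read 10 bytes before a 12-byte buffer, which matches relocations placed at offset 0 of .text. The following is an added example, not code from the original message or from binutils: it sketches the bounds check a relocation handler needs before inspecting instructions at negative offsets from r_offset. The names check_tls_window, win_status, bug_text and good_text are hypothetical, the sample buffers are constructed, and the opcode masks are taken from the "unexpected instruction" messages in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum win_status { WIN_OK = 0, WIN_OUT_OF_BOUNDS = -1, WIN_BAD_INSN = -2 };

/* Expected opcodes, from the diagnostics in the log above:
   0xd0?? at r_offset-10, 0x0?12 at r_offset-8, 0x0?ce at r_offset-6. */
static const struct { size_t back; uint16_t mask, want; } tls_window[] = {
    { 10, 0xff00, 0xd000 },   /* mov.l */
    {  8, 0xf0ff, 0x0012 },   /* stc   */
    {  6, 0xf0ff, 0x00ce },   /* mov.l */
};

/* Constructed sample: 12 zero bytes, like .text of bug.S (six ".word 0"). */
static const uint8_t bug_text[12] = { 0 };
/* Constructed sample: the expected sequence at offsets 0..5, zero padding after. */
static const uint8_t good_text[16] = { 0x04, 0xd0, 0x12, 0x00, 0xce, 0x00 };

/* Little-endian 16-bit load. */
static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Hypothetical helper: validate every look-back offset against the section
   bounds before touching memory, then compare against the expected opcode. */
enum win_status check_tls_window(const uint8_t *contents, size_t size,
                                 uint64_t r_offset)
{
    size_t i;
    if (r_offset > size)
        return WIN_OUT_OF_BOUNDS;            /* relocation past section end */
    for (i = 0; i < sizeof tls_window / sizeof tls_window[0]; i++) {
        if (r_offset < tls_window[i].back)
            return WIN_OUT_OF_BOUNDS;        /* r_offset - back would wrap */
        size_t at = (size_t)r_offset - tls_window[i].back;
        if (size - at < 2)
            return WIN_OUT_OF_BOUNDS;        /* 2-byte read would overrun */
        if ((get_le16(contents + at) & tls_window[i].mask) != tls_window[i].want)
            return WIN_BAD_INSN;             /* report instead of asserting */
    }
    return WIN_OK;
}

int main(void)
{
    printf("bug.S layout, r_offset=0:  %d\n", check_tls_window(bug_text, 12, 0));
    printf("valid window, r_offset=10: %d\n", check_tls_window(good_text, 16, 10));
    return 0;
}
```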


reply via email to

[Prev in Thread] Current Thread [Next in Thread]