RHEL7: segfault occurs in vim when unlink() is attempted

Issue

A segfault occurs in vim. According to the backtrace, the segfault appears to occur while unlink() is being called. The backtrace is shown below:

(gdb) bt
#0  0x00007f170cd0c8c7 in kill () at ../sysdeps/unix/syscall-template.S:81
#1  0x00000000005071e3 in may_core_dump () at os_unix.c:3230
#2  0x0000000000508dc5 in may_core_dump () at os_unix.c:3187
#3  mch_exit (r=1) at os_unix.c:3196
#4  0x00000000005a493b in getout (exitval=<optimized out>, exitval@entry=1) at main.c:1509
#5  0x0000000000507f5a in deathtrap (sigarg=<optimized out>) at os_unix.c:1100
#6  <signal handler called>
#7  0x00007f170e3b148c in do_lookup_x (new_hash=new_hash@entry=550380534, old_hash=old_hash@entry=0xb630a0, result=result@entry=0xb630b0,
    scope=0x7f170e5cb4c0, i=i@entry=0, flags=flags@entry=1, skip=skip@entry=0x0, undef_map=undef_map@entry=0x7f170e5cb208) at dl-lookup.c:82
#8  0x00007f170e3b1e6f in _dl_lookup_symbol_x (undef_name=0x41d965 "unlink", undef_map=0x7f170e5cb208, ref=ref@entry=0xb63168,
    symbol_scope=0x7f170e5cb560, version=0x7f170e5c2740, type_class=type_class@entry=1, flags=1, skip_map=skip_map@entry=0x0) at dl-lookup.c:739
#9  0x00007f170e3b6776 in _dl_fixup (l=<optimized out>, reloc_arg=<optimized out>) at ../elf/dl-runtime.c:113
#10 0x00007f170e3bd260 in _dl_runtime_resolve () at ../sysdeps/x86_64/dl-trampoline.S:87
#11 0x000000000049c180 in vim_rename (from=0xb6ce10 "/root/.viminft.tmp", to=0xd231d0 "/root/.viminfo") at fileio.c:6635
#12 0x0000000000000000 in ?? ()
(gdb) f 7
#7  0x00007f170e3b148c in do_lookup_x (new_hash=new_hash@entry=550380534, old_hash=old_hash@entry=0xb630a0, result=result@entry=0xb630b0,
    scope=0x7f170e5cb4c0, i=i@entry=0, flags=flags@entry=1, skip=skip@entry=0x0, undef_map=undef_map@entry=0x7f170e5cb208) at dl-lookup.c:82
(gdb) l
warning: Source file is more recent than executable.
77      do_lookup_x (const char *undef_name, uint_fast32_t new_hash,
78                   unsigned long int *old_hash, const ElfW(Sym) *ref,
79                   struct sym_val *result, struct r_scope_elem *scope, size_t i,
80                   const struct r_found_version *const version, int flags,
81                   struct link_map *skip, int type_class, struct link_map *undef_map)
82      {
83        size_t n = scope->r_nlist;
84        /* Make sure we read the value before proceeding.  Otherwise we
85           might use r_list pointing to the initial scope and r_nlist being
86           the value after a resize.  That is the only path in dl-open.c not
(gdb) disass/m
Dump of assembler code for function do_lookup_x:
77      do_lookup_x (const char *undef_name, uint_fast32_t new_hash,
   0x00007f170e3b149b <+27>:    mov    0xc8(%rsp),%rax
   0x00007f170e3b14b8 <+56>:    mov    %rdi,0x58(%rsp)
   0x00007f170e3b14bd <+61>:    mov    %rcx,0x68(%rsp)
   0x00007f170e3b14c2 <+66>:    mov    %rax,0x48(%rsp)
   0x00007f170e3b14c7 <+71>:    mov    0xd0(%rsp),%eax
   0x00007f170e3b14ce <+78>:    mov    %eax,0x74(%rsp)
   0x00007f170e3b14d2 <+82>:    mov    0xe0(%rsp),%eax
   0x00007f170e3b14d9 <+89>:    mov    %eax,0x7c(%rsp)

78                   unsigned long int *old_hash, const ElfW(Sym) *ref,
79                   struct sym_val *result, struct r_scope_elem *scope, size_t i,
80                   const struct r_found_version *const version, int flags,
81                   struct link_map *skip, int type_class, struct link_map *undef_map)
82      {
   0x00007f170e3b1480 <+0>:     push   %r15
   0x00007f170e3b1482 <+2>:     mov    %rdx,%r11
   0x00007f170e3b1485 <+5>:     push   %r14
   0x00007f170e3b1487 <+7>:     push   %r13
   0x00007f170e3b1489 <+9>:     mov    %rsi,%r13
=> 0x00007f170e3b148c <+12>:    push   %r12
   0x00007f170e3b148e <+14>:    push   %rbp
   0x00007f170e3b148f <+15>:    push   %rbx
   0x00007f170e3b1490 <+16>:    sub    $0x88,%rsp
   0x00007f170e3b14a3 <+35>:    mov    %r8,0x20(%rsp)
   0x00007f170e3b14a8 <+40>:    mov    0xc0(%rsp),%rbp
   0x00007f170e3b14b0 <+48>:    mov    0xd8(%rsp),%r15
(gdb) p $rsi
$1 = 550380534
(gdb) p $r13
$2 = 550380534

Environment

  • Red Hat Enterprise Linux 7.2 and later
  • vim-enhanced, versions between 7.4.160-1.el7 and 7.4.160-5.el7
