[Mesa-dev] [Bug 108933] Unreal Tournament (UT99) segfault on opengl init

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Dec 12 17:28:44 UTC 2018


https://bugs.freedesktop.org/show_bug.cgi?id=108933

--- Comment #14 from iive at yahoo.com ---
I'm still puzzled by a number of things related to this bug and the export of
"__dynamic_cast".

If I rename it to "__dyn_cast_old" in Core.so, the game exits with "undefined
__dyn_cast_old". It does so during the start of "some" game levels. It turned
out this might be related to lazy linking.

Using "LD_BIND_NOW=1" causes the "undefined" error to happen at load time.


Now you said that it is an export. So I assumed that some of the other modules
might use it, but the original string is available only in two other modules
and they are NullDrv.so and NullRender.so. These are not (usually) used by the
game and are not loaded. Making the same change in them makes no difference.

Nothing else in the game contains the string "dynamic_cast"... I'm starting to
suspect some UUID or hashes might be involved.

objdump -dtT Core.so seems to show __dynamic_cast at PLT and a
__dynamic_cast@@BASE function that contains executable code, probably from the
static library.


Playing with LD_DEBUG=all, it seems like if libstdc++ is loaded at some point,
the __dynamic_cast of that library would be used.
Here are excerpts from the log:

---
      6449:     symbol=__dynamic_cast;  lookup in file=./ut-bin [0]
      6449:     symbol=__dynamic_cast;  lookup in file=/lib/libdl.so.2 [0]
      6449:     symbol=__dynamic_cast;  lookup in file=/lib/libnsl.so.1 [0]
      6449:     symbol=__dynamic_cast;  lookup in file=/lib/libpthread.so.0 [0]
      6449:     symbol=__dynamic_cast;  lookup in file=./Engine.so [0]
      6449:     symbol=__dynamic_cast;  lookup in file=./Core.so [0]
      6449:     binding file ./Core.so [0] to ./Core.so [0]: normal symbol `__dynamic_cast'
[...]
      6449:     binding file /usr/lib/libstdc++.so.6 [0] to /usr/lib/libstdc++.so.6 [0]: normal symbol `_ZNSo9_M_insertIxEERSoT_' [GLIBCXX_3.4.9]
      6449:     symbol=__dynamic_cast;  lookup in file=./ut-bin [0]
      6449:     symbol=__dynamic_cast;  lookup in file=/lib/libdl.so.2 [0]
      6449:     symbol=__dynamic_cast;  lookup in file=/lib/libnsl.so.1 [0]
      6449:     symbol=__dynamic_cast;  lookup in file=/lib/libpthread.so.0 [0]
      6449:     symbol=__dynamic_cast;  lookup in file=./Engine.so [0]
      6449:     symbol=__dynamic_cast;  lookup in file=./Core.so [0]
      6449:     binding file /usr/lib/libstdc++.so.6 [0] to ./Core.so [0]: normal symbol `__dynamic_cast' [CXXABI_1.3]
---

The last part is most interesting to me, because it points out that the symbol
comes with a specific (old) API, meaning that it should already be versioned.
Or rather, that this function should be used only with this ABI.

I also confirmed that the Core.so __dynamic_cast is used, by tracing the
assembly call with gdb. It is the Core.so variant that tries to execute code at
an address that is not mapped in memory (that's why valgrind says illegal
instruction; all memory access with it succeeds).

I also tried `LD_PRELOAD=/usr/lib/libstdc++.so.6 ./ut-bin` . It lets the game
start, but it segfaults when you start certain levels (aka when the game uses
__dynamic_cast() on its own, just like with the lazy binding).

I may try to bisect... if I manage to clone the repo, compile a working version,
etc...
IMHO this is a gcc/libstdc++ regression and it should be reported to them.

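A small model of the dynamic linker's symbol lookup, added here as an illustration and not part of the bug report or of the game's code: it walks the lookup scope in the order the LD_DEBUG excerpt above searched it and reproduces why libstdc++'s versioned CXXABI_1.3 reference to __dynamic_cast is bound to Core.so's unversioned export, and why LD_BIND_NOW=1 turns a missing symbol into a load-time failure. Object names and exports are constructed from the excerpt; the version rule is a simplification of glibc's check_match (an unversioned definition satisfies even a versioned reference).

```python
from dataclasses import dataclass, field


@dataclass
class SharedObject:
    """One loaded ELF object; `exports` maps symbol name -> version name.
    None means an unversioned export (what objdump shows as Base)."""
    name: str
    exports: dict = field(default_factory=dict)


def resolve(scope, symbol, version=None):
    """Return (defining object, its version) for a reference to `symbol`.

    Walks the global scope in load order, like ld.so: the first definition
    that passes the version check wins. Simplified from glibc's check_match:
    an unversioned definition satisfies even a versioned reference, which
    is why Core.so captures libstdc++'s own CXXABI_1.3 lookup."""
    for obj in scope:
        if symbol not in obj.exports:
            continue
        defined = obj.exports[symbol]
        if version is None or defined is None or defined == version:
            return obj.name, defined
    raise LookupError(f"undefined symbol: {symbol}")


def scope_from_log():
    """Global scope in the order the LD_DEBUG=all excerpt searched it
    (constructed from the excerpt; only the exports it mentions are listed)."""
    return [
        SharedObject("./ut-bin"),
        SharedObject("/lib/libdl.so.2"),
        SharedObject("/lib/libnsl.so.1"),
        SharedObject("/lib/libpthread.so.0"),
        SharedObject("./Engine.so"),
        SharedObject("./Core.so", {"__dynamic_cast": None}),
        SharedObject("/usr/lib/libstdc++.so.6", {
            "__dynamic_cast": "CXXABI_1.3",
            "_ZNSo9_M_insertIxEERSoT_": "GLIBCXX_3.4.9",
        }),
    ]


def bind_now(scope, references):
    """Resolve every (symbol, version) reference up front, as LD_BIND_NOW=1
    does; a missing symbol therefore fails here, at load time, rather than
    when the game first calls it through a lazily bound PLT slot."""
    return {sym: resolve(scope, sym, ver) for sym, ver in references}
```

Replacing `None` on Core.so's export with a real version name makes the CXXABI_1.3 lookup fall through to libstdc++, which is the check the author's "should already be versioned" remark is getting at.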