Re: What is the purpose of %fs?
John Reiser wrote:
> Josef Moellers wrote:
>
>> While trying to analyse a problem with snmpd, I stumbled across
>> instructions in the tls/libc that reference %fs. Where could I find
>> information about the contents of that segment?
>>
>> I've single-stepped through a small printf("Hello, world")-program but
>> have found no instruction which populates this segment, yet it seems to
>> exist and contains data.
>
> It provides an addressing space for thread-local storage ("TLS").

I thought so.

> See __NR_set_thread_area, __NR_get_thread_area in /usr/include/asm/unistd.h
> and the code for clone() in the glibc sources in
> glibc-2.3.5/sysdeps/unix/sysv/linux/i386/clone.S .

Thanks, I'll follow this.

> Note that clone() takes 7 arguments as glibc routine,
> but only 5 as a system call.  One of the arguments is
> the address to use for the base of %fs (or %gs, depending on machine.)

Strange thing is that snmpd (my target of investigation, see below) is single-threaded!

> Note that glibc considers this to be none of your business.

When I need to find out what's happening, it _is_ my business.

In our setup, snmpd crashes during startup of our own sub-agents and we have set things up so it dumps core. One of the cores shows a stack trace where vfprintf calls strlen(0x7). Unfortunately, I cannot find this value 0x7 in vfprintf's parameters (as far as I can find them, which is pretty nasty in x86_64)!
So I tried to trace vfprintf's execution (using a perl script that interprets disassembled machine code) and it references %fs and later branches depending upon the values read from TLS.


We also use ElectricFence to see if it is somehow related to malloc/free, e.g. using a stale pointer. It does crash at a different location where it reads from an already freed location. That's our current state. It may be a race condition during the concurrent initialization of several sub-agents, but we're far from anything definite.

Nonetheless: I'm a very curious person and it just bothers me not to know what's happening there. As we put it in German: Ich möchte nicht dumm sterben (I don't want to die stupid).

--
Josef Möllers (Pinguinpfleger bei FSC)
	If failure had no penalty success would not be a prize
						-- T.  Pratchett
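The following is an added example, not code from this thread or from glibc. It shows, for Linux x86_64 (the OP's target; the i386 set_thread_area path John mentions is the 32-bit equivalent), why %fs already "exists and contains data" in a single-threaded program that never touches it: libc's startup code sets the segment base with arch_prctl(ARCH_SET_FS, tcb) before main() runs, so there is no `mov` into %fs to find in user code, only a syscall. It then verifies the layout that vfprintf's %fs-relative loads rely on: %fs:0 holds the thread control block's own address, and a `__thread` variable lives at a negative offset from that base. It assumes gcc or clang on Linux x86_64 with glibc or musl; on any other platform the checks report -1 ("not applicable") rather than guessing.

```c
#define _GNU_SOURCE          /* syscall() prototype in unistd.h */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#if defined(__x86_64__) && defined(__linux__)
#if defined(__has_include)
#if __has_include(<asm/prctl.h>)
#include <asm/prctl.h>       /* ARCH_GET_FS */
#endif
#endif
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003   /* fallback: value from the x86_64 kernel ABI */
#endif
#ifndef SYS_arch_prctl
#define SYS_arch_prctl 158   /* fallback: x86_64 syscall number of arch_prctl */
#endif
#endif

/* A thread-local variable. On x86_64 the static TLS block is placed
 * directly below the thread control block (TCB), so this sits at a
 * negative offset from the %fs base. The main thread has a TCB too,
 * which is why a single-threaded program still has a populated %fs. */
static __thread int tls_counter = 7;

/* Ask the kernel which base it has loaded for %fs, i.e. the address
 * libc's startup passed to arch_prctl(ARCH_SET_FS, ...). 0 = unsupported. */
static uintptr_t fs_base_from_kernel(void)
{
#if defined(__x86_64__) && defined(__linux__)
    unsigned long base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return (uintptr_t)base;
#else
    return 0;
#endif
}

/* Read the 8 bytes at %fs:0. glibc and musl both store the TCB's own
 * address there; "mov %fs:0,%rax" is how libc finds the current thread.
 * 0 = not an x86_64 build. */
static uintptr_t fs_self_pointer(void)
{
#if defined(__x86_64__)
    uintptr_t self;
    __asm__ volatile("movq %%fs:0, %0" : "=r"(self));
    return self;
#else
    return 0;
#endif
}

/* Layout check: 1 if %fs base == *(%fs:0) and tls_counter lies below the
 * base, 0 if the layout differs, -1 where %fs has no such role. */
static int check_fs_layout(void)
{
    uintptr_t base = fs_base_from_kernel();
    uintptr_t self = fs_self_pointer();
    if (base == 0 || self == 0)
        return -1;
    if (base != self)
        return 0;
    return (uintptr_t)&tls_counter < base ? 1 : 0;
}

/* Load tls_counter the way compiled code does: a %fs-relative memory
 * operand (segment base + offset), with the offset computed by hand.
 * Returns the variable's value, or -1 where %fs is not the TLS base. */
static int tls_via_fs_offset(void)
{
#if defined(__x86_64__) && defined(__linux__)
    uintptr_t base = fs_base_from_kernel();
    if (base == 0)
        return -1;
    intptr_t off = (intptr_t)((uintptr_t)&tls_counter - base); /* negative */
    int value;
    __asm__ volatile("movl %%fs:(%1), %0" : "=r"(value) : "r"(off));
    return value;
#else
    return -1;
#endif
}

int main(void)
{
    printf("%%fs base (arch_prctl): %#lx\n", (unsigned long)fs_base_from_kernel());
    printf("*(%%fs:0)             : %#lx\n", (unsigned long)fs_self_pointer());
    printf("&tls_counter         : %p\n", (void *)&tls_counter);
    printf("layout check         : %d\n", check_fs_layout());
    printf("tls_counter via %%fs  : %d\n", tls_via_fs_offset());
    return 0;
}
```

Run it under gdb and `info registers fs_base` (or `p/x $fs_base`) should match the first line, which is the quickest way to tell, in a core like the one described above, whether a %fs-relative load in vfprintf read a sane TCB or garbage.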
