From 2dfaf6d1427c8c7f1b108a434ecf94c860bd6c37 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Sun, 21 May 2017 14:09:13 +0200
Subject: [PATCH 003/325] libdtrace: Prevent an assertion from triggering with
 certain llquantize() parameters

The dtrace command that reached the assertion:

     fk@t520 ~ $sudo dtrace -n 'syscall::read:return /execname == "privoxy"/ { @[execname] = llquantize(arg0, 100, 0, 10, 100); @m = max(arg0)}'
     [...]
                 9800 |                                         0
                 9900 |                                         0
                10000 |@@@@@@@@@@@@@@@@@@@@                     37
                20000 |                                         0
     Assertion failed: (value < next), file /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c, line 1083.
     Abort trap

     (gdb) where
     #0  0x00000008011effda in thr_kill () from /lib/libc.so.7
     #1  0x00000008011effa4 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
     #2  0x00000008011eff19 in abort () at /usr/src/lib/libc/stdlib/abort.c:65
     #3  0x000000080088c3b2 in __assert (expr=0x8008d3172 "value < next", file=0x8008d3078 "/usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c", line=1083)
         at /usr/src/cddl/lib/libdtrace/../../../cddl/compat/opensolaris/include/assert.h:56
     #4  0x000000080088c190 in dt_print_llquantize (dtp=0x802633000, fp=0x8014c37e8, addr=0x80269a110, size=7840, normal=1) at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c:1083
     #5  0x000000080088e37d in dt_print_datum (dtp=0x802633000, fp=0x8014c37e8, rec=0x8026900e8, addr=0x80269a110 "d", size=7848, aggdata=0x802690150, normal=1, pd=0x7fffffffe750)
         at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c:2211
     #6  0x000000080088dc12 in dt_print_aggs (aggsdata=0x7fffffffe630, naggvars=1, arg=0x7fffffffe750) at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c:2313
     #7  0x000000080088e6cf in dt_print_agg (aggdata=0x802690150, arg=0x7fffffffe750) at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c:2361
     #8  0x0000000800895f8b in dt_aggregate_walk_sorted (dtp=0x802633000, func=0x80088e610 <dt_print_agg>, arg=0x7fffffffe750, sfunc=0x0)
         at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_aggregate.c:1585
     #9  0x0000000800895d39 in dtrace_aggregate_walk_sorted (dtp=0x802633000, func=0x80088e610 <dt_print_agg>, arg=0x7fffffffe750)
         at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_aggregate.c:1605
     #10 0x0000000800897f12 in dtrace_aggregate_print (dtp=0x802633000, fp=0x8014c37e8, func=0x800895d10 <dtrace_aggregate_walk_sorted>)
         at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_aggregate.c:2130
     #11 0x0000000000403a5e in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/cddl/usr.sbin/dtrace/../../../cddl/contrib/opensolaris/cmd/dtrace/dtrace.c:2005
     (gdb) f 4
     #4  0x000000080088c190 in dt_print_llquantize (dtp=0x802633000, fp=0x8014c37e8, addr=0x80269a110, size=7840, normal=1) at /usr/src/cddl/lib/libdtrace/../../../cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c:1083
     1083			assert(value < next);
     (gdb) p step
     $2915 = 77662796314522419
     (gdb) p value
     $2916 = 7834326075677972872
     (gdb) p next
     $2917 = 7766279631452241920

It works as expected when replacing the 10 with a 5.
Various other parameter combinations work as expected as well
and I've used similar commands for weeks without issues.

The problem is reproducible with other execnames as long as the probe fires.

The "@m = max(arg0)" part isn't required to trigger the assertion but
I only noticed it after already patching the system where libdtrace is
build with reduced optimizations.

This commit may not be the best solution but it seems to reliably
prevent the core dumps and the output continues to look reasonable.

The code flow in dt_print_llquantize() seems strange to me and maybe the
loop should break if "bin" reaches "last_bin" instead. My impression is that
it does a bunch of cycles at the end without doing meaningful work.

PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219451
PR submission date: 2017-05-22
Superior upstream commit in HEAD: r322773/95f65483b371f

Obtained from: ElectroBSD
---
 cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c
index 62c120388b18..51d7f332a28d 100644
--- a/cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c
+++ b/cddl/contrib/opensolaris/lib/libdtrace/common/dt_consume.c
@@ -1084,7 +1084,7 @@ dt_print_llquantize(dtrace_hdl_t *dtp, FILE *fp, const void *addr,
 		assert(value < next);
 		bin++;
 
-		if ((value += step) != next)
+		if ((value += step) < next)
 			continue;
 
 		next = value * factor;
-- 
2.32.0