segfault in sysdep/i386/backtrace.h
Marco Trudel
mtrudel@gmx.ch
Sun Feb 18 16:22:00 GMT 2007
Hey all
Since it seems that mingw won't switch to DW eh soon, I invested some
time into this bug: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=29477
It turns out to be a segfault in sysdep/i386/backtrace.h:
    /* Try to locate a "pushl %ebp; movl %esp, %ebp" function prologue
       by scanning backwards at even addresses below the return address.
       This instruction sequence is encoded either as 0x55 0x89 0xE5 or as
       0x55 0x8B 0xEC. We give up if we do not find this sequence even
       after scanning 1024K of memory.
       FIXME: This is not robust and will probably give us false positives,
       but this is about the best we can do if we do not have DWARF-2 unwind
       information based exception handling. */
    ctx.meth_addr = (_Jv_uintptr_t)NULL;
    _Jv_uintptr_t scan_addr = (ctx.ret_addr & 0xFFFFFFFE) - 2;
    _Jv_uintptr_t limit_addr
      = (scan_addr > 1024 * 1024) ? (scan_addr - 1024 * 1024) : 2;
    for ( ; scan_addr >= limit_addr; scan_addr -= 2)
      {
        unsigned char *scan_bytes = (unsigned char *)scan_addr;
        if (scan_bytes[0] == 0x55
            && ((scan_bytes[1] == 0x89 && scan_bytes[2] == 0xE5)
                || (scan_bytes[1] == 0x8B && scan_bytes[2] == 0xEC)))
          {
            ctx.meth_addr = scan_addr;
            break;
          }
      }
The segfault happens on reading scan_bytes[x]. I assume that there is no
"pushl %ebp; movl %esp, %ebp" function prologue in certain cases and
thus we go reading protected areas below the function.
I don't know how the memory is set up when doing this backtrace. Are
there always/sometimes other functions below the one we're currently in?
Might we run into a "pushl %ebp; movl %esp, %ebp" from another function
or go and read protected areas?
Any ideas? How to prevent this? What else might there be than a "pushl
%ebp; movl %esp, %ebp"?
Marco
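The scan above and the two failure modes the post asks about (walking below the current function into another function's prologue, and reading memory that is not mapped) can be exercised on a constructed byte buffer instead of live process memory. The code below is an added example, not libgcj's code: `find_prologue` reimplements the same backward, even-offset search over a buffer that stands in for the readable mapping (`buf`/`len` are assumed stand-ins for the process text, `ret_off` for `ctx.ret_addr`, `limit` for the 1024K give-up distance), and every three-byte comparison is bounds-checked so the "no prologue within range" case returns -1 rather than faulting. The sample byte arrays are constructed for the example and are not real libgcj output.

```c
#include <stddef.h>
#include <stdio.h>

/* Bounds-checked re-implementation of the libgcj prologue scan (added
   example, not the libgcj code).  buf/len stand in for the readable
   mapping, ret_off for ctx.ret_addr, limit for the 1024K give-up distance.
   Returns the offset of the prologue found, or -1 if none is in range. */
long find_prologue(const unsigned char *buf, size_t len,
                   size_t ret_off, size_t limit)
{
    if (ret_off > len)
        return -1;
    /* Mirrors (ret_addr & 0xFFFFFFFE) - 2: align down to even, back one slot. */
    size_t scan = ret_off & ~(size_t)1;
    if (scan < 2)
        return -1;
    scan -= 2;
    /* libgcj clamps the lower bound at 2; 0 is safe here because every read
       below is checked against len. */
    size_t lowest = (scan > limit) ? scan - limit : 0;

    for (; scan >= lowest; scan -= 2) {
        /* Three bytes are compared, so the whole triple must lie inside buf.
           This is the check the original lacks: it dereferences
           scan_bytes[0..2] unconditionally and faults on an unmapped page. */
        if (scan + 3 <= len) {
            const unsigned char *p = buf + scan;
            if (p[0] == 0x55 &&
                ((p[1] == 0x89 && p[2] == 0xE5) ||   /* pushl %ebp; movl %esp,%ebp */
                 (p[1] == 0x8B && p[2] == 0xEC)))    /* same, alternate encoding */
                return (long)scan;
        }
        if (scan < 2)   /* the next step would wrap the unsigned offset */
            break;
    }
    return -1;   /* nothing within limit: the case that keeps reading in libgcj */
}

/* Constructed sample "code": function A with a frame-pointer prologue at
   offset 0, and a frame-pointer-less function B starting at offset 10.
   A return address inside B (offset 20) makes the scan walk past B's start
   and report A's prologue, the false positive the FIXME warns about. */
const unsigned char two_funcs[32] = {
    [0] = 0x55, [1] = 0x89, [2] = 0xE5,   /* A: pushl %ebp; movl %esp,%ebp */
    [3] = 0xC3,                           /* A: ret */
    [10] = 0x31, [11] = 0xC0,             /* B: xorl %eax,%eax (no prologue) */
    [12] = 0xC3,                          /* B: ret */
};

/* Constructed sample with the alternate encoding at an even offset. */
const unsigned char alt_enc[16] = { [6] = 0x55, [7] = 0x8B, [8] = 0xEC };

/* Constructed sample whose prologue starts at an odd offset: the
   even-address-only scan never lines up on it and reports nothing. */
const unsigned char odd_prologue[16] = { [5] = 0x55, [6] = 0x89, [7] = 0xE5 };

int main(void)
{
    printf("two_funcs    -> %ld\n", find_prologue(two_funcs, sizeof two_funcs, 20, 1024));
    printf("alt_enc      -> %ld\n", find_prologue(alt_enc, sizeof alt_enc, 14, 1024));
    printf("odd_prologue -> %ld\n", find_prologue(odd_prologue, sizeof odd_prologue, 14, 1024));
    /* Short mapping with no prologue: -1 instead of reading past the buffer. */
    printf("no prologue  -> %ld\n", find_prologue(odd_prologue, 4, 4, 1024));
    return 0;
}
```

The `two_funcs` case is the answer to the question of whether the scan can run into another function's prologue: with no frame-pointer prologue in the current function, the first match below the return address belongs to whichever earlier function happens to have one, and `ctx.meth_addr` is simply wrong rather than unset. The `odd_prologue` case shows the other side of the even-address heuristic, a prologue that exists but is never examined. Neither condition is detectable from the bytes alone, which is why a range check against the mapped region (here, `len`) is the minimum needed to turn the segfault into a clean "not found".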