dyld: lazy symbol binding failed: fast lazy bind offset out of range

Nick_Kledzik · October 24, 2012, 12:10am

Jack,

Do you know about
(gdb) display/i $pc

It will cause gdb to disassemble the next instruction after each single step.

The program goes bad after only 25 instructions:

Breakpoint 1, 0x0000000100ebb5b0 in pch_address_space ()
(gdb) si
0x0000000100ebb5b1 in pch_address_space ()
(gdb)
0x0000000100ebb5b4 in pch_address_space ()
(gdb)
0x0000000100ebb590 in pch_address_space ()
(gdb)
0x0000000100ebb591 in pch_address_space ()
(gdb)
0x0000000100ebb594 in pch_address_space ()
(gdb)
0x0000000100ebb59b in pch_address_space ()
(gdb)
0x0000000100ebad50 in pch_address_space ()
(gdb)
0x0000000100ebad51 in pch_address_space ()
(gdb)
0x0000000100ebad54 in pch_address_space ()
(gdb)
0x0000000100ebad58 in pch_address_space ()
(gdb)
0x0000000100ebad5c in pch_address_space ()
(gdb)
0x0000000100ebad60 in pch_address_space ()
(gdb)
0x0000000100ebb480 in pch_address_space ()
(gdb)
0x0000000100ebb481 in pch_address_space ()
(gdb)
0x0000000100ebb484 in pch_address_space ()
(gdb)
0x0000000100ebb48b in pch_address_space ()
(gdb)
0x0000000100ebb492 in pch_address_space ()
(gdb)
0x0000000100ebb496 in pch_address_space ()
(gdb)
0x0000000100ebb499 in pch_address_space ()
(gdb)
0x0000000100f5f96e in pch_address_space ()
(gdb)
0x0000000100f62356 in dyld_stub___cxa_guard_release ()
(gdb)
0x0000000100f6235b in dyld_stub___cxa_guard_release ()
(gdb)
0x0000000100f607d0 in dyld_stub___cxa_guard_release ()
(gdb)
0x0000000100f607d7 in dyld_stub___cxa_guard_release ()
(gdb)
0x0000000100f607d9 in dyld_stub___cxa_guard_release ()
(gdb)
0x00007fff8bd80878 in dyld_stub_binder ()

The call to dyld_stub_binder already has a bad parameter at this point.

To double check what image is 0x0000000100ebb499 and 0x0000000100f5f96e in ? LLVMPolly.so?

It looks like it is trying to call __cxa_guard_release (at least gdb thinks that). That is odd for the start of an initializer. There should have been a previous call to __cxa_guard_acquire.

For reference, here is stepping through hello-world:

(gdb) disassemble main
Dump of assembler code for function main:
0x0000000100000f00 <main+0>: push %rbp
0x0000000100000f01 <main+1>: mov %rsp,%rbp
0x0000000100000f04 <main+4>: sub $0x10,%rsp
0x0000000100000f08 <main+8>: lea 0x51(%rip),%rdi # 0x100000f60
0x0000000100000f0f <main+15>: movl $0x0,-0x4(%rbp)
0x0000000100000f16 <main+22>: mov $0x0,%al
0x0000000100000f18 <main+24>: callq 0x100000f34 <dyld_stub_printf>
0x0000000100000f1d <main+29>: mov $0x0,%ecx
0x0000000100000f22 <main+34>: mov %eax,-0x8(%rbp)
0x0000000100000f25 <main+37>: mov %ecx,%eax
0x0000000100000f27 <main+39>: add $0x10,%rsp
0x0000000100000f2b <main+43>: pop %rbp
0x0000000100000f2c <main+44>: retq
End of assembler dump.
(gdb) display/i $pc
1: x/i $pc 0x100000f08 <main+8>: lea 0x51(%rip),%rdi # 0x100000f60
(gdb) si
0x0000000100000f0f in main ()
1: x/i $pc 0x100000f0f <main+15>: movl $0x0,-0x4(%rbp)
(gdb)
0x0000000100000f16 in main ()
1: x/i $pc 0x100000f16 <main+22>: mov $0x0,%al
(gdb)
0x0000000100000f18 in main ()
1: x/i $pc 0x100000f18 <main+24>: callq 0x100000f34 <dyld_stub_printf>
(gdb)
0x0000000100000f34 in dyld_stub_printf ()
1: x/i $pc 0x100000f34 <dyld_stub_printf>: jmpq *0x106(%rip) # 0x100001040
(gdb)
0x0000000100000f56 in dyld_stub_printf ()
1: x/i $pc 0x100000f56: pushq $0xc
(gdb)
0x0000000100000f5b in dyld_stub_printf ()
1: x/i $pc 0x100000f5b: jmpq 0x100000f3c
(gdb)
0x0000000100000f3c in dyld_stub_printf ()
1: x/i $pc 0x100000f3c: lea 0xed(%rip),%r11 # 0x100001030
(gdb)
0x0000000100000f43 in dyld_stub_printf ()
1: x/i $pc 0x100000f43: push %r11
(gdb)
0x0000000100000f45 in dyld_stub_printf ()
1: x/i $pc 0x100000f45: jmpq *0xdd(%rip) # 0x100001028
(gdb)
0x00007fff8e2576a0 in dyld_stub_binder ()
1: x/i $pc 0x7fff8e2576a0 <dyld_stub_binder>: push %rbp
(gdb)

The stub (PLT entry) is just a single instruction jump through a pointer ("jmpq *0x106(%rip)"). The first time used, it points to a helper the push extra parameters and jumps into dyld. In this example, the "pushq $0xc" instruction tells dyld which lazy pointer to bind. In your crashing case, the 114808 seems to have been pushed, but that is too big.

-Nick

Jack_Howarth1 · October 24, 2012, 1:04am

I get...

% gdb /sw/lib/gcc4.7/libexec/gcc/x86_64-apple-darwin12.2.0/4.7.2/cc1
GNU gdb 6.3.50-20050815 (Apple version gdb-1822) (Sun Aug 5 03:00:42 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ..
warning: Could not find object file "/sw/src/fink.build/libiconv-1.12-5/libiconv-1.12/lib/.libs/iconv.o" - no debug information available for "iconv.c".

warning: Could not find object file "/sw/src/fink.build/libiconv-1.12-5/libiconv-1.12/lib/.libs/localcharset.o" - no debug information available for "localcharset.c".

warning: Could not find object file "/sw/src/fink.build/libiconv-1.12-5/libiconv-1.12/lib/.libs/relocatable.o" - no debug information available for "relocatable.c".

...... done

(gdb) break *0x100ebb5b0
Breakpoint 1 at 0x100ebb5b0
(gdb) r -quiet -v -iplugindir=/sw/lib/gcc4.7/lib/gcc/x86_64-apple-darwin12.2.0/4.7.2/plugin -D__DYNAMIC__ himenoBMTxpa.c -iplugindir=/sw/lib/gcc4.7/lib/gcc/x86_64-apple-darwin12.2.0/4.7.2/plugin -fPIC -quiet -dumpbase himenoBMTxpa.c -mmacosx-version-min=10.8.2 -mtune=core2 -auxbase himenoBMTxpa -O3 -version -fplugin=/sw/src/fink.build/dragonegg-gcc47-3.2-0/dragonegg-3.2/dragonegg.so -fplugin-arg-dragonegg-llvm-option=-load:/sw/src/fink.build/llvm32-3.2-0/llvm-3.2/build/lib/LLVMPolly.so -fplugin-arg-dragonegg-llvm-option=-polly -o /var/folders/1l/n78sywl52lz6kkys6nv7mnph0000gp/T//ccFoHtO9.s
Starting program: /sw/lib/gcc4.7/libexec/gcc/x86_64-apple-darwin12.2.0/4.7.2/cc1 -quiet -v -iplugindir=/sw/lib/gcc4.7/lib/gcc/x86_64-apple-darwin12.2.0/4.7.2/plugin -D__DYNAMIC__ himenoBMTxpa.c -iplugindir=/sw/lib/gcc4.7/lib/gcc/x86_64-apple-darwin12.2.0/4.7.2/plugin -fPIC -quiet -dumpbase himenoBMTxpa.c -mmacosx-version-min=10.8.2 -mtune=core2 -auxbase himenoBMTxpa -O3 -version -fplugin=/sw/src/fink.build/dragonegg-gcc47-3.2-0/dragonegg-3.2/dragonegg.so -fplugin-arg-dragonegg-llvm-option=-load:/sw/src/fink.build/llvm32-3.2-0/llvm-3.2/build/lib/LLVMPolly.so -fplugin-arg-dragonegg-llvm-option=-polly -o /var/folders/1l/n78sywl52lz6kkys6nv7mnph0000gp/T//ccFoHtO9.s
Reading symbols for shared libraries +++++++................................. done
Reading symbols for shared libraries . done
GNU C (GCC) version 4.7.2 (x86_64-apple-darwin12.2.0)
compiled by GNU C version 4.7.2, GMP version 5.0.5, MPFR version 3.1.1, MPC version 1.0.1
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Versions of loaded plugins:
dragonegg: 3.2svn
ignoring nonexistent directory "/usr/local/include"
ignoring nonexistent directory "/sw/lib/gcc4.7/lib/gcc/x86_64-apple-darwin12.2.0/4.7.2/../../../../x86_64-apple-darwin12.2.0/include"
#include "..." search starts here:
#include <...> search starts here:
/sw/lib/gcc4.7/lib/gcc/x86_64-apple-darwin12.2.0/4.7.2/include
/sw/lib/gcc4.7/include
/sw/lib/gcc4.7/lib/gcc/x86_64-apple-darwin12.2.0/4.7.2/include-fixed
/usr/include
/System/Library/Frameworks
/Library/Frameworks
End of search list.
GNU C (GCC) version 4.7.2 (x86_64-apple-darwin12.2.0)
compiled by GNU C version 4.7.2, GMP version 5.0.5, MPFR version 3.1.1, MPC version 1.0.1
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Versions of loaded plugins:
dragonegg: 3.2svn
Compiler executable checksum: 8e74eeb00f08b286a112e27009c3d775
himenoBMTxpa.c: In function ‘main’:
himenoBMTxpa.c:79:5: warning: incompatible implicit declaration of built-in function ‘strcpy’ [enabled by default]
himenoBMTxpa.c: In function ‘set_param’:
himenoBMTxpa.c:226:5: warning: incompatible implicit declaration of built-in function ‘exit’ [enabled by default]
himenoBMTxpa.c: In function ‘newMat’:
himenoBMTxpa.c:239:5: warning: incompatible implicit declaration of built-in function ‘malloc’ [enabled by default]
himenoBMTxpa.c: In function ‘clearMat’:
himenoBMTxpa.c:248:5: warning: incompatible implicit declaration of built-in function ‘free’ [enabled by default]
Reading symbols for shared libraries ... done

Breakpoint 1, 0x0000000100ebb5b0 in pch_address_space ()
(gdb) display/i $pc
1: x/i $pc 0x100ebb5b0 <_ZL17pch_address_space+2581936>: push %rbp
(gdb) si
0x0000000100ebb5b1 in pch_address_space ()
1: x/i $pc 0x100ebb5b1 <_ZL17pch_address_space+2581937>: mov %rsp,%rbp
(gdb)
0x0000000100ebb5b4 in pch_address_space ()
1: x/i $pc 0x100ebb5b4 <_ZL17pch_address_space+2581940>: callq 0x100ebb590 <_ZL17pch_address_space+2581904>
(gdb)
0x0000000100ebb590 in pch_address_space ()
1: x/i $pc 0x100ebb590 <_ZL17pch_address_space+2581904>: push %rbp
(gdb)
0x0000000100ebb591 in pch_address_space ()
1: x/i $pc 0x100ebb591 <_ZL17pch_address_space+2581905>: mov %rsp,%rbp
(gdb)
0x0000000100ebb594 in pch_address_space ()
1: x/i $pc 0x100ebb594 <_ZL17pch_address_space+2581908>: lea 0xf9635(%rip),%rdi # 0x100fb4bd0 <_ZN12_GLOBAL__N_121PollyForcePassLinkingE>
(gdb)
0x0000000100ebb59b in pch_address_space ()
1: x/i $pc 0x100ebb59b <_ZL17pch_address_space+2581915>: callq 0x100ebad50 <_ZL17pch_address_space+2579792>
(gdb)
0x0000000100ebad50 in pch_address_space ()
1: x/i $pc 0x100ebad50 <_ZL17pch_address_space+2579792>: push %rbp
(gdb)
0x0000000100ebad51 in pch_address_space ()
1: x/i $pc 0x100ebad51 <_ZL17pch_address_space+2579793>: mov %rsp,%rbp
(gdb)
0x0000000100ebad54 in pch_address_space ()
1: x/i $pc 0x100ebad54 <_ZL17pch_address_space+2579796>: sub $0x10,%rsp
(gdb)
0x0000000100ebad58 in pch_address_space ()
1: x/i $pc 0x100ebad58 <_ZL17pch_address_space+2579800>: mov %rdi,-0x8(%rbp)
(gdb)
0x0000000100ebad5c in pch_address_space ()
1: x/i $pc 0x100ebad5c <_ZL17pch_address_space+2579804>: mov -0x8(%rbp),%rdi
(gdb)
0x0000000100ebad60 in pch_address_space ()
1: x/i $pc 0x100ebad60 <_ZL17pch_address_space+2579808>: callq 0x100ebb480 <_ZL17pch_address_space+2581632>
(gdb)
0x0000000100ebb480 in pch_address_space ()
1: x/i $pc 0x100ebb480 <_ZL17pch_address_space+2581632>: push %rbp
(gdb)
0x0000000100ebb481 in pch_address_space ()
1: x/i $pc 0x100ebb481 <_ZL17pch_address_space+2581633>: mov %rsp,%rbp
(gdb)
0x0000000100ebb484 in pch_address_space ()
1: x/i $pc 0x100ebb484 <_ZL17pch_address_space+2581636>: sub $0xb0,%rsp
(gdb)
0x0000000100ebb48b in pch_address_space ()
1: x/i $pc 0x100ebb48b <_ZL17pch_address_space+2581643>: lea 0xa7655(%rip),%rax # 0x100f62ae7 <dyld_stub___cxa_guard_release+12149>
(gdb)
0x0000000100ebb492 in pch_address_space ()
1: x/i $pc 0x100ebb492 <_ZL17pch_address_space+2581650>: mov %rdi,-0x8(%rbp)
(gdb)
0x0000000100ebb496 in pch_address_space ()
1: x/i $pc 0x100ebb496 <_ZL17pch_address_space+2581654>: mov %rax,%rdi
(gdb)
0x0000000100ebb499 in pch_address_space ()
1: x/i $pc 0x100ebb499 <_ZL17pch_address_space+2581657>: callq 0x100f5f96e <_ZL17pch_address_space+3254638>
(gdb)
0x0000000100f5f96e in pch_address_space ()
1: x/i $pc 0x100f5f96e <_ZL17pch_address_space+3254638>: jmpq *0x5352c(%rip) # 0x100fb2ea0
(gdb)
0x0000000100f62356 in dyld_stub___cxa_guard_release ()
1: x/i $pc 0x100f62356 <dyld_stub___cxa_guard_release+10212>: pushq $0xd0bd
(gdb)
0x0000000100f6235b in dyld_stub___cxa_guard_release ()
1: x/i $pc 0x100f6235b <dyld_stub___cxa_guard_release+10217>: jmpq 0x100f607d0 <dyld_stub___cxa_guard_release+3166>
(gdb)
0x0000000100f607d0 in dyld_stub___cxa_guard_release ()
1: x/i $pc 0x100f607d0 <dyld_stub___cxa_guard_release+3166>: lea 0x4ec09(%rip),%r11 # 0x100faf3e0
(gdb)
0x0000000100f607d7 in dyld_stub___cxa_guard_release ()
1: x/i $pc 0x100f607d7 <dyld_stub___cxa_guard_release+3173>: push %r11
(gdb)
0x0000000100f607d9 in dyld_stub___cxa_guard_release ()
1: x/i $pc 0x100f607d9 <dyld_stub___cxa_guard_release+3175>: jmpq *0x4ebf9(%rip) # 0x100faf3d8
(gdb)
0x00007fff8bd80878 in dyld_stub_binder ()
1: x/i $pc 0x7fff8bd80878 <dyld_stub_binder>: push %rbp
(gdb)

To double check what image is 0x0000000100ebb499 and 0x0000000100f5f96e in ? LLVMPolly.so?

Sorry to be dim, but I am unclear on how I can get at the information in LLVMPolly.so for those images.
I tried 'set env DYLD_PRINT_SEGMENTS 1' but that didn't seem to provide numbers that match those above.