flate2 with zlib features on static link musl target throw SIGSEGV: invalid memory reference

[12101111]

This is a Gentoo Linux system with musl libc. (musl 1.2.2)

When I build cargo from source code, I I encountered this error：

error: failed to run custom build command for `cargo v0.52.0 (/home/han/rust/src/tools/cargo)`

Caused by:
  process didn't exit successfully: `/usr/obj/rust/debug/build/cargo-b44992f6566b71e6/build-script-build` (signal: 11, SIGSEGV: invalid memory reference)
warning: build failed, waiting for other jobs to finish...
error: build failed

In dmesg:

[211323.110681] build-script-bu[26357]: segfault at 0 ip 0000000000000000 sp 00007fff14933b48 error 14 cpu 9
[211323.110683] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.

Backtrace of core file:

* thread #1, name = 'build-script-bu', stop reason = signal SIGSEGV
  * frame #0: 0x0000000000000000
    frame #1: 0x00007f1aea390efb build-script-build`flate2::ffi::c::c_backend::mz_deflateInit2::h97764f0fc4000d3f(stream=0x0000555555abd180, level=9, method=8, window_bits=-15, mem_level=8, strategy=0) at c.rs:390:9
    frame #2: 0x00007f1aea388303 build-script-build`_$LT$flate2..ffi..c..Deflate$u20$as$u20$flate2..ffi..DeflateBackend$GT$::make::h97ab75fa9eccac25(level=(__0 = 9), zlib_header=false, window_bits='\x0f') at c.rs:267:23
    frame #3: 0x00007f1aea388af0 build-script-build`flate2::mem::Compress::new::hbc0716944885c9b8(level=(__0 = 9), zlib_header=false) at mem.rs:191:20
    frame #4: 0x00007f1aea35fed0 build-script-build`flate2::gz::write::gz_encoder::h414b79e0ecf5248b(header=Vec<u8, alloc::alloc::Global> @ 0x00007fff14933e58, w=File @ 0x00007fff14933e10, lvl=(__0 = 9)) at write.rs:48:36
    frame #5: 0x00007f1aea36202c build-script-build`flate2::gz::GzBuilder::write::h5030b7c1db5e069c(self=<unavailable>, w=File @ 0x00007fff14933e54, lvl=(__0 = 9)) at mod.rs:175:9
    frame #6: 0x00007f1aea365d6b build-script-build`build_script_build::compress_man::hbb84c2b2c462dad6 at build.rs:13:19
    frame #7: 0x00007f1aea365bc9 build-script-build`build_script_build::main::h3e6583ffb4fd8660 at build.rs:7:5
    frame #8: 0x00007f1aea369dab build-script-build`core::ops::function::FnOnce::call_once::hca791dbd914c92bc((null)=(build-script-build`build_script_build::main::h3e6583ffb4fd8660 at build.rs:6), (null)=<unavailable>) at function.rs:227:5
    frame #9: 0x00007f1aea35f60e build-script-build`std::sys_common::backtrace::__rust_begin_short_backtrace::hd2640dbf42955826(f=(build-script-build`build_script_build::main::h3e6583ffb4fd8660 at build.rs:6)) at backtrace.rs:125:18
    frame #10: 0x00007f1aea3647f1 build-script-build`std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::hbd1f32760f8e8c2b at rt.rs:66:18
    frame #11: 0x00007f1aea3b25a9 build-script-build`std::rt::lang_start_internal::h929041c76e60cef6 [inlined] core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::h1ae529aaf88d9d59 at function.rs:259:13
    frame #12: 0x00007f1aea3b259b build-script-build`std::rt::lang_start_internal::h929041c76e60cef6 [inlined] std::panicking::try::do_call::h3b7bcc50afadecba at panicking.rs:379
    frame #13: 0x00007f1aea3b259b build-script-build`std::rt::lang_start_internal::h929041c76e60cef6 [inlined] std::panicking::try::h3533ae220f0de338 at panicking.rs:343
    frame #14: 0x00007f1aea3b259b build-script-build`std::rt::lang_start_internal::h929041c76e60cef6 [inlined] std::panic::catch_unwind::h4b082f9a60bcb709 at panic.rs:396
    frame #15: 0x00007f1aea3b259b build-script-build`std::rt::lang_start_internal::h929041c76e60cef6 at rt.rs:51
    frame #16: 0x00007f1aea3647c7 build-script-build`std::rt::lang_start::he9c044563e4d7e32(main=(build-script-build`build_script_build::main::h3e6583ffb4fd8660 at build.rs:6), argc=1, argv=0x00007fff14934658) at rt.rs:65:5
    frame #17: 0x00007f1aea36624a build-script-build`main + 42
    frame #18: 0x00007f1aea3d2bfd build-script-build`libc_start_main_stage2 + 39
    frame #19: 0x00007f1aea35abc6 build-script-build`_start + 22

A minimal example:

[dependencies.flate2]
version = "1"
features = ["zlib"]
default-features = false

use flate2::{Compression, Compress};

fn main() {
    Compress::new(Compression::best(), false);
    println!("Ok!")
}

(The source code and dockerfile is at https://github.com/12101111/flate2-rs-zlib-musl-bug )

> echo $RUSTFLAGS

> cargo run
   Compiling pkg-config v0.3.19
   Compiling cc v1.0.66
   Compiling libc v0.2.86
   Compiling crc32fast v1.2.1
   Compiling cfg-if v1.0.0
   Compiling libz-sys v1.1.2
   Compiling flate2 v1.0.20
   Compiling compression-test v0.1.0 (/tmp/flate2-rs-zlib-musl-bug)
    Finished dev [unoptimized + debuginfo] target(s) in 2.78s
     Running `/usr/obj/rust/debug/compression-test`
zsh: segmentation fault (core dumped)  cargo run
> ldd /usr/obj/rust/debug/compression-test
	ldd (0x7f974b8e5000)
	libz.so.1 => /lib/libz.so.1 (0x7f974b865000)
	libc.so => ldd (0x7f974b8e5000)
> file /usr/obj/rust/debug/compression-test
/usr/obj/rust/debug/compression-test: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, with debug_info, not stripped
> readelf -d /usr/obj/rust/debug/compression-test
Dynamic section at offset 0x5c2a0 contains 17 entries:
  Tag                Type        Name/Value
  0x0000000000000001 (NEEDED)    Shared library: [libz.so.1]
  0x000000000000001e (FLAGS)     BIND_NOW
  0x000000006ffffffb (FLAGS_1)   NOW PIE
  0x0000000000000015 (DEBUG)     0x0
  0x0000000000000007 (RELA)      0x5c8
  0x0000000000000008 (RELASZ)    17568 (bytes)
  0x0000000000000009 (RELAENT)   24 (bytes)
  0x000000006ffffff9 (RELACOUNT) 730
  0x0000000000000006 (SYMTAB)    0x270
  0x000000000000000b (SYMENT)    24 (bytes)
  0x0000000000000005 (STRTAB)    0x530
  0x000000000000000a (STRSZ)     149 (bytes)
  0x000000006ffffef5 (GNU_HASH)  0x420
  0x0000000000000004 (HASH)      0x498
  0x000000000000000c (INIT)      0x5afbe
  0x000000000000000d (FINI)      0x5afc1
  0x0000000000000000 (NULL)      0x0
> export RUSTFLAGS=-Ctarget-feature=-crt-static
> cargo run
   Compiling pkg-config v0.3.19
   Compiling cc v1.0.66
   Compiling crc32fast v1.2.1
   Compiling libc v0.2.86
   Compiling cfg-if v1.0.0
   Compiling libz-sys v1.1.2
   Compiling flate2 v1.0.20
   Compiling compression-test v0.1.0 (/tmp/flate2-rs-zlib-musl-bug)
    Finished dev [unoptimized + debuginfo] target(s) in 2.57s
     Running `/usr/obj/rust/debug/compression-test`
Ok!
> ldd /usr/obj/rust/debug/compression-test
	/lib/ld-musl-x86_64.so.1 (0x7f947aaf3000)
	libz.so.1 => /lib/libz.so.1 (0x7f947aa8b000)
	libgcc_s.so.1 => /usr/lib/gcc/x86_64-gentoo-linux-musl/10.2.0/libgcc_s.so.1 (0x7f947aa71000)
	libc.so => /lib/ld-musl-x86_64.so.1 (0x7f947aaf3000)
> file /usr/obj/rust/debug/compression-test
/usr/obj/rust/debug/compression-test: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, with debug_info, not stripped
> readelf -d /usr/obj/rust/debug/compression-test
Dynamic section at offset 0x457a8 contains 30 entries:
  Tag                Type           Name/Value
  0x0000000000000001 (NEEDED)       Shared library: [libz.so.1]
  0x0000000000000001 (NEEDED)       Shared library: [libgcc_s.so.1]
  0x0000000000000001 (NEEDED)       Shared library: [libc.so]
  0x000000000000001e (FLAGS)        BIND_NOW
  0x000000006ffffffb (FLAGS_1)      NOW PIE
  0x0000000000000015 (DEBUG)        0x0
  0x0000000000000007 (RELA)         0x1080
  0x0000000000000008 (RELASZ)       16920 (bytes)
  0x0000000000000009 (RELAENT)      24 (bytes)
  0x000000006ffffff9 (RELACOUNT)    641
  0x0000000000000017 (JMPREL)       0x5298
  0x0000000000000002 (PLTRELSZ)     144 (bytes)
  0x0000000000000003 (PLTGOT)       0x48138
  0x0000000000000014 (PLTREL)       RELA
  0x0000000000000006 (SYMTAB)       0x2c8
  0x000000000000000b (SYMENT)       24 (bytes)
  0x0000000000000005 (STRTAB)       0xc84
  0x000000000000000a (STRSZ)        1014 (bytes)
  0x000000006ffffef5 (GNU_HASH)     0xa28
  0x0000000000000004 (HASH)         0xa4c
  0x0000000000000019 (INIT_ARRAY)   0x45550
  0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
  0x000000000000001a (FINI_ARRAY)   0x45558
  0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
  0x000000000000000c (INIT)         0x444ce
  0x000000000000000d (FINI)         0x444d1
  0x000000006ffffff0 (VERSYM)       0x958
  0x000000006ffffffe (VERNEED)      0x9e4
  0x000000006fffffff (VERNEEDNUM)   1
  0x0000000000000000 (NULL)         0x0

The backtrace is basically the same:

* thread #1, name = 'compression-tes', stop reason = signal SIGSEGV
  * frame #0: 0x0000000000000000
    frame #1: 0x00007fbaab5e89bc compression-test`flate2::ffi::c::c_backend::mz_deflateInit2::hb404a0baac12bdc2(stream=0x0000555556865120, level=9, method=8, window_bits=-15, mem_level=8, strategy=0) at c.rs:385:9
    frame #2: 0x00007fbaab5e7f33 compression-test`_$LT$flate2..ffi..c..Deflate$u20$as$u20$flate2..ffi..DeflateBackend$GT$::make::hebf4845f1f81d373(level=(__0 = 9), zlib_header=false, window_bits='\x0f') at c.rs:259:23
    frame #3: 0x00007fbaab5e81c0 compression-test`flate2::mem::Compress::new::hedc5b9bd2cf318a7(level=(__0 = 9), zlib_header=false) at mem.rs:191:20
    frame #4: 0x00007fbaab5e763f compression-test`compression_test::main::hd21505ddd81de81d at main.rs:4:5
    frame #5: 0x00007fbaab5e776b compression-test`core::ops::function::FnOnce::call_once::h4aab80b508d6152f((null)=(compression-test`compression_test::main::hd21505ddd81de81d at main.rs:3), (null)=<unavailable>) at function.rs:227:5
    frame #6: 0x00007fbaab5e788e compression-test`std::sys_common::backtrace::__rust_begin_short_backtrace::h717a3a163ad0e833(f=(compression-test`compression_test::main::hd21505ddd81de81d at main.rs:3)) at backtrace.rs:125:18
    frame #7: 0x00007fbaab5e7721 compression-test`std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::hc8e0060ea861748b at rt.rs:66:18
    frame #8: 0x00007fbaab5fec49 compression-test`std::rt::lang_start_internal::h53bf2c2c6c9e97dc [inlined] core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::hefea566cf07ef0a6 at function.rs:259:13
    frame #9: 0x00007fbaab5fec3b compression-test`std::rt::lang_start_internal::h53bf2c2c6c9e97dc [inlined] std::panicking::try::do_call::h5f7362256436cfed at panicking.rs:381
    frame #10: 0x00007fbaab5fec3b compression-test`std::rt::lang_start_internal::h53bf2c2c6c9e97dc [inlined] std::panicking::try::h1703f234309e3e9c at panicking.rs:345
    frame #11: 0x00007fbaab5fec3b compression-test`std::rt::lang_start_internal::h53bf2c2c6c9e97dc [inlined] std::panic::catch_unwind::h54d69a771c3636a5 at panic.rs:396
    frame #12: 0x00007fbaab5fec3b compression-test`std::rt::lang_start_internal::h53bf2c2c6c9e97dc at rt.rs:51
    frame #13: 0x00007fbaab5e76f7 compression-test`std::rt::lang_start::h66d6a4ec75efd437(main=(compression-test`compression_test::main::hd21505ddd81de81d at main.rs:3), argc=1, argv=0x00007fff850add98) at rt.rs:65:5
    frame #14: 0x00007fbaab5e76aa compression-test`main + 42
    frame #15: 0x00007fbaab620751 compression-test`libc_start_main_stage2 + 39
    frame #16: 0x00007fbaab5e7496 compression-test`_start + 22

The rust code that cause SIGSEVG is https://github.com/rust-lang/flate2-rs/blob/90d9e5ed866742ce8b3946d156830e300d1e5aab/src/ffi/c.rs#L377-L394

    pub unsafe extern "C" fn mz_deflateInit2(
        stream: *mut mz_stream,
        level: c_int,
        method: c_int,
        window_bits: c_int,
        mem_level: c_int,
        strategy: c_int,
    ) -> c_int {
        libz_sys::deflateInit2_(
            stream,
            level,
            method,
            window_bits,
            mem_level,
            strategy,
            ZLIB_VERSION.as_ptr() as *const c_char,
            mem::size_of::<mz_stream>() as c_int,
        )
    }

The disassemble from lldb:

compression-test`flate2::ffi::c::c_backend::mz_deflateInit2::hb404a0baac12bdc2:
    0x7ffff7fb4910 <+0>:   subq   $0x78, %rsp
    0x7ffff7fb4914 <+4>:   leaq   -0x12d12(%rip), %rax
    0x7ffff7fb491b <+11>:  movq   %rdi, 0x50(%rsp)
    0x7ffff7fb4920 <+16>:  movl   %esi, 0x5c(%rsp)
    0x7ffff7fb4924 <+20>:  movl   %edx, 0x60(%rsp)
    0x7ffff7fb4928 <+24>:  movl   %ecx, 0x64(%rsp)
    0x7ffff7fb492c <+28>:  movl   %r8d, 0x68(%rsp)
    0x7ffff7fb4931 <+33>:  movl   %r9d, 0x6c(%rsp)
    0x7ffff7fb4936 <+38>:  movq   %rdi, 0x48(%rsp)
    0x7ffff7fb493b <+43>:  movq   %rax, %rdi
    0x7ffff7fb493e <+46>:  movl   $0x6, %eax
    0x7ffff7fb4943 <+51>:  movl   %esi, 0x44(%rsp)
    0x7ffff7fb4947 <+55>:  movq   %rax, %rsi
    0x7ffff7fb494a <+58>:  movl   %edx, 0x40(%rsp)
    0x7ffff7fb494e <+62>:  movl   %ecx, 0x3c(%rsp)
    0x7ffff7fb4952 <+66>:  movl   %r8d, 0x38(%rsp)
    0x7ffff7fb4957 <+71>:  movl   %r9d, 0x34(%rsp)
    0x7ffff7fb495c <+76>:  callq  0x7ffff7fb48f0            ; core::str::_$LT$impl$u20$str$GT$::as_ptr::ha657d8d974e3c7bb at mod.rs:297
    0x7ffff7fb4961 <+81>:  movq   %rax, 0x28(%rsp)
    0x7ffff7fb4966 <+86>:  movq   $0x70, 0x70(%rsp)
    0x7ffff7fb496f <+95>:  movq   0x70(%rsp), %rax
    0x7ffff7fb4974 <+100>: movq   %rax, 0x20(%rsp)
    0x7ffff7fb4979 <+105>: movq   0x20(%rsp), %rax
    0x7ffff7fb497e <+110>: movl   %eax, %ecx
    0x7ffff7fb4980 <+112>: movq   0x48(%rsp), %rdi
    0x7ffff7fb4985 <+117>: movl   0x44(%rsp), %esi
    0x7ffff7fb4989 <+121>: movl   0x40(%rsp), %edx
    0x7ffff7fb498d <+125>: movl   0x3c(%rsp), %r8d
    0x7ffff7fb4992 <+130>: movl   %ecx, 0x1c(%rsp)
    0x7ffff7fb4996 <+134>: movl   %r8d, %ecx
    0x7ffff7fb4999 <+137>: movl   0x38(%rsp), %r8d
    0x7ffff7fb499e <+142>: movl   0x34(%rsp), %r9d
    0x7ffff7fb49a3 <+147>: movq   0x28(%rsp), %r10
    0x7ffff7fb49a8 <+152>: movq   %r10, (%rsp)
    0x7ffff7fb49ac <+156>: movl   0x1c(%rsp), %r11d
    0x7ffff7fb49b1 <+161>: movl   %r11d, 0x8(%rsp)
    0x7ffff7fb49b6 <+166>: callq  *0x46b04(%rip)
    0x7ffff7fb49bc <+172>: movl   %eax, 0x18(%rsp)
    0x7ffff7fb49c0 <+176>: movl   0x18(%rsp), %eax
    0x7ffff7fb49c4 <+180>: addq   $0x78, %rsp
    0x7ffff7fb49c8 <+184>: retq
    0x7ffff7fb49c9:        int3
    0x7ffff7fb49ca:        int3
    0x7ffff7fb49cb:        int3
    0x7ffff7fb49cc:        int3
    0x7ffff7fb49cd:        int3
    0x7ffff7fb49ce:        int3
    0x7ffff7fb49cf:        int3

The asm callq *0x46b04(%rip) is a GOT lookup code, but the address of libz_sys::deflateInit2_ in GOT somehow is 0x0, and call it cause SIGSEGV

Meta

rustc --version --verbose:

(rustc to build cargo)
rustc 1.51.0-nightly (a2f8f6281 2021-01-27)
binary: rustc
commit-hash: a2f8f6281817d430e20726128b739d3c6708561c
commit-date: 2021-01-27
host: x86_64-unknown-linux-musl
release: 1.51.0-nightly
LLVM version: 11.0.1
(rustc to build this minimal example)
rustc 1.49.0 (e1884a8e3 2020-12-29)
binary: rustc
commit-hash: e1884a8e3c3e813aada8254edfa120e85bf5ffca
commit-date: 2020-12-29
host: x86_64-unknown-linux-musl
release: 1.49.0

This issue is similar with #76021, but that is a regression on old musl version.
In this issue, I test in alpine 3.11 (docker rust:alpine3.11) and 3.12 (docker rust:alpine3.12), both of them use musl 1.1.24 which is the same version rust ship with, and have the same error.

The title may not be accurate as this issue may not be limited to flate2-rs crate

[nagisa]

The asm callq *0x46b04(%rip) is a GOT lookup code, but the address of libz_sys::deflateInit2_ in GOT somehow is 0x0, and call it cause SIGSEGV

I would suspect an issue in the linker or the loader first given this information. Especially given the fact that linking did succeed (and so supposedly the symbols were resolved).

[sfackler]

Rustc tries to statically link to its own MUSL by default for that target, while your zlib may be dynamically linking to the system MUSL. Setting -C target-feature=-crt-static may fix that.

[12101111]

Just close this as a duplicate of #82912, #39998 and #71647