By Jonathan Corbet
July 16, 2014
The GNU C library (glibc) project has long lived up to a reputation for
conservatism; glibc developers know that an ill-chosen change can create a
great deal of pain downstream, so they proceed with caution. Even so,
mistakes can happen. A recent mix-up involving the s390 architecture
makes it clear how some kinds of mistakes can cascade into a major
mess that is hard to clean up afterward.

The setjmp() and longjmp() functions have been part of the standard C
library since something close to the beginning. They can be used to
implement stack unwinding, a kind of “long return” from a function that
skips over any number of intervening function calls. Both of these
functions take an opaque jmp_buf data structure as an argument. The caller
provides the buffer to setjmp(), which fills it with the information needed
to make another return to the location of that call. A later call to
longjmp() with that buffer will then cause setjmp() to appear to have
returned a second time.

Back in April, developers from IBM committed a patch that changed the size
of the jmp_buf structure on the s390 architecture; this change, which
therefore was part of the 2.19 release, was apparently needed to enable
better hardware support for setjmp() and longjmp(). Since jmp_buf is a type
that is visible to applications, this was a clear ABI change, with all of
the potential problems that can go along with it. For example, newer glibc
releases expect the larger jmp_buf size, but they could be linked
(at run time) against applications which have not been rebuilt
and, thus, are still working with the older version of jmp_buf.

This possibility was taken into account, though. Symbol versioning was
used to provide properly behaved versions of setjmp() and
longjmp() for these older applications. So, in theory, things
ought to Just Work without further problems. This particular theory did
not last long after its encounter with the real world, though.

The problem is that jmp_buf structures are often embedded into
other structures, so a change in the size of that structure will change the
containing structures too. To find victims, one need not even look outside
of glibc; it turns out that glibc’s POSIX threads (pthreads) implementation
embeds a jmp_buf structure into its own __pthread_unwind_buf_t structure
which, in turn, is visible to applications. So, as a result, a number of
pthreads functions must become versioned as well.

Versioning does not work, though, for problems that pop up outside of
glibc. Consider, for example, the Perl interpreter, which embeds a
jmp_buf in its main “here’s a running Perl instance” structure.
That has caused various Perl modules to fail (example) and
can only really be fixed by rebuilding the entire Perl environment. The
PNG image format library (libpng) also has an embedded jmp_buf, in a
structure that is used by all PNG-using applications.

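The layout effect behind these failures, as an added example that is not part of the original article: a structure with an embedded jmp_buf is viewed once as a stale application compiled it and once as a rebuilt library did. The two stand-in jmp_buf types, their sizes, and the ctx_old/ctx_new structures are constructed for illustration and are not the real s390 or libpng definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for jmp_buf before and after the size change.
 * The sizes are assumptions for illustration, not the real s390 values. */
typedef struct { long regs[10]; } old_jmp_buf;
typedef struct { long regs[16]; } new_jmp_buf;

/* One public context structure that embeds a jmp_buf, seen two ways:
 * as a stale application compiled it and as the rebuilt library did. */
struct ctx_old { int width; old_jmp_buf jb; int height; };
struct ctx_new { int width; new_jmp_buf jb; int height; };

/* Rebuilt library: stores height at the offset fixed when it was compiled. */
static void lib_set_height(unsigned char *ctx, int h) {
    memcpy(ctx + offsetof(struct ctx_new, height), &h, sizeof h);
}

/* Stale application: loads height from the offset it was compiled with. */
static int app_get_height(const unsigned char *ctx) {
    int h;
    memcpy(&h, ctx + offsetof(struct ctx_old, height), sizeof h);
    return h;
}

/* Bytes by which the two builds disagree about where height lives. */
size_t height_offset_skew(void) {
    return offsetof(struct ctx_new, height) - offsetof(struct ctx_old, height);
}

/* 1 if the application reads back what the library stored, else 0. */
int app_sees_library_write(void) {
    unsigned char storage[sizeof(struct ctx_new)] = {0};
    lib_set_height(storage, 480);
    return app_get_height(storage) == 480;
}

/* 1 if the library's store would land past an object that the stale
 * application allocated using its own, smaller idea of the structure. */
int lib_write_overruns_old_object(void) {
    return offsetof(struct ctx_new, height) + sizeof(int) > sizeof(struct ctx_old);
}

int main(void) {
    printf("skew=%zu seen=%d overrun=%d\n", height_offset_skew(),
           app_sees_library_write(), lib_write_overruns_old_object());
    return 0;
}
```

Symbol versioning of setjmp() and longjmp() cannot help here, because the disagreement is in offsets compiled into the application and the third-party library, not in any glibc entry point.
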
Debian’s developers, who were trying to clean up this mess, considered
rebuilding all of Perl and then, possibly, all (500 or so) applications
depending on the PNG library. But, by this point, it was clear that
the ripples from this change spread widely indeed and that playing
whack-a-mole might never get them all fixed. So the Debian developers
have concluded
that the path they may have to take is to “do like Red Hat, ie
just rebuild everything and warn the users their system might break during
upgrade.” Clearly, this approach lacks appeal, especially
in the Debian world, where mass rebuilds are a rare event.

Even then, of course, there is the problem of end-user applications.
Distributors cannot rebuild those; even worse, the user might not
be able to either. So some things might just be broken.

One might be thinking that there is a mechanism in place for this kind of
incompatible ABI change. Shared libraries have a shared-object name
(“soname”) built into them; applications linked against those libraries
also contain that name. For glibc on your editor’s system, for example,
the soname is “libc.so.6”. The runtime linker will not link an
application against a shared object if the sonames do not match. In this
way, the system can disallow running against a library which will not work.
It also allows, in theory, the parallel installation of multiple versions
of the library; older applications would continue to use the older library,
while newly built binaries would use the current version.

So the glibc project could consider making a point release with a different
soname (libc.so.6.1, say); distributors could then install the
result alongside an older version of the library and, in theory, things
ought to work. Except that glibc developer Carlos O’Donell tried it and
concluded that:

“It's unsupportable as a solution for glibc.
The SO name bump in a mixed-ABI environment like debian ends up in
two libc’s being loaded and competing for effectively the same
namespace of symbols with resolution (and therefore selection of
the ABI) being determined by ELF interposition and scope
rules. It's a nightmare. It's possibly a worse solution than just
telling everyone to rebuild and get on with their lives.”

It also turns out to be painful to bootstrap a system with a
new, ABI-incompatible version of the C library. So it seems that the
soname change will not happen and that, on s390, lots of rebuilding is
going to have to go on. It will also become impossible to move affected
applications between systems with pre- and post-change libraries. Not fun,
but, as David Miller put it:

“Therefore, on the negative side, we might be stuck with this. But,
on the positive side, we can refer to this incident next time a
similar incident arises. We now know exactly what the
ramifications are for not dealing with this properly.”

That leads to the obvious question: what can be done to avoid this kind of
problem in the future? Carlos plans to put
together a policy on how to manage ABI changes, with “don’t break
ABI ever” as
the first item. There has been talk of improving the testing tools in an
attempt to catch this kind of ABI break in the future.

In the end, though, nothing can replace a high degree of care on the part of
the developers involved. Glibc developers have consistently shown that care,
which is why stories like this one are rare. In the aftermath of this
mistake, one can assume that they will be doubly careful in the future.
That, along with some testing support, ought to help to ensure that upcoming
glibc releases are free of this kind of problem.