Alright, here's some more analysis.
I was unable to fetch your core dump (403), but the test case and
libc/ld all 200'ed, and the crash / hang reproduces -- awesome.
and guess what? Firstly, the error we get from mach_port_mod_refs is
EMACH_RCV_INVALID_NAME 268451842 (ipc/rcv) invalid name
so my hunch that this one reply port was broken turned out correct. So
now looking at how we get it...
(gdb) disas __mig_get_reply_port
Dump of assembler code for function __GI___mig_get_reply_port:
0x0001c310 <+0>: call 0x1cb9e2 <__x86.get_pc_thunk.cx>
0x0001c315 <+5>: add $0x28ecdf,%ecx
0x0001c31b <+11>: mov %gs:0x0,%eax
0x0001c321 <+17>: mov 0x38(%eax),%edx
0x0001c324 <+20>: test %edx,%edx
0x0001c326 <+22>: je 0x1c340 <__GI___mig_get_reply_port+48>
0x0001c328 <+24>: lea 0x16d8(%ecx),%ecx
0x0001c32e <+30>: add $0x38,%eax
0x0001c331 <+33>: cmp %ecx,%eax
0x0001c333 <+35>: je 0x1c339 <__GI___mig_get_reply_port+41>
0x0001c335 <+37>: cmp (%ecx),%edx
0x0001c337 <+39>: je 0x1c340 <__GI___mig_get_reply_port+48>
0x0001c339 <+41>: mov %edx,%eax
0x0001c33b <+43>: ret
0x0001c33c <+44>: lea 0x0(%esi,%eiz,1),%esi
0x0001c340 <+48>: sub $0xc,%esp
0x0001c343 <+51>: call 0x1ba40 <__GI___mach_reply_port>
0x0001c348 <+56>: mov %gs:0x0,%eax
0x0001c34e <+62>: mov 0x38(%eax),%eax
0x0001c351 <+65>: add $0xc,%esp
0x0001c354 <+68>: ret
That is surely very different from the one I cited in the cover
letter! Look at what it's doing to the result of mach_reply_port (in
%eax) -- it straight-up overwrites it with the tcb pointer.
That is, of course, exactly the __seg_gs miscompilation I reported,
and exactly what "hurd: Remove __hurd_local_reply_port" was supposed
to work around (by not accessing it as THREAD_SELF->reply_port, but
rather using THREAD_SETMEM). I have now sent the second version of
that patch, please try applying it and test if that fixes it.
And the commit that has broken things here was
748511f0bb61785f976e18843d707a8ba8fffe29 ("hurd: i386 TLS tweaks"),
where I made THREAD_SELF (and friends) work through __seg_gs,
triggering the miscompilation. I'm surprised your testing hasn't
caught it earlier, but maybe the extra branch/indirection for the
no-tls case was masking the miscompilation. Please also check if the
other reply port tweak you reverted today is also innocent.
I have uploaded my own builds of libc.so and ld.so at [0] & [1] (but
these are with v1 of "hurd: Remove __hurd_local_reply_port", and with
all of this patchset applied).
[0] https://darnassus.sceen.net/~bugaevc/libc.so
[1] https://darnassus.sceen.net/~bugaevc/ld.so
Please test whether they work on your system.
Sergey
