stephenrkell / libsystrap

Monitor, rewrite and/or otherwise trap system calls... on Linux/x86{,-64} only, for now.
GNU General Public License v3.0

Preload library is broken by pointer guard in glibc #17

Closed stephenrkell closed 3 years ago

stephenrkell commented 3 years ago

Testing on a CircleCI Ubuntu 18.04 box, I find that preload test cases crash during glibc finalization.

#0  0x00007faf504bd205 in _IO_flush_all_lockp (do_lock=do_lock@entry=0) at genops.c:754
#1  0x00007faf504bd4d5 in _IO_cleanup () at genops.c:929
#2  0x00007faf50471222 in __run_exit_handlers (status=0, listp=<optimized out>, 
    run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:130
#3  0x00007faf5047125a in __GI_exit (status=<optimized out>) at exit.c:139
#4  0x00007faf5044fbfe in __libc_start_main (main=0x55a570c0b63a <main>, argc=1, argv=0x7ffc5b527b98, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc5b527b88)
    at ../csu/libc-start.c:344
#5  0x000055a570c0b55a in _start ()

... because _IO_flush_all_lockp is doing this:

   0x00007faf504bd1e3 <+51>:    mov    0x36179e(%rip),%rax        # 0x7faf5081e988 <__libc_pthread_functions+360>
   ..                                                                   ^-- this is ptr__pthread_cleanup_push_defer
   0x00007faf504bd1f1 <+65>:    ror    $0x11,%rax
   0x00007faf504bd1f5 <+69>:    xor    %fs:0x30,%rax
   ..
=> 0x00007faf504bd205 <+85>:    callq  *%rax

... where rax is a garbled mess, not a legit function pointer.

This is something to do with 'pointer guard'. Clearly we don't have the right value in %fs:0x30. We can probably put a watchpoint on this (use __runt_tls_block_base()) and see what's happening.
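To make the `ror $0x11` / `xor %fs:0x30` pair above concrete, here is glibc's x86-64 pointer mangling written out in plain C, as an added example (not libsystrap or glibc code); the function address and both guard values are constructed, and the point is that a pointer demangled with a guard other than the one it was mangled under comes out as a non-canonical value rather than a callable address.

```c
#include <stdint.h>
#include <stdio.h>

/* glibc x86-64 PTR_MANGLE: xor with the per-process guard (held at %fs:0x30
 * in the TCB), then rotate left by 0x11. PTR_DEMANGLE is the inverse: rotate
 * right by 0x11, then xor with the guard -- the two instructions that
 * precede the callq in the _IO_flush_all_lockp disassembly. */
static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)
{
    return rol64(ptr ^ guard, 0x11);
}

uint64_t ptr_demangle(uint64_t mangled, uint64_t guard)
{
    return ror64(mangled, 0x11) ^ guard;
}

/* A user-space x86-64 code pointer must be canonical (bits 63..47 clear) and
 * non-null. A demangled value that fails this is the "garbled mess" seen in
 * %rax and can only crash when used as a call target. */
int is_plausible_code_ptr(uint64_t p)
{
    return p != 0 && (p >> 47) == 0;
}

/* Demangle under the guard the thread currently holds and say whether the
 * result could be a real callee. Returns 1 if plausible, 0 otherwise. */
int demangle_check(uint64_t mangled, uint64_t guard, uint64_t *out)
{
    *out = ptr_demangle(mangled, guard);
    return is_plausible_code_ptr(*out);
}

int main(void)
{
    /* constructed values: a libc text address and two distinct guards */
    uint64_t fn = 0x00007faf504bd1e3ULL;              /* pointer being stored */
    uint64_t guard_at_store = 0x1f2e3d4c5b6a7988ULL;  /* guard when mangled */
    uint64_t guard_at_call  = 0x0badc0ffee123456ULL;  /* guard found later */
    uint64_t m = ptr_mangle(fn, guard_at_store), good, bad;

    printf("same guard:  %d (0x%016llx)\n",
           demangle_check(m, guard_at_store, &good), (unsigned long long)good);
    printf("wrong guard: %d (0x%016llx)\n",
           demangle_check(m, guard_at_call, &bad), (unsigned long long)bad);
    return 0;
}
```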

stephenrkell commented 3 years ago

Actually this was a more generic double-init bug; appears fixed in 0601d29.