public inbox for gdb-cvs@sourceware.org
help / color / mirror / Atom feed
* [binutils-gdb] gdb/dwarf: fix UBsan crash in read_subrange_type
@ 2023-01-20 16:52 Simon Marchi
0 siblings, 0 replies; only message in thread
From: Simon Marchi @ 2023-01-20 16:52 UTC (permalink / raw)
To: gdb-cvs
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b70bff5ea52550c7cd48af7579a75ac2624ec13d
commit b70bff5ea52550c7cd48af7579a75ac2624ec13d
Author: Simon Marchi <simon.marchi@polymtl.ca>
Date: Fri Jan 20 11:51:54 2023 -0500
gdb/dwarf: fix UBsan crash in read_subrange_type
When running gdb.ada/arrayptr.exp (and others) on Ubuntu 22.04, with the
`gnat-11` package installed (not `gnat`), with UBSan activated, I get:
(gdb) break foo.adb:40
/home/smarchi/src/binutils-gdb/gdb/dwarf2/read.c:17689:20: runtime error: shift exponent 127 is too large for 64-bit type 'long unsigned int'
The problematic DIEs are:
0x00001460: DW_TAG_subrange_type
DW_AT_lower_bound [DW_FORM_data1] (0x00)
DW_AT_upper_bound [DW_FORM_data16] (ffffffffffffffff3f00000000000000)
DW_AT_name [DW_FORM_strp] ("foo__packed_array___XP7___XDLU_0__1180591620717411303423")
DW_AT_type [DW_FORM_ref4] (0x0000153f "long_long_long_unsigned")
DW_AT_GNAT_descriptive_type [DW_FORM_ref4] (0x0000147e)
DW_AT_artificial [DW_FORM_flag_present] (true)
0x0000153f: DW_TAG_base_type
DW_AT_byte_size [DW_FORM_data1] (0x10)
DW_AT_encoding [DW_FORM_data1] (DW_ATE_unsigned)
DW_AT_name [DW_FORM_strp] ("long_long_long_unsigned")
DW_AT_artificial [DW_FORM_flag_present] (true)
When processed by this code:
negative_mask =
-((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
if (low.kind () == PROP_CONST
&& !base_type->is_unsigned () && (low.const_val () & negative_mask))
low.set_const_val (low.const_val () | negative_mask);
When the base type's length (16 bytes in this case) is larger than a
ULONGEST (typically 8 bytes), the bit shift is too large.
My obvious fix is just to skip the fixup for base types larger than a
ULONGEST (8 bytes). I don't think we really handle constant attribute
values larger than 8 bytes anyway, so this is part of a much larger
problem.
Add a test that replicates this situation, but uses bounds that fit in a
signed 64 bit, so we get a sensible result.
Change-Id: I8d0a24f3edd83b44e0761a0ce38922d3e2e112fb
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29386
Diff:
---
gdb/dwarf2/read.c | 29 +++++++++++++++++++----------
gdb/testsuite/gdb.dwarf2/subrange.exp | 22 ++++++++++++++++++++++
2 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/gdb/dwarf2/read.c b/gdb/dwarf2/read.c
index 44b54f77de9..cd937f24ee7 100644
--- a/gdb/dwarf2/read.c
+++ b/gdb/dwarf2/read.c
@@ -17588,7 +17588,6 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
int low_default_is_valid;
int high_bound_is_count = 0;
const char *name;
- ULONGEST negative_mask;
orig_base_type = read_subrange_index_type (die, cu);
@@ -17684,15 +17683,25 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
with GCC, for instance, where the ambiguous DW_FORM_dataN form
is used instead. To work around that ambiguity, we treat
the bounds as signed, and thus sign-extend their values, when
- the base type is signed. */
- negative_mask =
- -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
- if (low.kind () == PROP_CONST
- && !base_type->is_unsigned () && (low.const_val () & negative_mask))
- low.set_const_val (low.const_val () | negative_mask);
- if (high.kind () == PROP_CONST
- && !base_type->is_unsigned () && (high.const_val () & negative_mask))
- high.set_const_val (high.const_val () | negative_mask);
+ the base type is signed.
+
+ Skip it if the base type's length is larger than ULONGEST, to avoid
+ the undefined behavior of a too large left shift. We don't really handle
+ constants larger than 8 bytes anyway, at the moment. */
+
+ if (base_type->length () <= sizeof (ULONGEST))
+ {
+ ULONGEST negative_mask
+ = -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
+
+ if (low.kind () == PROP_CONST
+ && !base_type->is_unsigned () && (low.const_val () & negative_mask))
+ low.set_const_val (low.const_val () | negative_mask);
+
+ if (high.kind () == PROP_CONST
+ && !base_type->is_unsigned () && (high.const_val () & negative_mask))
+ high.set_const_val (high.const_val () | negative_mask);
+ }
/* Check for bit and byte strides. */
struct dynamic_prop byte_stride_prop;
diff --git a/gdb/testsuite/gdb.dwarf2/subrange.exp b/gdb/testsuite/gdb.dwarf2/subrange.exp
index 97743ee1099..4d7bcfb5f9c 100644
--- a/gdb/testsuite/gdb.dwarf2/subrange.exp
+++ b/gdb/testsuite/gdb.dwarf2/subrange.exp
@@ -77,6 +77,26 @@ Dwarf::assemble $asm_file {
{name subrange_with_buggy_negative_bounds_variable}
{type :$subrange_with_buggy_negative_bounds_label}
}
+
+ # This subrange's base type is 16-bytes long (although the bounds fit in
+ # signed 64-bit). This is to test the fix for PR 29386.
+ declare_labels a_16_byte_integer_label a_16_byte_subrange_label
+
+ a_16_byte_integer_label: base_type {
+ {byte_size 16 udata}
+ {encoding @DW_ATE_signed}
+ }
+
+ a_16_byte_subrange_label: subrange_type {
+ {lower_bound -9223372036854775808 DW_FORM_sdata}
+ {upper_bound 9223372036854775807 DW_FORM_sdata}
+ {type :$a_16_byte_integer_label}
+ }
+
+ DW_TAG_variable {
+ {name a_16_byte_subrange_variable}
+ {type :$a_16_byte_subrange_label}
+ }
}
}
}
@@ -92,3 +112,5 @@ gdb_test "ptype TByteArray" \
"type = array \\\[0\\.\\.191\\\] of byte"
gdb_test "ptype subrange_with_buggy_negative_bounds_variable" \
"type = -16\\.\\.-12"
+gdb_test "ptype a_16_byte_subrange_variable" \
+ "type = -9223372036854775808\\.\\.9223372036854775807"
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-01-20 16:52 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-20 16:52 [binutils-gdb] gdb/dwarf: fix UBsan crash in read_subrange_type Simon Marchi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).