[binutils-gdb] gdb/linux-nat: Fix mem access ptrace fallback (PR threads/31579)

[binutils-gdb] gdb/linux-nat: Fix mem access ptrace fallback (PR threads/31579)

[Pedro Alves]

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5e86aab85118ae705bbf9b247497167a8d801d2c

commit 5e86aab85118ae705bbf9b247497167a8d801d2c
Author: Pedro Alves <pedro@palves.net>
Date:   Wed Apr 10 20:00:26 2024 +0100

    gdb/linux-nat: Fix mem access ptrace fallback (PR threads/31579)
    
    Old RHEL systems have a kernel that does not support writing memory
    via /proc/pid/mem.  On such systems, we fallback to accessing memory
    via ptrace.  That has a few downsides described in the "Accessing
    inferior memory" section at the top of linux-nat.c.
    
    The target_xfer interface for memory access uses inferior_ptid as
    sideband argument to indicate which process to access.  Memory access
    is process-wide, it is not thread-specific, so inferior_ptid is
    sometimes pointed at a process-wide ptid_t for the memory access
    (i.e., a ptid that looks like {pid, 0, 0}).  That is the case for any
    code that uses scoped_restore_current_inferior_for_memory, for
    example.
    
    That is what causes the issue described in PR 31579, where thread_db
    calls into the debugger to read memory, which reaches our
    ps_xfer_memory function, which does:
    
      static ps_err_e
      ps_xfer_memory (const struct ps_prochandle *ph, psaddr_t addr,
                      gdb_byte *buf, size_t len, int write)
      {
        scoped_restore_current_inferior_for_memory save_inferior (ph->thread->inf);
    
        ...
          ret = target_read_memory (core_addr, buf, len);
        ...
      }
    
    If linux_nat_target::xfer_partial falls back to inf_ptrace_target with
    a pid-ptid, then the ptrace code will do the ptrace call targeting
    pid, the leader LWP.  That may fail with ESRCH if the leader is
    currently running, or zombie.  That is the case in the scenario in
    question, because thread_db is consulted for an event of a non-leader
    thread, before we've stopped the whole process.
    
    Fix this by having the ptrace fallback code try to find a stopped LWP
    to use with ptrace.
    
    I chose to handle this in the linux-nat target instead of in common
    code because (global) memory is a process-wide property, and this
    avoids having to teach all the code paths that use
    scoped_restore_current_inferior_for_memory to find some stopped thread
    to access memory through, which is a ptrace quirk.  That is
    effectively what we used to do before we started relying on writable
    /proc/pid/mem.  I'd rather not go back there.
    
    To trigger this on modern kernels you have to hack linux-nat.c to
    force the ptrace fallback code, like so:
    
     --- a/gdb/linux-nat.c
     +++ b/gdb/linux-nat.c
     @@ -3921,7 +3921,7 @@ linux_nat_target::xfer_partial (enum target_object object,
              poke would incorrectly write memory to the post-exec address
              space, while the core was trying to write to the pre-exec
              address space.  */
     -      if (proc_mem_file_is_writable ())
     +      if (0 && proc_mem_file_is_writable ())
    
    With that hack, I was able to confirm that the fix fixes hundreds of
    testsuite failures.  Compared to a test run with pristine master, the
    hack above + this commit's fix shows that some non-stop-related tests
    fail, but that is expected, because those are tests that need to
    access memory while the program is running.  (I made no effort to
    temporarily pause an lwp if no ptrace-stopped lwp is found.)
    
    Change-Id: I24a4f558e248aff7bc7c514a88c698f379f23180
    Tested-By: Hannes Domani <ssbssa@yahoo.de>
    Approved-By: Andrew Burgess <aburgess@redhat.com>

Diff:
---
 gdb/linux-nat.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 58 insertions(+), 3 deletions(-)

diff --git a/gdb/linux-nat.c b/gdb/linux-nat.c
index c357ca3ab8b..48ecd3627ca 100644
--- a/gdb/linux-nat.c
+++ b/gdb/linux-nat.c
@@ -296,6 +296,8 @@ static struct lwp_info *find_lwp_pid (ptid_t ptid);
 
 static int lwp_status_pending_p (struct lwp_info *lp);
 
+static bool is_lwp_marked_dead (lwp_info *lp);
+
 static void save_stop_reason (struct lwp_info *lp);
 
 static bool proc_mem_file_is_writable ();
@@ -1467,9 +1469,7 @@ detach_one_lwp (struct lwp_info *lp, int *signo_p)
 
   /* If the lwp has exited or was terminated due to a signal, there's
      nothing left to do.  */
-  if (lp->waitstatus.kind () == TARGET_WAITKIND_EXITED
-      || lp->waitstatus.kind () == TARGET_WAITKIND_THREAD_EXITED
-      || lp->waitstatus.kind () == TARGET_WAITKIND_SIGNALLED)
+  if (is_lwp_marked_dead (lp))
     {
       linux_nat_debug_printf
 	("Can't detach %s - it has exited or was terminated: %s.",
@@ -2199,6 +2199,21 @@ mark_lwp_dead (lwp_info *lp, int status)
   lp->stopped = 1;
 }
 
+/* Return true if LP is dead, with a pending exit/signalled event.  */
+
+static bool
+is_lwp_marked_dead (lwp_info *lp)
+{
+  switch (lp->waitstatus.kind ())
+    {
+    case TARGET_WAITKIND_EXITED:
+    case TARGET_WAITKIND_THREAD_EXITED:
+    case TARGET_WAITKIND_SIGNALLED:
+      return true;
+    }
+  return false;
+}
+
 /* Wait for LP to stop.  Returns the wait status, or 0 if the LWP has
    exited.  */
 
@@ -3830,6 +3845,20 @@ linux_proc_xfer_memory_partial (int pid, gdb_byte *readbuf,
 				const gdb_byte *writebuf, ULONGEST offset,
 				LONGEST len, ULONGEST *xfered_len);
 
+/* Look for an LWP of PID that we know is ptrace-stopped.  Returns
+   NULL if none is found.  */
+
+static lwp_info *
+find_stopped_lwp (int pid)
+{
+  for (lwp_info *lp : all_lwps ())
+    if (lp->ptid.pid () == pid
+	&& lp->stopped
+	&& !is_lwp_marked_dead (lp))
+      return lp;
+  return nullptr;
+}
+
 enum target_xfer_status
 linux_nat_target::xfer_partial (enum target_object object,
 				const char *annex, gdb_byte *readbuf,
@@ -3876,6 +3905,32 @@ linux_nat_target::xfer_partial (enum target_object object,
 	return linux_proc_xfer_memory_partial (inferior_ptid.pid (), readbuf,
 					       writebuf, offset, len,
 					       xfered_len);
+
+      /* Fallback to ptrace.  This should only really trigger on old
+	 systems.  See "Accessing inferior memory" at the top.
+
+	 The target_xfer interface for memory access uses
+	 inferior_ptid as sideband argument to indicate which process
+	 to access.  Memory access is process-wide, it is not
+	 thread-specific, so inferior_ptid sometimes points at a
+	 process ptid_t.  If we fallback to inf_ptrace_target with
+	 that inferior_ptid, then the ptrace code will do the ptrace
+	 call targeting inferior_ptid.pid(), the leader LWP.  That
+	 may fail with ESRCH if the leader is currently running, or
+	 zombie.  So if we get a pid-ptid, we try to find a stopped
+	 LWP to use with ptrace.
+
+	 Note that inferior_ptid may not exist in the lwp / thread /
+	 inferior lists.  This can happen when we're removing
+	 breakpoints from a fork child that we're not going to stay
+	 attached to.  So if we don't find a stopped LWP, still do the
+	 ptrace call, targeting the inferior_ptid we had on entry.  */
+      scoped_restore save_inferior_ptid = make_scoped_restore (&inferior_ptid);
+      lwp_info *stopped = find_stopped_lwp (inferior_ptid.pid ());
+      if (stopped != nullptr)
+	inferior_ptid = stopped->ptid;
+      return inf_ptrace_target::xfer_partial (object, annex, readbuf, writebuf,
+					      offset, len, xfered_len);
     }
 
   return inf_ptrace_target::xfer_partial (object, annex, readbuf, writebuf,