* over-permissive stack_chk_guard on ARM
@ 2014-10-22 14:22 Joel Brobecker
  2014-10-23  2:53 ` Yao Qi
  0 siblings, 1 reply; 9+ messages in thread
From: Joel Brobecker @ 2014-10-22 14:22 UTC (permalink / raw)
  To: Yao Qi; +Cc: gdb-patches


Hi Yao,

I don't know if you remember, but we discussed an ARM patch back
in Dec 2010, which was adding support for skipping stack-check-guard
code as part of the prologue:
https://www.sourceware.org/ml/gdb-patches/2010-12/msg00110.html

I discovered that the heuristic used is mistakenly thinking that
some code that fetches a global is some stack_chk_guard code,
which, in turn, causes the debugger to skip it when inserting
breakpoints.

The full code is attached, but I suspect you will not have the Ada
compiler to build it. But I can send you the binary if you need it.
At this point, I am just trying to collect more info.

In our case, we're trying to insert a breakpoint on str.adb:4,
where the code looks like this:

  3 procedure STR is
  4    XX : String (1 .. Blocks.Sz) := (others => 'X'); -- STOP
  5    K : Integer;
  6 begin
  7    K := 13;

Line 4 declares a new variable "XX" which is an array whose
size is determined by the value of a global variable "Sz"
from package "Blocks", and then assigns it an initial value
(all 'X'-s).

The generated code starts like this:

    (gdb) disass str'address
    Dump of assembler code for function _ada_str:
       --# Line str.adb:3
       0x08000014 <+0>:     push    {r4, r7, lr}
       0x08000016 <+2>:     sub     sp, #28
       0x08000018 <+4>:     add     r7, sp, #0
       0x0800001a <+6>:     mov     r3, sp
       0x0800001c <+8>:     mov     r4, r3
       --# Line str.adb:4
       0x0800001e <+10>:    ldr     r3, [pc, #84]   ; (0x8000074 <_ada_str+96>)
       0x08000020 <+12>:    ldr     r3, [r3, #0]
       0x08000022 <+14>:    str     r3, [r7, #20]
       0x08000024 <+16>:    ldr     r3, [r7, #20]
       [...]

When computing the address related to str.adb:4, GDB correctly
resolves it to 0x0800001e first, but then considers the next
3 instructions as being part of the prologue because it thinks
they are part of stack-protector code. As a result, instead
of inserting the breakpoint at line 4, it skips those instructions
and consequently the rest of the instructions until the next
line start, which is line 7.

Looking at the implementation of the prologue analysis, it seems
that a normal sequence would be what you put in the comments:

        ldr     Rn, .Label
        ....
        .Label:
        .word   __stack_chk_guard

But the implementation seems to be going further than that.
If the location of the first ldr points to data that's not
the address of __stack_chk_guard, then it looks at the next
two instructions, to see if they might be following another
pattern:

      /* Step 2: ldr Rd, [Rn, #immed], encoding T1.  */
      /* Step 3: str Rd, [Rn, #immed], encoding T1.  */

Looking at the code and the function description, it seems to me
that the normal situation would be what the comment alluded to,
and that if it was the entire story, we wouldn't have needed
the code doing steps 2 & 3. But, looking at the email archives
as well as the bug report initially referenced, I can't really
find any explanation for what prompted you to add that code.
I would need that in order to adjust the heuristics without
breaking your situation.

Do you remember, by any chance?

-- 
Joel

[-- Attachment #2: blocks.ads --]
[-- Type: text/plain, Size: 109 bytes --]

with System;

package Blocks is

   SZ : Integer := 15;

   procedure Do_Nothing (A : System.Address);

end;

[-- Attachment #3: blocks.adb --]
[-- Type: text/plain, Size: 118 bytes --]

package body Blocks is

   procedure Do_Nothing (A : System.Address) is
   begin
      null;
   end Do_Nothing;

end;

[-- Attachment #4: str.adb --]
[-- Type: text/plain, Size: 200 bytes --]

with Blocks;

procedure STR is
   XX : String (1 .. Blocks.Sz) := (others => 'X'); -- STOP
   K : Integer;
begin
   K := 13;
   Blocks.Do_Nothing (XX'Address);
   Blocks.Do_Nothing (K'Address);
end;

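The two heuristics the mail contrasts, as an added example that is not GDB's code: a small model of the Thumb prologue check, run over the three instructions from the disassembly above. The "loose" variant accepts on instruction shape alone (steps 2 and 3), the "strict" variant also requires the literal to be the address of `__stack_chk_guard`. The literal-pool contents, the symbol addresses and the symbol names are constructed.

```python
# Model of the ARM/Thumb stack-protector prologue heuristic discussed above.
# Added example, not GDB's implementation. Assumes 16-bit Thumb-1 encodings,
# a code map {addr: halfword}, a memory map {addr: 32-bit literal} and a
# symbol map {addr: name}; all values below are constructed.

def align4(x):
    return x & ~3

def decode(halfword):
    """Classify a Thumb-1 halfword into the shapes the heuristic looks for."""
    if halfword & 0xF800 == 0x4800:     # ldr Rt, [pc, #imm8*4]   (T1)
        return ("ldr_lit", (halfword >> 8) & 7, (halfword & 0xFF) * 4)
    if halfword & 0xF800 == 0x6800:     # ldr Rt, [Rn, #imm5*4]   (T1)
        return ("ldr_imm", halfword & 7, (halfword >> 3) & 7, ((halfword >> 6) & 0x1F) * 4)
    if halfword & 0xF800 == 0x6000:     # str Rt, [Rn, #imm5*4]   (T1)
        return ("str_imm", halfword & 7, (halfword >> 3) & 7, ((halfword >> 6) & 0x1F) * 4)
    return ("other",)

def skip_stack_protector(pc, code, mem, symbols, strict):
    """Return the address at which to place a breakpoint after any
    stack-protector code starting at PC (PC itself if none is recognised)."""
    step1 = decode(code.get(pc, 0))
    if step1[0] != "ldr_lit":
        return pc
    # Thumb PC-relative load: literal sits at Align(pc+4, 4) + imm.
    literal_addr = align4(pc + 4) + step1[2]
    loads_guard = symbols.get(mem.get(literal_addr)) == "__stack_chk_guard"
    step2 = decode(code.get(pc + 2, 0))
    step3 = decode(code.get(pc + 4, 0))
    shape_ok = (step2[0] == "ldr_imm" and step3[0] == "str_imm"
                and step2[1] == step3[1])          # same Rd in steps 2 and 3
    if loads_guard:
        return pc + 6                              # genuine canary setup
    if strict:
        return pc                                  # some other global: keep the line start
    return pc + 6 if shape_ok else pc              # loose: shape alone is enough

# Constructed instance of the _ada_str prologue at str.adb:4 (see the dump above).
CODE = {0x0800001E: 0x4B15,   # ldr r3, [pc, #84]   -> literal at 0x08000074
        0x08000020: 0x681B,   # ldr r3, [r3, #0]
        0x08000022: 0x617B}   # str r3, [r7, #20]
MEM = {0x08000074: 0x20000000}              # constructed address of Blocks.Sz
SYMBOLS_SZ = {0x20000000: "blocks__sz"}    # constructed symbol: a plain global
SYMBOLS_GUARD = {0x20000000: "__stack_chk_guard"}

if __name__ == "__main__":
    for name, syms in (("global Sz", SYMBOLS_SZ), ("real guard", SYMBOLS_GUARD)):
        for strict in (False, True):
            bp = skip_stack_protector(0x0800001E, CODE, MEM, syms, strict)
            print(f"{name:11s} strict={strict!s:5s} breakpoint at 0x{bp:08x}")
```

With the loose check the breakpoint for the Blocks.Sz load lands at 0x08000024 (past line 4's first three instructions); the strict check keeps it at 0x0800001e, while a genuine `__stack_chk_guard` load is skipped by both.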
