From: Simon Marchi <simon.marchi@efficios.com>
To: gdb-patches@sourceware.org
Cc: Simon Marchi <simon.marchi@efficios.com>
Subject: [PATCH 2/2] gdb/dwarf: fix UBsan crash in read_subrange_type
Date: Fri, 20 Jan 2023 00:08:24 -0500
Message-ID: <20230120050824.306976-2-simon.marchi@efficios.com>
In-Reply-To: <20230120050824.306976-1-simon.marchi@efficios.com>
When running gdb.ada/arrayptr.exp (and others) on Ubuntu 22.04, with the
`gnat-11` package installed (not `gnat`), with UBSan activated, I get:
(gdb) break foo.adb:40
/home/smarchi/src/binutils-gdb/gdb/dwarf2/read.c:17689:20: runtime error: shift exponent 127 is too large for 64-bit type 'long unsigned int'
The problematic DIEs are:
0x00001460: DW_TAG_subrange_type
DW_AT_lower_bound [DW_FORM_data1] (0x00)
DW_AT_upper_bound [DW_FORM_data16] (ffffffffffffffff3f00000000000000)
DW_AT_name [DW_FORM_strp] ("foo__packed_array___XP7___XDLU_0__1180591620717411303423")
DW_AT_type [DW_FORM_ref4] (0x0000153f "long_long_long_unsigned")
DW_AT_GNAT_descriptive_type [DW_FORM_ref4] (0x0000147e)
DW_AT_artificial [DW_FORM_flag_present] (true)
0x0000153f: DW_TAG_base_type
DW_AT_byte_size [DW_FORM_data1] (0x10)
DW_AT_encoding [DW_FORM_data1] (DW_ATE_unsigned)
DW_AT_name [DW_FORM_strp] ("long_long_long_unsigned")
DW_AT_artificial [DW_FORM_flag_present] (true)
When processed by this code:
negative_mask =
-((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
if (low.kind () == PROP_CONST
&& !base_type->is_unsigned () && (low.const_val () & negative_mask))
low.set_const_val (low.const_val () | negative_mask);
When the base type's length (16 bytes in this case) is larger than a
ULONGEST (typically 8 bytes), the bit shift is too large.
My obvious fix is just to skip the fixup for base types larger than a
ULONGEST (8 bytes). I don't think we really handle constant attribute
values larger than 8 bytes anyway, so this is part of a much larger
problem.
Add a test that replicates this situation, but uses bounds that fit in a
signed 64 bit, so we get a sensible result.
Change-Id: I8d0a24f3edd83b44e0761a0ce38922d3e2e112fb
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29386
---
gdb/dwarf2/read.c | 29 ++++++++++++++++++---------
gdb/testsuite/gdb.dwarf2/subrange.exp | 22 ++++++++++++++++++++
2 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/gdb/dwarf2/read.c b/gdb/dwarf2/read.c
index 44b54f77de9..87846788604 100644
--- a/gdb/dwarf2/read.c
+++ b/gdb/dwarf2/read.c
@@ -17588,7 +17588,6 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
int low_default_is_valid;
int high_bound_is_count = 0;
const char *name;
- ULONGEST negative_mask;
orig_base_type = read_subrange_index_type (die, cu);
@@ -17684,15 +17683,25 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
with GCC, for instance, where the ambiguous DW_FORM_dataN form
is used instead. To work around that ambiguity, we treat
the bounds as signed, and thus sign-extend their values, when
- the base type is signed. */
- negative_mask =
- -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
- if (low.kind () == PROP_CONST
- && !base_type->is_unsigned () && (low.const_val () & negative_mask))
- low.set_const_val (low.const_val () | negative_mask);
- if (high.kind () == PROP_CONST
- && !base_type->is_unsigned () && (high.const_val () & negative_mask))
- high.set_const_val (high.const_val () | negative_mask);
+ the base type is signed.
+
+ Skip it if the base type's length is largest than ULONGEST, to avoid
+ the undefined behavior of a too large left shift. We don't really handle
+ constants larger than 8 bytes anyway, at the moment. */
+
+ if (base_type->length () <= sizeof (ULONGEST))
+ {
+ ULONGEST negative_mask
+ = -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
+
+ if (low.kind () == PROP_CONST
+ && !base_type->is_unsigned () && (low.const_val () & negative_mask))
+ low.set_const_val (low.const_val () | negative_mask);
+
+ if (high.kind () == PROP_CONST
+ && !base_type->is_unsigned () && (high.const_val () & negative_mask))
+ high.set_const_val (high.const_val () | negative_mask);
+ }
/* Check for bit and byte strides. */
struct dynamic_prop byte_stride_prop;
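Review bot: the new `if (base_type->length () <= sizeof (ULONGEST))` guard closes the too-large exponent, but a zero-length base type would still produce an exponent of `0 * TARGET_CHAR_BIT - 1`, i.e. -1, which is equally undefined; if a DW_AT_byte_size of 0 can reach this point, `base_type->length () > 0 &&` belongs in the same condition. In the new comment, "largest than ULONGEST" should read "larger than ULONGEST", and since the condition compares against `sizeof (ULONGEST)` (a host property) rather than a literal, saying "constants larger than sizeof (ULONGEST)" in the comment would match the code better than "8 bytes".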
diff --git a/gdb/testsuite/gdb.dwarf2/subrange.exp b/gdb/testsuite/gdb.dwarf2/subrange.exp
index 8a8443f31a8..556422629a3 100644
--- a/gdb/testsuite/gdb.dwarf2/subrange.exp
+++ b/gdb/testsuite/gdb.dwarf2/subrange.exp
@@ -77,6 +77,26 @@ Dwarf::assemble $asm_file {
{name subrange_with_buggy_negative_bounds_variable}
{type :$subrange_with_buggy_negative_bounds_label}
}
+
+ # This subrange's base type is 16-bytes long (although the bounds fit in
+ # signed 64-bit). This is to test the fix for PR 29386.
+ declare_labels a_16_byte_integer_label a_16_byte_subrange_label
+
+ a_16_byte_integer_label: base_type {
+ {byte_size 16 udata}
+ {encoding @DW_ATE_signed}
+ }
+
+ a_16_byte_subrange_label: subrange_type {
+ {lower_bound -9223372036854775808 DW_FORM_sdata}
+ {upper_bound 9223372036854775807 DW_FORM_sdata}
+ {type :$a_16_byte_integer_label}
+ }
+
+ DW_TAG_variable {
+ {name a_16_byte_subrange_variable}
+ {type :$a_16_byte_subrange_label}
+ }
}
}
}
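Review bot: the added test only checks that a 16-byte base type no longer trips the shift; because both bounds are given as DW_FORM_sdata and fit in signed 64-bit, the sign-extension fixup that the guard now skips would not have changed them anyway, so a value that genuinely needs 16 bytes is still untested. The comment would benefit from saying so explicitly, and "is 16-bytes long" should read "is 16 bytes long".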
@@ -92,3 +112,5 @@ gdb_test "ptype TByteArray" \
"type = array \\\[0\\.\\.191\\\] of byte"
gdb_test "ptype subrange_with_buggy_negative_bounds_variable" \
"type = -16..-12"
+gdb_test "ptype a_16_byte_subrange_variable" \
+ "type = -9223372036854775808..9223372036854775807"
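Review bot: in the expected pattern `"type = -9223372036854775808..9223372036854775807"` the `..` are unescaped regex metacharacters, so any two characters between the bounds would be accepted; the `ptype TByteArray` check above escapes them (`0\\.\\.191`), so `\\.\\.` here would be consistent with it. The existing `subrange_with_buggy_negative_bounds_variable` check has the same weakness, but that is pre-existing.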
--
2.39.1
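To make the sign-extension logic that the patch narrows concrete, here is an added, self-contained example (my own code, not gdb's) that models the fixup for a subrange bound read from an ambiguous DW_FORM_dataN form, together with the length guard. `ulongest_t`, `TARGET_CHAR_BIT_`, `negative_mask_for`, `fix_bound` and `fixed_bound` are names chosen for the example; a 64-bit ULONGEST and an 8-bit target char are assumptions, matching the reading in the commit message. It also rejects a zero-byte base type, which the patch itself does not check; that is an addition of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

/* Example code, not gdb's.  Stand-ins for ULONGEST and TARGET_CHAR_BIT;
   a 64-bit ULONGEST and an 8-bit target char are assumptions here.  */
typedef uint64_t ulongest_t;
static const size_t TARGET_CHAR_BIT_ = 8;

/* All bits at and above the sign bit of a LENGTH-byte integer.  Only valid
   for 1 <= LENGTH <= sizeof (ulongest_t); anything else shifts by an
   exponent outside [0, 63], which is the undefined behavior UBSan reported
   (a 16-byte type gives exponent 127).  */
static ulongest_t
negative_mask_for (size_t length)
{
  return -((ulongest_t) 1 << (length * TARGET_CHAR_BIT_ - 1));
}

/* Model of the bound fixup in read_subrange_type.  RAW is the value of a
   DW_AT_lower_bound/DW_AT_upper_bound read from an ambiguous DW_FORM_dataN
   form (so it arrives zero-extended); BASE_TYPE_LENGTH is the DW_AT_byte_size
   of the subrange's base type.  The sign-extended (or untouched) bound is
   stored in *OUT.  Returns false when the fixup is skipped because the base
   type is wider than ulongest_t (the patched case) or zero bytes wide (the
   other out-of-range exponent; an addition of this example).  */
static bool
fix_bound (ulongest_t raw, size_t base_type_length,
           bool base_type_is_unsigned, int64_t *out)
{
  *out = (int64_t) raw;
  if (base_type_length == 0 || base_type_length > sizeof (ulongest_t))
    return false;
  if (!base_type_is_unsigned)
    {
      ulongest_t mask = negative_mask_for (base_type_length);
      if (raw & mask)
        *out = (int64_t) (raw | mask);
    }
  return true;
}

/* Convenience wrapper returning just the resulting bound.  */
static int64_t
fixed_bound (ulongest_t raw, size_t base_type_length,
             bool base_type_is_unsigned)
{
  int64_t v;
  fix_bound (raw, base_type_length, base_type_is_unsigned, &v);
  return v;
}

int
main ()
{
  /* Constructed inputs: the -16 and -12 bounds used in subrange.exp, read as
     1- and 2-byte unsigned data, plus a 16-byte base type like the Ada DIE
     in the commit message.  */
  struct { ulongest_t raw; size_t len; bool uns; const char *what; } cases[] = {
    { 0xf0, 1, false, "0xf0, 1-byte signed base" },
    { 0xf0, 1, true, "0xf0, 1-byte unsigned base" },
    { 0xfff4, 2, false, "0xfff4, 2-byte signed base" },
    { 0x8000000000000000ull, 16, false, "16-byte signed base" },
  };
  for (const auto &c : cases)
    {
      int64_t v;
      bool ran = fix_bound (c.raw, c.len, c.uns, &v);
      printf ("%-28s -> %lld (%s)\n", c.what, (long long) v,
              ran ? "fixup evaluated" : "fixup skipped");
    }
  return 0;
}
```

Build with `g++ -std=c++11 -fsanitize=undefined`; removing the length check in `fix_bound` reproduces a "shift exponent 127 is too large for 64-bit type" report for the 16-byte case, which is the same diagnostic the commit message quotes from read.c.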
Thread overview: 6+ messages
2023-01-20 5:08 [PATCH 1/2] gdb/testsuite: add test for negative subrange bounds with unsigned form Simon Marchi
2023-01-20 5:08 ` Simon Marchi [this message]
2023-01-20 13:03 ` [PATCH 2/2] gdb/dwarf: fix UBsan crash in read_subrange_type Andrew Burgess
2023-01-20 16:51 ` Simon Marchi
2023-01-20 12:51 ` [PATCH 1/2] gdb/testsuite: add test for negative subrange bounds with unsigned form Andrew Burgess
2023-01-20 16:38 ` Simon Marchi