From: Simon Marchi
To: gdb-patches@sourceware.org
Cc: Simon Marchi
Subject: [PATCH 2/2] gdb/dwarf: fix UBsan crash in read_subrange_type
Date: Fri, 20 Jan 2023 00:08:24 -0500
Message-Id: <20230120050824.306976-2-simon.marchi@efficios.com>
In-Reply-To: <20230120050824.306976-1-simon.marchi@efficios.com>
References: <20230120050824.306976-1-simon.marchi@efficios.com>

When running gdb.ada/arrayptr.exp (and others) on Ubuntu 22.04, with the
`gnat-11` package installed (not `gnat`), with UBSan activated, I get:

    (gdb) break foo.adb:40
    /home/smarchi/src/binutils-gdb/gdb/dwarf2/read.c:17689:20: runtime error: shift exponent 127 is too large for 64-bit type 'long unsigned int'

The problematic DIEs are:

    0x00001460: DW_TAG_subrange_type
                  DW_AT_lower_bound [DW_FORM_data1] (0x00)
                  DW_AT_upper_bound [DW_FORM_data16] (ffffffffffffffff3f00000000000000)
                  DW_AT_name [DW_FORM_strp] ("foo__packed_array___XP7___XDLU_0__1180591620717411303423")
                  DW_AT_type [DW_FORM_ref4] (0x0000153f "long_long_long_unsigned")
                  DW_AT_GNAT_descriptive_type [DW_FORM_ref4] (0x0000147e)
                  DW_AT_artificial [DW_FORM_flag_present] (true)

    0x0000153f: DW_TAG_base_type
                  DW_AT_byte_size [DW_FORM_data1] (0x10)
                  DW_AT_encoding [DW_FORM_data1] (DW_ATE_unsigned)
                  DW_AT_name [DW_FORM_strp] ("long_long_long_unsigned")
                  DW_AT_artificial [DW_FORM_flag_present] (true)

When processed by this code:

    negative_mask =
      -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
    if (low.kind () == PROP_CONST
        && !base_type->is_unsigned () && (low.const_val () & negative_mask))
      low.set_const_val (low.const_val () | negative_mask);

When the base type's length (16 bytes in this case) is larger than a
ULONGEST (typically 8 bytes), the bit shift is too large.  My obvious
fix is just to skip the fixup for base types larger than a ULONGEST (8
bytes).  I don't think we really handle constant attribute values larger
than 8 bytes anyway, so this is part of a much larger problem.

Add a test that replicates this situation, but uses bounds that fit in a
signed 64 bit, so we get a sensible result.

Change-Id: I8d0a24f3edd83b44e0761a0ce38922d3e2e112fb
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29386
--- gdb/dwarf2/read.c | 29 ++++++++++++++++++--------- gdb/testsuite/gdb.dwarf2/subrange.exp | 22 ++++++++++++++++++++ 2 files changed, 41 insertions(+), 10 deletions(-) diff --git a/gdb/dwarf2/read.c b/gdb/dwarf2/read.c index 44b54f77de9..87846788604 100644 --- a/gdb/dwarf2/read.c +++ b/gdb/dwarf2/read.c @@ -17588,7 +17588,6 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu) int low_default_is_valid; int high_bound_is_count = 0; const char *name; - ULONGEST negative_mask; orig_base_type = read_subrange_index_type (die, cu); 
@@ -17684,15 +17683,25 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu) with GCC, for instance, where the ambiguous DW_FORM_dataN form is used instead. To work around that ambiguity, we treat the bounds as signed, and thus sign-extend their values, when - the base type is signed. */ - negative_mask = - -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1)); - if (low.kind () == PROP_CONST - && !base_type->is_unsigned () && (low.const_val () & negative_mask)) - low.set_const_val (low.const_val () | negative_mask); - if (high.kind () == PROP_CONST - && !base_type->is_unsigned () && (high.const_val () & negative_mask)) - high.set_const_val (high.const_val () | negative_mask); + the base type is signed. + + Skip it if the base type's length is largest than ULONGEST, to avoid + the undefined behavior of a too large left shift. We don't really handle + constants larger than 8 bytes anyway, at the moment. */ + + if (base_type->length () <= sizeof (ULONGEST)) + { + ULONGEST negative_mask + = -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1)); + + if (low.kind () == PROP_CONST + && !base_type->is_unsigned () && (low.const_val () & negative_mask)) + low.set_const_val (low.const_val () | negative_mask); + + if (high.kind () == PROP_CONST + && !base_type->is_unsigned () && (high.const_val () & negative_mask)) + high.set_const_val (high.const_val () | negative_mask); + } /* Check for bit and byte strides. */ struct dynamic_prop byte_stride_prop; diff --git a/gdb/testsuite/gdb.dwarf2/subrange.exp b/gdb/testsuite/gdb.dwarf2/subrange.exp index 8a8443f31a8..556422629a3 100644 --- a/gdb/testsuite/gdb.dwarf2/subrange.exp +++ b/gdb/testsuite/gdb.dwarf2/subrange.exp 
@@ -77,6 +77,26 @@ Dwarf::assemble $asm_file { {name subrange_with_buggy_negative_bounds_variable} {type :$subrange_with_buggy_negative_bounds_label} } + + # This subrange's base type is 16-bytes long (although the bounds fit in + # signed 64-bit). This is to test the fix for PR 29386. + declare_labels a_16_byte_integer_label a_16_byte_subrange_label + + a_16_byte_integer_label: base_type { + {byte_size 16 udata} + {encoding @DW_ATE_signed} + } + + a_16_byte_subrange_label: subrange_type { + {lower_bound -9223372036854775808 DW_FORM_sdata} + {upper_bound 9223372036854775807 DW_FORM_sdata} + {type :$a_16_byte_integer_label} + } + + DW_TAG_variable { + {name a_16_byte_subrange_variable} + {type :$a_16_byte_subrange_label} + } } } } @@ -92,3 +112,5 @@ gdb_test "ptype TByteArray" \ "type = array \\\[0\\.\\.191\\\] of byte" gdb_test "ptype subrange_with_buggy_negative_bounds_variable" \ "type = -16..-12" +gdb_test "ptype a_16_byte_subrange_variable" \ + "type = -9223372036854775808..9223372036854775807" -- 2.39.1
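
Review bot: in the read.c hunk at @@ -17684, the new guard `base_type->length () <= sizeof (ULONGEST)` bounds the shift only from above. If length () is 0 for a base type built from malformed DWARF, the exponent `base_type->length () * TARGET_CHAR_BIT - 1` is still out of range and the shift stays undefined. Suggest `base_type->length () > 0 && base_type->length () <= sizeof (ULONGEST)`. Separately, the added comment says "largest than ULONGEST", which should read "larger than a ULONGEST".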
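
Review bot: in the subrange.exp hunk at @@ -77,6, the added DIEs use a DW_ATE_signed base type with DW_FORM_sdata bounds, while the DIEs quoted in the commit message have a DW_ATE_unsigned base type and a DW_FORM_data16 upper bound, so the attribute form from the original report is not exercised. The commit message gives the reason (bounds that fit in signed 64 bits produce a sensible result); the test comment should say so too, so a later reader does not assume 16-byte bound values are covered. In the same comment, "16-bytes long" should be "16 bytes long".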
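
Review bot: in the last subrange.exp hunk (@@ -92,3), the new gdb_test matches only the printed bounds, and the defect being fixed is undefined behaviour rather than a guaranteed wrong value, so a GDB built without UBSan may print the same `-9223372036854775808..9223372036854775807` before and after the read.c change. Suggest a comment next to the test stating that the regression is reliably caught only by a sanitized build.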