From: Simon Marchi <simark@simark.ca>
To: Andrew Burgess <aburgess@redhat.com>, gdb-patches@sourceware.org
Subject: Re: [PATCH] gdb: fix missing null-character when using value_cstring
Date: Tue, 4 Apr 2023 09:58:37 -0400
Message-ID: <3d7197c2-424c-1458-93aa-d23fedac3d70@simark.ca>
In-Reply-To: <bd413d3c6999985d51818a5b4d5d8b7d6e9552d4.1680558527.git.aburgess@redhat.com>
On 4/3/23 17:49, Andrew Burgess via Gdb-patches wrote:
> In PR gdb/21699 an issue was reported with the $_as_string convenience
> function. It was observed that the string returned by this function,
> when pushed into the inferior, was not null terminated.
>
> This was causing problems when using the result with GDB's printf
> command, as this command relies on the string having been pushed into
> the inferior and being null terminated.
>
> The bug includes a simple reproducer:
>
> #include <stddef.h>
> static char arena[51] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
>
> /* Override malloc() so value_coerce_to_target() gets a known pointer, and we
>    know we'll see an error if $_as_string() gives a string that isn't NULL
>    terminated. */
> void
> *malloc (size_t size)
> {
>   if (size > sizeof (arena))
>     return NULL;
>   return arena;
> }
>
> int
> main ()
> {
>   return 0;
> }
>
> Then use this in a GDB session like this:
>
> $ gdb -q test
> Reading symbols from /tmp/test...
> (gdb) start
> Temporary breakpoint 1 at 0x4004c8: file test.c, line 17.
> Starting program: /tmp/test
>
> Temporary breakpoint 1, main () at test.c:17
> 17 return 0;
> (gdb) printf "%s\n", $_as_string("hello")
> "hello"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> (gdb) quit
>
> The problem is with the GDB function value_cstring, or at least, how
> this function is being used.
>
> When $_as_string is called we enter fnpy_call (python/py-function.c),
> this calls into Python code. The Python code returns a result, which
> will be a Python string, and then we call convert_value_from_python to
> convert the Python string to a GDB value.
>
> In convert_value_from_python (python/py-value.c) we enter the
> gdbpy_is_string case (as the result is a string), then we call
> python_string_to_target_string, which returns a null terminated C
> string. Next we then make this call:
>
>   value = value_cstring (s.get (), strlen (s.get ()),
>                          builtin_type_pychar);
>
> This passes the pointer to the first character 's.get ()' and the
> length of the string 'strlen (s.get ())', however, this length does
> not include the trailing null character.
>
> If we look at value_cstring (valops.c) we see that an array is created
> using the passed in length, and characters are copied into the newly
> allocated array value. This means we do not copy the string's trailing
> null character, nor does value_cstring add a trailing null.
>
> Finally, when we use this array value with printf, GDB pushes the
> array to the inferior, which mallocs some space based on the array
> length, and then copies the array content to the inferior.
>
> As the array doesn't include a trailing null, non is written into the
non -> none
> inferior. So what we place into the inferior is not a C string, but
> is actually an array of characters.
>
> When printf tries to print the value it starts at the address of the
> first character and continues until it reaches a null. When that will
> be is undefined, so we may end up printing random garbage.
>
> Now, ignore for a moment that the whole push an array to the inferior
> just so we can fetch it in order to print it is clearly crazy. That's
> a problem for another day I think. The important question here is:
> should value_cstring include a null character or not.
>
> Given the function name includes 'cstring', which I'm assuming means C
> style string, I think that we should be including a trailing null.
>
> Given that, I see two possibilities, either value_cstring can always
> add a trailing null, or value_cstring can assert that there is a
> trailing null, and the caller is responsible for making sure that the
> passed in length includes the null character.
>
> Given we're always passing from a C style string to begin with the
> question is really, should the length being passed to value_cstring
> include the null, or not include the null?
>
> The only place where we currently include the null in the passed
> length is from c_string_operation::evaluate. Every other use of
> value_cstring passes the length excluding the null.
>
> I was tempted to adjust c_string_operation::evaluate to exclude the
> null, and then have value_cstring add a trailing null. However, this
> does mean that if, in the future, a use is introduced that incorrectly
> includes the trailing null in the passed length, then we are unlikely
> to spot immediately - we'd instead create an array with two null
> characters at the end.
You can always assert that the last character is not '\0'.
>
> Alternatively, if we change the requirements of value_cstring so that
> we require the passed length includes the trailing null, then we can
> assert that this is indeed the case within value_cstring. Any
> incorrect uses in the future will be quickly spotted.
>
> So that's what I did, c_string_operation::evaluate is left unchanged,
> but every other use of value_cstring is adjusted with a '+ 1' so that
> we include the null within the length being passed.
That sounds counterintuitive to me. With an API of style pointer +
length, I don't expect the length to include the null terminator. It
also unnecessarily forces the caller to have a null-terminated version
of the string, which may not always be the case (you might want to call
value_cstring on a subset of an existing string).
I think that:

  struct value *
  value_cstring (const char *ptr, ssize_t len, struct type *char_type)

should take a length excluding the null terminator, but include a null
terminator in the result (its job is to build a C string, and a C string
requires a null terminator at the end).

We can have the following overload, for convenience, for places that
already have a C string but don't already know its length:

  struct value *
  value_cstring (const char *str, struct type *char_type)
  {
    return value_cstring (str, strlen (str), char_type);
  }
> I've added a header comment to value_cstring (value.h) to describe the
> requirements.
>
> Upon testing there were two tests that failed after this fix,
> gdb.base/settings.exp and gdb.python/py-mi.exp. In both of these
> cases we end up asking for the type of a character array allocated
> through value_cstring. The length of this array has now increased by
> one. Here's the previous behaviour:
>
> (gdb) set args abc
> (gdb) p $_gdb_setting("args")
> $1 = "abc"
> (gdb) ptype $1
> type = char [3]
> (gdb)
>
> And here's the modified behaviour:
>
> (gdb) set args abc
> (gdb) p $_gdb_setting("args")
> $1 = "abc"
> (gdb) ptype $1
> type = char [4]
> (gdb)
>
> Notice the type of $1 changed from an array of length 3 to an array of
> length 4. However, I don't think this is a bad thing, consider:
>
> char lit[] = "zzz";
> int
> main()
> {
>   return 0;
> }
>
> And in GDB:
>
> (gdb) ptype lit
> type = char [4]
> (gdb)
>
> The null character is considered part of the array, so I think the new
> behaviour makes sense.
Makes sense.
> diff --git a/gdb/testsuite/gdb.base/cstring-exprs.c b/gdb/testsuite/gdb.base/cstring-exprs.c
> new file mode 100644
> index 00000000000..8135edd97d4
> --- /dev/null
> +++ b/gdb/testsuite/gdb.base/cstring-exprs.c
> @@ -0,0 +1,51 @@
> +/* This testcase is part of GDB, the GNU debugger.
> +
> + Copyright 2023 Free Software Foundation, Inc.
> +
> + This program is free software; you can redistribute it and/or modify
> + it under the terms of the GNU General Public License as published by
> + the Free Software Foundation; either version 3 of the License, or
> + (at your option) any later version.
> +
> + This program is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + GNU General Public License for more details.
> +
> + You should have received a copy of the GNU General Public License
> + along with this program. If not, see <http://www.gnu.org/licenses/>. */
> +
> +#include <stddef.h>
> +#include <string.h>
> +
> +/* A memory area used as the malloc memory buffer. */
> +
> +static char arena[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
> +
> +/* Override malloc(). When GDB tries to push strings into the inferior we
> + always return the same pointer to arena. This does mean we can't have
> + multiple strings in use at the same time, but that's fine for our basic
> + testing, and this is simpler than using dlsym. */
> +
> +void
> +*malloc (size_t size)
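Review bot: the override at `*malloc (size_t size)` hands every request the same `arena`, but nothing in the part of this hunk shown here overrides `free`; if anything in the inferior (or GDB's cleanup after pushing a string) ends up calling the libc `free` on a pointer into `arena`, that is a free of non-heap memory. Either add matching no-op `free` (and, for completeness, `calloc`/`realloc`) overrides next to this one, or state in the header comment why that path cannot be reached in this test.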
The * is on the wrong line.
Simon
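The mechanism Andrew describes (bytes copied into the inferior's arena without a terminator, so printf runs on into the 'x' padding) and the contract Simon proposes (length excludes the null, result always gets one, with an assert that the last counted byte is not '\0'), as an added stand-alone C illustration that is not GDB code. `arena`, `push_array`, `push_cstring` and `push_cstring_str` are constructed stand-ins for the inferior buffer and for value_cstring's old and proposed behaviour.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the inferior's malloc arena in the bug report:
   filled with 'x' and null-terminated only at its very end.  */
#define ARENA_SIZE 51
static char arena[ARENA_SIZE];

static char *reset_arena (void)
{
  memset (arena, 'x', ARENA_SIZE - 1);
  arena[ARENA_SIZE - 1] = '\0';
  return arena;
}

/* Pre-fix behaviour: exactly LEN bytes are copied and no terminator is
   added, so the "string" silently runs on into whatever follows it.  */
static char *push_array (const char *ptr, size_t len)
{
  if (len > ARENA_SIZE)
    return NULL;
  return memcpy (reset_arena (), ptr, len);
}

/* Proposed contract: LEN excludes the terminator (so a slice of a longer
   buffer is fine) and the result always gets one.  The assert is Simon's
   suggestion for catching callers that still count the null in LEN.  */
static char *push_cstring (const char *ptr, size_t len)
{
  if (len + 1 > ARENA_SIZE)
    return NULL;
  assert (len == 0 || ptr[len - 1] != '\0');
  char *dst = memcpy (reset_arena (), ptr, len);
  dst[len] = '\0';
  return dst;
}

/* Convenience form for callers that already hold a whole C string.  */
static char *push_cstring_str (const char *str)
{
  return push_cstring (str, strlen (str));
}

int main (void)
{
  printf ("%s\n", push_array ("\"hello\"", 7));    /* "hello"xxxx... */
  printf ("%s\n", push_cstring_str ("\"hello\""));  /* "hello" */
  return 0;
}
```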