From: Andrew Burgess <aburgess@redhat.com>
To: Simon Marchi <simark@simark.ca>, gdb-patches@sourceware.org
Subject: Re: [PATCH] gdb: fix missing null-character when using value_cstring
Date: Thu, 06 Apr 2023 14:20:49 +0100 [thread overview]
Message-ID: <87r0sxb0zy.fsf@redhat.com> (raw)
In-Reply-To: <3d7197c2-424c-1458-93aa-d23fedac3d70@simark.ca>
Simon Marchi <simark@simark.ca> writes:
> On 4/3/23 17:49, Andrew Burgess via Gdb-patches wrote:
>> In PR gdb/21699 an issue was reported with the $_as_string convenience
>> function. It was observed that the string returned by this function,
>> when pushed into the inferior, was not null terminated.
>>
>> This was causing problems when using the result with GDB's printf
>> command, as this command relies on the string having been pushed into
>> the inferior and being null terminated.
>>
>> The bug includes a simple reproducer:
>>
>> #include <stddef.h>
>> static char arena[51] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
>>
>> /* Override malloc() so value_coerce_to_target() gets a known pointer, and we
>> know we"ll see an error if $_as_string() gives a string that isn't NULL
>> terminated. */
>> void
>> *malloc (size_t size)
>> {
>> if (size > sizeof (arena))
>> return NULL;
>> return arena;
>> }
>>
>> int
>> main ()
>> {
>> return 0;
>> }
>>
>> Then use this in a GDB session like this:
>>
>> $ gdb -q test
>> Reading symbols from /tmp/test...
>> (gdb) start
>> Temporary breakpoint 1 at 0x4004c8: file test.c, line 17.
>> Starting program: /tmp/test
>>
>> Temporary breakpoint 1, main () at test.c:17
>> 17 return 0;
>> (gdb) printf "%s\n", $_as_string("hello")
>> "hello"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> (gdb) quit
>>
>> The problem is with the GDB function value_cstring, or at least, how
>> this function is being used.
>>
>> When $_as_string is called we enter fnpy_call (python/py-function.c),
>> this calls into Python code. The Python code returns a result, which
>> will be a Python string, and then we call convert_value_from_python to
>> convert the Python string to a GDB value.
>>
>> In convert_value_from_python (python/py-value.c) we enter the
>> gdbpy_is_string case (as the result is a string), then we call
>> python_string_to_target_string, which returns a null terminated C
>> string. Next we then make this call:
>>
>> value = value_cstring (s.get (), strlen (s.get ()),
>> builtin_type_pychar);
>>
>> This passes the pointer to the first character 's.get ()' and the
>> length of the string 'strlen (s.get ())', however, this length does
>> not include the trailing null character.
>>
>> If we look at value_cstring (valops.c) we see that an array is created
>> using the passed in length, and characters are copied into the newly
>> allocated array value. This means we do not copy the strings trailing
>> null character, nor does value_cstring add a trailing null.
>>
>> Finally, when we use this array value with printf, GDB pushed the
>> array to the inferior, which mallocs some space based on the array
>> length, and then copies the array content to the inferior.
>>
>> As the array doesn't include a trailing null, non is written into the
>
> non -> none
>
>> inferior. So what we place into the inferior is not a C string, but
>> is actually an array of characters.
>>
>> When printf tries to print the value it starts at the address of the
>> first character and continues until it reaches a null. When that will
>> be is undefined, so we may end up printing random garbage.
>>
>> Now, ignore for a moment that the whole push an array to the inferior
>> just so we can fetch it in order to print it is clearly crazy. That's
>> a problem for another day I think. The important question here is:
>> should value_cstring include a null character or not.
>>
>> Given the function name include 'cstring', which I'm assuming means C
>> style string, I think that we should be including a trailing null.
>>
>> Given that, I see two possibilities, either value_cstring can always
>> add a trailing null, or value_cstring can assert that there is a
>> trailing null, and the caller is responsible for making sure that the
>> passed in length includes the null character.
>>
>> Given we're always passing from a C style string to begin with the
>> question is really, should the length being passed to value_cstring
>> include the null, or not include the null?
>>
>> The only place where we currently include the null in the passed
>> length is from c_string_operation::evaluate. Every other use of
>> value_cstring passes the length excluding the null.
>>
>> I was tempted to adjust c_string_operation::evaluate to exclude the
>> null, and then have value_cstring add a trailing null. However, this
>> does mean that if, in the future, a use is introduced that incorrectly
>> includes the trailing null in the passed length, then we are unlikely
>> to spot immediately - we'd instead create an array with two null
>> characters at the end.o
>
> You can always assert that the last character is not '\0'.
I thought about that, but I worried about strings that might contain
embedded '\0' characters... maybe we just don't care about them.
>
>>
>> Alternatively, if we change the requirements of value_cstring so that
>> we require the passed length includes the trailing null, then we can
>> assert that this is indeed the case within value_cstring. Any
>> incorrect uses in the future will be quickly spotted.
>>
>> So that's what I did, c_string_operation::evaluate is left unchanged,
>> but every other use of value_cstring is adjusted with a '+ 1' so that
>> we include the null within the length being passed.
>
> That sounds counterintuitive to me. With an API of style pointer +
> length, I don't expect the length to include the null terminator. It
> also unnecessarily forces the caller to have a null-terminated version
> of the string, which may not always be the case (you might want to call
> value_cstring on a subset of an existing string).
>
> I think that:
>
> struct value *
> value_cstring (const char *ptr, ssize_t len, struct type *char_type)
>
> should take a length excluding the null terminator, but a null
> terminator in the result (its job is to build a C string, and a C string
> requires a null terminator at the end).
This is why writing comments is so important :)
I read it as "build a value* from this C-string", which is why I figured
we can assume there will be a '\0' at the end.
Anyway, I don't really mind either way, just so long as we can get
something that works! I'll flip this around to the way you suggest and
repost.
Thanks for the feedback,
Andrew
>
> We can have the following overload, for convenience, for places that
> already have a C string but don't already know its length:
>
> struct value *
> value_cstring (const char *str, struct type *char_type)
> {
> return value_cstring (str, strlen (str), char_type);
> }
>
>> I've added a header comment to value_cstring (value.h) to describe the
>> requirements.
>>
>> Upon testing there were two tests that failed after this fix,
>> gdb.base/settings.exp and gdb.python/py-mi.exp. In both of these
>> cases we end up asking for the type of a character array allocated
>> through value_cstring. The length of this array has now increased by
>> one. Here's the previous behaviour:
>>
>> (gdb) set args abc
>> (gdb) p $_gdb_setting("args")
>> $1 = "abc"
>> (gdb) ptype $1
>> type = char [3]
>> (gdb)
>>
>> And here's the modified behaviour:
>>
>> (gdb) set args abc
>> (gdb) p $_gdb_setting("args")
>> $1 = "abc"
>> (gdb) ptype $1
>> type = char [4]
>> (gdb)
>>
>> Notice the type of $1 changed from an array of length 3 to an array of
>> length 4. However, I don't think this is a bad thing, consider:
>>
>> char lit[] = "zzz";
>> int
>> main()
>> {
>> return 0;
>> }
>>
>> And in GDB:
>>
>> (gdb) ptype lit
>> type = char [4]
>> (gdb)
>>
>> The null character is considered part of the array, so I think the new
>> behaviour makes sense.
>
> Makes sense.
>
>> diff --git a/gdb/testsuite/gdb.base/cstring-exprs.c b/gdb/testsuite/gdb.base/cstring-exprs.c
>> new file mode 100644
>> index 00000000000..8135edd97d4
>> --- /dev/null
>> +++ b/gdb/testsuite/gdb.base/cstring-exprs.c
>> @@ -0,0 +1,51 @@
>> +/* This testcase is part of GDB, the GNU debugger.
>> +
>> + Copyright 2023 Free Software Foundation, Inc.
>> +
>> + This program is free software; you can redistribute it and/or modify
>> + it under the terms of the GNU General Public License as published by
>> + the Free Software Foundation; either version 3 of the License, or
>> + (at your option) any later version.
>> +
>> + This program is distributed in the hope that it will be useful,
>> + but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> + GNU General Public License for more details.
>> +
>> + You should have received a copy of the GNU General Public License
>> + along with this program. If not, see <http://www.gnu.org/licenses/>. */
>> +
>> +#include <stddef.h>
>> +#include <string.h>
>> +
>> +/* A memory area used as the malloc memory buffer. */
>> +
>> +static char arena[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
>> +
>> +/* Override malloc(). When GDB tries to push strings into the inferior we
>> + always return the same pointer to arena. This does mean we can't have
>> + multiple strings in use at the same time, but that's fine for our basic
>> + testing, and this is simpler than using dlsym. */
>> +
>> +void
>> +*malloc (size_t size)
>
> The * is on the wrong line.
>
> Simon
next prev parent reply other threads:[~2023-04-06 13:20 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-03 21:49 Andrew Burgess
2023-04-04 13:58 ` Simon Marchi
2023-04-06 13:20 ` Andrew Burgess [this message]
2023-04-11 12:58 ` Pedro Alves
2023-04-12 20:47 ` Andrew Burgess
2023-04-13 11:56 ` Pedro Alves
2023-04-07 6:35 ` [PATCHv2] " Andrew Burgess
2023-05-24 14:10 ` [PATCHv3] gdb: building inferior strings from within GDB Andrew Burgess
2023-05-24 15:42 ` Simon Marchi
2023-06-05 12:26 ` Andrew Burgess
2023-06-05 17:57 ` Simon Marchi
2023-06-06 15:50 ` Andrew Burgess
2023-06-09 13:41 ` Tom Tromey
2023-06-09 14:20 ` Andrew Burgess
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r0sxb0zy.fsf@redhat.com \
--to=aburgess@redhat.com \
--cc=gdb-patches@sourceware.org \
--cc=simark@simark.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).