public inbox for gdb-patches@sourceware.org
From: Andrew Burgess <aburgess@redhat.com>
To: Simon Marchi <simark@simark.ca>, gdb-patches@sourceware.org
Subject: Re: [PATCH] gdb: fix missing null-character when using value_cstring
Date: Thu, 06 Apr 2023 14:20:49 +0100
Message-ID: <87r0sxb0zy.fsf@redhat.com>
In-Reply-To: <3d7197c2-424c-1458-93aa-d23fedac3d70@simark.ca>

Simon Marchi <simark@simark.ca> writes:

> On 4/3/23 17:49, Andrew Burgess via Gdb-patches wrote:
>> In PR gdb/21699 an issue was reported with the $_as_string convenience
>> function.  It was observed that the string returned by this function,
>> when pushed into the inferior, was not null terminated.
>> 
>> This was causing problems when using the result with GDB's printf
>> command, as this command relies on the string having been pushed into
>> the inferior and being null terminated.
>> 
>> The bug includes a simple reproducer:
>> 
>>   #include <stddef.h>
>>   static char arena[51] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
>> 
>>   /* Override malloc() so value_coerce_to_target() gets a known pointer, and we
>>      know we'll see an error if $_as_string() gives a string that isn't NULL
>>      terminated. */
>>   void *
>>   malloc (size_t size)
>>   {
>>       if (size > sizeof (arena))
>>           return NULL;
>>       return arena;
>>   }
>> 
>>   int
>>   main ()
>>   {
>>     return 0;
>>   }
>> 
>> Then use this in a GDB session like this:
>> 
>>   $ gdb -q test
>>   Reading symbols from /tmp/test...
>>   (gdb) start
>>   Temporary breakpoint 1 at 0x4004c8: file test.c, line 17.
>>   Starting program: /tmp/test
>> 
>>   Temporary breakpoint 1, main () at test.c:17
>>   17        return 0;
>>   (gdb) printf "%s\n", $_as_string("hello")
>>   "hello"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>   (gdb) quit
>> 
>> The problem is with the GDB function value_cstring, or at least, how
>> this function is being used.
>> 
>> When $_as_string is called we enter fnpy_call (python/py-function.c),
>> this calls into Python code.  The Python code returns a result, which
>> will be a Python string, and then we call convert_value_from_python to
>> convert the Python string to a GDB value.
>> 
>> In convert_value_from_python (python/py-value.c) we enter the
>> gdbpy_is_string case (as the result is a string), then we call
>> python_string_to_target_string, which returns a null terminated C
>> string.  Next we then make this call:
>> 
>>   value = value_cstring (s.get (), strlen (s.get ()),
>>                          builtin_type_pychar);
>> 
>> This passes the pointer to the first character 's.get ()' and the
>> length of the string 'strlen (s.get ())', however, this length does
>> not include the trailing null character.
>> 
>> If we look at value_cstring (valops.c) we see that an array is created
>> using the passed in length, and characters are copied into the newly
>> allocated array value.  This means we do not copy the string's trailing
>> null character, nor does value_cstring add a trailing null.
>> 
>> Finally, when we use this array value with printf, GDB pushes the
>> array to the inferior, which mallocs some space based on the array
>> length, and then copies the array content to the inferior.
>> 
>> As the array doesn't include a trailing null, non is written into the
>
> non -> none
>
>> inferior.  So what we place into the inferior is not a C string, but
>> is actually an array of characters.
>> 
>> When printf tries to print the value it starts at the address of the
>> first character and continues until it reaches a null.  When that will
>> be is undefined, so we may end up printing random garbage.
>> 
>> Now, ignore for a moment that the whole push an array to the inferior
>> just so we can fetch it in order to print it is clearly crazy.  That's
>> a problem for another day I think.  The important question here is:
>> should value_cstring include a null character or not?
>> 
>> Given the function name includes 'cstring', which I'm assuming means C
>> style string, I think that we should be including a trailing null.
>> 
>> Given that, I see two possibilities, either value_cstring can always
>> add a trailing null, or value_cstring can assert that there is a
>> trailing null, and the caller is responsible for making sure that the
>> passed in length includes the null character.
>> 
>> Given we're always passing from a C style string to begin with the
>> question is really, should the length being passed to value_cstring
>> include the null, or not include the null?
>> 
>> The only place where we currently include the null in the passed
>> length is from c_string_operation::evaluate.  Every other use of
>> value_cstring passes the length excluding the null.
>> 
>> I was tempted to adjust c_string_operation::evaluate to exclude the
>> null, and then have value_cstring add a trailing null.  However, this
>> does mean that if, in the future, a use is introduced that incorrectly
>> includes the trailing null in the passed length, then we are unlikely
>> to spot immediately - we'd instead create an array with two null
>> characters at the end.
>
> You can always assert that the last character is not '\0'.

I thought about that, but I worried about strings that might contain
embedded '\0' characters... maybe we just don't care about them.

>
>> 
>> Alternatively, if we change the requirements of value_cstring so that
>> we require the passed length includes the trailing null, then we can
>> assert that this is indeed the case within value_cstring.  Any
>> incorrect uses in the future will be quickly spotted.
>> 
>> So that's what I did, c_string_operation::evaluate is left unchanged,
>> but every other use of value_cstring is adjusted with a '+ 1' so that
>> we include the null within the length being passed.
>
> That sounds counterintuitive to me.  With an API of style pointer +
> length, I don't expect the length to include the null terminator.  It
> also unnecessarily forces the caller to have a null-terminated version
> of the string, which may not always be the case (you might want to call
> value_cstring on a subset of an existing string).
>
> I think that:
>
> struct value *
> value_cstring (const char *ptr, ssize_t len, struct type *char_type)
>
> should take a length excluding the null terminator, but add a null
> terminator to the result (its job is to build a C string, and a C string
> requires a null terminator at the end).

This is why writing comments is so important :)

I read it as "build a value* from this C-string", which is why I figured
we can assume there will be a '\0' at the end.

Anyway, I don't really mind either way, just so long as we can get
something that works!  I'll flip this around to the way you suggest and
repost.

Thanks for the feedback,
Andrew

>
> We can have the following overload, for convenience, for places that
> already have a C string but don't already know its length:
>
> struct value *
> value_cstring (const char *str, struct type *char_type)
> {
>   return value_cstring (str, strlen (str), char_type);
> }
>
>> I've added a header comment to value_cstring (value.h) to describe the
>> requirements.
>> 
>> Upon testing there were two tests that failed after this fix,
>> gdb.base/settings.exp and gdb.python/py-mi.exp.  In both of these
>> cases we end up asking for the type of a character array allocated
>> through value_cstring.  The length of this array has now increased by
>> one.  Here's the previous behaviour:
>> 
>>   (gdb) set args abc
>>   (gdb) p $_gdb_setting("args")
>>   $1 = "abc"
>>   (gdb) ptype $1
>>   type = char [3]
>>   (gdb)
>> 
>> And here's the modified behaviour:
>> 
>>   (gdb) set args abc
>>   (gdb) p $_gdb_setting("args")
>>   $1 = "abc"
>>   (gdb) ptype $1
>>   type = char [4]
>>   (gdb)
>> 
>> Notice the type of $1 changed from an array of length 3 to an array of
>> length 4.  However, I don't think this is a bad thing, consider:
>> 
>>   char lit[] = "zzz";
>>   int
>>   main()
>>   {
>>     return 0;
>>   }
>> 
>> And in GDB:
>> 
>>   (gdb) ptype lit
>>   type = char [4]
>>   (gdb)
>> 
>> The null character is considered part of the array, so I think the new
>> behaviour makes sense.
>
> Makes sense.
>
>> diff --git a/gdb/testsuite/gdb.base/cstring-exprs.c b/gdb/testsuite/gdb.base/cstring-exprs.c
>> new file mode 100644
>> index 00000000000..8135edd97d4
>> --- /dev/null
>> +++ b/gdb/testsuite/gdb.base/cstring-exprs.c
>> @@ -0,0 +1,51 @@
>> +/* This testcase is part of GDB, the GNU debugger.
>> +
>> +   Copyright 2023 Free Software Foundation, Inc.
>> +
>> +   This program is free software; you can redistribute it and/or modify
>> +   it under the terms of the GNU General Public License as published by
>> +   the Free Software Foundation; either version 3 of the License, or
>> +   (at your option) any later version.
>> +
>> +   This program is distributed in the hope that it will be useful,
>> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> +   GNU General Public License for more details.
>> +
>> +   You should have received a copy of the GNU General Public License
>> +   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
>> +
>> +#include <stddef.h>
>> +#include <string.h>
>> +
>> +/* A memory area used as the malloc memory buffer.  */
>> +
>> +static char arena[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
>> +
>> +/* Override malloc().  When GDB tries to push strings into the inferior we
>> +   always return the same pointer to arena.  This does mean we can't have
>> +   multiple strings in use at the same time, but that's fine for our basic
>> +   testing, and this is simpler than using dlsym.  */
>> +
>> +void
>> +*malloc (size_t size)
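Review bot: the reproducer in the commit message guards this override with `if (size > sizeof (arena)) return NULL;`, but the quoted hunk stops at the signature, so the body of this malloc is not visible here; please make sure the committed test keeps that bound, since GDB mallocs space based on the array length and then copies the whole array into whatever pointer comes back, and a string longer than the 52-byte static arena would write past it. Also, GNU style puts the `*` with the return type: `void *` on one line and `malloc (size_t size)` on the next, rather than `void` / `*malloc (size_t size)`.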
>
> The * is on the wrong line.
>
> Simon

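The following C++ sketch is an added illustration of the two behaviours discussed in this thread; it is not GDB code and not part of the original messages. `value` and `inferior` are hypothetical stand-ins for GDB's value type and for the debuggee, `value_cstring_old` reconstructs the pre-fix "copy LEN bytes, add nothing" behaviour, and `value_cstring` with its `strlen` overload follows the API Simon proposes above (length excludes the terminator, the function appends it). The inferior's `malloc` is the reproducer's fixed arena pre-filled with 'x'.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for GDB's value: a byte array plus its element count.
struct value {
  std::vector<char> contents;
  std::size_t array_length () const { return contents.size (); }
};

// Pre-fix behaviour (reconstruction, not GDB's code): copy exactly LEN bytes
// and add nothing.  The result is a char array, not a C string.
static value value_cstring_old (const char *ptr, std::size_t len)
{
  value v;
  v.contents.assign (ptr, ptr + len);
  return v;
}

// Proposed behaviour: LEN excludes the terminator and the function appends
// one itself.  Embedded '\0' bytes inside [ptr, ptr + len) are copied as-is,
// so the caller never needs a null-terminated copy of a sub-range.
static value value_cstring (const char *ptr, std::size_t len)
{
  value v;
  v.contents.reserve (len + 1);
  v.contents.assign (ptr, ptr + len);
  v.contents.push_back ('\0');
  return v;
}

// Convenience overload for callers that already hold a C string.
static value value_cstring (const char *str)
{
  return value_cstring (str, std::strlen (str));
}

// Simulated inferior memory, modelled on the reproducer: a fixed arena
// pre-filled with 'x' that the overridden malloc() always hands back.
struct inferior {
  char arena[52];

  inferior ()
  {
    std::memset (arena, 'x', sizeof arena - 1);
    arena[sizeof arena - 1] = '\0';
  }

  // What pushing a value to the target does: "malloc" array_length bytes
  // (always the arena here) and copy the contents in.
  const char *push (const value &v)
  {
    if (v.array_length () > sizeof arena)
      return nullptr;  // the reproducer's size check
    std::memcpy (arena, v.contents.data (), v.array_length ());
    return arena;
  }

  // What printf "%s" does: read from ADDR until a NUL.  Bounded so the
  // simulation never reads past the arena; a real inferior would keep going.
  std::string read_string (const char *addr) const
  {
    if (addr == nullptr)
      return "<push failed>";
    std::size_t max = sizeof arena - static_cast<std::size_t> (addr - arena);
    std::size_t n = 0;
    while (n < max && addr[n] != '\0')
      n++;
    return std::string (addr, n);
  }
};

// Reproduce the bug report: "%s" on the old value runs into the arena filler.
static std::string printf_old (const char *s)
{
  inferior inf;
  return inf.read_string (inf.push (value_cstring_old (s, std::strlen (s))));
}

// Same flow with the fixed function: the pushed bytes include the NUL.
static std::string printf_new (const char *s)
{
  inferior inf;
  return inf.read_string (inf.push (value_cstring (s)));
}
```

`printf_old ("hello")` returns "hello" followed by the 46 'x' bytes left in the arena, which is the `"hello"xxxx...` output from the bug report; `printf_new ("hello")` returns just "hello". `value_cstring ("abc").array_length ()` is 4, matching the `char [4]` that `ptype` now reports, and `value_cstring ("a\0b", 3)` keeps the embedded NUL and still ends in one, which is why the length-based API does not need to assert anything about the input's last byte.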

Thread overview: 14+ messages
2023-04-03 21:49 Andrew Burgess
2023-04-04 13:58 ` Simon Marchi
2023-04-06 13:20   ` Andrew Burgess [this message]
2023-04-11 12:58     ` Pedro Alves
2023-04-12 20:47       ` Andrew Burgess
2023-04-13 11:56         ` Pedro Alves
2023-04-07  6:35 ` [PATCHv2] " Andrew Burgess
2023-05-24 14:10   ` [PATCHv3] gdb: building inferior strings from within GDB Andrew Burgess
2023-05-24 15:42     ` Simon Marchi
2023-06-05 12:26       ` Andrew Burgess
2023-06-05 17:57         ` Simon Marchi
2023-06-06 15:50           ` Andrew Burgess
2023-06-09 13:41             ` Tom Tromey
2023-06-09 14:20               ` Andrew Burgess
