Date: Wed, 15 Feb 2023 13:45:02 -0500
Subject: Re: [PATCH] gdb: fix dealloc function not being called for frame 0
From: Simon Marchi
To: Tom de Vries, gdb-patches@sourceware.org
References: <20230209195037.100368-1-simon.marchi@efficios.com> <5be9ed74-04cf-b909-9e8c-d0f38cf28501@suse.de>
In-Reply-To: <5be9ed74-04cf-b909-9e8c-d0f38cf28501@suse.de>

On 2/15/23 13:01, Tom de Vries wrote:
> On 2/9/23 20:50, Simon Marchi wrote:
>> Tom de Vries reported [1] a regression in gdb.btrace/record_goto.exp
>> caused by 6d3717d4c4 ("gdb: call frame unwinders' dealloc_cache methods
>> through destroying the frame cache").  This issue is caught by ASan.  On
>> a non-ASan build, it may or may not cause a crash or some other issue, I
>> haven't tried.
>>
>> I managed to narrow it down to:
>>
>>     $ ./gdb -nx -q --data-directory=data-directory testsuite/outputs/gdb.btrace/record_goto/record_goto -ex "start" -ex "record btrace" -ex "next"
>>
>> ... and then doing repeatedly "record goto 19" and "record goto 27".
>> Eventually, I get:
>>
>>     (gdb) record goto 27
>>     =================================================================
>>     ==1527735==ERROR: AddressSanitizer: heap-use-after-free on address 0x6210003392a8 at pc 0x55e4c26eef86 bp 0x7ffd229f24e0 sp 0x7ffd229f24d8
>>     READ of size 8 at 0x6210003392a8 thread T0
>>         #0 0x55e4c26eef85 in bfcache_eq /home/simark/src/binutils-gdb/gdb/record-btrace.c:1639
>>         #1 0x55e4c37cdeff in htab_find_slot_with_hash /home/simark/src/binutils-gdb/libiberty/hashtab.c:659
>>         #2 0x55e4c37ce24a in htab_find_slot /home/simark/src/binutils-gdb/libiberty/hashtab.c:703
>>         #3 0x55e4c26ef0c6 in bfcache_new /home/simark/src/binutils-gdb/gdb/record-btrace.c:1653
>>         #4 0x55e4c26f1242 in record_btrace_frame_sniffer /home/simark/src/binutils-gdb/gdb/record-btrace.c:1820
>>         #5 0x55e4c1b926a1 in frame_unwind_try_unwinder /home/simark/src/binutils-gdb/gdb/frame-unwind.c:136
>>         #6 0x55e4c1b930d7 in frame_unwind_find_by_frame(frame_info_ptr, void**) /home/simark/src/binutils-gdb/gdb/frame-unwind.c:196
>>         #7 0x55e4c1bb867f in get_frame_type(frame_info_ptr) /home/simark/src/binutils-gdb/gdb/frame.c:2925
>>         #8 0x55e4c2ae6798 in print_frame_info(frame_print_options const&, frame_info_ptr, int, print_what, int, int) /home/simark/src/binutils-gdb/gdb/stack.c:1049
>>         #9 0x55e4c2ade3e1 in print_stack_frame(frame_info_ptr, int, print_what, int) /home/simark/src/binutils-gdb/gdb/stack.c:367
>>         #10 0x55e4c26fda03 in record_btrace_set_replay /home/simark/src/binutils-gdb/gdb/record-btrace.c:2779
>>         #11 0x55e4c26fddc3 in record_btrace_target::goto_record(unsigned long) /home/simark/src/binutils-gdb/gdb/record-btrace.c:2843
>>         #12 0x55e4c2de2bb2 in target_goto_record(unsigned long) /home/simark/src/binutils-gdb/gdb/target.c:4169
>>         #13 0x55e4c275ed98 in record_goto(char const*) /home/simark/src/binutils-gdb/gdb/record.c:372
>>         #14 0x55e4c275edba in cmd_record_goto /home/simark/src/binutils-gdb/gdb/record.c:383
>>
>>     0x6210003392a8 is located 424 bytes inside of 4064-byte region [0x621000339100,0x62100033a0e0)
>>     freed by thread T0 here:
>>         #0 0x7f6ca34a5b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
>>         #1 0x55e4c38a4c17 in rpl_free /home/simark/src/binutils-gdb/gnulib/import/free.c:44
>>         #2 0x55e4c1bbd378 in xfree /home/simark/src/binutils-gdb/gdb/../gdbsupport/gdb-xfree.h:37
>>         #3 0x55e4c37d1b63 in call_freefun /home/simark/src/binutils-gdb/libiberty/obstack.c:103
>>         #4 0x55e4c37d25a2 in _obstack_free /home/simark/src/binutils-gdb/libiberty/obstack.c:280
>>         #5 0x55e4c1bad701 in reinit_frame_cache() /home/simark/src/binutils-gdb/gdb/frame.c:2112
>>         #6 0x55e4c27705a3 in registers_changed_ptid(process_stratum_target*, ptid_t) /home/simark/src/binutils-gdb/gdb/regcache.c:564
>>         #7 0x55e4c27708c7 in registers_changed_thread(thread_info*) /home/simark/src/binutils-gdb/gdb/regcache.c:573
>>         #8 0x55e4c26fd922 in record_btrace_set_replay /home/simark/src/binutils-gdb/gdb/record-btrace.c:2772
>>         #9 0x55e4c26fddc3 in record_btrace_target::goto_record(unsigned long) /home/simark/src/binutils-gdb/gdb/record-btrace.c:2843
>>         #10 0x55e4c2de2bb2 in target_goto_record(unsigned long) /home/simark/src/binutils-gdb/gdb/target.c:4169
>>         #11 0x55e4c275ed98 in record_goto(char const*) /home/simark/src/binutils-gdb/gdb/record.c:372
>>         #12 0x55e4c275edba in cmd_record_goto /home/simark/src/binutils-gdb/gdb/record.c:383
>>
>>     previously allocated by thread T0 here:
>>         #0 0x7f6ca34a5e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>>         #1 0x55e4c0b55c60 in xmalloc /home/simark/src/binutils-gdb/gdb/alloc.c:57
>>         #2 0x55e4c37d1a6d in call_chunkfun /home/simark/src/binutils-gdb/libiberty/obstack.c:94
>>         #3 0x55e4c37d1c20 in _obstack_begin_worker /home/simark/src/binutils-gdb/libiberty/obstack.c:141
>>         #4 0x55e4c37d1ed7 in _obstack_begin /home/simark/src/binutils-gdb/libiberty/obstack.c:164
>>         #5 0x55e4c1bad728 in reinit_frame_cache() /home/simark/src/binutils-gdb/gdb/frame.c:2113
>>         #6 0x55e4c27705a3 in registers_changed_ptid(process_stratum_target*, ptid_t) /home/simark/src/binutils-gdb/gdb/regcache.c:564
>>         #7 0x55e4c27708c7 in registers_changed_thread(thread_info*) /home/simark/src/binutils-gdb/gdb/regcache.c:573
>>         #8 0x55e4c26fd922 in record_btrace_set_replay /home/simark/src/binutils-gdb/gdb/record-btrace.c:2772
>>         #9 0x55e4c26fddc3 in record_btrace_target::goto_record(unsigned long) /home/simark/src/binutils-gdb/gdb/record-btrace.c:2843
>>         #10 0x55e4c2de2bb2 in target_goto_record(unsigned long) /home/simark/src/binutils-gdb/gdb/target.c:4169
>>         #11 0x55e4c275ed98 in record_goto(char const*) /home/simark/src/binutils-gdb/gdb/record.c:372
>>         #12 0x55e4c275edba in cmd_record_goto /home/simark/src/binutils-gdb/gdb/record.c:383
>>
>> The problem is a stale entry in the bfcache hash table (in
>> record-btrace.c), left across a reinit_frame_cache.  This entry points
>> to something that used to be allocated on the frame obstack, that has
>> since been wiped by reinit_frame_cache.
>>
>> Before the aforementioned, unwinder deallocation functions were called
>> by iterating on the frame chain, starting with the sentinel frame, like
>> so:
>>
>>     /* Tear down all frame caches.  */
>>     for (frame_info *fi = sentinel_frame; fi != NULL; fi = fi->prev)
>>       {
>>         if (fi->prologue_cache && fi->unwind->dealloc_cache)
>>           fi->unwind->dealloc_cache (fi, fi->prologue_cache);
>>         if (fi->base_cache && fi->base->unwind->dealloc_cache)
>>           fi->base->unwind->dealloc_cache (fi, fi->base_cache);
>>       }
>>
>> After that patch, we relied on the fact that all frames are (supposedly)
>> in the frame_stash.  A deletion function was added to the frame_stash
>> hash table, so that dealloc functions would be called when emptying the
>> frame stash.  There is one case, however, where a frame_info is not in
>> the frame stash.  That is when we create the frame_info for the current
>> frame (level 0, unwound from the sentinel frame), but don't computed its
>
> computed -> compute

Fixed.

>> frame id.  The computation of the frame id for that frame (and only that
>> frame, AFAIK) is done lazily.  And putting a frame_info in the frame stash
>> requires knowing its id.  So a frame 0 whose frame id is not computed
>> yet is necessarily not in the frame stash.
>>
>> When replaying with btrace, record_btrace_frame_sniffer insert entries
>> corresponding to frames in the "bfcache" hash table.  It then relies on
>> record_btrace_frame_dealloc_cache being called for each frame to remove
>> all those entries when the frames get invalidated.  If a frame reinit
>> happens while frame 0's id is not computed (and thefore that frame is
>
> thefore -> therefore

Fixed.

>
>> not in frame_stash), record_btrace_frame_dealloc_cache does not get
>> called for it, and it leaves a stale entry in bfcache.  That then leads
>> to a use-after-free when that entry is accessed later, which ASan
>> catches.
>>
>> The proposed solution is to explicitly call frame_info_del on frame 0,
>> if it exists, and if its frame id is not computed.  If it's frame id is
>
> it's -> its

Fixed.  I will push the patch shortly, thanks.

Simon
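The lifecycle bug discussed in this thread, reduced to a stand-alone C model. This is an added example, not part of the mailing-list exchange and not GDB's code: the `struct frame`, `arena`, `side_table`, `reinit_frame_cache` and `run_scenario` names are constructed for illustration. It models the three ingredients of the report: a frame arena that is wiped in one go (the obstack), a side table holding raw pointers into that arena (bfcache), and a dealloc callback that only runs for frames registered in a stash, with frame 0 registered lazily once its id is computed. A generation counter on the arena stands in for ASan: any side-table entry whose recorded generation predates the current one is a dangling pointer. The scenario is run once without and once with the patch's fix (an explicit dealloc for an unstashed frame 0).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GDB's code: a reduced model of the bug described in
   the patch.  Frames live in an arena that is wiped wholesale; a side
   table keeps pointers into that arena; the only thing removing those
   entries is a per-frame dealloc callback, which runs only for frames in
   the "stash".  Frame 0 joins the stash lazily (when its id is computed),
   so a wipe before then leaves a dangling side-table entry. */

#define MAX_FRAMES 8

struct frame {
    int level;
    bool id_computed;   /* the level-0 frame's id is computed lazily */
    bool in_stash;      /* set only once the id is known */
    bool has_cache;     /* an unwinder attached a cache to this frame */
};

/* The arena (obstack stand-in).  generation is bumped on every wipe so
   that pointers taken before a wipe can be recognised as stale. */
struct arena {
    struct frame frames[MAX_FRAMES];
    int nframes;
    unsigned generation;
};

/* Side table modelled on bfcache: raw pointers into the arena, tagged
   with the arena generation that was current when the entry was added. */
struct side_entry { const struct frame *key; unsigned generation; };
struct side_table { struct side_entry e[MAX_FRAMES]; int n; };

static struct frame *frame_alloc(struct arena *a, int level)
{
    struct frame *f = &a->frames[a->nframes++];
    memset(f, 0, sizeof *f);
    f->level = level;
    return f;
}

/* Sniffer: attach a cache and record the frame in the side table. */
static void sniffer_attach(struct side_table *t, struct arena *a, struct frame *f)
{
    f->has_cache = true;
    t->e[t->n].key = f;
    t->e[t->n].generation = a->generation;
    t->n++;
}

/* Dealloc callback: drop this frame's side-table entry (swap-remove). */
static void dealloc_cache(struct side_table *t, const struct frame *f)
{
    for (int i = 0; i < t->n; i++)
        if (t->e[i].key == f) {
            t->e[i] = t->e[--t->n];
            return;
        }
}

/* Computing the id is what puts a frame into the stash. */
static void compute_frame_id(struct frame *f)
{
    f->id_computed = true;
    f->in_stash = true;
}

/* Wipe: run dealloc for every stashed frame, and, when apply_fix is set,
   also for a frame 0 whose id was never computed (the patch's fix). Then
   discard the arena contents. */
static void reinit_frame_cache(struct arena *a, struct side_table *t, bool apply_fix)
{
    for (int i = 0; i < a->nframes; i++) {
        struct frame *f = &a->frames[i];
        if (f->in_stash && f->has_cache)
            dealloc_cache(t, f);
    }
    if (apply_fix && a->nframes > 0) {
        struct frame *f0 = &a->frames[0];
        if (!f0->id_computed && f0->has_cache)
            dealloc_cache(t, f0);
    }
    a->nframes = 0;
    a->generation++;
}

/* Count entries that point into a generation of the arena that no longer
   exists: each one is a use-after-free waiting to happen. */
static int count_stale(const struct side_table *t, const struct arena *a)
{
    int stale = 0;
    for (int i = 0; i < t->n; i++)
        if (t->e[i].generation != a->generation)
            stale++;
    return stale;
}

/* Constructed scenario from the report: frame 0 is created and sniffed
   but its id is never computed; frame 1 is unwound and stashed; then a
   register change forces a wipe.  Returns the number of stale entries. */
int run_scenario(bool apply_fix)
{
    struct arena a = { .nframes = 0, .generation = 1 };
    struct side_table t = { .n = 0 };

    struct frame *f0 = frame_alloc(&a, 0);
    sniffer_attach(&t, &a, f0);     /* id intentionally left uncomputed */

    struct frame *f1 = frame_alloc(&a, 1);
    sniffer_attach(&t, &a, f1);
    compute_frame_id(f1);           /* frame 1 enters the stash */

    reinit_frame_cache(&a, &t, apply_fix);
    return count_stale(&t, &a);
}

int main(void)
{
    printf("stale entries without fix: %d\n", run_scenario(false));
    printf("stale entries with fix:    %d\n", run_scenario(true));
    return 0;
}
```

Without the fix the wipe leaves one stale entry (frame 0's), which is exactly the dangling bfcache pointer that `bfcache_eq` later dereferences in the ASan report; with the explicit dealloc for the unstashed frame 0 the side table is clean. The generation tag is the defensive check worth keeping in real code of this shape: any side table that stores pointers into a bulk-freed arena should be able to tell, without dereferencing, whether an entry outlived the arena it points into.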