[PATCH] [readline] Fix double free in _rl_scxt_dispose

[PATCH] [readline] Fix double free in _rl_scxt_dispose

[Tom de Vries]

Consider the following scenario.  We start gdb in TUI mode:
...
$ gdb -q -tui
...
and type ^R which gives us the reverse-isearch prompt in the cmd window:
...
(reverse-i-search)`':
...
and then type "foo", right-arrow-key, and ^C.

In TUI mode, gdb uses a custom rl_getc_function tui_getc.

When pressing the right-arrow-key, tui_getc:
- attempts to scroll the TUI src window, without any effect, and
- returns 0.

The intention of returning 0 is mentioned here in tui_dispatch_ctrl_char:
...
  /* We intercepted the control character, so return 0 (which readline
     will interpret as a no-op).  */
  return 0;
...

However, after this 0 is returned by the rl_read_key () call in
_rl_search_getchar, _rl_read_mbstring is called, which incorrectly interprets
0 as the first part of an utf-8 multibyte char, and tries to read the next
char.

In this state, the ^C takes effect and we run into a double free because
_rl_isearch_cleanup is called twice.

Both these issues need fixing independently, though after fixing the first we
no longer trigger the second.

The first issue is caused by the subtle difference between:
- a char array containing 0 chars, which is zero-terminated, and
- a char array containing 1 char, which is zero.

In mbrtowc terms, this is the difference between:
...
  mbrtowc (&wc, "", 0, &ps);
...
which returns -2, and:
...
  mbrtowc (&wc, "", 1, &ps);
...
which returns 0.

Note that _rl_read_mbstring calls _rl_get_char_len without passing it an
explicit length parameter, and consequently it cannot distinguish between the
two, and defaults to the "0 chars" choice.

Note that the same problem doesn't exist in _rl_read_mbchar.

Fix this by defaulting to the "1 char" choice in _rl_get_char_len:
...
-  if (_rl_utf8locale && l > 0 && UTF8_SINGLEBYTE(*src))
+  if (_rl_utf8locale && l >= 0 && UTF8_SINGLEBYTE(*src))
...

The second problem happens when the call to _rl_search_getchar in
_rl_isearch_callback returns.  At that point _rl_isearch_cleanup has already
been called from the signal handler, but we proceed regardless, using a cxt
pointer that has been freed.

Fix this by checking for "RL_ISSTATE (RL_STATE_ISEARCH)" after the call to
_rl_search_getchar:
...
   c = _rl_search_getchar (cxt);
+  if (!RL_ISSTATE (RL_STATE_ISEARCH))
+    return 1;
...

Tested on x86_64-linux.

PR tui/30056
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30056
---
 readline/readline/isearch.c | 3 +++
 readline/readline/mbutil.c  | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/readline/readline/isearch.c b/readline/readline/isearch.c
index 080ba3cbb9c..941078f790e 100644
--- a/readline/readline/isearch.c
+++ b/readline/readline/isearch.c
@@ -882,6 +882,9 @@ _rl_isearch_callback (_rl_search_cxt *cxt)
   int c, r;
 
   c = _rl_search_getchar (cxt);
+  if (!RL_ISSTATE (RL_STATE_ISEARCH))
+    return 1;
+
   /* We might want to handle EOF here */
   r = _rl_isearch_dispatch (cxt, cxt->lastc);
 
diff --git a/readline/readline/mbutil.c b/readline/readline/mbutil.c
index dc62b4cc24d..7da3ff17bb5 100644
--- a/readline/readline/mbutil.c
+++ b/readline/readline/mbutil.c
@@ -363,7 +363,7 @@ _rl_get_char_len (char *src, mbstate_t *ps)
 
   /* Look at no more than MB_CUR_MAX characters */
   l = (size_t)strlen (src);
-  if (_rl_utf8locale && l > 0 && UTF8_SINGLEBYTE(*src))
+  if (_rl_utf8locale && l >= 0 && UTF8_SINGLEBYTE(*src))
     tmp = (*src != 0) ? 1 : 0;
   else
     {

base-commit: 9196be90bd9572bd09fad63d7e0b2fa199738b90
-- 
2.35.3

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose

[Andrew Burgess]

Tom de Vries <tdevries@suse.de> writes:

> Consider the following scenario.  We start gdb in TUI mode:
> ...
> $ gdb -q -tui
> ...
> and type ^R which gives us the reverse-isearch prompt in the cmd window:
> ...
> (reverse-i-search)`':
> ...
> and then type "foo", right-arrow-key, and ^C.
>
> In TUI mode, gdb uses a custom rl_getc_function tui_getc.
>
> When pressing the right-arrow-key, tui_getc:
> - attempts to scroll the TUI src window, without any effect, and
> - returns 0.
>
> The intention of returning 0 is mentioned here in tui_dispatch_ctrl_char:
> ...
>   /* We intercepted the control character, so return 0 (which readline
>      will interpret as a no-op).  */
>   return 0;
> ...
>
> However, after this 0 is returned by the rl_read_key () call in
> _rl_search_getchar, _rl_read_mbstring is called, which incorrectly interprets
> 0 as the first part of an utf-8 multibyte char, and tries to read the next
> char.
>
> In this state, the ^C takes effect and we run into a double free because
> _rl_isearch_cleanup is called twice.
>
> Both these issues need fixing independently, though after fixing the first we
> no longer trigger the second.
>
> The first issue is caused by the subtle difference between:
> - a char array containing 0 chars, which is zero-terminated, and
> - a char array containing 1 char, which is zero.
>
> In mbrtowc terms, this is the difference between:
> ...
>   mbrtowc (&wc, "", 0, &ps);
> ...
> which returns -2, and:
> ...
>   mbrtowc (&wc, "", 1, &ps);
> ...
> which returns 0.
>
> Note that _rl_read_mbstring calls _rl_get_char_len without passing it an
> explicit length parameter, and consequently it cannot distinguish between the
> two, and defaults to the "0 chars" choice.
>
> Note that the same problem doesn't exist in _rl_read_mbchar.
>
> Fix this by defaulting to the "1 char" choice in _rl_get_char_len:
> ...
> -  if (_rl_utf8locale && l > 0 && UTF8_SINGLEBYTE(*src))
> +  if (_rl_utf8locale && l >= 0 && UTF8_SINGLEBYTE(*src))
> ...
>
> The second problem happens when the call to _rl_search_getchar in
> _rl_isearch_callback returns.  At that point _rl_isearch_cleanup has already
> been called from the signal handler, but we proceed regardless, using a cxt
> pointer that has been freed.
>
> Fix this by checking for "RL_ISSTATE (RL_STATE_ISEARCH)" after the call to
> _rl_search_getchar:
> ...
>    c = _rl_search_getchar (cxt);
> +  if (!RL_ISSTATE (RL_STATE_ISEARCH))
> +    return 1;
> ...
>
> Tested on x86_64-linux.
>
> PR tui/30056
> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30056
> ---
>  readline/readline/isearch.c | 3 +++
>  readline/readline/mbutil.c  | 2 +-
>  2 files changed, 4 insertions(+), 1 deletion(-)

Have you posted this to the readline list?  I think it would be best if
we at least posted patches like this upstream before we merge them.

Thanks,
Andrew



>
> diff --git a/readline/readline/isearch.c b/readline/readline/isearch.c
> index 080ba3cbb9c..941078f790e 100644
> --- a/readline/readline/isearch.c
> +++ b/readline/readline/isearch.c
> @@ -882,6 +882,9 @@ _rl_isearch_callback (_rl_search_cxt *cxt)
>    int c, r;
>  
>    c = _rl_search_getchar (cxt);
> +  if (!RL_ISSTATE (RL_STATE_ISEARCH))
> +    return 1;
> +
>    /* We might want to handle EOF here */
>    r = _rl_isearch_dispatch (cxt, cxt->lastc);
>  
> diff --git a/readline/readline/mbutil.c b/readline/readline/mbutil.c
> index dc62b4cc24d..7da3ff17bb5 100644
> --- a/readline/readline/mbutil.c
> +++ b/readline/readline/mbutil.c
> @@ -363,7 +363,7 @@ _rl_get_char_len (char *src, mbstate_t *ps)
>  
>    /* Look at no more than MB_CUR_MAX characters */
>    l = (size_t)strlen (src);
> -  if (_rl_utf8locale && l > 0 && UTF8_SINGLEBYTE(*src))
> +  if (_rl_utf8locale && l >= 0 && UTF8_SINGLEBYTE(*src))
>      tmp = (*src != 0) ? 1 : 0;
>    else
>      {
>
> base-commit: 9196be90bd9572bd09fad63d7e0b2fa199738b90
> -- 
> 2.35.3

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose

[Tom de Vries]

On 5/24/23 20:13, Andrew Burgess wrote:
> Tom de Vries <tdevries@suse.de> writes:
> Have you posted this to the readline list?  I think it would be best if
> we at least posted patches like this upstream before we merge them.

Yes, I send this to both gdb-patches and bug-readline, as you can see in 
the CC of your reply ;)

Thanks,
- Tom

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose

[Chet Ramey]

On 5/24/23 2:31 PM, Tom de Vries wrote:
> On 5/24/23 20:13, Andrew Burgess wrote:
>> Tom de Vries <tdevries@suse.de> writes:
>> Have you posted this to the readline list?  I think it would be best if
>> we at least posted patches like this upstream before we merge them.
> 
> Yes, I send this to both gdb-patches and bug-readline, as you can see in 
> the CC of your reply ;)

I got it; I just haven't looked at it yet.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose

[Chet Ramey]

On 5/23/23 12:04 PM, Tom de Vries wrote:

> Both these issues need fixing independently, though after fixing the first we
> no longer trigger the second.

Thanks for the report. These are both good fixes.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose

[Tom de Vries]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]

On 5/27/23 21:10, Chet Ramey wrote:
> On 5/23/23 12:04 PM, Tom de Vries wrote:
> 
>> Both these issues need fixing independently, though after fixing the 
>> first we
>> no longer trigger the second.
> 
> Thanks for the report. These are both good fixes.

Thanks for the review.

Added test-case and committed.

Thanks,
- Tom

[-- Attachment #2: 0001-readline-Fix-double-free-in-_rl_scxt_dispose.patch --]
[-- Type: text/x-patch, Size: 5716 bytes --]

From a06bc90120aff3c65fe0f276e64d430358928ef9 Mon Sep 17 00:00:00 2001
From: Tom de Vries <tdevries@suse.de>
Date: Tue, 23 May 2023 14:34:19 +0200
Subject: [PATCH] [readline] Fix double free in _rl_scxt_dispose

Consider the following scenario.  We start gdb in TUI mode:
...
$ gdb -q -tui
...
and type ^R which gives us the reverse-isearch prompt in the cmd window:
...
(reverse-i-search)`':
...
and then type "foo", right-arrow-key, and ^C.

In TUI mode, gdb uses a custom rl_getc_function tui_getc.

When pressing the right-arrow-key, tui_getc:
- attempts to scroll the TUI src window, without any effect, and
- returns 0.

The intention of returning 0 is mentioned here in tui_dispatch_ctrl_char:
...
  /* We intercepted the control character, so return 0 (which readline
     will interpret as a no-op).  */
  return 0;
...

However, after this 0 is returned by the rl_read_key () call in
_rl_search_getchar, _rl_read_mbstring is called, which incorrectly interprets
0 as the first part of an utf-8 multibyte char, and tries to read the next
char.

In this state, the ^C takes effect and we run into a double free because
_rl_isearch_cleanup is called twice.

Both these issues need fixing independently, though after fixing the first we
no longer trigger the second.

The first issue is caused by the subtle difference between:
- a char array containing 0 chars, which is zero-terminated, and
- a char array containing 1 char, which is zero.

In mbrtowc terms, this is the difference between:
...
  mbrtowc (&wc, "", 0, &ps);
...
which returns -2, and:
...
  mbrtowc (&wc, "", 1, &ps);
...
which returns 0.

Note that _rl_read_mbstring calls _rl_get_char_len without passing it an
explicit length parameter, and consequently it cannot distinguish between the
two, and defaults to the "0 chars" choice.

Note that the same problem doesn't exist in _rl_read_mbchar.

Fix this by defaulting to the "1 char" choice in _rl_get_char_len:
...
-  if (_rl_utf8locale && l > 0 && UTF8_SINGLEBYTE(*src))
+  if (_rl_utf8locale && l >= 0 && UTF8_SINGLEBYTE(*src))
...

The second problem happens when the call to _rl_search_getchar in
_rl_isearch_callback returns.  At that point _rl_isearch_cleanup has already
been called from the signal handler, but we proceed regardless, using a cxt
pointer that has been freed.

Fix this by checking for "RL_ISSTATE (RL_STATE_ISEARCH)" after the call to
_rl_search_getchar:
...
   c = _rl_search_getchar (cxt);
+  if (!RL_ISSTATE (RL_STATE_ISEARCH))
+    return 1;
...

Tested on x86_64-linux.

Approved-By: Chet Ramey <chet.ramey@case.edu>

PR tui/30056
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30056
---
 gdb/testsuite/gdb.tui/pr30056.exp | 52 +++++++++++++++++++++++++++++++
 readline/readline/isearch.c       |  3 ++
 readline/readline/mbutil.c        |  2 +-
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 gdb/testsuite/gdb.tui/pr30056.exp

diff --git a/gdb/testsuite/gdb.tui/pr30056.exp b/gdb/testsuite/gdb.tui/pr30056.exp
new file mode 100644
index 00000000000..7a57a5627a8
--- /dev/null
+++ b/gdb/testsuite/gdb.tui/pr30056.exp
@@ -0,0 +1,52 @@
+# Copyright 2023 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Regression test for PR30056.
+
+tuiterm_env
+
+save_vars { env(LC_ALL) } {
+    setenv LC_ALL C.UTF-8
+
+    # Start terminal.
+    Term::clean_restart 24 80
+
+    # Start TUI.
+    if {![Term::enter_tui]} {
+	unsupported "TUI not supported"
+	return
+    }
+
+    # Send "^R", starting reverse-i-search.
+    send_gdb "\022"
+    Term::wait_for_region_contents 0 $Term::_cur_row $Term::_cols 1 \
+	[string_to_regexp "(reverse-i-search)`': "]
+
+    # Send "xyz".
+    send_gdb "xyz"
+    Term::wait_for_region_contents 0 $Term::_cur_row $Term::_cols 1 \
+	[string_to_regexp "(failed reverse-i-search)`xyz': "]
+
+    # Send arrow-right.
+    send_gdb "\033\[C"
+
+    # We need to the arrow-right to be processed by readline, before we
+    # send the following ^C.  Waiting 1 ms seems to do that.
+    after 1
+
+    # Send ^C.
+    send_gdb "\003"
+    gdb_assert { [Term::wait_for "Quit"] } "Control-C"
+}
diff --git a/readline/readline/isearch.c b/readline/readline/isearch.c
index 080ba3cbb9c..941078f790e 100644
--- a/readline/readline/isearch.c
+++ b/readline/readline/isearch.c
@@ -882,6 +882,9 @@ _rl_isearch_callback (_rl_search_cxt *cxt)
   int c, r;
 
   c = _rl_search_getchar (cxt);
+  if (!RL_ISSTATE (RL_STATE_ISEARCH))
+    return 1;
+
   /* We might want to handle EOF here */
   r = _rl_isearch_dispatch (cxt, cxt->lastc);
 
diff --git a/readline/readline/mbutil.c b/readline/readline/mbutil.c
index dc62b4cc24d..7da3ff17bb5 100644
--- a/readline/readline/mbutil.c
+++ b/readline/readline/mbutil.c
@@ -363,7 +363,7 @@ _rl_get_char_len (char *src, mbstate_t *ps)
 
   /* Look at no more than MB_CUR_MAX characters */
   l = (size_t)strlen (src);
-  if (_rl_utf8locale && l > 0 && UTF8_SINGLEBYTE(*src))
+  if (_rl_utf8locale && l >= 0 && UTF8_SINGLEBYTE(*src))
     tmp = (*src != 0) ? 1 : 0;
   else
     {

base-commit: 040f24e2eb2b9b46e7337e588244e9eb9a585550
-- 
2.35.3

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose

[Simon Marchi]

On 5/28/23 04:20, Tom de Vries via Gdb-patches wrote:
> On 5/27/23 21:10, Chet Ramey wrote:
>> On 5/23/23 12:04 PM, Tom de Vries wrote:
>>
>>> Both these issues need fixing independently, though after fixing the first we
>>> no longer trigger the second.
>>
>> Thanks for the report. These are both good fixes.
> 
> Thanks for the review.
> 
> Added test-case and committed.
> 
> Thanks,
> - Tom

Hi Tom,

ASan sees a double-free in the test:

==144635==ERROR: AddressSanitizer: attempting double-free on 0x60200001ae90 in thread T0:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #2 0x7f39ef3d0f5d in _rl_isearch_cleanup (/usr/lib/libreadline.so.8+0x27f5d) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #3 0x7f39ef3e42ec in rl_callback_read_char (/usr/lib/libreadline.so.8+0x3b2ec) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
    #4 0x5649f96ec632 in gdb_rl_callback_read_char_wrapper_noexcept /home/smarchi/src/binutils-gdb/gdb/event-top.c:192
    #5 0x5649f96ec88a in gdb_rl_callback_read_char_wrapper /home/smarchi/src/binutils-gdb/gdb/event-top.c:225
    #6 0x5649fafd3641 in stdin_event_handler /home/smarchi/src/binutils-gdb/gdb/ui.c:155
    #7 0x5649fb6dbe79 in handle_file_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:573
    #8 0x5649fb6dc80f in gdb_wait_for_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:694
    #9 0x5649fb6da468 in gdb_do_one_event(int) /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:264
    #10 0x5649f9e61094 in start_event_loop /home/smarchi/src/binutils-gdb/gdb/main.c:412
    #11 0x5649f9e615a6 in captured_command_loop /home/smarchi/src/binutils-gdb/gdb/main.c:476
    #12 0x5649f9e66b5c in captured_main /home/smarchi/src/binutils-gdb/gdb/main.c:1320
    #13 0x5649f9e66c99 in gdb_main(captured_main_args*) /home/smarchi/src/binutils-gdb/gdb/main.c:1339
    #14 0x5649f83b758d in main /home/smarchi/src/binutils-gdb/gdb/gdb.c:32
    #15 0x7f39eda3984f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #16 0x7f39eda39909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #17 0x5649f83b7354 in _start (/home/smarchi/build/binutils-gdb/gdb/gdb+0xb0f0354) (BuildId: 2bb3933a88a2426705e531a680e7075402ea19f8)

0x60200001ae90 is located 0 bytes inside of 1-byte region [0x60200001ae90,0x60200001ae91)
freed by thread T0 here:
    #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

previously allocated by thread T0 here:
    #0 0x7f39ef4e1369 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x5649f865bca2 in xmalloc /home/smarchi/src/binutils-gdb/gdb/alloc.c:57
    #2 0x7f39ef3eb6da  (/usr/lib/libreadline.so.8+0x426da) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)

SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free

Simon

Re: [PATCH] [readline] Fix double free in _rl_scxt_dispose

[Tom de Vries]

On 5/29/23 18:43, Simon Marchi wrote:
> On 5/28/23 04:20, Tom de Vries via Gdb-patches wrote:
>> On 5/27/23 21:10, Chet Ramey wrote:
>>> On 5/23/23 12:04 PM, Tom de Vries wrote:
>>>
>>>> Both these issues need fixing independently, though after fixing the first we
>>>> no longer trigger the second.
>>>
>>> Thanks for the report. These are both good fixes.
>>
>> Thanks for the review.
>>
>> Added test-case and committed.
>>
>> Thanks,
>> - Tom
> 
> Hi Tom,
> 
> ASan sees a double-free in the test:
> 
> ==144635==ERROR: AddressSanitizer: attempting double-free on 0x60200001ae90 in thread T0:
>      #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
>      #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
>      #2 0x7f39ef3d0f5d in _rl_isearch_cleanup (/usr/lib/libreadline.so.8+0x27f5d) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
>      #3 0x7f39ef3e42ec in rl_callback_read_char (/usr/lib/libreadline.so.8+0x3b2ec) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
>      #4 0x5649f96ec632 in gdb_rl_callback_read_char_wrapper_noexcept /home/smarchi/src/binutils-gdb/gdb/event-top.c:192
>      #5 0x5649f96ec88a in gdb_rl_callback_read_char_wrapper /home/smarchi/src/binutils-gdb/gdb/event-top.c:225
>      #6 0x5649fafd3641 in stdin_event_handler /home/smarchi/src/binutils-gdb/gdb/ui.c:155
>      #7 0x5649fb6dbe79 in handle_file_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:573
>      #8 0x5649fb6dc80f in gdb_wait_for_event /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:694
>      #9 0x5649fb6da468 in gdb_do_one_event(int) /home/smarchi/src/binutils-gdb/gdbsupport/event-loop.cc:264
>      #10 0x5649f9e61094 in start_event_loop /home/smarchi/src/binutils-gdb/gdb/main.c:412
>      #11 0x5649f9e615a6 in captured_command_loop /home/smarchi/src/binutils-gdb/gdb/main.c:476
>      #12 0x5649f9e66b5c in captured_main /home/smarchi/src/binutils-gdb/gdb/main.c:1320
>      #13 0x5649f9e66c99 in gdb_main(captured_main_args*) /home/smarchi/src/binutils-gdb/gdb/main.c:1339
>      #14 0x5649f83b758d in main /home/smarchi/src/binutils-gdb/gdb/gdb.c:32
>      #15 0x7f39eda3984f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
>      #16 0x7f39eda39909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
>      #17 0x5649f83b7354 in _start (/home/smarchi/build/binutils-gdb/gdb/gdb+0xb0f0354) (BuildId: 2bb3933a88a2426705e531a680e7075402ea19f8)
> 
> 0x60200001ae90 is located 0 bytes inside of 1-byte region [0x60200001ae90,0x60200001ae91)
> freed by thread T0 here:
>      #0 0x7f39ef4dfdc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
>      #1 0x7f39ef3cef65 in _rl_scxt_dispose (/usr/lib/libreadline.so.8+0x25f65) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
> 
> previously allocated by thread T0 here:
>      #0 0x7f39ef4e1369 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
>      #1 0x5649f865bca2 in xmalloc /home/smarchi/src/binutils-gdb/gdb/alloc.c:57
>      #2 0x7f39ef3eb6da  (/usr/lib/libreadline.so.8+0x426da) (BuildId: 092e91fc4361b0ef94561e3ae03a75f69398acbb)
> 
> SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free
> 

Hm, I guess the test-case detects the bug in system readline.

I suppose we can add a KFAIL or skip the test-case entirely when using 
system readline.

Thanks,
- Tom