Subject: [PATCH v2] Fix segfault when using 'set print object on' + whatis (Re: [PATCH] Fix segfault when using 'set print object on' + whatis )
To: Sergio Durigan Junior, GDB Patches
Cc: Eli Zaretskii
From: Pedro Alves
Date: Mon, 22 Jan 2018 17:42:00 -0000
In-Reply-To: <20180120010334.7694-1-sergiodj@redhat.com>

Hi Sergio,

On 01/20/2018 01:03 AM, Sergio Durigan Junior wrote:
> This problem was hidden behind a "maybe-uninitialized" warning
> generated when compiling GDB with a recent GCC.  The warning is:
>
> ../../gdb/typeprint.c: In function 'void whatis_exp(const char*, int)':
> ../../gdb/typeprint.c:515:12: warning: 'val' may be used uninitialized in this function [-Wmaybe-uninitialized]
>      real_type = value_rtti_type (val, &full, &top, &using_enc);
>      ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> I submitted a patch fixing this by initializing "val" to NULL, but it
> was the wrong fix, as Pedro pointed out on
> :

IMHO, adding such history to the commit log directly doesn't really
add much here.  It's better IMO to leave that to "what changed in v2"
comments (that don't go in the commit log), and instead update the
commit log to go straight to the point.  (please keep reading.)

>
> (gdb) set print object on
> (gdb) whatis some_structure_type
>
> Thread 1 "gdb" received signal SIGSEGV, Segmentation fault.
> 0x00000000005dda90 in check_typedef (type=0x6120736573756170) at src/gdb/gdbtypes.c:2388
> 2388      int instance_flags = TYPE_INSTANCE_FLAGS (type);
> ...
>
> So I set off to find the cause of the problem.  It turns out that a
> recent-ish refactoring of the code on 'whatis_exp', introduced by:
>
> commit c973d0aa4a2c737ab527ae44a617f1c357e07364
> Date:   Mon Aug 21 11:34:32 2017 +0100
>
>     Fix type casts losing typedefs and reimplement "whatis" typedef stripping
>
> was the reason of the failure.
> After investigating what 'set print
> object on' was supposed to do to the output of 'whatis', it made sense
> to initialize "val = evaluate_type (expr.get ());" all the time, not
> only when we're dealing with the 'ptype' command.

The point of the c973d0aa4a2c change was to bypass evaluating the
expression if the opcode is OP_TYPE.  The proposed patch adds back the
evaluation, while the OP_TYPE shortcut is left in there too.

I think calling allocate_value instead in the path that misses
initializing 'val' would make more sense, to end up with a dummy
not_lval value, like expression evaluation does when evaluating
EVAL_AVOID_SIDE_EFFECTS.

But even better still is to set VAL to NULL in this case (only), and
skip the "real type" printing.  It doesn't make any sense to try to
fetch the dynamic type of a type that didn't come from an actual
program value in the first place.  There's nothing dynamic about a
statically named type.

>
> I've regtested this on the BuildBot, without seeing any regressions.
> I've also extended 'gdb.base/whatis.exp' to check if the segfault is
> not there anymore.

The "whatis struct" case was an example, but there's another similar
path in the code that also leads to a crash and is not covered by the
testcase.  The value_rtti_indirect_type path here:

  if (opts.objectprint)
    {
      if (((TYPE_CODE (type) == TYPE_CODE_PTR) || TYPE_IS_REFERENCE (type))
          && (TYPE_CODE (TYPE_TARGET_TYPE (type)) == TYPE_CODE_STRUCT))
        real_type = value_rtti_indirect_type (val, &full, &top, &using_enc);
      else if (TYPE_CODE (type) == TYPE_CODE_STRUCT)
        real_type = value_rtti_type (val, &full, &top, &using_enc);
    }

> --- a/gdb/testsuite/gdb.base/whatis.exp
> +++ b/gdb/testsuite/gdb.base/whatis.exp
> @@ -566,3 +566,10 @@ gdb_test "whatis int (*)(void, int, int)" \
>  gdb_test "whatis int (*)(int, void, int)" \
>      "'void' invalid as parameter type" \
>      "whatis applied to function with 'void' parameter type"
> +
> +# Test that 'set print object on' + whatis doesn't segfault.
> +clean_restart $binfile
> +gdb_test_no_output "set print object on"
> +gdb_test "whatis v_struct1" \
> +    "type = struct t_struct" \
> +    "whatis + set print object on doesn't segfault"

At some point later on someone is going to read this test name/message
and wonder why it is talking about a segfault.  All the other 50k+
tests in the testsuite are indirectly checking that gdb doesn't
segfault either.  This one's not that special in that regard.
Instead, we're testing that the "set print object on" + "whatis "
combination _works_ as expected, which among other things obviously
includes not segfaulting, but also includes checking that the output
is reasonable.

As I was writing/experimenting with the above, I ended up addressing
my own comments.  What do you think of this patch instead?

New in v2:

- set val to NULL and skip dynamic type printing in the "whatis "
  case.

- rewrite the new tests to reuse preexisting tests, and add new tests
  for whatis with pointers and references to structs coupled with "set
  print object on".  Try both "set print object on/off".

From f86b4087d23be4cf20bf3dc2f8407cef3f28830d Mon Sep 17 00:00:00 2001
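Review bot: in the quoted v1 hunk @@ -566,3 +566,10 @@, the new test runs `whatis v_struct1`, an expression argument, but the crash described in the commit message is triggered by a type argument (`whatis some_structure_type`), which takes the OP_TYPE branch that leaves VAL uninitialized; an expression argument evaluates VAL and would not have crashed even before the fix, so this test does not exercise the failing path. Use `whatis struct t_struct` (plus the pointer and reference variants) under "set print object on" so that the regression test actually fails on an unpatched tree.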
From: Sergio Durigan Junior
Date: Mon, 22 Jan 2018 17:33:13 +0000
Subject: [PATCH] Fix segfault when using 'set print object on' + whatis

Compiling GDB with a recent GCC exposes a problem:

../../gdb/typeprint.c: In function 'void whatis_exp(const char*, int)':
../../gdb/typeprint.c:515:12: warning: 'val' may be used uninitialized in this function [-Wmaybe-uninitialized]
     real_type = value_rtti_type (val, &full, &top, &using_enc);
     ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The warning is correct.  There are indeed code paths that use
uninitialized 'val', leading to crashes.  Inside the
value_rtti_indirect_type/value_rtti_type calls here in whatis_exp:

  if (opts.objectprint)
    {
      if (((TYPE_CODE (type) == TYPE_CODE_PTR) || TYPE_IS_REFERENCE (type))
          && (TYPE_CODE (TYPE_TARGET_TYPE (type)) == TYPE_CODE_STRUCT))
        real_type = value_rtti_indirect_type (val, &full, &top, &using_enc);
      else if (TYPE_CODE (type) == TYPE_CODE_STRUCT)
        real_type = value_rtti_type (val, &full, &top, &using_enc);
    }

We reach those calls above with "set print object on", and then with
any of:

 (gdb) whatis struct some_structure_type
 (gdb) whatis struct some_structure_type *
 (gdb) whatis struct some_structure_type &

because "whatis" with a type argument enters this branch:

  /* The behavior of "whatis" depends on whether the user
     expression names a type directly, or a language expression
     (including variable names).  If the former, then "whatis"
     strips one level of typedefs, only.  If an expression,
     "whatis" prints the type of the expression without stripping
     any typedef level.  "ptype" always strips all levels of
     typedefs.  */
  if (show == -1 && expr->elts[0].opcode == OP_TYPE)
    {

which does not initialize VAL.  Trying the above led to crashes like
this:

 (gdb) set print object on
 (gdb) whatis some_structure_type

 Thread 1 "gdb" received signal SIGSEGV, Segmentation fault.
 0x00000000005dda90 in check_typedef (type=0x6120736573756170) at src/gdb/gdbtypes.c:2388
 2388      int instance_flags = TYPE_INSTANCE_FLAGS (type);
 ...

This is a regression caused by a recent-ish refactoring of the code on
'whatis_exp', introduced by:

  commit c973d0aa4a2c737ab527ae44a617f1c357e07364
  Date:   Mon Aug 21 11:34:32 2017 +0100

      Fix type casts losing typedefs and reimplement "whatis" typedef stripping

Fix this by setting VAL to NULL in the "whatis TYPE" case, and skipping
fetching the dynamic type if there's no value to fetch it from.

New tests included.

gdb/ChangeLog:
yyyy-mm-dd  Sergio Durigan Junior
            Pedro Alves

        * typeprint.c (whatis_exp): Initialize "val" in the "whatis type"
        case.

gdb/testsuite/ChangeLog:
yyyy-mm-dd  Sergio Durigan Junior
            Pedro Alves

        * gdb.base/whatis.exp: Add tests for 'set print object on' +
        'whatis ' 'whatis *' and 'whatis &'.
---
 gdb/testsuite/gdb.base/whatis.exp | 25 +++++++++++++++++++++----
 gdb/typeprint.c                   |  6 +++++-
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/gdb/testsuite/gdb.base/whatis.exp b/gdb/testsuite/gdb.base/whatis.exp
index dd6aeb02f91..509183e2ea4 100644
--- a/gdb/testsuite/gdb.base/whatis.exp
+++ b/gdb/testsuite/gdb.base/whatis.exp
@@ -282,14 +282,31 @@ gdb_test "whatis v_double_pointer" \ # test whatis command with structure types + +# First with a type argument, with both "set print object" set to "on" +# and "off", ending with "off" for the following tests. +foreach_with_prefix print_object {"on" "off"} { + gdb_test_no_output "set print object $print_object" + + gdb_test "whatis struct t_struct" \ + "type = struct t_struct" \ + "whatis named structure using type name" + + gdb_test "whatis struct t_struct *" \ + "type = struct t_struct \\*" \ + "whatis named structure using type name and pointer" + + gdb_test "whatis struct t_struct &" \ + "type = struct t_struct &" \ + "whatis named structure using type name and reference" +} + +# Now with an expression argument. + gdb_test "whatis v_struct1" \ "type = struct t_struct" \ "whatis named structure" -gdb_test "whatis struct t_struct" \ - "type = struct t_struct" \ - "whatis named structure using type name" - gdb_test "whatis v_struct2" \ "type = struct \{\.\.\.\}" \ "whatis unnamed structure" diff --git a/gdb/typeprint.c b/gdb/typeprint.c index 9a125076a1b..c098a3f4261 100644 --- a/gdb/typeprint.c +++ b/gdb/typeprint.c @@ -489,6 +489,10 @@ whatis_exp (const char *exp, int show) check_typedef (type); if (TYPE_CODE (type) == TYPE_CODE_TYPEDEF) type = TYPE_TARGET_TYPE (type); + + /* If the expression is actually a type, then there's no + value to fetch the dynamic type from. */ + val = NULL; } else { @@ -506,7 +510,7 @@ whatis_exp (const char *exp, int show) } get_user_print_options (&opts); - if (opts.objectprint) + if (val != NULL && opts.objectprint) { if (((TYPE_CODE (type) == TYPE_CODE_PTR) || TYPE_IS_REFERENCE (type)) && (TYPE_CODE (TYPE_TARGET_TYPE (type)) == TYPE_CODE_STRUCT)) -- 2.14.3
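Review bot: the whatis.exp hunk @@ -282,14 +282,31 @@ relies on the iteration order of `foreach_with_prefix print_object {"on" "off"}` to leave "set print object" at "off" for the expression-argument tests that follow; the comment documents that, but an explicit `gdb_test_no_output "set print object off"` after the loop would make the later tests independent of the loop body, so that reordering or extending the list does not silently change what `whatis v_struct1` and the tests after it are checking.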
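Review bot: in the typeprint.c hunk @@ -489,6 +489,10 @@, the `val = NULL` assignment at the end of the OP_TYPE branch is only meaningful because of the `val != NULL` guard added further down, and the new comment does not say so; extend it along the lines of "/* If the expression is actually a type, then there's no value to fetch the dynamic type from.  VAL is checked for NULL before the dynamic type lookup below.  */" so that a later edit to either place keeps the two in step and does not reintroduce the uninitialized use that -Wmaybe-uninitialized flagged.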
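Review bot: the guard `if (val != NULL && opts.objectprint)` in hunk @@ -506,7 +510,7 @@ silently turns dynamic-type lookup off for the "whatis TYPE" case, and nothing at the condition explains why a NULL VAL is expected here; a one-line comment such as "/* VAL is NULL when the argument named a type; a statically named type has no dynamic type to fetch.  */" would keep a later reader from "fixing" it by evaluating the expression again, which is exactly the v1 approach this patch moves away from. The single guard covers both the value_rtti_indirect_type and the value_rtti_type calls, so the pointer and reference cases added to whatis.exp are handled by the same line.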