public inbox for gdb-prs@sourceware.org
* [Bug python/10344] Pretty printers that call into inferior could crash GDB
       [not found] <bug-10344-4717@http.sourceware.org/bugzilla/>
@ 2013-03-05 20:16 ` kdudka at redhat dot com
  2013-05-22 12:39 ` pmuldoon at redhat dot com
  1 sibling, 0 replies; 6+ messages in thread
From: kdudka at redhat dot com @ 2013-03-05 20:16 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=10344

Kamil Dudka <kdudka at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kdudka at redhat dot com

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.



* [Bug python/10344] Pretty printers that call into inferior could crash GDB
       [not found] <bug-10344-4717@http.sourceware.org/bugzilla/>
  2013-03-05 20:16 ` [Bug python/10344] Pretty printers that call into inferior could crash GDB kdudka at redhat dot com
@ 2013-05-22 12:39 ` pmuldoon at redhat dot com
  1 sibling, 0 replies; 6+ messages in thread
From: pmuldoon at redhat dot com @ 2013-05-22 12:39 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=10344

Phil Muldoon <pmuldoon at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
         AssignedTo|unassigned at sourceware    |pmuldoon at redhat dot com
                   |dot org                     |
   Target Milestone|6.8                         |7.7

--- Comment #5 from Phil Muldoon <pmuldoon at redhat dot com> 2013-05-22 12:39:28 UTC ---
By serendipity this bug was also fixed by a patch I checked in today.  The fix
was to remove the fixed instantiation of an array with MAX_UI_OUT_LEVELS, and
instead utilize a vector (and allocating ui_levels as needed).

2013-05-22  Phil Muldoon  <pmuldoon@redhat.com>

    * ui-out.c: Create typedef ui_out_level_p and define vector
    operations for that type.
    (struct ui_out): Use a vector instead of an array.
    (current_level): Return level from a vector.
    (push_level): Create a level in a vector.
    (pop_level): Delete a level in a vector.
    (ui_out_new): Create initial level zero level, and store in a
    vector.
    (ui_out_destroy): Add vector cleanup.


http://sourceware.org/ml/gdb-cvs/2013-05/msg00211.html


* [Bug python/10344] Pretty printers that call into inferior could crash GDB
  2009-06-29 21:34 [Bug c++/10344] New: " ppluzhnikov at google dot com
                   ` (2 preceding siblings ...)
  2009-09-24 16:15 ` pmuldoon at redhat dot com
@ 2009-11-02 17:27 ` pmuldoon at redhat dot com
  3 siblings, 0 replies; 6+ messages in thread
From: pmuldoon at redhat dot com @ 2009-11-02 17:27 UTC (permalink / raw)
  To: gdb-prs



-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|pmuldoon at redhat dot com  |unassigned at sourceware dot
                   |                            |org
             Status|ASSIGNED                    |NEW


http://sourceware.org/bugzilla/show_bug.cgi?id=10344

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug python/10344] Pretty printers that call into inferior could crash GDB
  2009-06-29 21:34 [Bug c++/10344] New: " ppluzhnikov at google dot com
  2009-09-22 10:44 ` [Bug python/10344] " pmuldoon at redhat dot com
  2009-09-22 19:47 ` pmuldoon at redhat dot com
@ 2009-09-24 16:15 ` pmuldoon at redhat dot com
  2009-11-02 17:27 ` pmuldoon at redhat dot com
  3 siblings, 0 replies; 6+ messages in thread
From: pmuldoon at redhat dot com @ 2009-09-24 16:15 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From pmuldoon at redhat dot com  2009-09-24 16:15 -------
Increasing the MAX_UI_OUT_LEVELS will fix the bug as reported, but it will not
help when a situation occurs where the printers can end up recursing (and
gobbling up the ui levels). Example.

--- cut --- t2.cc ---

#include <stdio.h>

struct Foo;
struct Recurse;

struct Foo {
  Foo() : p(0) { }
  const char *print(Recurse b) const;
  char **p;
};

struct Recurse {
  Recurse (): p (0) { }
  const char *crash(Foo f) const;
  char **p;
};

const char *Recurse::crash(Foo f) const
{
  return *p; // crash as well
}

const char *Foo::print(Recurse b) const
{
  return *p; // crash!
}

char **bar(Foo f)
{
  return f.p;
}

int main()
{
   Foo f;
   Recurse b;
   bar(f);
   return 0;
}

--- cut --- t2.py ---
# Pretty printer for Foo, which calls into inferior

import gdb

class FooPrinter:

  def __init__(self, val):
    self.val = val

  def to_string(self):
    x = self.val.address
    return gdb.parse_and_eval('Foo::print(%s,f)' % str(x))

class RecursePrinter:
  def __init__(self, val):
    self.val = val

  def to_string(self):
    x = self.val.address
    return gdb.parse_and_eval('Recurse::crash(%s,b)' % str(x))


def lookup(val):
  if str(val.type) == "Foo":
    return FooPrinter(val)
  else:
    if str(val.type) == "Recurse":
      return RecursePrinter(val)
    else:
      return None

gdb.pretty_printers = [ lookup ]


I also increased the max MAX_UI_OUT_LEVELS to 15. But it does not matter, it can
be 1000, the result is the same.

-- Test case

./gdb -ex 'source /home/pmuldoon/pp/t.py' -ex 'break bar' -ex 'run' /home/pmuldoon/pp/t2

Output
Breakpoint 1, bar (f=
Program received signal SIGSEGV, Segmentation fault.
0x000000000040057f in Foo::print (this=0x7fffffffe170, b=
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400567 in Recurse::crash (this=0x7fffffffe0e0, f=
Program received signal SIGSEGV, Segmentation fault.
0x000000000040057f in Foo::print (this=0x7fffffffe050, b=
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400567 in Recurse::crash (
../../archer/gdb/ui-out.c:129: internal-error: push_level: Assertion
`uiout->level >= 0 && uiout->level < MAX_UI_OUT_LEVELS' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) q





* [Bug python/10344] Pretty printers that call into inferior could crash GDB
  2009-06-29 21:34 [Bug c++/10344] New: " ppluzhnikov at google dot com
  2009-09-22 10:44 ` [Bug python/10344] " pmuldoon at redhat dot com
@ 2009-09-22 19:47 ` pmuldoon at redhat dot com
  2009-09-24 16:15 ` pmuldoon at redhat dot com
  2009-11-02 17:27 ` pmuldoon at redhat dot com
  3 siblings, 0 replies; 6+ messages in thread
From: pmuldoon at redhat dot com @ 2009-09-22 19:47 UTC (permalink / raw)
  To: gdb-prs


------- Additional Comments From pmuldoon at redhat dot com  2009-09-22 19:47 -------
I looked at this today, and this is what I believe is occurring. The test
environment:

gdb -q -ex 'set prompt (top) ' -ex run --args archer-new/build/gdb/gdb -ex 'source t.py' -ex 'break bar' -ex run ./a.out

This stops GDB at the bar () function. When GDB stops at a breakpoint, as part
of the breakpoint descriptive text it attempts to print out the function name
and arguments via: print_frame_info in stack.c. As part of this function and the
child functions that it calls, the uiout->level is incremented three times (via
successive calls to make_cleanup_ui_out_tuple_begin_end which calls
ui_out_begin, which among other things calls push_level). At this point the
uiout->level is now 3.

Because arguments are values, each argument is run by the pretty printer code.
As Foo (the argument to bar) has a pretty-printer registered to it, that python
pretty printer is called. This call to a pretty printer additionally consumes
two more uiout->levels. The level is now 5.

Normally all of these levels are properly cleaned up and released. But we are
still progressing through the original call. Anyway ....

It just so happens that the pretty printer via parse_and_evals calls a function
that results in sigsegv. GDB tries to report this via error() but as that
consumes yet another level, (now 6) it triggers the overflow assert as detailed
in the previous comment.

Some thoughts on fixes:

1) Increase the uiout levels maximum. I've looked at the code and it seems to be
an arbitrary amount of levels. Why 6? It seems quite low, especially in
recursive situations like this. The problem with this is, how do we guarantee
that a more intensive recursive test case would not trigger it?

2) Rewrite uiout to really function like a stack (that grows and shrinks as
demands indicate), that the comments in the uiout seem to think it should?

3) Add a reserved channel for error streams that will always guarantee an error
is printed. This would seem ok, except it won't actually solve the issue (but
will guarantee that GDB can tell us

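The level accounting from the analysis above and the vector-based fix described in comment #5, modelled as an added example (this is not GDB's ui-out.c code and not part of the original thread). `struct out`, `nest` and the cap of 6 (taken from "Why 6?") are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LEVELS 6   /* assumed cap, from "Why 6?" in the comment above */

struct level { int field_count; };
struct out { struct level *levels; int level, cap, growable; };

/* Open one nested level. Slot 0 is the base level, so a fixed table of
   MAX_LEVELS slots holds only MAX_LEVELS - 1 pushes. Returns -1 where a
   bounds assertion on the fixed table would fire, or on allocation failure. */
static int push_level(struct out *o)
{
    if (o->level + 1 >= o->cap) {
        if (!o->growable)
            return -1;
        struct level *p = realloc(o->levels, 2 * (size_t)o->cap * sizeof *p);
        if (p == NULL)
            return -1;
        o->levels = p;
        o->cap *= 2;
    }
    o->levels[++o->level].field_count = 0;
    return 0;
}

/* Close the innermost level; the base level is never popped. */
static void pop_level(struct out *o) { if (o->level > 0) o->level--; }

/* Try to open `depth` nested levels, then unwind. Returns how many opened. */
int nest(int depth, int growable)
{
    struct out o = { calloc(MAX_LEVELS, sizeof(struct level)), 0, MAX_LEVELS, growable };
    int opened = 0;
    if (o.levels == NULL) return -1;
    while (opened < depth && push_level(&o) == 0)
        opened++;
    while (o.level > 0)
        pop_level(&o);
    free(o.levels);
    return opened;
}

int main(void)
{
    /* Depth from the analysis: 3 (frame) + 2 (printer) + 1 (error) = 6. */
    printf("fixed %d/6, growable %d/6, deep %d/1000\n", nest(6, 0), nest(6, 1), nest(1000, 1));
    return 0;
}
```

With the fixed table the sixth push is refused, which is the point at which the assertion in the reported output fires; the growable table accepts any depth that memory allows.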

* [Bug python/10344] Pretty printers that call into inferior could crash GDB
  2009-06-29 21:34 [Bug c++/10344] New: " ppluzhnikov at google dot com
@ 2009-09-22 10:44 ` pmuldoon at redhat dot com
  2009-09-22 19:47 ` pmuldoon at redhat dot com
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: pmuldoon at redhat dot com @ 2009-09-22 10:44 UTC (permalink / raw)
  To: gdb-prs



-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at sourceware dot|pmuldoon at redhat dot com
                   |org                         |
             Status|UNCONFIRMED                 |ASSIGNED
          Component|c++                         |python
     Ever Confirmed|                            |1


http://sourceware.org/bugzilla/show_bug.cgi?id=10344

