[Bug c++/13342] New: insufficient memory is fetched from the inferior for partially destroyed C++ objects

[Bug c++/13342] New: insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

             Bug #: 13342
           Summary: insufficient memory is fetched from the inferior for
                    partially destroyed C++ objects
           Product: gdb
           Version: 7.2
            Status: NEW
          Severity: normal
          Priority: P2
         Component: c++
        AssignedTo: unassigned@sourceware.org
        ReportedBy: eric+sourceware@vangyzen.net
    Classification: Unclassified


Created attachment 6033
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6033
proposed patch

When GDB prints the contents of a C++ object during that object's destructor
call-chain, GDB does not fetch enough memory from the inferior, so it shows
uninitialized data for some members (those added by the class(es) whose
destructors have already run).

For example, consider the destruction of an Apple, which is a subclass of
Fruit.  When the Apple destructor completes, the Fruit destructor is called. 
During the Fruit destructor, we ask GDB to "print *this".  The object's RTTI
data say it's a Fruit (no longer an Apple).  In valops.c:value_full_object(),
GDB takes the "if (full)" path and sets the value's enclosing type to Fruit. 
Thus, GDB later fetches only sizeof(Fruit) bytes from the inferior, although it
should fetch sizeof(Apple).  This, "print" shows uninitialized data for the
members of "this" that were added in the Apple class.

Changing the value's enclosing type is helpful when the enclosing type is
larger, such as during an operation on a Fruit pointer that is really pointing
to an Apple.  However, it's harmful in the opposite case of an Apple pointer
pointing to [that which is currently] a Fruit.  Perhaps we should change the
enclosing type iff the real (RTTI) type is no smaller than the current
enclosing type?  I am no GDB expert, so there is probably a more correct fix.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #1 from Eric van Gyzen <eric+sourceware at vangyzen dot net> 2011-10-25 15:15:31 UTC ---
Created attachment 6034
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6034
test case

The attached test case reliably demonstrates the bug on my system:

$ uname -srm
FreeBSD 8.2-RELEASE amd64

$ c++ -v
Using built-in specs.
Target: amd64-undermydesk-freebsd
Configured with: FreeBSD/amd64 system compiler
Thread model: posix
gcc version 4.2.1 20070719  [FreeBSD]

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

Eric van Gyzen <eric+sourceware at vangyzen dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6034|application/octet-stream    |text/plain
          mime type|                            |

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

Eric van Gyzen <eric+sourceware at vangyzen dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6033|0                           |1
           is patch|                            |
   Attachment #6033|application/octet-stream    |text/plain
          mime type|                            |

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[tromey at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

Tom Tromey <tromey at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tromey at redhat dot com

--- Comment #2 from Tom Tromey <tromey at redhat dot com> 2011-11-02 14:52:11 UTC ---
I couldn't reproduce this.
Could you post exactly what commands you used?

I tried putting a breakpoint in ~Apple and printing *this.
I also stepped into ~Fruit, then went "up" and printed *this.
It all looked sane to me:

Starting program: /home/tromey/gnu/PRS/gdb13342/pr 

Breakpoint 1, Apple::~Apple (this=0x7fffffffe450, 
    __in_chrg=<value optimized out>) at pr.cc:34
34        ~Apple(void) { }
(gdb) p *this
$5 = (Apple) {
  <Fruit> = {
    _vptr.Fruit = 0x4008f0, 
    fruit1 = 1, 
    fruit2 = 2, 
    fruit3 = 3, 
    fruit4 = 4
  }, 
  members of Apple: 
  apple1 = 1, 
  apple2 = 2, 
  apple3 = 3, 
  apple4 = 4
}
(gdb) s
Fruit::~Fruit (this=0x7fffffffe450, __in_chrg=<value optimized out>)
    at pr.cc:17
17        virtual ~Fruit(void) {
(gdb) s
18            abort();
(gdb) p *this
$6 = (Fruit) {
  _vptr.Fruit = 0x400910, 
  fruit1 = 1, 
  fruit2 = 2, 
  fruit3 = 3, 
  fruit4 = 4
}
(gdb) up
#1  0x000000000040078d in Apple::~Apple (this=0x7fffffffe450, 
    __in_chrg=<value optimized out>) at pr.cc:34
34        ~Apple(void) { }
(gdb) p *this
$7 = (Fruit) {
  _vptr.Fruit = 0x400910, 
  fruit1 = 1, 
  fruit2 = 2, 
  fruit3 = 3, 
  fruit4 = 4
}

At the end here I think the dynamic type has changed to Fruit, so this
is still correct.

Your patch seems reasonable, I just would like to be able to reproduce the bug.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #3 from Eric van Gyzen <eric+sourceware at vangyzen dot net> 2011-11-02 15:22:31 UTC ---
Thanks for looking into this, Tom.

(In reply to comment #2)
> (gdb) up
> #1  0x000000000040078d in Apple::~Apple (this=0x7fffffffe450, 
>     __in_chrg=<value optimized out>) at pr.cc:34
> 34        ~Apple(void) { }
> (gdb) p *this
> $7 = (Fruit) {
>   _vptr.Fruit = 0x400910, 
>   fruit1 = 1, 
>   fruit2 = 2, 
>   fruit3 = 3, 
>   fruit4 = 4
> }

I did exactly what you did.  However, when I did it, $7 was an Apple:

(gdb) p *this
$3 = {
  <Fruit> = {
    _vptr$Fruit = 0x400a10, 
    fruit1 = 1, 
    fruit2 = 2, 
    fruit3 = 3, 
    fruit4 = 4
  }, 
  members of Apple: 
  apple1 = 0, 
  apple2 = 0, 
  apple3 = 0, 
  apple4 = 0
}

(gdb) ptype *this
type = struct Apple : public Fruit {
[snip]

> At the end here I think the dynamic type has changed to Fruit, so this
> is still correct.

True, but the compile-time type in ~Apple is Apple, so I would expect gdb to
show me the whole Apple.  It does this in my case (v7.2), and it shows
incorrect data for the appleN members.

I wonder why it only shows you the Fruit.  Is this a difference between 7.2 and
HEAD?  What happens when you "p *(class Apple *)this" in ~Apple?

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[tromey at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #4 from Tom Tromey <tromey at redhat dot com> 2011-11-03 16:56:50 UTC ---
(In reply to comment #3)
> Thanks for looking into this, Tom.

No problem.

What is odd is that my 7.2 does exactly what my later builds do.
Does your build have local patches that might affect this?
Could you possibly try 7.3.1 or CVS HEAD?
Otherwise I am wondering whether it is somehow a compiler difference.

> I wonder why it only shows you the Fruit.  Is this a difference between 7.2 and
> HEAD?  What happens when you "p *(class Apple *)this" in ~Apple?

The same:

(gdb) p *(class Apple *) this
$5 = (Fruit) {
  _vptr.Fruit = 0x400910, 
  fruit1 = 1, 
  fruit2 = 2, 
  fruit3 = 3, 
  fruit4 = 4
}

I tend to agree with you that gdb should show an Apple here, not a Fruit.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #5 from Eric van Gyzen <eric+sourceware at vangyzen dot net> 2011-11-03 19:17:00 UTC ---
(In reply to comment #4)
> What is odd is that my 7.2 does exactly what my later builds do.

Woah.

> Does your build have local patches that might affect this?

I built via the FreeBSD ports collection, so it has local patches, but they're
mostly for FreeBSD threading.  I don't think any of the patches would affect
this, but I'm not a GDB expert (nor do I play one on TV).  You can see the
patches here:

    http://www.freebsd.org/cgi/cvsweb.cgi/ports/devel/gdb/files/

> Could you possibly try 7.3.1 or CVS HEAD?

I get the same behavior with 7.3.1, also built via the FreeBSD port.

CVS HEAD (as of five minutes ago) won't compile; it breaks in amd64-tdep.c. 
The FreeBSD port includes a patch for this file, but I didn't try applying it.

> Otherwise I am wondering whether it is somehow a compiler difference.

I get the same behavior with:
 - GCC 4.2.1 in the FreeBSD base system
 - GCC 4.5.3 from FreeBSD ports
 - LLVM/Clang 2.9 from FreeBSD ports

In all cases, I'm using GNU libstdc++ from GCC 4.2.1 (in the FreeBSD base
system).

I also get the same behavior on two other systems:
 - Ubuntu 10.04.2  x86_64  GCC 4.4.3  GDB 7.1
 - CentOS 5.3      x86_64  GCC 4.1.2  GDB 6.8

I get the same behavior whether I run with a live inferior with a breakpoint on
the abort(), or I run on an "Apple core" (nyuk nyuk).

Curiouser and curiouser.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[peter.schauer at mytum dot de]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

Peter Schauer <peter.schauer at mytum dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |peter.schauer at mytum dot
                   |                            |de

--- Comment #6 from Peter Schauer <peter.schauer at mytum dot de> 2011-11-08 14:16:36 UTC ---
Perhaps you are using different `set print object' settings ?

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[tromey at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #7 from Tom Tromey <tromey at redhat dot com> 2011-11-08 15:50:58 UTC ---
(In reply to comment #6)
> Perhaps you are using different `set print object' settings ?

Yes, oops.  I somehow never remember this :-(
I can reproduce it now.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #8 from Eric van Gyzen <eric+sourceware at vangyzen dot net> 2011-11-08 16:38:40 UTC ---
(In reply to comment #7)
> (In reply to comment #6)
> > Perhaps you are using different `set print object' settings ?
> 
> Yes, oops.  I somehow never remember this :-(

No worries.  At least I learned about something:  I had never twiddled "set
print object".

> I can reproduce it now.

Thanks for the good news!

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[tromey at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

Tom Tromey <tromey at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at sourceware    |tromey at redhat dot com
                   |dot org                     |

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> 2011-11-09 19:50:21 UTC ---
CVSROOT:    /cvs/src
Module name:    src
Changes by:    tromey@sourceware.org    2011-11-09 19:50:15

Modified files:
    gdb            : ChangeLog valops.c 
    gdb/testsuite  : ChangeLog 
Added files:
    gdb/testsuite/gdb.cp: destrprint.cc destrprint.exp 

Log message:
    gdb
    PR c++/13342:
    * valops.c (value_full_object): Return early if real type is
    smaller than the enclosing type.
    gdb/testsuite
    * gdb.cp/destrprint.exp: New file.
    * gdb.cp/destrprint.cc: New file.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/ChangeLog.diff?cvsroot=src&r1=1.13495&r2=1.13496
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/valops.c.diff?cvsroot=src&r1=1.289&r2=1.290
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/testsuite/ChangeLog.diff?cvsroot=src&r1=1.2928&r2=1.2929
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/testsuite/gdb.cp/destrprint.cc.diff?cvsroot=src&r1=NONE&r2=1.1
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/testsuite/gdb.cp/destrprint.exp.diff?cvsroot=src&r1=NONE&r2=1.1

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[tromey at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

Tom Tromey <tromey at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |7.4

--- Comment #10 from Tom Tromey <tromey at redhat dot com> 2011-11-09 19:52:59 UTC ---
I checked in a slight variant on the patch, plus a test case.
Thanks for persevering with this.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug c++/13342] insufficient memory is fetched from the inferior for partially destroyed C++ objects

[eric+sourceware at vangyzen dot net]

http://sourceware.org/bugzilla/show_bug.cgi?id=13342

--- Comment #11 from Eric van Gyzen <eric+sourceware at vangyzen dot net> 2011-11-09 20:37:24 UTC ---
> I checked in a slight variant on the patch, plus a test case.

Excellent!  Thank you especially for writing the testcase.

> Thanks for persevering with this.

The same to you.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.