[Bug server/13392] New: JMP insn in jump pad is not correct when offset exceeds integer limit

[Bug server/13392] New: JMP insn in jump pad is not correct when offset exceeds integer limit

[qiyao at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13392

             Bug #: 13392
           Summary: JMP insn in jump pad is not correct when offset
                    exceeds integer limit
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: server
        AssignedTo: unassigned@sourceware.org
        ReportedBy: qiyao@gcc.gnu.org
    Classification: Unclassified


In current gdbserver code,
linux-x86-low.c:amd64_install_fas_tracepoint_jump_pad, 

  /* The jump pad is now built.  Wire in a jump to our jump pad.  This
     is always done last (by our caller actually), so that we can
     install fast tracepoints with threads running.  This relies on
     the agent's atomic write support.  */
  offset = *jump_entry - (tpaddr + sizeof (jump_insn));
  memcpy (buf, jump_insn, sizeof (jump_insn));
  memcpy (buf + 1, &offset, 4);
  memcpy (jjump_pad_insn, buf, sizeof (jump_insn));
  *jjump_pad_insn_size = sizeof (jump_insn);


static unsigned char jump_insn[] = { 0xe9, 0, 0, 0, 0 };

  We are using relative jump and assume that 32-bit displacement is large
enough, however, it is not correct in some cases.  In my case below, jump pad
is quite far, and unable to jump via relative jump insn that we are using.  We
compose a wrong jmp insn, write back to original insn place, and cause a
SIGSEGV.

(gdb) ftrace set_tracepoint 
Fast tracepoint 2 at 0x400756: file
../../../gdb/gdb/testsuite/gdb.trace/change-loc.h, line 35. (2 locations)
(gdb) tstart 
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
func4 () at ../../../gdb/gdb/testsuite/gdb.trace/change-loc.h:35
35      asm ("    .global " SYMBOL(set_tracepoint) "\n"
(gdb) p/x $pc
$1 = 0x7ffff79d556e
(gdb) disassemble 
Dump of assembler code for function func4:
   0x00007ffff79d556a <+0>:    push   %rbp
   0x00007ffff79d556b <+1>:    mov    %rsp,%rbp
=> 0x00007ffff79d556e <+4>:    callq  0x7ffff79d5564 <func5>
   0x00007ffff79d5573 <+9>:    leaveq 
   0x00007ffff79d5574 <+10>:    retq   
End of assembler dump.
(gdb) info tracepoints 
Num     Type            Disp Enb Address            What
2       fast tracepoint keep y   <MULTIPLE>         
2.1                          y     0x0000000000400756 in func4 at
../../../gdb/gdb/testsuite/gdb.trace/change-loc.h:35
2.2                          y     0x00007ffff79d556e in func4 at
../../../gdb/gdb/testsuite/gdb.trace/change-loc.h:35

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug server/13392] JMP insn in jump pad is not correct when offset exceeds integer limit

[qiyao at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13392

--- Comment #1 from Yao Qi <qiyao at gcc dot gnu.org> 2011-11-08 04:09:17 UTC ---
I tried to fix this problem in different ways,

 #1.  Choose absolute indirect jump along with a trampoline, however, absolute
indirect jump is 6-byte long, so that means the insn set that we can use fast
tracepoint is smaller.
 #2.  Return 1 (error) if offset exceeds the 4-byte limit.  This makes
inconsistency of gdb and gdbserver when error happens, because gdb does not
know this error.  So far, the offset from original insn to jump pad is got
during installing tracepoint rather than downloading tracepoint, so it is too
late when gdbserver finds that offset is too long.  We can call qRelocInsn when
dowloading tracepoint, check offset, if offset is OK, cache result of
qRelocInsn, otherwise reply error.  This requires more changes, I'll revisit
this later.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug server/13392] JMP insn in jump pad is not correct when offset exceeds integer limit

[cvs-commit at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13392

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> 2012-03-09 03:47:18 UTC ---
CVSROOT:    /cvs/src
Module name:    src
Changes by:    qiyao@sourceware.org    2012-03-09 03:47:15

Modified files:
    gdb/gdbserver  : ChangeLog linux-x86-low.c tracepoint.c 
    gdb/testsuite  : ChangeLog 
    gdb/testsuite/gdb.trace: change-loc.exp pending.exp 

Log message:
    2012-03-08  Yao Qi  <yao@codesourcery.com>
    Pedro Alves  <palves@redhat.com>

    Fix PR server/13392.
    * linux-x86-low.c (amd64_install_fast_tracepoint_jump_pad): Check
    offset of JMP insn.
    * tracepoint.c (remove_tracepoint): New.
    (cmd_qtdp): Call remove_tracepoint when failed to install.

    2012-03-08  Yao Qi  <yao@codesourcery.com>
    Pedro Alves  <palves@redhat.com>

    Fix PR server/13392.
    * gdb.trace/change-loc.exp (tracepoint_change_loc_1): Remove kfail.
    (tracepoint_change_loc_2): Remove kfail.  Return if failed to
    download tracepoints.
    * gdb.trace/pending.exp (pending_tracepoint_works): Likewise.
    (pending_tracepoint_resolved_during_trace): Likewise.
    (pending_tracepoint_installed_during_trace): Likewise.
    (pending_tracepoint_with_action_resolved): Likewise.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/ChangeLog.diff?cvsroot=src&r1=1.570&r2=1.571
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/linux-x86-low.c.diff?cvsroot=src&r1=1.36&r2=1.37
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/tracepoint.c.diff?cvsroot=src&r1=1.53&r2=1.54
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/testsuite/ChangeLog.diff?cvsroot=src&r1=1.3130&r2=1.3131
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/testsuite/gdb.trace/change-loc.exp.diff?cvsroot=src&r1=1.6&r2=1.7
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/testsuite/gdb.trace/pending.exp.diff?cvsroot=src&r1=1.5&r2=1.6

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug server/13392] JMP insn in jump pad is not correct when offset exceeds integer limit

[qiyao at gcc dot gnu.org]

http://sourceware.org/bugzilla/show_bug.cgi?id=13392

Yao Qi <qiyao at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |7.5

--- Comment #3 from Yao Qi <qiyao at gcc dot gnu.org> 2012-03-09 03:56:34 UTC ---
Patch is committed.  Fixed.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.