public inbox for gdb-prs@sourceware.org
help / color / mirror / Atom feed
* [Bug breakpoints/14901] New: Breakpoints can end up in the middle of an instruction, causing corruption
@ 2012-11-30 21:24 gdb at dima dot secretsauce.net
2024-01-22 17:17 ` [Bug breakpoints/14901] " ssbssa at sourceware dot org
0 siblings, 1 reply; 2+ messages in thread
From: gdb at dima dot secretsauce.net @ 2012-11-30 21:24 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=14901
Bug #: 14901
Summary: Breakpoints can end up in the middle of an
instruction, causing corruption
Product: gdb
Version: 7.5
Status: NEW
Severity: normal
Priority: P2
Component: breakpoints
AssignedTo: unassigned@sourceware.org
ReportedBy: gdb@dima.secretsauce.net
Classification: Unclassified
I'm using gdb 7.5.1, on a more-or-less vanilla amd64 box. I'm seeing that it is
possible to
1. set a breakpoint somewhere
2. load a new version of the executable being debugged
3. observe the breakpoint 0xCC byte end up in the middle of an instruction,
causing havoc
The 0xCC byte corrupts the instruction it ends up in. Furthermore, unless one
knows that a breakpoint is involved, the observed behavior is extremely
mysterious. The output of "disass /r" doesn't display the 0xCC, so the user
thinks they're stepping through one instruction, while gdb is executing a
completely different one.
To reproduce, I have the following source I named tst.c:
==============================
#include <stdio.h>
#include <stdlib.h>
static void f(void)
{
#ifdef PAD
char c = 3;
#endif
int a = 5;
printf("0x%x\n", a);
}
int main(void)
{
f();
return 0;
}
==============================
I compile this with and without defining PAD:
gcc-4.7 -DPAD -g -o tst_pad tst.c; gcc-4.7 -g -o tst tst.c
I then load "tst_pad", set the breakpoint on the "a=5" line, then load "tst".
The old breakpoint stays at the same exact address, corrupting the a=5
statement.
This can be shown by running "gdb -x gdb.cmd" with gdb.cmd as
==============================
file /tmp/tst_pad
b main
r
s
n
b
info b
c
file /tmp/tst
r
info b
disass /r f
c
q
==============================
The output I see from this is
==============================
GNU gdb (GDB) 7.5.1
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Breakpoint 1 at 0x400539: file tst.c, line 16.
Breakpoint 1, main () at tst.c:16
16 f();
f () at tst.c:7
7 char c = 3;
9 int a = 5;
Breakpoint 2 at 0x400518: file tst.c, line 9.
Num Type Disp Enb Address What
1 breakpoint keep y 0x0000000000400539 in main at tst.c:16
breakpoint already hit 1 time
2 breakpoint keep y 0x0000000000400518 in f at tst.c:9
0x5
[Inferior 1 (process 17031) exited normally]
Breakpoint 1, main () at tst.c:16
16 f();
Num Type Disp Enb Address What
1 breakpoint keep y 0x0000000000400535 in main at tst.c:16
breakpoint already hit 1 time
2 breakpoint keep y 0x0000000000400518 in f at tst.c:9
Dump of assembler code for function f:
0x000000000040050c <+0>: 55 push rbp
0x000000000040050d <+1>: 48 89 e5 mov rbp,rsp
0x0000000000400510 <+4>: 48 83 ec 10 sub rsp,0x10
0x0000000000400514 <+8>: c7 45 fc 05 00 00 00 mov DWORD PTR
[rbp-0x4],0x5
0x000000000040051b <+15>: 8b 45 fc mov eax,DWORD PTR [rbp-0x4]
0x000000000040051e <+18>: 89 c6 mov esi,eax
0x0000000000400520 <+20>: bf fc 05 40 00 mov edi,0x4005fc
0x0000000000400525 <+25>: b8 00 00 00 00 mov eax,0x0
0x000000000040052a <+30>: e8 b1 fe ff ff call 0x4003e0 <printf@plt>
0x000000000040052f <+35>: c9 leave
0x0000000000400530 <+36>: c3 ret
End of assembler dump.
0xcc05
[Inferior 1 (process 17039) exited normally]
==============================
Note that the breakpoint is at 0x400518 in BOTH executables, and the "a"
variable ends up being 0xCC05 instead of 5. This is extremely perplexing to the
unsuspecting user, since the output of "disass /r" doesn't show the 0xCC. So
the
user steps through the instruction "mov DWORD PTR [rbp-0x4],0x5", but observes
something completely different happening!
gdb appears to have some safeguards against this. In the above script the
breakpoint was set with a simple "b" command when gdb was stopped at the
particular location. If it was set with "b 9" instead (breaking on line 9,
which
should be the same) then when loading the new executable, the breakpoint is
moved to 0x400514, which is at the start of an instruction, and produces more
predictable behavior.
I think it would be great if the breakpoint reinterpretation was either fixed,
or documented more clearly to indicate when the breakpoint should be moved and
when not. "help b" doesn't make clear that "b" and "b 9" produce very different
behaviors. Also, it would be great if "disass /r" had some sort of indication
that a particular instruction has been overwritten by a breakpoint; this would
make the observed failure much less baffling.
Thanks
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug breakpoints/14901] Breakpoints can end up in the middle of an instruction, causing corruption
2012-11-30 21:24 [Bug breakpoints/14901] New: Breakpoints can end up in the middle of an instruction, causing corruption gdb at dima dot secretsauce.net
@ 2024-01-22 17:17 ` ssbssa at sourceware dot org
0 siblings, 0 replies; 2+ messages in thread
From: ssbssa at sourceware dot org @ 2024-01-22 17:17 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=14901
Hannes Domani <ssbssa at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ssbssa at sourceware dot org
--- Comment #1 from Hannes Domani <ssbssa at sourceware dot org> ---
This is a similar issue to PR11273, since 'b' without arguments is used here,
which sets the breakpoint on the current address, no matter what.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-01-22 17:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-11-30 21:24 [Bug breakpoints/14901] New: Breakpoints can end up in the middle of an instruction, causing corruption gdb at dima dot secretsauce.net
2024-01-22 17:17 ` [Bug breakpoints/14901] " ssbssa at sourceware dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).