[Bug server/17302] New: gdbserver function call + detach crashes inferior process

[Bug server/17302] New: gdbserver function call + detach crashes inferior process

[simon.marchi at ericsson dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17302

            Bug ID: 17302
           Summary: gdbserver function call + detach crashes inferior
                    process
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: server
          Assignee: unassigned at sourceware dot org
          Reporter: simon.marchi at ericsson dot com

Created attachment 7754
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7754&action=edit
Test program

Steps:

1- Build test.c (attached to this post)
    $ gcc -O0 -g3 test.c
2- Start gdbserver (in terminal #1)
    $ gdbserver --multi :1234
3- Start the process (in terminal #2)
    $ ./a.out
    pid = 4397
    ...
4- Start gdb (in terminal #3)
    $ gdb -nx a.out
5- Connect to gdbserver
    (gdb) tar ext :1234
6- Attach the process
    (gdb) attach 4397
7- Call a function
    (gdb) call another_function()
8- Detach the process
    (gdb) detach

The process segfaults when trying to continue its execution.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug server/17302] gdbserver function call + detach crashes inferior process

[simon.marchi at ericsson dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17302

--- Comment #1 from Simon Marchi <simon.marchi at ericsson dot com> ---
Note: this only happens if the function call is the last thing you do before
detaching. It seems to leave something wrong in the state of the inferior. If
you do a "next" just before detaching, for example, the process will continue
executing fine.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug server/17302] gdbserver function call + detach crashes inferior process

[simon.marchi at ericsson dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17302

Simon Marchi <simon.marchi at ericsson dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andreas.from at ericsson dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug server/17302] gdbserver function call + detach crashes inferior process

[simon.marchi at ericsson dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17302

--- Comment #2 from Simon Marchi <simon.marchi at ericsson dot com> ---
I found that during the manual call to a function by gdbserver, a segmentation
fault/SIGSEGV is generated. When detaching, gdbserver delivers the pending
SIGSEGV, causing the crash of the detached process.

When preparing the inferior call, gdb starts by expanding a stack a bit. It
then places a breakpoint instruction (0xCC) somewhere in that area. It then
prepares the dummy frame, including writing the return address, which is the
address where the 0xCC is. So when the function ends, execution should go where
the breakpoint and it should stop. However, since stack is generally not
executable, when the processor tries to "execute" the breakpoint instruction, a
segmentation fault/SIGSEGV is generated instead of the normal SIGTRAP.

When making the stack executable, the problem disappears, so I am quite
confident that this is the reason. In order to make the stack executable, I use
execstack (it modifies a flag in the binary):

$ execstack -s binary

I have no idea why this only happens in gdbserver, and not in gdb.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug server/17302] gdbserver function call + detach crashes inferior process

[simon.marchi at ericsson dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=17302

--- Comment #3 from Simon Marchi <simon.marchi at ericsson dot com> ---
Ah, this is what gdb is doing when executing natively:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob;f=gdb/infrun.c;h=c18267f779dcbf523d3a01a422d154faae55183b;hb=HEAD#l3321

It considers the segfault as a sigtrap, exactly for this reason.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug server/17302] gdbserver function call + detach crashes inferior process

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=17302

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  fc1269757f5614cd893c36120f61a5014a45fe37 (commit)
      from  0a46d518c7565be02e544ab508f8b5a99b1b5192 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fc1269757f5614cd893c36120f61a5014a45fe37

commit fc1269757f5614cd893c36120f61a5014a45fe37
Author: Simon Marchi <simon.marchi@ericsson.com>
Date:   Wed Dec 10 16:10:05 2014 -0500

    Only leave dprintf inserted if it is marked as persistent (PR
breakpoints/17012)

    On Linux native, if dprintfs are inserted when detaching, they are left
    in the inferior which causes it to crash from a SIGTRAP. It also happens
    with dprintfs on remote targets, when set disconnected-dprintf is off.

    The rationale of the line modified by the patch was to leave dprintfs
    inserted in order to support disconnected dprintfs. However, not all
    dprintfs are persistent. Also, there's no reason other kinds of
    breakpoints can't be persistent either. So this replaces the bp_dprintf
    check with a check on whether the location is persistent.

    bl->target_info.persist will be 1 only if disconnected-dprintf is on and
    we are debugging a remote target. On native, it will always be 0,
    regardless of the value of disconnected-dprintf. This makes sense, since
    disconnected dprintfs are not supported by the native target.

    One issue about the test is that it does not pass when using
    --target_board=native-extended-gdbserver, partly due to bug 17302 [1].

    One quick hack I tried for this was to add a useless "next" between the
    call to getpid() and detach, which avoids the bug. There is still one
    case where the test fails, and that is with:

    - breakpoint always-inserted on
    - dprintf-style agent
    - disconnected-dprintf on

    What happens is that my detach does not actually detach the process,
    because some persistent commands (the disconnected dprintf) is present.
    However since gdbserver is ran with --once, when gdb disconnects,
    gdbserver goes down and takes with it all the processes it spawned and
    that are still under its control (which includes my test process).
    When the test checks if the test process is still alive, it obvisouly
    fails. Investigating about that led me to ask a question on the ML [2]
    about the behavior of detach.

    Until the remote case is sorted out, the problematic test is marked as
    KFAIL.

    [1] https://sourceware.org/bugzilla/show_bug.cgi?id=17302
    [2] https://sourceware.org/ml/gdb/2014-08/msg00115.html

    gdb/Changelog:

        PR breakpoints/17012
        * breakpoint.c (remove_breakpoints_pid): Skip removing
        breakpoint if it is marked as persistent.

    gdb/testsuite/ChangeLog:

        PR breakpoints/17012
        * gdb.base/dprintf-detach.c: New file.
        * gdb.base/dprintf-detach.exp: New file.

-----------------------------------------------------------------------

Summary of changes:
 gdb/ChangeLog                             |    6 ++
 gdb/breakpoint.c                          |    5 +-
 gdb/testsuite/ChangeLog                   |    6 ++
 gdb/testsuite/gdb.base/dprintf-detach.c   |   33 ++++++++++
 gdb/testsuite/gdb.base/dprintf-detach.exp |   95 +++++++++++++++++++++++++++++
 5 files changed, 141 insertions(+), 4 deletions(-)
 create mode 100644 gdb/testsuite/gdb.base/dprintf-detach.c
 create mode 100644 gdb/testsuite/gdb.base/dprintf-detach.exp

-- 
You are receiving this mail because:
You are on the CC list for the bug.