* [Bug gdb/27683] New: Crash when calling function in interior
From: davidwelch158 at hotmail dot com @ 2021-04-01 16:26 UTC
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

            Bug ID: 27683
           Summary: Crash when calling function in interior
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: davidwelch158 at hotmail dot com
  Target Milestone: ---

I found it easier to reproduce this bug under valgrind but it does happen less
repeatably in normal execution.

$ cat f.c
#include <math.h>

int main()
{
  float fi;
  float out = floor(fi);
}
$ gcc -g -O0 f.c -o f -lm
$ valgrind --num-callers=100 --log-file='valgrind-log' /home/dw/devel/gdb/install/bin/gdb ./f
(gdb) start
(gdb) call (float)floor(fi)
Aborted (core dumped)

valgrind-log contains:-
Invalid read of size 8
    at 0x4D3AC2: get_frame_arch(frame_info*) (frame.c:2939)
    by 0x4D3D26: get_frame_sp(frame_info*) (frame.c:3029)
    by 0x5334E3: call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:845)
    by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>)
(infcall.c:743)
    by 0x4A1C42: evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*) (eval.c:674)
    by 0x4A1EB3: expr::operation::evaluate_funcall(type*, expression*, noside,
char const*, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (eval.c:703)
    by 0x24CA88: expr::var_msym_value_operation::evaluate_funcall(type*,
expression*, noside, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (expop.h:722)
    by 0x30A72C: expr::funcall_operation::evaluate(type*, expression*, noside)
(expop.h:2162)
    by 0x4A752F: expr::operation::evaluate_for_cast(type*, expression*, noside)
(eval.c:2499)
    by 0x296A53: expr::unop_cast_type_operation::evaluate(type*, expression*,
noside) (expop.h:1996)
    by 0x4A0976: expression::evaluate(type*, noside) (eval.c:101)
    by 0x4A0A37: evaluate_expression(expression*, type*) (eval.c:115)
    by 0x644F1F: process_print_command_args(char const*, value_print_options*,
bool) (printcmd.c:1305)
    by 0x644FC7: print_command_1(char const*, int) (printcmd.c:1318)
    by 0x645417: call_command(char const*, int) (printcmd.c:1442)
    by 0x341C99: do_const_cfunc(cmd_list_element*, char const*, int)
(cli-decode.c:101)
    by 0x345FAA: cmd_func(cmd_list_element*, char const*, int)
(cli-decode.c:2181)
    by 0x7DE955: execute_command(char const*, int) (top.c:670)
    by 0x4AAD9E: command_handler(char const*) (event-top.c:589)
    by 0x4AB216: command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (event-top.c:774)
    by 0x80A48F: tui_command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (tui-interp.c:268)
    by 0x4AA489: gdb_rl_callback_handler(char*) (event-top.c:219)
    by 0x4E6AF9D: rl_callback_read_char (in
/lib/x86_64-linux-gnu/libreadline.so.7.0)
    by 0x4AA2B1: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:177)
    by 0x4AA35B: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:194)
    by 0x4AABB6: stdin_event_handler(int, void*) (event-top.c:516)
    by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
    by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
    by 0x9C9DFE: gdb_do_one_event() (event-loop.cc:237)
    by 0x5BDCBD: start_event_loop() (main.c:348)
    by 0x5BDDF8: captured_command_loop() (main.c:408)
    by 0x5BF6CD: captured_main(void*) (main.c:1242)
    by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
    by 0x207052: main (gdb.c:32)
  Address 0x1283e8f0 is 368 bytes inside a block of size 4,064 free'd
    at 0x4C32D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0xA17B97: rpl_free (free.c:40)
    by 0x4D4452: void xfree<void>(void*) (common-utils.h:66)
    by 0x9FCE15: call_freefun (obstack.c:103)
    by 0x9FD288: _obstack_free (obstack.c:280)
    by 0x4D2084: reinit_frame_cache() (frame.c:2054)
    by 0x6C8F9C: regcache_write_pc(regcache*, unsigned long) (regcache.c:1342)
    by 0x54B383: proceed(unsigned long, gdb_signal) (infrun.c:3112)
    by 0x532E25: run_inferior_call(call_thread_fsm*, thread_info*, unsigned
long) (infcall.c:611)
    by 0x534657: call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:1277)
    by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>)
(infcall.c:743)
    by 0x49D212: elf_gnu_ifunc_resolve_addr(gdbarch*, unsigned long)
(elfread.c:917)
    by 0x53253E: find_function_addr(value*, type**, type**) (infcall.c:284)
    by 0x5333E5: call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:814)
    by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>)
(infcall.c:743)
    by 0x4A1C42: evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*) (eval.c:674)
    by 0x4A1EB3: expr::operation::evaluate_funcall(type*, expression*, noside,
char const*, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (eval.c:703)
    by 0x24CA88: expr::var_msym_value_operation::evaluate_funcall(type*,
expression*, noside, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (expop.h:722)
    by 0x30A72C: expr::funcall_operation::evaluate(type*, expression*, noside)
(expop.h:2162)
    by 0x4A752F: expr::operation::evaluate_for_cast(type*, expression*, noside)
(eval.c:2499)
    by 0x296A53: expr::unop_cast_type_operation::evaluate(type*, expression*,
noside) (expop.h:1996)
    by 0x4A0976: expression::evaluate(type*, noside) (eval.c:101)
    by 0x4A0A37: evaluate_expression(expression*, type*) (eval.c:115)
    by 0x644F1F: process_print_command_args(char const*, value_print_options*,
bool) (printcmd.c:1305)
    by 0x644FC7: print_command_1(char const*, int) (printcmd.c:1318)
    by 0x645417: call_command(char const*, int) (printcmd.c:1442)
    by 0x341C99: do_const_cfunc(cmd_list_element*, char const*, int)
(cli-decode.c:101)
    by 0x345FAA: cmd_func(cmd_list_element*, char const*, int)
(cli-decode.c:2181)
    by 0x7DE955: execute_command(char const*, int) (top.c:670)
    by 0x4AAD9E: command_handler(char const*) (event-top.c:589)
    by 0x4AB216: command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (event-top.c:774)
    by 0x80A48F: tui_command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (tui-interp.c:268)
    by 0x4AA489: gdb_rl_callback_handler(char*) (event-top.c:219)
    by 0x4E6AF9D: rl_callback_read_char (in
/lib/x86_64-linux-gnu/libreadline.so.7.0)
    by 0x4AA2B1: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:177)
    by 0x4AA35B: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:194)
    by 0x4AABB6: stdin_event_handler(int, void*) (event-top.c:516)
    by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
    by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
    by 0x9C9DFE: gdb_do_one_event() (event-loop.cc:237)
    by 0x5BDCBD: start_event_loop() (main.c:348)
    by 0x5BDDF8: captured_command_loop() (main.c:408)
    by 0x5BF6CD: captured_main(void*) (main.c:1242)
    by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
    by 0x207052: main (gdb.c:32)
  Block was alloc'd at
    at 0x4C31B0F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x26ACFC: xmalloc (alloc.c:60)
    by 0x9FCDC5: call_chunkfun (obstack.c:94)
    by 0x9FCE88: _obstack_begin_worker (obstack.c:141)
    by 0x9FCF8F: _obstack_begin (obstack.c:164)
    by 0x4D20AB: reinit_frame_cache() (frame.c:2055)
    by 0x7D61B0: switch_to_thread(thread_info*) (thread.c:1353)
    by 0x7D6255: scoped_restore_current_thread::restore() (thread.c:1379)
    by 0x7D632D:
scoped_restore_current_thread::~scoped_restore_current_thread() (thread.c:1399)
    by 0x550D5E: stop_all_threads() (infrun.c:4964)
    by 0x557857: stop_waiting(execution_control_state*) (infrun.c:8006)
    by 0x554591: process_event_stop_test(execution_control_state*)
(infrun.c:6667)
    by 0x553F1C: handle_signal_stop(execution_control_state*) (infrun.c:6470)
    by 0x552245: handle_inferior_event(execution_control_state*)
(infrun.c:5727)
    by 0x54E155: fetch_inferior_event() (infrun.c:4105)
    by 0x530B9B: inferior_event_handler(inferior_event_type) (inf-loop.c:42)
    by 0x591D91: handle_target_event(int, void*) (linux-nat.c:4060)
    by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
    by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
    by 0x9C9D86: gdb_do_one_event() (event-loop.cc:212)
    by 0x5BDCBD: start_event_loop() (main.c:348)
    by 0x5BDDF8: captured_command_loop() (main.c:408)
    by 0x5BF6CD: captured_main(void*) (main.c:1242)
    by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
    by 0x207052: main (gdb.c:32)

I believe this happens because

    infcall.c:805 does frame = get_current_frame ();
then
    infcall.c:814 CORE_ADDR funaddr = find_function_addr (function, &values_type, &ftype);
then
    infcall.c:845 CORE_ADDR old_sp = get_frame_sp (frame);

The call to find_function_addr may call reinit_frame_cache which invalidates
the frame pointed to by 'frame'.

Adding a repeat call to get_current_frame just before get_frame_sp seemed to
fix it for me.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
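The root cause described above (a cached frame pointer kept across a call that rebuilds the frame cache; the same ifunc-resolution path shows up in the later ASan backtrace for the strcmp reproducer) can be modelled without touching gdb. The following is an added example, not gdb's code and not the reporter's patch: a toy frame cache whose frames carry a generation number, a stand-in find_function_addr() that reinitialises the cache when the callee is a GNU ifunc (as resolving floor() or strcmp() does, because it runs code in the inferior), and the two call sequences side by side. The buggy path returns STALE_FRAME where gdb would have read freed memory; the fixed path re-fetches the frame after the call, as the reporter suggests. All addresses and the generation-tagged frame_ref type are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model of the bug's pattern.  Names mirror the backtrace
 * for readability but none of this is gdb's own code. */

struct frame_info {
    unsigned generation;   /* cache generation this frame was built in */
    uintptr_t sp;          /* stack pointer recorded for this frame */
};

static struct frame_info *frame_cache;            /* stands in for the frame obstack */
static unsigned cache_generation = 1;
static uintptr_t inferior_sp = 0x7ffd0000a000u;   /* constructed sample value */

/* Free every cached frame and start a new generation (reinit_frame_cache). */
static void reinit_frame_cache(void)
{
    free(frame_cache);
    frame_cache = NULL;
    cache_generation++;
}

static struct frame_info *get_current_frame(void)
{
    if (frame_cache == NULL) {
        frame_cache = calloc(1, sizeof *frame_cache);
        if (frame_cache == NULL)
            abort();
        frame_cache->generation = cache_generation;
        frame_cache->sp = inferior_sp;
    }
    return frame_cache;
}

/* A frame reference that remembers its generation, so staleness can be
 * detected without dereferencing memory that may already be freed. */
struct frame_ref {
    struct frame_info *ptr;
    unsigned generation;
};

static struct frame_ref ref_current_frame(void)
{
    struct frame_info *f = get_current_frame();
    struct frame_ref r = { f, f->generation };
    return r;
}

static int frame_ref_is_stale(struct frame_ref r)
{
    return r.generation != cache_generation;
}

/* Stand-in for find_function_addr(): resolving a GNU ifunc target runs the
 * resolver in the inferior, which stops it again and rebuilds the frame cache. */
static uintptr_t find_function_addr(int is_ifunc)
{
    if (is_ifunc) {
        inferior_sp -= 0x100;     /* the inferior ran, so its stack moved */
        reinit_frame_cache();
    }
    return 0x401000u;             /* constructed dummy callee address */
}

#define STALE_FRAME ((uintptr_t)-1)

/* The sequence from infcall.c:805/814/845: take the frame, resolve the callee,
 * then read the frame's SP through the pointer taken earlier. */
static uintptr_t call_by_hand_buggy(int is_ifunc)
{
    struct frame_ref frame = ref_current_frame();
    (void)find_function_addr(is_ifunc);
    if (frame_ref_is_stale(frame))   /* here gdb would read freed memory */
        return STALE_FRAME;
    return frame.ptr->sp;
}

/* The reporter's fix: re-fetch the current frame after the call that may have
 * invalidated the cache, then read SP from the fresh frame. */
static uintptr_t call_by_hand_fixed(int is_ifunc)
{
    struct frame_ref frame = ref_current_frame();
    (void)find_function_addr(is_ifunc);
    frame = ref_current_frame();
    if (frame_ref_is_stale(frame))
        return STALE_FRAME;
    return frame.ptr->sp;
}

int main(void)
{
    printf("plain callee, buggy path: sp=0x%" PRIxPTR "\n", call_by_hand_buggy(0));
    printf("ifunc callee, buggy path: %s\n",
           call_by_hand_buggy(1) == STALE_FRAME ? "stale frame (use-after-free in gdb)" : "ok");
    printf("ifunc callee, fixed path: sp=0x%" PRIxPTR "\n", call_by_hand_fixed(1));
    return 0;
}
```

The generation check is what valgrind and ASan provide at runtime in the reports on this page; in the real code the dangling pointer is simply dereferenced, which is why the crash is intermittent outside those tools.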


* [Bug gdb/27683] Crash when calling function in inferior
From: davidwelch158 at hotmail dot com @ 2021-04-01 16:28 UTC
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

David Welch <davidwelch158 at hotmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Crash when calling function |Crash when calling function
                   |in interior                 |in inferior


* [Bug gdb/27683] Crash when calling function in inferior
From: davidwelch158 at hotmail dot com @ 2021-04-01 16:32 UTC
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

--- Comment #1 from David Welch <davidwelch158 at hotmail dot com> ---
gdb version is 11.0.50.20210401-git commit
e9b095a538c189369b4792662ea455d2314b0492

../configure --prefix=/home/dw/devel/gdb/install 
--disable-gdbtk 
--disable-readline 
--with-system-readline 
--with-expat 
--with-system-zlib 
--without-guile 
--without-babeltrace 
--with-debuginfod 
--enable-tui 
--with-lzma 
--with-python=python3 
--with-xxhash 
--with-mpf

OS is Linux on x86-64.


* [Bug gdb/27683] Crash when calling function in inferior
From: davidwelch158 at hotmail dot com @ 2021-04-01 16:37 UTC
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

David Welch <davidwelch158 at hotmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |davidwelch158 at hotmail dot com


* [Bug gdb/27683] Crash when calling function in inferior
From: simark at simark dot ca @ 2022-05-07 23:59 UTC
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

Simon Marchi <simark at simark dot ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simark at simark dot ca

--- Comment #2 from Simon Marchi <simark at simark dot ca> ---
Another reproducer was given, which gives the same error backtrace, and I think
it's the same root cause.

---
/* Set a breakpoint within the loop
 * and print the values of buf and secret.
 * Then, use
 *
 *    p buf="god"
 *
 * and continue the program with `c` to
 * finish the program.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
        char buf[BUFSIZ];
        char secret[] = "god";
        size_t len;
        puts("What's the password?");
        while(fgets(buf, sizeof buf, stdin)) {
                len = strlen(buf);
                if(len && buf[len-1] == '\n')
                        buf[len-1] = 0;
                if(strcmp(buf, secret) == 0)
                        break;
                puts("Wrong! Try again!");
        }
        return 0;
}
---

$ gcc test.c -g3 -O0
$ ./gdb -nx --data-directory=data-directory -q a.out -ex 'dprintf 24,"strcmp(%s, %s) == %d\n",buf,secret,(int)strcmp(buf,secret)' -ex r -batch

Type "hello" or whatever when the program asks "What's the password?".

ASan report:

=================================================================
==2085316==ERROR: AddressSanitizer: heap-use-after-free on address
0x621000335670 at pc 0x557fd0882c46 bp 0x7ffc9964a3b0 sp 0x7ffc9964a3a0
READ of size 8 at 0x621000335670 thread T0
    #0 0x557fd0882c45 in get_frame_arch(frame_info*)
/home/simark/src/binutils-gdb/gdb/frame.c:2886
    #1 0x557fd0883527 in get_frame_sp(frame_info*)
/home/simark/src/binutils-gdb/gdb/frame.c:2974
    #2 0x557fd0aab2a9 in call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*)
/home/simark/src/binutils-gdb/gdb/infcall.c:858
    #3 0x557fd0aaa906 in call_function_by_hand(value*, type*,
gdb::array_view<value*>) /home/simark/src/binutils-gdb/gdb/infcall.c:742
    #4 0x557fd075e17b in evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:674
    #5 0x557fd075eee8 in expr::operation::evaluate_funcall(type*, expression*,
noside, char const*, std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/eval.c:702
    #6 0x557fcf69275c in
expr::var_msym_value_operation::evaluate_funcall(type*, expression*, noside,
std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/expop.h:731
    #7 0x557fcfcbd9a9 in expr::funcall_operation::evaluate(type*, expression*,
noside) /home/simark/src/binutils-gdb/gdb/expop.h:2202
    #8 0x557fd0776894 in expr::operation::evaluate_for_cast(type*, expression*,
noside) /home/simark/src/binutils-gdb/gdb/eval.c:2600
    #9 0x557fcf90e6d5 in expr::unop_cast_type_operation::evaluate(type*,
expression*, noside) /home/simark/src/binutils-gdb/gdb/expop.h:2036
    #10 0x557fd07595ad in expression::evaluate(type*, noside)
/home/simark/src/binutils-gdb/gdb/eval.c:101
    #11 0x557fd0759712 in evaluate_expression(expression*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:115
    #12 0x557fd0758f90 in parse_to_comma_and_eval(char const**)
/home/simark/src/binutils-gdb/gdb/eval.c:86
    #13 0x557fd1208ee6 in ui_printf
/home/simark/src/binutils-gdb/gdb/printcmd.c:2750
    #14 0x557fd120a7fc in printf_command
/home/simark/src/binutils-gdb/gdb/printcmd.c:2890
    #15 0x557fcfe04564 in do_simple_func
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:95
    #16 0x557fcfe19e66 in cmd_func(cmd_list_element*, char const*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:2514
    #17 0x557fd1c802a5 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:699
    #18 0x557fcfe99fb5 in execute_control_command_1
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:530
    #19 0x557fcfe9b67e in execute_control_command(command_line*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:700
    #20 0x557fcfe990e1 in execute_control_commands(command_line*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:410
    #21 0x557fcfa8f94a in dprintf_breakpoint::after_condition_true(bpstat*)
/home/simark/src/binutils-gdb/gdb/breakpoint.c:12099
    #22 0x557fcfa0b9e9 in bpstat_stop_status(address_space const*, unsigned
long, thread_info*, target_waitstatus const&, bpstat*)
/home/simark/src/binutils-gdb/gdb/breakpoint.c:5601
    #23 0x557fd0b6e0dc in handle_signal_stop
/home/simark/src/binutils-gdb/gdb/infrun.c:6376
    #24 0x557fd0b676b8 in handle_inferior_event
/home/simark/src/binutils-gdb/gdb/infrun.c:5855
    #25 0x557fd0b53855 in fetch_inferior_event()
/home/simark/src/binutils-gdb/gdb/infrun.c:4221
    #26 0x557fd0a9f02d in inferior_event_handler(inferior_event_type)
/home/simark/src/binutils-gdb/gdb/inf-loop.c:41
    #27 0x557fd0d6b48e in handle_target_event
/home/simark/src/binutils-gdb/gdb/linux-nat.c:4136
    #28 0x557fd251367a in handle_file_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:574
    #29 0x557fd2513fb5 in gdb_wait_for_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:700
    #30 0x557fd2511cf4 in gdb_do_one_event()
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:212
    #31 0x557fd1c7ebc6 in wait_sync_command_done()
/home/simark/src/binutils-gdb/gdb/top.c:553
    #32 0x557fd1c7edde in maybe_wait_sync_command_done(int)
/home/simark/src/binutils-gdb/gdb/top.c:570
    #33 0x557fd1c802b2 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:701
    #34 0x557fd0e6ac66 in catch_command_errors
/home/simark/src/binutils-gdb/gdb/main.c:515
    #35 0x557fd0e6b503 in execute_cmdargs
/home/simark/src/binutils-gdb/gdb/main.c:610
    #36 0x557fd0e6f6f5 in captured_main_1
/home/simark/src/binutils-gdb/gdb/main.c:1304
    #37 0x557fd0e6fd01 in captured_main
/home/simark/src/binutils-gdb/gdb/main.c:1325
    #38 0x557fd0e6fde3 in gdb_main(captured_main_args*)
/home/simark/src/binutils-gdb/gdb/main.c:1350
    #39 0x557fcf53f698 in main /home/simark/src/binutils-gdb/gdb/gdb.c:32
    #40 0x7f152f51130f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
    #41 0x7f152f5113c0 in __libc_start_main@GLIBC_2.2.5
(/usr/lib/libc.so.6+0x2d3c0)
    #42 0x557fcf53f464 in _start
(/home/simark/build/binutils-gdb-one-target/gdb/gdb+0xa010464)

0x621000335670 is located 368 bytes inside of 4064-byte region
[0x621000335500,0x6210003364e0)
freed by thread T0 here:
    #0 0x7f1530ecaa79 in __interceptor_free
/usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x557fd08846e8 in xfree<void>
/home/simark/src/binutils-gdb/gdb/../gdbsupport/gdb-xfree.h:37
    #2 0x557fd25a0938 in call_freefun
/home/simark/src/binutils-gdb/libiberty/obstack.c:103
    #3 0x557fd25a1377 in _obstack_free
/home/simark/src/binutils-gdb/libiberty/obstack.c:280
    #4 0x557fd087bd28 in reinit_frame_cache()
/home/simark/src/binutils-gdb/gdb/frame.c:2000
    #5 0x557fd1552543 in regcache_write_pc(regcache*, unsigned long)
/home/simark/src/binutils-gdb/gdb/regcache.c:1372
    #6 0x557fd0b47fd0 in proceed(unsigned long, gdb_signal)
/home/simark/src/binutils-gdb/gdb/infrun.c:3228
    #7 0x557fd0aa954d in run_inferior_call
/home/simark/src/binutils-gdb/gdb/infcall.c:610
    #8 0x557fd0aaf439 in call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*)
/home/simark/src/binutils-gdb/gdb/infcall.c:1288
    #9 0x557fd0aaa906 in call_function_by_hand(value*, type*,
gdb::array_view<value*>) /home/simark/src/binutils-gdb/gdb/infcall.c:742
    #10 0x557fd0743276 in elf_gnu_ifunc_resolve_addr
/home/simark/src/binutils-gdb/gdb/elfread.c:915
    #11 0x557fd0aa6208 in find_function_addr(value*, type**, type**)
/home/simark/src/binutils-gdb/gdb/infcall.c:284
    #12 0x557fd0aaaffb in call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*)
/home/simark/src/binutils-gdb/gdb/infcall.c:822
    #13 0x557fd0aaa906 in call_function_by_hand(value*, type*,
gdb::array_view<value*>) /home/simark/src/binutils-gdb/gdb/infcall.c:742
    #14 0x557fd075e17b in evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:674
    #15 0x557fd075eee8 in expr::operation::evaluate_funcall(type*, expression*,
noside, char const*, std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/eval.c:702
    #16 0x557fcf69275c in
expr::var_msym_value_operation::evaluate_funcall(type*, expression*, noside,
std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/expop.h:731
    #17 0x557fcfcbd9a9 in expr::funcall_operation::evaluate(type*, expression*,
noside) /home/simark/src/binutils-gdb/gdb/expop.h:2202
    #18 0x557fd0776894 in expr::operation::evaluate_for_cast(type*,
expression*, noside) /home/simark/src/binutils-gdb/gdb/eval.c:2600
    #19 0x557fcf90e6d5 in expr::unop_cast_type_operation::evaluate(type*,
expression*, noside) /home/simark/src/binutils-gdb/gdb/expop.h:2036
    #20 0x557fd07595ad in expression::evaluate(type*, noside)
/home/simark/src/binutils-gdb/gdb/eval.c:101
    #21 0x557fd0759712 in evaluate_expression(expression*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:115
    #22 0x557fd0758f90 in parse_to_comma_and_eval(char const**)
/home/simark/src/binutils-gdb/gdb/eval.c:86
    #23 0x557fd1208ee6 in ui_printf
/home/simark/src/binutils-gdb/gdb/printcmd.c:2750
    #24 0x557fd120a7fc in printf_command
/home/simark/src/binutils-gdb/gdb/printcmd.c:2890
    #25 0x557fcfe04564 in do_simple_func
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:95
    #26 0x557fcfe19e66 in cmd_func(cmd_list_element*, char const*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:2514
    #27 0x557fd1c802a5 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:699
    #28 0x557fcfe99fb5 in execute_control_command_1
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:530
    #29 0x557fcfe9b67e in execute_control_command(command_line*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:700

previously allocated by thread T0 here:
    #0 0x7f1530ecadd9 in __interceptor_malloc
/usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x557fcf7cc4fe in xmalloc /home/simark/src/binutils-gdb/gdb/alloc.c:60
    #2 0x557fd25a0842 in call_chunkfun
/home/simark/src/binutils-gdb/libiberty/obstack.c:94
    #3 0x557fd25a09f5 in _obstack_begin_worker
/home/simark/src/binutils-gdb/libiberty/obstack.c:141
    #4 0x557fd25a0cac in _obstack_begin
/home/simark/src/binutils-gdb/libiberty/obstack.c:164
    #5 0x557fd087bd52 in reinit_frame_cache()
/home/simark/src/binutils-gdb/gdb/frame.c:2001
    #6 0x557fd1c30506 in switch_to_thread(thread_info*)
/home/simark/src/binutils-gdb/gdb/thread.c:1335
    #7 0x557fd0b565d3 in context_switch
/home/simark/src/binutils-gdb/gdb/infrun.c:4397
    #8 0x557fd0b6b01d in handle_signal_stop
/home/simark/src/binutils-gdb/gdb/infrun.c:6133
    #9 0x557fd0b676b8 in handle_inferior_event
/home/simark/src/binutils-gdb/gdb/infrun.c:5855
    #10 0x557fd0b53855 in fetch_inferior_event()
/home/simark/src/binutils-gdb/gdb/infrun.c:4221
    #11 0x557fd0a9f02d in inferior_event_handler(inferior_event_type)
/home/simark/src/binutils-gdb/gdb/inf-loop.c:41
    #12 0x557fd0d6b48e in handle_target_event
/home/simark/src/binutils-gdb/gdb/linux-nat.c:4136
    #13 0x557fd251367a in handle_file_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:574
    #14 0x557fd2513fb5 in gdb_wait_for_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:700
    #15 0x557fd2511cf4 in gdb_do_one_event()
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:212
    #16 0x557fd1c7ebc6 in wait_sync_command_done()
/home/simark/src/binutils-gdb/gdb/top.c:553
    #17 0x557fd1c7edde in maybe_wait_sync_command_done(int)
/home/simark/src/binutils-gdb/gdb/top.c:570
    #18 0x557fd1c802b2 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:701
    #19 0x557fd0e6ac66 in catch_command_errors
/home/simark/src/binutils-gdb/gdb/main.c:515
    #20 0x557fd0e6b503 in execute_cmdargs
/home/simark/src/binutils-gdb/gdb/main.c:610
    #21 0x557fd0e6f6f5 in captured_main_1
/home/simark/src/binutils-gdb/gdb/main.c:1304
    #22 0x557fd0e6fd01 in captured_main
/home/simark/src/binutils-gdb/gdb/main.c:1325
    #23 0x557fd0e6fde3 in gdb_main(captured_main_args*)
/home/simark/src/binutils-gdb/gdb/main.c:1350
    #24 0x557fcf53f698 in main /home/simark/src/binutils-gdb/gdb/gdb.c:32
    #25 0x7f152f51130f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)

SUMMARY: AddressSanitizer: heap-use-after-free
/home/simark/src/binutils-gdb/gdb/frame.c:2886 in get_frame_arch(frame_info*)
Shadow bytes around the buggy address:
  0x0c428005ea70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428005ea80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428005ea90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428005eaa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c428005eac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c428005ead0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eaf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eb00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eb10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2085316==ABORTING


* [Bug gdb/27683] Crash when calling function in inferior
From: simark at simark dot ca @ 2022-05-08 17:12 UTC
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

Simon Marchi <simark at simark dot ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Simon Marchi <simark at simark dot ca> ---
Marking as a duplicate of #28224, since that one has a bit more analysis.

*** This bug has been marked as a duplicate of bug 28224 ***

