[Bug gdb/27683] New: Crash when calling function in interior

[Bug gdb/27683] New: Crash when calling function in interior

[davidwelch158 at hotmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

            Bug ID: 27683
           Summary: Crash when calling function in interior
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: davidwelch158 at hotmail dot com
  Target Milestone: ---

I found it easier to reproduce this bug under valgrind but it does happen less
repeatably in normal execution.

$ cat f.c
#include <math.h>

int main()
{
  float fi;
  float out = floor(fi);
}
$ gcc -g -O0 f.c -o f -lm
$ valgrind --num-callers=100 --log-file='valgrind-log'
/home/dw/devel/gdb/install/bin/gdb ./f
(gdb) start
(gdb) call (float)floor(fi)
Aborted (core dumped)

valgrind-log contains:-
Invalid read of size 8
    at 0x4D3AC2: get_frame_arch(frame_info*) (frame.c:2939)
    by 0x4D3D26: get_frame_sp(frame_info*) (frame.c:3029)
    by 0x5334E3: call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:845)
    by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>)
(infcall.c:743)
    by 0x4A1C42: evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*) (eval.c:674)
    by 0x4A1EB3: expr::operation::evaluate_funcall(type*, expression*, noside,
char const*, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (eval.c:703)
    by 0x24CA88: expr::var_msym_value_operation::evaluate_funcall(type*,
expression*, noside, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (expop.h:722)
    by 0x30A72C: expr::funcall_operation::evaluate(type*, expression*, noside)
(expop.h:2162)
    by 0x4A752F: expr::operation::evaluate_for_cast(type*, expression*, noside)
(eval.c:2499)
    by 0x296A53: expr::unop_cast_type_operation::evaluate(type*, expression*,
noside) (expop.h:1996)
    by 0x4A0976: expression::evaluate(type*, noside) (eval.c:101)
    by 0x4A0A37: evaluate_expression(expression*, type*) (eval.c:115)
    by 0x644F1F: process_print_command_args(char const*, value_print_options*,
bool) (printcmd.c:1305)
    by 0x644FC7: print_command_1(char const*, int) (printcmd.c:1318)
    by 0x645417: call_command(char const*, int) (printcmd.c:1442)
    by 0x341C99: do_const_cfunc(cmd_list_element*, char const*, int)
(cli-decode.c:101)
    by 0x345FAA: cmd_func(cmd_list_element*, char const*, int)
(cli-decode.c:2181)
    by 0x7DE955: execute_command(char const*, int) (top.c:670)
    by 0x4AAD9E: command_handler(char const*) (event-top.c:589)
    by 0x4AB216: command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (event-top.c:774)
    by 0x80A48F: tui_command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (tui-interp.c:268)
    by 0x4AA489: gdb_rl_callback_handler(char*) (event-top.c:219)
    by 0x4E6AF9D: rl_callback_read_char (in
/lib/x86_64-linux-gnu/libreadline.so.7.0)
    by 0x4AA2B1: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:177)
    by 0x4AA35B: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:194)
    by 0x4AABB6: stdin_event_handler(int, void*) (event-top.c:516)
    by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
    by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
    by 0x9C9DFE: gdb_do_one_event() (event-loop.cc:237)
    by 0x5BDCBD: start_event_loop() (main.c:348)
    by 0x5BDDF8: captured_command_loop() (main.c:408)
    by 0x5BF6CD: captured_main(void*) (main.c:1242)
    by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
    by 0x207052: main (gdb.c:32)
  Address 0x1283e8f0 is 368 bytes inside a block of size 4,064 free'd
    at 0x4C32D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0xA17B97: rpl_free (free.c:40)
    by 0x4D4452: void xfree<void>(void*) (common-utils.h:66)
    by 0x9FCE15: call_freefun (obstack.c:103)
    by 0x9FD288: _obstack_free (obstack.c:280)
    by 0x4D2084: reinit_frame_cache() (frame.c:2054)
    by 0x6C8F9C: regcache_write_pc(regcache*, unsigned long) (regcache.c:1342)
    by 0x54B383: proceed(unsigned long, gdb_signal) (infrun.c:3112)
    by 0x532E25: run_inferior_call(call_thread_fsm*, thread_info*, unsigned
long) (infcall.c:611)
    by 0x534657: call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:1277)
    by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>)
(infcall.c:743)
    by 0x49D212: elf_gnu_ifunc_resolve_addr(gdbarch*, unsigned long)
(elfread.c:917)
    by 0x53253E: find_function_addr(value*, type**, type**) (infcall.c:284)
    by 0x5333E5: call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:814)
    by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>)
(infcall.c:743)
    by 0x4A1C42: evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*) (eval.c:674)
    by 0x4A1EB3: expr::operation::evaluate_funcall(type*, expression*, noside,
char const*, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (eval.c:703)
    by 0x24CA88: expr::var_msym_value_operation::evaluate_funcall(type*,
expression*, noside, std::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&) (expop.h:722)
    by 0x30A72C: expr::funcall_operation::evaluate(type*, expression*, noside)
(expop.h:2162)
    by 0x4A752F: expr::operation::evaluate_for_cast(type*, expression*, noside)
(eval.c:2499)
    by 0x296A53: expr::unop_cast_type_operation::evaluate(type*, expression*,
noside) (expop.h:1996)
    by 0x4A0976: expression::evaluate(type*, noside) (eval.c:101)
    by 0x4A0A37: evaluate_expression(expression*, type*) (eval.c:115)
    by 0x644F1F: process_print_command_args(char const*, value_print_options*,
bool) (printcmd.c:1305)
    by 0x644FC7: print_command_1(char const*, int) (printcmd.c:1318)
    by 0x645417: call_command(char const*, int) (printcmd.c:1442)
    by 0x341C99: do_const_cfunc(cmd_list_element*, char const*, int)
(cli-decode.c:101)
    by 0x345FAA: cmd_func(cmd_list_element*, char const*, int)
(cli-decode.c:2181)
    by 0x7DE955: execute_command(char const*, int) (top.c:670)
    by 0x4AAD9E: command_handler(char const*) (event-top.c:589)
    by 0x4AB216: command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (event-top.c:774)
    by 0x80A48F: tui_command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) (tui-interp.c:268)
    by 0x4AA489: gdb_rl_callback_handler(char*) (event-top.c:219)
    by 0x4E6AF9D: rl_callback_read_char (in
/lib/x86_64-linux-gnu/libreadline.so.7.0)
    by 0x4AA2B1: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:177)
    by 0x4AA35B: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:194)
    by 0x4AABB6: stdin_event_handler(int, void*) (event-top.c:516)
    by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
    by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
    by 0x9C9DFE: gdb_do_one_event() (event-loop.cc:237)
    by 0x5BDCBD: start_event_loop() (main.c:348)
    by 0x5BDDF8: captured_command_loop() (main.c:408)
    by 0x5BF6CD: captured_main(void*) (main.c:1242)
    by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
    by 0x207052: main (gdb.c:32)
  Block was alloc'd at
    at 0x4C31B0F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x26ACFC: xmalloc (alloc.c:60)
    by 0x9FCDC5: call_chunkfun (obstack.c:94)
    by 0x9FCE88: _obstack_begin_worker (obstack.c:141)
    by 0x9FCF8F: _obstack_begin (obstack.c:164)
    by 0x4D20AB: reinit_frame_cache() (frame.c:2055)
    by 0x7D61B0: switch_to_thread(thread_info*) (thread.c:1353)
    by 0x7D6255: scoped_restore_current_thread::restore() (thread.c:1379)
    by 0x7D632D:
scoped_restore_current_thread::~scoped_restore_current_thread() (thread.c:1399)
    by 0x550D5E: stop_all_threads() (infrun.c:4964)
    by 0x557857: stop_waiting(execution_control_state*) (infrun.c:8006)
    by 0x554591: process_event_stop_test(execution_control_state*)
(infrun.c:6667)
    by 0x553F1C: handle_signal_stop(execution_control_state*) (infrun.c:6470)
    by 0x552245: handle_inferior_event(execution_control_state*)
(infrun.c:5727)
    by 0x54E155: fetch_inferior_event() (infrun.c:4105)
    by 0x530B9B: inferior_event_handler(inferior_event_type) (inf-loop.c:42)
    by 0x591D91: handle_target_event(int, void*) (linux-nat.c:4060)
    by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
    by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
    by 0x9C9D86: gdb_do_one_event() (event-loop.cc:212)
    by 0x5BDCBD: start_event_loop() (main.c:348)
    by 0x5BDDF8: captured_command_loop() (main.c:408)
    by 0x5BF6CD: captured_main(void*) (main.c:1242)
    by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
    by 0x207052: main (gdb.c:32)

I believe this happens because 

    infcall.c:805 does frame = get_current_frame ();
then
    infcall.c:814 CORE_ADDR funaddr = find_function_addr (function,
&values_type, &ftype);
then 
    infcall.c:845 CORE_ADDR old_sp = get_frame_sp (frame);

The call to find_function_addr may call reinit_frame_cache which invalidates
the frame pointed to by 'frame'.

Adding a repeat call to get_current_frame just before get_frame_sp seemed to
fix it for me.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug gdb/27683] Crash when calling function in inferior

[davidwelch158 at hotmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

David Welch <davidwelch158 at hotmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Crash when calling function |Crash when calling function
                   |in interior                 |in inferior

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug gdb/27683] Crash when calling function in inferior

[davidwelch158 at hotmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

--- Comment #1 from David Welch <davidwelch158 at hotmail dot com> ---
gdb version is 11.0.50.20210401-git commit
e9b095a538c189369b4792662ea455d2314b0492

../configure --prefix=/home/dw/devel/gdb/install 
--disable-gdbtk 
--disable-readline 
--with-system-readline 
--with-expat 
--with-system-zlib 
--without-guile 
--without-babeltrace 
--with-debuginfod 
--enable-tui 
--with-lzma 
--with-python=python3 
--with-xxhash 
--with-mpf

OS is Linux on x86-64.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug gdb/27683] Crash when calling function in inferior

[davidwelch158 at hotmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

David Welch <davidwelch158 at hotmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |davidwelch158 at hotmail dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug gdb/27683] Crash when calling function in inferior

[simark at simark dot ca]

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

Simon Marchi <simark at simark dot ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simark at simark dot ca

--- Comment #2 from Simon Marchi <simark at simark dot ca> ---
Another reproducer was given, which gives the same error backtrace, I think
it's the same root cause.

---
/* Set a breakpoint within the loop
 * and print the values of buf and secret.
 * Then, use
 *
 *    p buf="god"
 *
 * and continue the program with `c` to
 * finish the program.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
        char buf[BUFSIZ];
        char secret[] = "god";
        size_t len;
        puts("What's the password?");
        while(fgets(buf, sizeof buf, stdin)) {
                len = strlen(buf);
                if(len && buf[len-1] == '\n')
                        buf[len-1] = 0;
                if(strcmp(buf, secret) == 0)
                        break;
                puts("Wrong! Try again!");
        }
        return 0;
}
---

$ gcc test.c -g3 -O0
$ ./gdb -nx --data-directory=data-directory -q a.out -ex 'dprintf
24,"strcmp(%s, %s) == %d\n",buf,secret,(int)strcmp(buf,secret)' -ex r -batch

Type "hello" or whatever when the program asks "What's the password?".

ASan report:

=================================================================
==2085316==ERROR: AddressSanitizer: heap-use-after-free on address
0x621000335670 at pc 0x557fd0882c46 bp 0x7ffc9964a3b0 sp 0x7ffc9964a3a0
READ of size 8 at 0x621000335670 thread T0
    #0 0x557fd0882c45 in get_frame_arch(frame_info*)
/home/simark/src/binutils-gdb/gdb/frame.c:2886
    #1 0x557fd0883527 in get_frame_sp(frame_info*)
/home/simark/src/binutils-gdb/gdb/frame.c:2974
    #2 0x557fd0aab2a9 in call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*)
/home/simark/src/binutils-gdb/gdb/infcall.c:858
    #3 0x557fd0aaa906 in call_function_by_hand(value*, type*,
gdb::array_view<value*>) /home/simark/src/binutils-gdb/gdb/infcall.c:742
    #4 0x557fd075e17b in evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:674
    #5 0x557fd075eee8 in expr::operation::evaluate_funcall(type*, expression*,
noside, char const*, std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/eval.c:702
    #6 0x557fcf69275c in
expr::var_msym_value_operation::evaluate_funcall(type*, expression*, noside,
std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/expop.h:731
    #7 0x557fcfcbd9a9 in expr::funcall_operation::evaluate(type*, expression*,
noside) /home/simark/src/binutils-gdb/gdb/expop.h:2202
    #8 0x557fd0776894 in expr::operation::evaluate_for_cast(type*, expression*,
noside) /home/simark/src/binutils-gdb/gdb/eval.c:2600
    #9 0x557fcf90e6d5 in expr::unop_cast_type_operation::evaluate(type*,
expression*, noside) /home/simark/src/binutils-gdb/gdb/expop.h:2036
    #10 0x557fd07595ad in expression::evaluate(type*, noside)
/home/simark/src/binutils-gdb/gdb/eval.c:101
    #11 0x557fd0759712 in evaluate_expression(expression*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:115
    #12 0x557fd0758f90 in parse_to_comma_and_eval(char const**)
/home/simark/src/binutils-gdb/gdb/eval.c:86
    #13 0x557fd1208ee6 in ui_printf
/home/simark/src/binutils-gdb/gdb/printcmd.c:2750
    #14 0x557fd120a7fc in printf_command
/home/simark/src/binutils-gdb/gdb/printcmd.c:2890
    #15 0x557fcfe04564 in do_simple_func
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:95
    #16 0x557fcfe19e66 in cmd_func(cmd_list_element*, char const*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:2514
    #17 0x557fd1c802a5 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:699
    #18 0x557fcfe99fb5 in execute_control_command_1
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:530
    #19 0x557fcfe9b67e in execute_control_command(command_line*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:700
    #20 0x557fcfe990e1 in execute_control_commands(command_line*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:410
    #21 0x557fcfa8f94a in dprintf_breakpoint::after_condition_true(bpstat*)
/home/simark/src/binutils-gdb/gdb/breakpoint.c:12099
    #22 0x557fcfa0b9e9 in bpstat_stop_status(address_space const*, unsigned
long, thread_info*, target_waitstatus const&, bpstat*)
/home/simark/src/binutils-gdb/gdb/breakpoint.c:5601
    #23 0x557fd0b6e0dc in handle_signal_stop
/home/simark/src/binutils-gdb/gdb/infrun.c:6376
    #24 0x557fd0b676b8 in handle_inferior_event
/home/simark/src/binutils-gdb/gdb/infrun.c:5855
    #25 0x557fd0b53855 in fetch_inferior_event()
/home/simark/src/binutils-gdb/gdb/infrun.c:4221
    #26 0x557fd0a9f02d in inferior_event_handler(inferior_event_type)
/home/simark/src/binutils-gdb/gdb/inf-loop.c:41
    #27 0x557fd0d6b48e in handle_target_event
/home/simark/src/binutils-gdb/gdb/linux-nat.c:4136
    #28 0x557fd251367a in handle_file_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:574
    #29 0x557fd2513fb5 in gdb_wait_for_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:700
    #30 0x557fd2511cf4 in gdb_do_one_event()
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:212
    #31 0x557fd1c7ebc6 in wait_sync_command_done()
/home/simark/src/binutils-gdb/gdb/top.c:553
    #32 0x557fd1c7edde in maybe_wait_sync_command_done(int)
/home/simark/src/binutils-gdb/gdb/top.c:570
    #33 0x557fd1c802b2 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:701
    #34 0x557fd0e6ac66 in catch_command_errors
/home/simark/src/binutils-gdb/gdb/main.c:515
    #35 0x557fd0e6b503 in execute_cmdargs
/home/simark/src/binutils-gdb/gdb/main.c:610
    #36 0x557fd0e6f6f5 in captured_main_1
/home/simark/src/binutils-gdb/gdb/main.c:1304
    #37 0x557fd0e6fd01 in captured_main
/home/simark/src/binutils-gdb/gdb/main.c:1325
    #38 0x557fd0e6fde3 in gdb_main(captured_main_args*)
/home/simark/src/binutils-gdb/gdb/main.c:1350
    #39 0x557fcf53f698 in main /home/simark/src/binutils-gdb/gdb/gdb.c:32
    #40 0x7f152f51130f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
    #41 0x7f152f5113c0 in __libc_start_main@GLIBC_2.2.5
(/usr/lib/libc.so.6+0x2d3c0)
    #42 0x557fcf53f464 in _start
(/home/simark/build/binutils-gdb-one-target/gdb/gdb+0xa010464)

0x621000335670 is located 368 bytes inside of 4064-byte region
[0x621000335500,0x6210003364e0)
freed by thread T0 here:
    #0 0x7f1530ecaa79 in __interceptor_free
/usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x557fd08846e8 in xfree<void>
/home/simark/src/binutils-gdb/gdb/../gdbsupport/gdb-xfree.h:37
    #2 0x557fd25a0938 in call_freefun
/home/simark/src/binutils-gdb/libiberty/obstack.c:103
    #3 0x557fd25a1377 in _obstack_free
/home/simark/src/binutils-gdb/libiberty/obstack.c:280
    #4 0x557fd087bd28 in reinit_frame_cache()
/home/simark/src/binutils-gdb/gdb/frame.c:2000
    #5 0x557fd1552543 in regcache_write_pc(regcache*, unsigned long)
/home/simark/src/binutils-gdb/gdb/regcache.c:1372
    #6 0x557fd0b47fd0 in proceed(unsigned long, gdb_signal)
/home/simark/src/binutils-gdb/gdb/infrun.c:3228
    #7 0x557fd0aa954d in run_inferior_call
/home/simark/src/binutils-gdb/gdb/infcall.c:610
    #8 0x557fd0aaf439 in call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*)
/home/simark/src/binutils-gdb/gdb/infcall.c:1288
    #9 0x557fd0aaa906 in call_function_by_hand(value*, type*,
gdb::array_view<value*>) /home/simark/src/binutils-gdb/gdb/infcall.c:742
    #10 0x557fd0743276 in elf_gnu_ifunc_resolve_addr
/home/simark/src/binutils-gdb/gdb/elfread.c:915
    #11 0x557fd0aa6208 in find_function_addr(value*, type**, type**)
/home/simark/src/binutils-gdb/gdb/infcall.c:284
    #12 0x557fd0aaaffb in call_function_by_hand_dummy(value*, type*,
gdb::array_view<value*>, void (*)(void*, int), void*)
/home/simark/src/binutils-gdb/gdb/infcall.c:822
    #13 0x557fd0aaa906 in call_function_by_hand(value*, type*,
gdb::array_view<value*>) /home/simark/src/binutils-gdb/gdb/infcall.c:742
    #14 0x557fd075e17b in evaluate_subexp_do_call(expression*, noside, value*,
gdb::array_view<value*>, char const*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:674
    #15 0x557fd075eee8 in expr::operation::evaluate_funcall(type*, expression*,
noside, char const*, std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/eval.c:702
    #16 0x557fcf69275c in
expr::var_msym_value_operation::evaluate_funcall(type*, expression*, noside,
std::__debug::vector<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> >,
std::allocator<std::unique_ptr<expr::operation,
std::default_delete<expr::operation> > > > const&)
/home/simark/src/binutils-gdb/gdb/expop.h:731
    #17 0x557fcfcbd9a9 in expr::funcall_operation::evaluate(type*, expression*,
noside) /home/simark/src/binutils-gdb/gdb/expop.h:2202
    #18 0x557fd0776894 in expr::operation::evaluate_for_cast(type*,
expression*, noside) /home/simark/src/binutils-gdb/gdb/eval.c:2600
    #19 0x557fcf90e6d5 in expr::unop_cast_type_operation::evaluate(type*,
expression*, noside) /home/simark/src/binutils-gdb/gdb/expop.h:2036
    #20 0x557fd07595ad in expression::evaluate(type*, noside)
/home/simark/src/binutils-gdb/gdb/eval.c:101
    #21 0x557fd0759712 in evaluate_expression(expression*, type*)
/home/simark/src/binutils-gdb/gdb/eval.c:115
    #22 0x557fd0758f90 in parse_to_comma_and_eval(char const**)
/home/simark/src/binutils-gdb/gdb/eval.c:86
    #23 0x557fd1208ee6 in ui_printf
/home/simark/src/binutils-gdb/gdb/printcmd.c:2750
    #24 0x557fd120a7fc in printf_command
/home/simark/src/binutils-gdb/gdb/printcmd.c:2890
    #25 0x557fcfe04564 in do_simple_func
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:95
    #26 0x557fcfe19e66 in cmd_func(cmd_list_element*, char const*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-decode.c:2514
    #27 0x557fd1c802a5 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:699
    #28 0x557fcfe99fb5 in execute_control_command_1
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:530
    #29 0x557fcfe9b67e in execute_control_command(command_line*, int)
/home/simark/src/binutils-gdb/gdb/cli/cli-script.c:700

previously allocated by thread T0 here:
    #0 0x7f1530ecadd9 in __interceptor_malloc
/usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x557fcf7cc4fe in xmalloc /home/simark/src/binutils-gdb/gdb/alloc.c:60
    #2 0x557fd25a0842 in call_chunkfun
/home/simark/src/binutils-gdb/libiberty/obstack.c:94
    #3 0x557fd25a09f5 in _obstack_begin_worker
/home/simark/src/binutils-gdb/libiberty/obstack.c:141
    #4 0x557fd25a0cac in _obstack_begin
/home/simark/src/binutils-gdb/libiberty/obstack.c:164
    #5 0x557fd087bd52 in reinit_frame_cache()
/home/simark/src/binutils-gdb/gdb/frame.c:2001
    #6 0x557fd1c30506 in switch_to_thread(thread_info*)
/home/simark/src/binutils-gdb/gdb/thread.c:1335
    #7 0x557fd0b565d3 in context_switch
/home/simark/src/binutils-gdb/gdb/infrun.c:4397
    #8 0x557fd0b6b01d in handle_signal_stop
/home/simark/src/binutils-gdb/gdb/infrun.c:6133
    #9 0x557fd0b676b8 in handle_inferior_event
/home/simark/src/binutils-gdb/gdb/infrun.c:5855
    #10 0x557fd0b53855 in fetch_inferior_event()
/home/simark/src/binutils-gdb/gdb/infrun.c:4221
    #11 0x557fd0a9f02d in inferior_event_handler(inferior_event_type)
/home/simark/src/binutils-gdb/gdb/inf-loop.c:41
    #12 0x557fd0d6b48e in handle_target_event
/home/simark/src/binutils-gdb/gdb/linux-nat.c:4136
    #13 0x557fd251367a in handle_file_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:574
    #14 0x557fd2513fb5 in gdb_wait_for_event
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:700
    #15 0x557fd2511cf4 in gdb_do_one_event()
/home/simark/src/binutils-gdb/gdbsupport/event-loop.cc:212
    #16 0x557fd1c7ebc6 in wait_sync_command_done()
/home/simark/src/binutils-gdb/gdb/top.c:553
    #17 0x557fd1c7edde in maybe_wait_sync_command_done(int)
/home/simark/src/binutils-gdb/gdb/top.c:570
    #18 0x557fd1c802b2 in execute_command(char const*, int)
/home/simark/src/binutils-gdb/gdb/top.c:701
    #19 0x557fd0e6ac66 in catch_command_errors
/home/simark/src/binutils-gdb/gdb/main.c:515
    #20 0x557fd0e6b503 in execute_cmdargs
/home/simark/src/binutils-gdb/gdb/main.c:610
    #21 0x557fd0e6f6f5 in captured_main_1
/home/simark/src/binutils-gdb/gdb/main.c:1304
    #22 0x557fd0e6fd01 in captured_main
/home/simark/src/binutils-gdb/gdb/main.c:1325
    #23 0x557fd0e6fde3 in gdb_main(captured_main_args*)
/home/simark/src/binutils-gdb/gdb/main.c:1350
    #24 0x557fcf53f698 in main /home/simark/src/binutils-gdb/gdb/gdb.c:32
    #25 0x7f152f51130f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)

SUMMARY: AddressSanitizer: heap-use-after-free
/home/simark/src/binutils-gdb/gdb/frame.c:2886 in get_frame_arch(frame_info*)
Shadow bytes around the buggy address:
  0x0c428005ea70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428005ea80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428005ea90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428005eaa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c428005eac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c428005ead0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eaf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eb00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005eb10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2085316==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug gdb/27683] Crash when calling function in inferior

[simark at simark dot ca]

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

Simon Marchi <simark at simark dot ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Simon Marchi <simark at simark dot ca> ---
Marking as a duplicate of #28224, since that one has a bit more analysis.

*** This bug has been marked as a duplicate of bug 28224 ***

-- 
You are receiving this mail because:
You are on the CC list for the bug.