From: "davidwelch158 at hotmail dot com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug gdb/27683] New: Crash when calling function in interior
Date: Thu, 01 Apr 2021 16:26:27 +0000
Message-ID: <bug-27683-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=27683

            Bug ID: 27683
           Summary: Crash when calling function in interior
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: davidwelch158 at hotmail dot com
  Target Milestone: ---

I found it easier to reproduce this bug under valgrind but it does happen less
repeatably in normal execution.

$ cat f.c
#include <math.h>

int main() {
  float fi;
  float out = floor(fi);
}

$ gcc -g -O0 f.c -o f -lm
$ valgrind --num-callers=100 --log-file='valgrind-log' /home/dw/devel/gdb/install/bin/gdb ./f
(gdb) start
(gdb) call (float)floor(fi)
Aborted (core dumped)

valgrind-log contains:-

Invalid read of size 8
   at 0x4D3AC2: get_frame_arch(frame_info*) (frame.c:2939)
   by 0x4D3D26: get_frame_sp(frame_info*) (frame.c:3029)
   by 0x5334E3: call_function_by_hand_dummy(value*, type*, gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:845)
   by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>) (infcall.c:743)
   by 0x4A1C42: evaluate_subexp_do_call(expression*, noside, value*, gdb::array_view<value*>, char const*, type*) (eval.c:674)
   by 0x4A1EB3: expr::operation::evaluate_funcall(type*, expression*, noside, char const*, std::vector<std::unique_ptr<expr::operation, std::default_delete<expr::operation> >, std::allocator<std::unique_ptr<expr::operation, std::default_delete<expr::operation> > > > const&) (eval.c:703)
   by 0x24CA88: expr::var_msym_value_operation::evaluate_funcall(type*, expression*, noside, std::vector<std::unique_ptr<expr::operation, std::default_delete<expr::operation> >, std::allocator<std::unique_ptr<expr::operation, std::default_delete<expr::operation> > > > const&) (expop.h:722)
   by 0x30A72C: expr::funcall_operation::evaluate(type*, expression*, noside) (expop.h:2162)
   by 0x4A752F: expr::operation::evaluate_for_cast(type*, expression*, noside) (eval.c:2499)
   by 0x296A53: expr::unop_cast_type_operation::evaluate(type*, expression*, noside) (expop.h:1996)
   by 0x4A0976: expression::evaluate(type*, noside) (eval.c:101)
   by 0x4A0A37: evaluate_expression(expression*, type*) (eval.c:115)
   by 0x644F1F: process_print_command_args(char const*, value_print_options*, bool) (printcmd.c:1305)
   by 0x644FC7: print_command_1(char const*, int) (printcmd.c:1318)
   by 0x645417: call_command(char const*, int) (printcmd.c:1442)
   by 0x341C99: do_const_cfunc(cmd_list_element*, char const*, int) (cli-decode.c:101)
   by 0x345FAA: cmd_func(cmd_list_element*, char const*, int) (cli-decode.c:2181)
   by 0x7DE955: execute_command(char const*, int) (top.c:670)
   by 0x4AAD9E: command_handler(char const*) (event-top.c:589)
   by 0x4AB216: command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) (event-top.c:774)
   by 0x80A48F: tui_command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) (tui-interp.c:268)
   by 0x4AA489: gdb_rl_callback_handler(char*) (event-top.c:219)
   by 0x4E6AF9D: rl_callback_read_char (in /lib/x86_64-linux-gnu/libreadline.so.7.0)
   by 0x4AA2B1: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:177)
   by 0x4AA35B: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:194)
   by 0x4AABB6: stdin_event_handler(int, void*) (event-top.c:516)
   by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
   by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
   by 0x9C9DFE: gdb_do_one_event() (event-loop.cc:237)
   by 0x5BDCBD: start_event_loop() (main.c:348)
   by 0x5BDDF8: captured_command_loop() (main.c:408)
   by 0x5BF6CD: captured_main(void*) (main.c:1242)
   by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
   by 0x207052: main (gdb.c:32)
 Address 0x1283e8f0 is 368 bytes inside a block of size 4,064 free'd
   at 0x4C32D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0xA17B97: rpl_free (free.c:40)
   by 0x4D4452: void xfree<void>(void*) (common-utils.h:66)
   by 0x9FCE15: call_freefun (obstack.c:103)
   by 0x9FD288: _obstack_free (obstack.c:280)
   by 0x4D2084: reinit_frame_cache() (frame.c:2054)
   by 0x6C8F9C: regcache_write_pc(regcache*, unsigned long) (regcache.c:1342)
   by 0x54B383: proceed(unsigned long, gdb_signal) (infrun.c:3112)
   by 0x532E25: run_inferior_call(call_thread_fsm*, thread_info*, unsigned long) (infcall.c:611)
   by 0x534657: call_function_by_hand_dummy(value*, type*, gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:1277)
   by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>) (infcall.c:743)
   by 0x49D212: elf_gnu_ifunc_resolve_addr(gdbarch*, unsigned long) (elfread.c:917)
   by 0x53253E: find_function_addr(value*, type**, type**) (infcall.c:284)
   by 0x5333E5: call_function_by_hand_dummy(value*, type*, gdb::array_view<value*>, void (*)(void*, int), void*) (infcall.c:814)
   by 0x533201: call_function_by_hand(value*, type*, gdb::array_view<value*>) (infcall.c:743)
   by 0x4A1C42: evaluate_subexp_do_call(expression*, noside, value*, gdb::array_view<value*>, char const*, type*) (eval.c:674)
   by 0x4A1EB3: expr::operation::evaluate_funcall(type*, expression*, noside, char const*, std::vector<std::unique_ptr<expr::operation, std::default_delete<expr::operation> >, std::allocator<std::unique_ptr<expr::operation, std::default_delete<expr::operation> > > > const&) (eval.c:703)
   by 0x24CA88: expr::var_msym_value_operation::evaluate_funcall(type*, expression*, noside, std::vector<std::unique_ptr<expr::operation, std::default_delete<expr::operation> >, std::allocator<std::unique_ptr<expr::operation, std::default_delete<expr::operation> > > > const&) (expop.h:722)
   by 0x30A72C: expr::funcall_operation::evaluate(type*, expression*, noside) (expop.h:2162)
   by 0x4A752F: expr::operation::evaluate_for_cast(type*, expression*, noside) (eval.c:2499)
   by 0x296A53: expr::unop_cast_type_operation::evaluate(type*, expression*, noside) (expop.h:1996)
   by 0x4A0976: expression::evaluate(type*, noside) (eval.c:101)
   by 0x4A0A37: evaluate_expression(expression*, type*) (eval.c:115)
   by 0x644F1F: process_print_command_args(char const*, value_print_options*, bool) (printcmd.c:1305)
   by 0x644FC7: print_command_1(char const*, int) (printcmd.c:1318)
   by 0x645417: call_command(char const*, int) (printcmd.c:1442)
   by 0x341C99: do_const_cfunc(cmd_list_element*, char const*, int) (cli-decode.c:101)
   by 0x345FAA: cmd_func(cmd_list_element*, char const*, int) (cli-decode.c:2181)
   by 0x7DE955: execute_command(char const*, int) (top.c:670)
   by 0x4AAD9E: command_handler(char const*) (event-top.c:589)
   by 0x4AB216: command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) (event-top.c:774)
   by 0x80A48F: tui_command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) (tui-interp.c:268)
   by 0x4AA489: gdb_rl_callback_handler(char*) (event-top.c:219)
   by 0x4E6AF9D: rl_callback_read_char (in /lib/x86_64-linux-gnu/libreadline.so.7.0)
   by 0x4AA2B1: gdb_rl_callback_read_char_wrapper_noexcept() (event-top.c:177)
   by 0x4AA35B: gdb_rl_callback_read_char_wrapper(void*) (event-top.c:194)
   by 0x4AABB6: stdin_event_handler(int, void*) (event-top.c:516)
   by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
   by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
   by 0x9C9DFE: gdb_do_one_event() (event-loop.cc:237)
   by 0x5BDCBD: start_event_loop() (main.c:348)
   by 0x5BDDF8: captured_command_loop() (main.c:408)
   by 0x5BF6CD: captured_main(void*) (main.c:1242)
   by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
   by 0x207052: main (gdb.c:32)
 Block was alloc'd at
   at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x26ACFC: xmalloc (alloc.c:60)
   by 0x9FCDC5: call_chunkfun (obstack.c:94)
   by 0x9FCE88: _obstack_begin_worker (obstack.c:141)
   by 0x9FCF8F: _obstack_begin (obstack.c:164)
   by 0x4D20AB: reinit_frame_cache() (frame.c:2055)
   by 0x7D61B0: switch_to_thread(thread_info*) (thread.c:1353)
   by 0x7D6255: scoped_restore_current_thread::restore() (thread.c:1379)
   by 0x7D632D: scoped_restore_current_thread::~scoped_restore_current_thread() (thread.c:1399)
   by 0x550D5E: stop_all_threads() (infrun.c:4964)
   by 0x557857: stop_waiting(execution_control_state*) (infrun.c:8006)
   by 0x554591: process_event_stop_test(execution_control_state*) (infrun.c:6667)
   by 0x553F1C: handle_signal_stop(execution_control_state*) (infrun.c:6470)
   by 0x552245: handle_inferior_event(execution_control_state*) (infrun.c:5727)
   by 0x54E155: fetch_inferior_event() (infrun.c:4105)
   by 0x530B9B: inferior_event_handler(inferior_event_type) (inf-loop.c:42)
   by 0x591D91: handle_target_event(int, void*) (linux-nat.c:4060)
   by 0x9CAA95: handle_file_event(file_handler*, int) (event-loop.cc:575)
   by 0x9CB043: gdb_wait_for_event(int) (event-loop.cc:701)
   by 0x9C9D86: gdb_do_one_event() (event-loop.cc:212)
   by 0x5BDCBD: start_event_loop() (main.c:348)
   by 0x5BDDF8: captured_command_loop() (main.c:408)
   by 0x5BF6CD: captured_main(void*) (main.c:1242)
   by 0x5BF733: gdb_main(captured_main_args*) (main.c:1257)
   by 0x207052: main (gdb.c:32)

I believe this happens because infcall.c:805 does

  frame = get_current_frame ();

then infcall.c:814

  CORE_ADDR funaddr = find_function_addr (function, &values_type, &ftype);

then infcall.c:845

  CORE_ADDR old_sp = get_frame_sp (frame);

The call to find_function_addr may call reinit_frame_cache which invalidates
the frame pointed to by 'frame'. Adding a repeat call to get_current_frame
just before get_frame_sp seemed to fix it for me.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
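The stale-pointer pattern the report describes, as an added C model written for this archive page; it is not GDB's code. The names get_current_frame, reinit_frame_cache, find_function_addr and get_frame_sp are borrowed from the trace above but the bodies are simplified stand-ins: a one-slot frame cache with a generation counter, so that a pointer kept across a cache rebuild can be detected deterministically instead of reading freed memory. The stack-pointer and function addresses are constructed. The third function goes slightly beyond the report: it shows why the same bug is only intermittently visible when the freed slot is reused before the stale pointer is read, which is the reason Valgrind catches it reliably and a normal run often does not.

```c
/* Added example, not GDB code: a one-slot model of the frame cache from
 * the report.  A frame pointer is only valid until the next
 * reinit_frame_cache(); the buggy sequence keeps one across a call that
 * may reinitialise the cache, the fixed sequence re-fetches it. */
#include <stdio.h>

typedef unsigned long CORE_ADDR;

struct frame_info {
    unsigned generation;   /* cache generation this frame was built in; 0 = freed */
    CORE_ADDR sp;
};

/* Global model of the frame cache: one slot plus a generation counter. */
static unsigned cache_generation = 1;
static struct frame_info frame_slot;
static int frame_slot_live = 0;
static CORE_ADDR inferior_sp = 0x7ffc0000;   /* constructed stack pointer */

/* Stand-in for reinit_frame_cache(): like freeing the obstack, every
 * pointer handed out so far becomes stale. */
static void reinit_frame_cache(void)
{
    frame_slot.generation = 0;      /* poison, like the freed block Valgrind saw */
    frame_slot_live = 0;
    cache_generation++;
}

/* Stand-in for get_current_frame(): (re)build the frame if the cache is empty. */
static struct frame_info *get_current_frame(void)
{
    if (!frame_slot_live) {
        frame_slot.generation = cache_generation;
        frame_slot.sp = inferior_sp;
        frame_slot_live = 1;
    }
    return &frame_slot;
}

/* Stand-in for get_frame_sp(): returns 0 and stores sp, or -1 when the
 * caller holds a pointer from an earlier cache generation.  Real GDB has
 * no such check; the read goes into freed memory instead. */
static int get_frame_sp(const struct frame_info *frame, CORE_ADDR *sp)
{
    if (frame->generation != cache_generation)
        return -1;
    *sp = frame->sp;
    return 0;
}

/* Stand-in for find_function_addr(): resolving an ifunc such as floor()
 * runs code in the inferior (elf_gnu_ifunc_resolve_addr in the trace),
 * and resuming the inferior rebuilds the frame cache. */
static CORE_ADDR find_function_addr(int resolves_ifunc)
{
    if (resolves_ifunc) {
        inferior_sp -= 16;          /* constructed: dummy frame pushed */
        reinit_frame_cache();
    }
    return 0x401000;                /* constructed address */
}

/* Order from infcall.c as described in the report: frame fetched at :805,
 * find_function_addr at :814, get_frame_sp at :845. */
int call_by_hand_buggy(int resolves_ifunc, CORE_ADDR *old_sp)
{
    struct frame_info *frame = get_current_frame();
    (void) find_function_addr(resolves_ifunc);
    return get_frame_sp(frame, old_sp);
}

/* Reporter's fix: fetch the frame again after anything that may have
 * reinitialised the cache. */
int call_by_hand_fixed(int resolves_ifunc, CORE_ADDR *old_sp)
{
    (void) find_function_addr(resolves_ifunc);
    struct frame_info *frame = get_current_frame();
    return get_frame_sp(frame, old_sp);
}

/* Same buggy order, but unrelated code refills the cache before the stale
 * pointer is used: the slot is reused, the check passes, and nothing is
 * detected.  This is why the crash is less repeatable outside Valgrind. */
int call_by_hand_buggy_masked(CORE_ADDR *old_sp)
{
    struct frame_info *frame = get_current_frame();
    (void) find_function_addr(1);
    (void) get_current_frame();
    return get_frame_sp(frame, old_sp);
}

int main(void)
{
    CORE_ADDR sp = 0;
    int rc;
    rc = call_by_hand_buggy(0, &sp);
    printf("buggy, no ifunc:  %d\n", rc);
    rc = call_by_hand_buggy(1, &sp);
    printf("buggy, ifunc:     %d (stale frame detected)\n", rc);
    rc = call_by_hand_fixed(1, &sp);
    printf("fixed, ifunc:     %d sp=0x%lx\n", rc, sp);
    rc = call_by_hand_buggy_masked(&sp);
    printf("buggy but masked: %d\n", rc);
    return 0;
}
```

The generation check stands in for what Memcheck does with its shadow memory: it only fires while the slot is still marked freed. Once the slot has been handed out again, the stale pointer and the fresh pointer are the same address and the read looks valid, so a fix has to remove the stale use (re-fetch after the invalidating call) rather than rely on the crash being reproducible.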
Thread overview: 6+ messages
  2021-04-01 16:26 davidwelch158 at hotmail dot com [this message]
  2021-04-01 16:28 ` [Bug gdb/27683] Crash when calling function in inferior davidwelch158 at hotmail dot com
  2021-04-01 16:32 ` davidwelch158 at hotmail dot com
  2021-04-01 16:37 ` davidwelch158 at hotmail dot com
  2022-05-07 23:59 ` simark at simark dot ca
  2022-05-08 17:12 ` simark at simark dot ca