From: "vries at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug symtab/27893] [fission] segfault in dw2_expand_symtabs_matching_one
Date: Fri, 21 May 2021 00:14:13 +0000
Message-ID: <bug-27893-4717-B0f677pDTC@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-27893-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=27893

--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
With address sanitizer we get a heap-use-after-free:
...
=================================================================
==7743==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300024b930 at pc 0x000000f955a0 bp 0x7fffb3ba4c40 sp 0x7fffb3ba4c38
READ of size 8 at 0x60300024b930 thread T0
    #0 0xf9559f in std::__uniq_ptr_impl<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>::_M_ptr() const /usr/include/c++/7/bits/unique_ptr.h:147
    #1 0xf920b7 in std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>::get() const /usr/include/c++/7/bits/unique_ptr.h:332
    #2 0xff36eb in dwarf2_gdb_index::expand_symtabs_matching(objfile*, gdb::function_view<bool (char const*, bool)>, lookup_name_info const*, gdb::function_view<bool (char const*)>, gdb::function_view<bool (compunit_symtab*)>, enum_flags<block_search_flag_values>, domain_enum_tag, search_domain) /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:4337
    #3 0x18b82a1 in objfile::map_symtabs_matching_filename(char const*, char const*, gdb::function_view<bool (symtab*)>) /home/vries/gdb_versions/devel/src/gdb/symfile-debug.c:182
    #4 0x18f891a in iterate_over_symtabs(char const*, gdb::function_view<bool (symtab*)>) /home/vries/gdb_versions/devel/src/gdb/symtab.c:558
    #5 0x135d1e2 in collect_symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3809
    #6 0x135d4b6 in symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3829
    #7 0x13549cf in parse_linespec /home/vries/gdb_versions/devel/src/gdb/linespec.c:2637
    #8 0x13585e0 in event_location_to_sals /home/vries/gdb_versions/devel/src/gdb/linespec.c:3174
    #9 0x1358de6 in decode_line_full(event_location*, int, program_space*, symtab*, int, linespec_result*, char const*, char const*) /home/vries/gdb_versions/devel/src/gdb/linespec.c:3254
    #10 0xcc2745 in parse_breakpoint_sals /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9217
    #11 0xce1a0f in create_sals_from_location_default /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:13940
    #12 0xcda23a in bkpt_create_sals_from_location /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:12743
    #13 0xcc49c1 in create_breakpoint(gdbarch*, event_location*, char const*, int, char const*, bool, int, int, bptype, int, auto_boolean, breakpoint_ops const*, int, int, int, unsigned int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9493
    #14 0xcc5eda in break_command_1 /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9673
    #15 0xcc672d in break_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9743
    #16 0xded99c in do_const_cfunc /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:102
    #17 0xdf8363 in cmd_func(cmd_list_element*, char const*, int) /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:2188
    #18 0x19d6edd in execute_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/top.c:674
    #19 0x11093cf in command_handler(char const*) /home/vries/gdb_versions/devel/src/gdb/event-top.c:588
    #20 0x19d5b15 in read_command_file(_IO_FILE*) /home/vries/gdb_versions/devel/src/gdb/top.c:443
    #21 0xe21e91 in script_from_file(_IO_FILE*, char const*) /home/vries/gdb_versions/devel/src/gdb/cli/cli-script.c:1642
    #22 0xdd9b78 in source_script_from_stream /home/vries/gdb_versions/devel/src/gdb/cli/cli-cmds.c:705
    #23 0xdd9e8c in source_script_with_search /home/vries/gdb_versions/devel/src/gdb/cli/cli-cmds.c:750
    #24 0xdd9fb4 in source_script(char const*, int) /home/vries/gdb_versions/devel/src/gdb/cli/cli-cmds.c:759
    #25 0x14032f5 in catch_command_errors /home/vries/gdb_versions/devel/src/gdb/main.c:523
    #26 0x1403808 in execute_cmdargs /home/vries/gdb_versions/devel/src/gdb/main.c:615
    #27 0x14069e6 in captured_main_1 /home/vries/gdb_versions/devel/src/gdb/main.c:1322
    #28 0x1406f6e in captured_main /home/vries/gdb_versions/devel/src/gdb/main.c:1343
    #29 0x1407003 in gdb_main(captured_main_args*) /home/vries/gdb_versions/devel/src/gdb/main.c:1368
    #30 0xa9d13a in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
    #31 0x7fba4bd85349 in __libc_start_main (/lib64/libc.so.6+0x24349)
    #32 0xa9cf49 in _start (/home/vries/gdb_versions/devel/build/gdb/gdb+0xa9cf49)

0x60300024b930 is located 16 bytes inside of 32-byte region [0x60300024b920,0x60300024b940)
freed by thread T0 here:
    #0 0x7fba4ee28920 in operator delete(void*) (/usr/lib64/libasan.so.4+0xde920)
    #1 0x10c3b0d in __gnu_cxx::new_allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> >::deallocate(std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>*, unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10c3b0d)
    #2 0x10b4a30 in std::allocator_traits<std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::deallocate(std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> >&, std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>*, unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10b4a30)
    #3 0x10a2a35 in std::_Vector_base<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>, std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::_M_deallocate(std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>*, unsigned long) /usr/include/c++/7/bits/stl_vector.h:180
    #4 0x10a2ed1 in void std::vector<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>, std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::_M_realloc_insert<signatured_type*>(__gnu_cxx::__normal_iterator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>*, std::vector<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>, std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > > >, signatured_type*&&) /usr/include/c++/7/bits/vector.tcc:448
    #5 0x10961d8 in void std::vector<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>, std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::emplace_back<signatured_type*>(signatured_type*&&) /usr/include/c++/7/bits/vector.tcc:105
    #6 0xffd15c in add_type_unit /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:5899
    #7 0xffe0da in lookup_dwo_signatured_type /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:6020
    #8 0x102ac08 in queue_and_load_dwo_tu /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:12723
    #9 0x22c6ee1 in htab_traverse_noresize /home/vries/gdb_versions/devel/src/libiberty/hashtab.c:775
    #10 0x102af68 in queue_and_load_all_dwo_tus /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:12759
    #11 0xfe4611 in dw2_do_instantiate_symtab /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2252
    #12 0xfe48a8 in dw2_instantiate_symtab /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2279
    #13 0xff20e1 in dw2_expand_symtabs_matching_one /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:4124
    #14 0xff371b in dwarf2_gdb_index::expand_symtabs_matching(objfile*, gdb::function_view<bool (char const*, bool)>, lookup_name_info const*, gdb::function_view<bool (char const*)>, gdb::function_view<bool (compunit_symtab*)>, enum_flags<block_search_flag_values>, domain_enum_tag, search_domain) /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:4337
    #15 0x18b82a1 in objfile::map_symtabs_matching_filename(char const*, char const*, gdb::function_view<bool (symtab*)>) /home/vries/gdb_versions/devel/src/gdb/symfile-debug.c:182
    #16 0x18f891a in iterate_over_symtabs(char const*, gdb::function_view<bool (symtab*)>) /home/vries/gdb_versions/devel/src/gdb/symtab.c:558
    #17 0x135d1e2 in collect_symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3809
    #18 0x135d4b6 in symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3829
    #19 0x13549cf in parse_linespec /home/vries/gdb_versions/devel/src/gdb/linespec.c:2637
    #20 0x13585e0 in event_location_to_sals /home/vries/gdb_versions/devel/src/gdb/linespec.c:3174
    #21 0x1358de6 in decode_line_full(event_location*, int, program_space*, symtab*, int, linespec_result*, char const*, char const*) /home/vries/gdb_versions/devel/src/gdb/linespec.c:3254
    #22 0xcc2745 in parse_breakpoint_sals /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9217
    #23 0xce1a0f in create_sals_from_location_default /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:13940
    #24 0xcda23a in bkpt_create_sals_from_location /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:12743
    #25 0xcc49c1 in create_breakpoint(gdbarch*, event_location*, char const*, int, char const*, bool, int, int, bptype, int, auto_boolean, breakpoint_ops const*, int, int, int, unsigned int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9493
    #26 0xcc5eda in break_command_1 /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9673
    #27 0xcc672d in break_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9743
    #28 0xded99c in do_const_cfunc /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:102
    #29 0xdf8363 in cmd_func(cmd_list_element*, char const*, int) /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:2188

previously allocated by thread T0 here:
    #0 0x7fba4ee27c20 in operator new(unsigned long) (/usr/lib64/libasan.so.4+0xddc20)
    #1 0x10cf036 in __gnu_cxx::new_allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> >::allocate(unsigned long, void const*) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10cf036)
    #2 0x10c3ab9 in std::allocator_traits<std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::allocate(std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> >&, unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10c3ab9)
    #3 0x10b49cb in std::_Vector_base<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>, std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::_M_allocate(unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10b49cb)
    #4 0x10a2991 in std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>* std::vector<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>, std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::_M_allocate_and_copy<std::move_iterator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>*> >(unsigned long, std::move_iterator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>*>, std::move_iterator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>*>) /usr/include/c++/7/bits/stl_vector.h:1260
    #5 0x1095e2f in std::vector<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>, std::allocator<std::unique_ptr<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter> > >::reserve(unsigned long) /usr/include/c++/7/bits/vector.tcc:73
    #6 0xfe50cc in create_cus_from_index /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2362
    #7 0xfe89fc in dwarf2_read_gdb_index /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2869
    #8 0xffaf98 in dwarf2_initialize_objfile(objfile*) /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:5479
    #9 0x10eec6c in elf_symfile_read /home/vries/gdb_versions/devel/src/gdb/elfread.c:1258
    #10 0x18c4c84 in read_symbols /home/vries/gdb_versions/devel/src/gdb/symfile.c:771
    #11 0x18c5ce9 in syms_from_objfile_1 /home/vries/gdb_versions/devel/src/gdb/symfile.c:967
    #12 0x18c5eca in syms_from_objfile /home/vries/gdb_versions/devel/src/gdb/symfile.c:984
    #13 0x18c6dac in symbol_file_add_with_addrs /home/vries/gdb_versions/devel/src/gdb/symfile.c:1087
    #14 0x18c7991 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) /home/vries/gdb_versions/devel/src/gdb/symfile.c:1168
    #15 0x184c978 in solib_read_symbols(so_list*, enum_flags<symfile_add_flag>) /home/vries/gdb_versions/devel/src/gdb/solib.c:681
    #16 0x184e2bd in solib_add(char const*, int, int) /home/vries/gdb_versions/devel/src/gdb/solib.c:987
    #17 0x1850580 in handle_solib_event() /home/vries/gdb_versions/devel/src/gdb/solib.c:1261
    #18 0xca976f in bpstat_stop_status(address_space const*, unsigned long, thread_info*, target_waitstatus const*, bpstats*) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:5546
    #19 0x12fce24 in handle_signal_stop /home/vries/gdb_versions/devel/src/gdb/infrun.c:6243
    #20 0x12f950c in handle_inferior_event /home/vries/gdb_versions/devel/src/gdb/infrun.c:5729
    #21 0x12ee33f in fetch_inferior_event() /home/vries/gdb_versions/devel/src/gdb/infrun.c:4108
    #22 0x12a6536 in inferior_event_handler(inferior_event_type) /home/vries/gdb_versions/devel/src/gdb/inf-loop.c:41
    #23 0x1396c85 in handle_target_event /home/vries/gdb_versions/devel/src/gdb/linux-nat.c:4056
    #24 0x224c460 in handle_file_event /home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:575
    #25 0x224cc7d in gdb_wait_for_event /home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:701
    #26 0x224ab6d in gdb_do_one_event() /home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:212
    #27 0x19d5e9a in wait_sync_command_done() /home/vries/gdb_versions/devel/src/gdb/top.c:528
    #28 0x19d6055 in maybe_wait_sync_command_done(int) /home/vries/gdb_versions/devel/src/gdb/top.c:545
    #29 0x19d6eea in execute_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/top.c:676

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/unique_ptr.h:147 in std::__uniq_ptr_impl<dwarf2_per_cu_data, dwarf2_per_cu_data_deleter>::_M_ptr() const
Shadow bytes around the buggy address:
  0x0c06800416d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800416e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c06800416f0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680041700: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680041710: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
=>0x0c0680041720: fd fd fa fa fd fd[fd]fd fa fa fd fd fd fd fa fa
  0x0c0680041730: 00 00 00 fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680041740: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c0680041750: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680041760: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680041770: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
  Left alloca redzone:   ca
  Right alloca redzone:  cb
==7743==ABORTING
...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
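
The three stacks above place the read and the free under the same caller: expand_symtabs_matching at read.c:4337 reads a unique_ptr slot, while the call it makes at that line reaches add_type_unit, whose emplace_back reallocates the vector that create_cus_from_index had reserved. The following C++ is an added example, not GDB code and not part of the original message; it reproduces that pattern without undefined behaviour, and the unit type, the helper names and the range-for loop shape named in the comment are hypothetical.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-in for a per-unit record (not GDB's dwarf2_per_cu_data).
struct unit { int id; bool is_type_unit; };
using unit_vec = std::vector<std::unique_ptr<unit>>;

// Build a vector that is exactly full, so the next append must reallocate.
unit_vec make_full (std::size_t n)
{
  unit_vec units;
  units.reserve (n);
  for (int id = 0; units.size () < units.capacity (); ++id)
    units.emplace_back (new unit{id, false});
  return units;
}

// Stand-in for expanding one unit: a compile unit registers a new type unit
// on the same vector, like the emplace_back in the "freed by" stack.
void expand (unit_vec &units, const unit &u)
{
  if (!u.is_type_unit)
    units.emplace_back (new unit{u.id + 100, true});
}

// True if one expand() call moved the slot storage, which makes every
// iterator or reference to a slot taken before the call stale.
bool expand_moves_slots (unit_vec &units)
{
  const void *before = units.data ();
  expand (units, *units.front ());
  return units.data () != before;
}

// Unsafe shape (assumed, not executed here):
//   for (auto &slot : units) expand (units, *slot);
// Safe shape: re-index on every step and hold only the pointee, which the
// unique_ptr keeps at a fixed address across reallocation.
std::size_t expand_all_by_index (unit_vec &units)
{
  std::size_t visited = 0;
  for (std::size_t i = 0; i < units.size (); ++i, ++visited)
    expand (units, *units[i].get ());
  return visited;
}

int main ()
{
  unit_vec a = make_full (3), b = make_full (3);
  return expand_moves_slots (a) && expand_all_by_index (b) == 6 ? 0 : 1;
}
```

Built with -fsanitize=address, a loop of the unsafe shape over the same data yields a report with the same three sections as the one above: the read, the free inside the vector's reallocation, and the original reserve.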