From mboxrd@z Thu Jan 1 00:00:00 1970
Received: by sourceware.org (Postfix, from userid 48) id AE2C63987C1A; Fri, 21 May 2021 00:14:13 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org AE2C63987C1A
From: "vries at gcc dot gnu.org"
To: gdb-prs@sourceware.org
Subject: [Bug symtab/27893] [fission] segfault in dw2_expand_symtabs_matching_one
Date: Fri, 21 May 2021 00:14:13 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gdb
X-Bugzilla-Component: symtab
X-Bugzilla-Version: HEAD
X-Bugzilla-Severity: normal
X-Bugzilla-Who: vries at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gdb-prs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gdb-prs mailing list
X-List-Received-Date: Fri, 21 May 2021 00:14:13 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27893

--- Comment #4 from Tom de Vries ---
With address sanitizer we get a heap-use-after-free:
...
=================================================================
==7743==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300024b930 at pc 0x000000f955a0 bp 0x7fffb3ba4c40 sp 0x7fffb3ba4c38
READ of size 8 at 0x60300024b930 thread T0
    #0 0xf9559f in std::__uniq_ptr_impl::_M_ptr() const /usr/include/c++/7/bits/unique_ptr.h:147
    #1 0xf920b7 in std::unique_ptr::get() const /usr/include/c++/7/bits/unique_ptr.h:332
    #2 0xff36eb in dwarf2_gdb_index::expand_symtabs_matching(objfile*, gdb::function_view, lookup_name_info const*, gdb::function_view, gdb::function_view, enum_flags, domain_enum_tag, search_domain) /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:4337
    #3 0x18b82a1 in objfile::map_symtabs_matching_filename(char const*, char const*, gdb::function_view) /home/vries/gdb_versions/devel/src/gdb/symfile-debug.c:182
    #4 0x18f891a in iterate_over_symtabs(char const*, gdb::function_view) /home/vries/gdb_versions/devel/src/gdb/symtab.c:558
    #5 0x135d1e2 in collect_symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3809
    #6 0x135d4b6 in symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3829
    #7 0x13549cf in parse_linespec /home/vries/gdb_versions/devel/src/gdb/linespec.c:2637
    #8 0x13585e0 in event_location_to_sals /home/vries/gdb_versions/devel/src/gdb/linespec.c:3174
    #9 0x1358de6 in decode_line_full(event_location*, int, program_space*, symtab*, int, linespec_result*, char const*, char const*) /home/vries/gdb_versions/devel/src/gdb/linespec.c:3254
    #10 0xcc2745 in parse_breakpoint_sals /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9217
    #11 0xce1a0f in create_sals_from_location_default /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:13940
    #12 0xcda23a in bkpt_create_sals_from_location /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:12743
    #13 0xcc49c1 in create_breakpoint(gdbarch*, event_location*, char const*, int, char const*, bool, int, int, bptype, int, auto_boolean, breakpoint_ops const*, int, int, int, unsigned int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9493
    #14 0xcc5eda in break_command_1 /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9673
    #15 0xcc672d in break_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9743
    #16 0xded99c in do_const_cfunc /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:102
    #17 0xdf8363 in cmd_func(cmd_list_element*, char const*, int) /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:2188
    #18 0x19d6edd in execute_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/top.c:674
    #19 0x11093cf in command_handler(char const*) /home/vries/gdb_versions/devel/src/gdb/event-top.c:588
    #20 0x19d5b15 in read_command_file(_IO_FILE*) /home/vries/gdb_versions/devel/src/gdb/top.c:443
    #21 0xe21e91 in script_from_file(_IO_FILE*, char const*) /home/vries/gdb_versions/devel/src/gdb/cli/cli-script.c:1642
    #22 0xdd9b78 in source_script_from_stream /home/vries/gdb_versions/devel/src/gdb/cli/cli-cmds.c:705
    #23 0xdd9e8c in source_script_with_search /home/vries/gdb_versions/devel/src/gdb/cli/cli-cmds.c:750
    #24 0xdd9fb4 in source_script(char const*, int) /home/vries/gdb_versions/devel/src/gdb/cli/cli-cmds.c:759
    #25 0x14032f5 in catch_command_errors /home/vries/gdb_versions/devel/src/gdb/main.c:523
    #26 0x1403808 in execute_cmdargs /home/vries/gdb_versions/devel/src/gdb/main.c:615
    #27 0x14069e6 in captured_main_1 /home/vries/gdb_versions/devel/src/gdb/main.c:1322
    #28 0x1406f6e in captured_main /home/vries/gdb_versions/devel/src/gdb/main.c:1343
    #29 0x1407003 in gdb_main(captured_main_args*) /home/vries/gdb_versions/devel/src/gdb/main.c:1368
    #30 0xa9d13a in main /home/vries/gdb_versions/devel/src/gdb/gdb.c:32
    #31 0x7fba4bd85349 in __libc_start_main (/lib64/libc.so.6+0x24349)
    #32 0xa9cf49 in _start (/home/vries/gdb_versions/devel/build/gdb/gdb+0xa9cf49)

0x60300024b930 is located 16 bytes inside of 32-byte region [0x60300024b920,0x60300024b940)
freed by thread T0 here:
    #0 0x7fba4ee28920 in operator delete(void*) (/usr/lib64/libasan.so.4+0xde920)
    #1 0x10c3b0d in __gnu_cxx::new_allocator >::deallocate(std::unique_ptr*, unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10c3b0d)
    #2 0x10b4a30 in std::allocator_traits > >::deallocate(std::allocator >&, std::unique_ptr*, unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10b4a30)
    #3 0x10a2a35 in std::_Vector_base, std::allocator > >::_M_deallocate(std::unique_ptr*, unsigned long) /usr/include/c++/7/bits/stl_vector.h:180
    #4 0x10a2ed1 in void std::vector, std::allocator > >::_M_realloc_insert(__gnu_cxx::__normal_iterator*, std::vector, std::allocator > > >, signatured_type*&&) /usr/include/c++/7/bits/vector.tcc:448
    #5 0x10961d8 in void std::vector, std::allocator > >::emplace_back(signatured_type*&&) /usr/include/c++/7/bits/vector.tcc:105
    #6 0xffd15c in add_type_unit /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:5899
    #7 0xffe0da in lookup_dwo_signatured_type /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:6020
    #8 0x102ac08 in queue_and_load_dwo_tu /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:12723
    #9 0x22c6ee1 in htab_traverse_noresize /home/vries/gdb_versions/devel/src/libiberty/hashtab.c:775
    #10 0x102af68 in queue_and_load_all_dwo_tus /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:12759
    #11 0xfe4611 in dw2_do_instantiate_symtab /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2252
    #12 0xfe48a8 in dw2_instantiate_symtab /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2279
    #13 0xff20e1 in dw2_expand_symtabs_matching_one /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:4124
    #14 0xff371b in dwarf2_gdb_index::expand_symtabs_matching(objfile*, gdb::function_view, lookup_name_info const*, gdb::function_view, gdb::function_view, enum_flags, domain_enum_tag, search_domain) /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:4337
    #15 0x18b82a1 in objfile::map_symtabs_matching_filename(char const*, char const*, gdb::function_view) /home/vries/gdb_versions/devel/src/gdb/symfile-debug.c:182
    #16 0x18f891a in iterate_over_symtabs(char const*, gdb::function_view) /home/vries/gdb_versions/devel/src/gdb/symtab.c:558
    #17 0x135d1e2 in collect_symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3809
    #18 0x135d4b6 in symtabs_from_filename /home/vries/gdb_versions/devel/src/gdb/linespec.c:3829
    #19 0x13549cf in parse_linespec /home/vries/gdb_versions/devel/src/gdb/linespec.c:2637
    #20 0x13585e0 in event_location_to_sals /home/vries/gdb_versions/devel/src/gdb/linespec.c:3174
    #21 0x1358de6 in decode_line_full(event_location*, int, program_space*, symtab*, int, linespec_result*, char const*, char const*) /home/vries/gdb_versions/devel/src/gdb/linespec.c:3254
    #22 0xcc2745 in parse_breakpoint_sals /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9217
    #23 0xce1a0f in create_sals_from_location_default /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:13940
    #24 0xcda23a in bkpt_create_sals_from_location /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:12743
    #25 0xcc49c1 in create_breakpoint(gdbarch*, event_location*, char const*, int, char const*, bool, int, int, bptype, int, auto_boolean, breakpoint_ops const*, int, int, int, unsigned int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9493
    #26 0xcc5eda in break_command_1 /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9673
    #27 0xcc672d in break_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:9743
    #28 0xded99c in do_const_cfunc /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:102
    #29 0xdf8363 in cmd_func(cmd_list_element*, char const*, int) /home/vries/gdb_versions/devel/src/gdb/cli/cli-decode.c:2188

previously allocated by thread T0 here:
    #0 0x7fba4ee27c20 in operator new(unsigned long) (/usr/lib64/libasan.so.4+0xddc20)
    #1 0x10cf036 in __gnu_cxx::new_allocator >::allocate(unsigned long, void const*) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10cf036)
    #2 0x10c3ab9 in std::allocator_traits > >::allocate(std::allocator >&, unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10c3ab9)
    #3 0x10b49cb in std::_Vector_base, std::allocator > >::_M_allocate(unsigned long) (/home/vries/gdb_versions/devel/build/gdb/gdb+0x10b49cb)
    #4 0x10a2991 in std::unique_ptr* std::vector, std::allocator > >::_M_allocate_and_copy*> >(unsigned long, std::move_iterator*>, std::move_iterator*>) /usr/include/c++/7/bits/stl_vector.h:1260
    #5 0x1095e2f in std::vector, std::allocator > >::reserve(unsigned long) /usr/include/c++/7/bits/vector.tcc:73
    #6 0xfe50cc in create_cus_from_index /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2362
    #7 0xfe89fc in dwarf2_read_gdb_index /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:2869
    #8 0xffaf98 in dwarf2_initialize_objfile(objfile*) /home/vries/gdb_versions/devel/src/gdb/dwarf2/read.c:5479
    #9 0x10eec6c in elf_symfile_read /home/vries/gdb_versions/devel/src/gdb/elfread.c:1258
    #10 0x18c4c84 in read_symbols /home/vries/gdb_versions/devel/src/gdb/symfile.c:771
    #11 0x18c5ce9 in syms_from_objfile_1 /home/vries/gdb_versions/devel/src/gdb/symfile.c:967
    #12 0x18c5eca in syms_from_objfile /home/vries/gdb_versions/devel/src/gdb/symfile.c:984
    #13 0x18c6dac in symbol_file_add_with_addrs /home/vries/gdb_versions/devel/src/gdb/symfile.c:1087
    #14 0x18c7991 in symbol_file_add_from_bfd(bfd*, char const*, enum_flags, std::vector >*, enum_flags, objfile*) /home/vries/gdb_versions/devel/src/gdb/symfile.c:1168
    #15 0x184c978 in solib_read_symbols(so_list*, enum_flags) /home/vries/gdb_versions/devel/src/gdb/solib.c:681
    #16 0x184e2bd in solib_add(char const*, int, int) /home/vries/gdb_versions/devel/src/gdb/solib.c:987
    #17 0x1850580 in handle_solib_event() /home/vries/gdb_versions/devel/src/gdb/solib.c:1261
    #18 0xca976f in bpstat_stop_status(address_space const*, unsigned long, thread_info*, target_waitstatus const*, bpstats*) /home/vries/gdb_versions/devel/src/gdb/breakpoint.c:5546
    #19 0x12fce24 in handle_signal_stop /home/vries/gdb_versions/devel/src/gdb/infrun.c:6243
    #20 0x12f950c in handle_inferior_event /home/vries/gdb_versions/devel/src/gdb/infrun.c:5729
    #21 0x12ee33f in fetch_inferior_event() /home/vries/gdb_versions/devel/src/gdb/infrun.c:4108
    #22 0x12a6536 in inferior_event_handler(inferior_event_type) /home/vries/gdb_versions/devel/src/gdb/inf-loop.c:41
    #23 0x1396c85 in handle_target_event /home/vries/gdb_versions/devel/src/gdb/linux-nat.c:4056
    #24 0x224c460 in handle_file_event /home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:575
    #25 0x224cc7d in gdb_wait_for_event /home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:701
    #26 0x224ab6d in gdb_do_one_event() /home/vries/gdb_versions/devel/src/gdbsupport/event-loop.cc:212
    #27 0x19d5e9a in wait_sync_command_done() /home/vries/gdb_versions/devel/src/gdb/top.c:528
    #28 0x19d6055 in maybe_wait_sync_command_done(int) /home/vries/gdb_versions/devel/src/gdb/top.c:545
    #29 0x19d6eea in execute_command(char const*, int) /home/vries/gdb_versions/devel/src/gdb/top.c:676

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/unique_ptr.h:147 in std::__uniq_ptr_impl::_M_ptr() const
Shadow bytes around the buggy address:
  0x0c06800416d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800416e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c06800416f0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680041700: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680041710: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
=>0x0c0680041720: fd fd fa fa fd fd[fd]fd fa fa fd fd fd fd fa fa
  0x0c0680041730: 00 00 00 fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680041740: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c0680041750: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680041760: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680041770: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7743==ABORTING
...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
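The two stacks in the report fit one pattern: the READ happens in unique_ptr::get() at read.c:4337 inside expand_symtabs_matching, and the memory it reads was freed by std::vector::emplace_back reallocating (via add_type_unit) while that same frame at read.c:4337 was still on the stack. The C++ below is an added illustration of that bug class, not gdb's code and not taken from the bug thread: a vector of unique_ptr grows during a walk, so a pointer to a vector slot held across the call dangles, while a pointer to the pointee stays valid. Registry, Unit, load_unit, the two walk functions and the "a.c"/"dwo:" sample data are all constructed for the example; reserve(3) exists only so the first append reallocates deterministically.

```cpp
// Added example (not gdb code): a model of the bug class shown by the ASan
// report, a std::vector<std::unique_ptr<T>> reallocating while a caller still
// holds a pointer to one of its slots. All names here are constructed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Unit {
    std::string name;
    bool expanded = false;
    explicit Unit(std::string n) : name(std::move(n)) {}
};

struct Registry {
    std::vector<std::unique_ptr<Unit>> units;  // slots live in one contiguous buffer
};

// Constructed sample: three units with capacity exactly 3, so the first append
// forces a reallocation (the _M_realloc_insert frame in the freed-by stack).
static Registry make_registry() {
    Registry reg;
    reg.units.reserve(3);
    for (const char *n : {"a.c", "b.c", "c.c"})
        reg.units.push_back(std::make_unique<Unit>(n));
    return reg;
}

// Expanding a unit may discover a dependent unit and append it (the role
// add_type_unit plays in the report). Appending past capacity moves every
// slot to a new buffer and frees the old one.
static void load_unit(Registry &reg, Unit &u) {
    u.expanded = true;
    if (u.name.rfind("dwo:", 0) == 0)
        return;                                    // leaf: nothing further to add
    reg.units.push_back(std::make_unique<Unit>("dwo:" + u.name));
}

// The hazardous pattern, instrumented rather than executed: keep a pointer to
// the slot (unique_ptr*) across a call that can reallocate. Reading
// slot->get() afterwards is the 8-byte READ in the report. Here the old slot
// address is kept only as an integer, so nothing freed is ever dereferenced.
static bool walk_holding_slot_pointer(Registry &reg) {
    bool buffer_moved = false;
    for (std::size_t i = 0; i < reg.units.size(); ++i) {
        std::unique_ptr<Unit> *slot = &reg.units[i];
        auto before = reinterpret_cast<std::uintptr_t>(slot);
        load_unit(reg, **slot);                    // may reallocate: `slot` now dangles
        auto after = reinterpret_cast<std::uintptr_t>(&reg.units[i]);
        if (before != after)
            buffer_moved = true;                   // slot->get() here would be the UAF
    }
    return buffer_moved;
}

// Hardened walk: the Unit object has a stable address (its own heap block, not
// the vector's buffer), so hold that, and re-index the vector by position
// after any call that may grow it instead of reusing a slot pointer.
static std::size_t walk_by_index(Registry &reg) {
    std::size_t expanded = 0;
    for (std::size_t i = 0; i < reg.units.size(); ++i) {
        Unit *u = reg.units[i].get();              // pointee pointer, not slot pointer
        load_unit(reg, *u);
        if (reg.units[i].get() == u && u->expanded) // re-fetch the slot by index
            ++expanded;
    }
    return expanded;
}

// Results on the constructed registry: the unsafe walk observes a buffer move
// on its first iteration; the safe walk expands the three original units and
// the three dependents they add (6 in total) without touching a stale slot.
static bool demo_unsafe_walk_moves_buffer() {
    Registry reg = make_registry();
    return walk_holding_slot_pointer(reg);
}

static std::size_t demo_safe_walk_expanded_count() {
    Registry reg = make_registry();
    return walk_by_index(reg);
}

int main() {
    std::printf("buffer moved during unsafe walk: %s\n",
                demo_unsafe_walk_moves_buffer() ? "yes" : "no");
    std::printf("units expanded by safe walk: %zu\n", demo_safe_walk_expanded_count());
    return 0;
}
```

The instrumented walk deliberately never dereferences the stale slot, so it runs clean under AddressSanitizer; swapping the integer comparison for `slot->get()` reproduces the report's heap-use-after-free on the first iteration, which is the quickest way to confirm a fix of this shape with `-fsanitize=address`.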