From: ssbssa at sourceware dot org
To: gdb-prs@sourceware.org
Subject: [Bug python/28856] Python pretty printer causes stack overflow when printing frame arguments
Date: Thu, 03 Feb 2022 19:01:52 +0000
X-Bugzilla-Product: gdb
X-Bugzilla-Component: python
X-Bugzilla-Version: HEAD
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Changed-Fields: cc

https://sourceware.org/bugzilla/show_bug.cgi?id=28856

Hannes Domani changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ssbssa at sourceware dot org

--- Comment #1 from Hannes Domani ---
On Windows I get a use-after-free of a frame_info pointer.
It happens because the target function call gdb.parse_and_eval('$__cat->name()')
leads to reinit_frame_cache(), and print_frame_info() continues on with that
now stale 'frame' pointer.
Full stack traces:

> unhandled exception code: 0xC0000005 (ACCESS_VIOLATION)
> exception on: '1 [4648]'
> 0x000000013F350000 C:\gdb\build64\gdb-git-python\gdb\gdb.exe
> 0x000000013F4A5687 C:\src\repos\binutils-gdb.git\gdb\frame.c:2545:3 [get_frame_pc_if_available(frame_info*, unsigned long long*)]
> 0x000000013F5F7E57 C:\src\repos\binutils-gdb.git\gdb\stack.c:1201:37 [print_frame_info(frame_print_options const&, frame_info*, int, print_what, int, int)]
> 0x000000013F5F887F C:\src\repos\binutils-gdb.git\gdb\stack.c:366:24 [print_stack_frame(frame_info*, int, print_what, int)]
> 0x000000013F4F5A97 C:\src\repos\binutils-gdb.git\gdb\infrun.c:8420:23 [print_stop_location]
>                    C:\src\repos\binutils-gdb.git\gdb\infrun.c:8436:25 [print_stop_event(ui_out*, bool)]
> 0x000000013F6630BD C:\src\repos\binutils-gdb.git\gdb\tui\tui-interp.c:99:19 [tui_on_normal_stop]
> 0x000000013F4F6F4F c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function::operator()(bpstats*, int) const]
>                    c:\src\repos\binutils-gdb.git\gdbsupport\observable.h:150:9 [gdb::observers::observable::notify(bpstats*, int) const]
>                    C:\src\repos\binutils-gdb.git\gdb\infrun.c:8705:40 [normal_stop()]
> 0x000000013F502B42 C:\src\repos\binutils-gdb.git\gdb\infrun.c:4157:29 [fetch_inferior_event()]
> 0x000000013F3885FA C:\src\repos\binutils-gdb.git\gdb\async-event.c:335:31 [check_async_event_handlers()]
> 0x000000013F795901 C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:216:37 [gdb_do_one_event()]
> 0x000000013F64CD5B C:\src\repos\binutils-gdb.git\gdb\top.c:529:27 [wait_sync_command_done()]
> 0x000000013F64D650 C:\src\repos\binutils-gdb.git\gdb\top.c:546:28 [maybe_wait_sync_command_done(int)]
>                    C:\src\repos\binutils-gdb.git\gdb\top.c:687:36 [execute_command(char const*, int)]
> 0x000000013F5213BB C:\src\repos\binutils-gdb.git\gdb\main.c:523:15 [catch_command_errors]
> 0x000000013F5214E5 C:\src\repos\binutils-gdb.git\gdb\main.c:618:30 [execute_cmdargs]
> 0x000000013F524693 C:\src\repos\binutils-gdb.git\gdb\main.c:1322:19 [captured_main_1]
> 0x000000013F5250FC C:\src\repos\binutils-gdb.git\gdb\main.c:1343:19 [captured_main]
>                    C:\src\repos\binutils-gdb.git\gdb\main.c:1368:21 [gdb_main(captured_main_args*)]
> 0x000000013FA3C146 C:\src\repos\binutils-gdb.git\gdb\gdb.c:32:19 [main]
> 0x000000013F351430 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
> 0x000000013F3515B5 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
>
> read access violation at 0x000000039C0B0190
> freed block 0x000000039C0B0020 (size 4064, offset +368)
>
> allocated on: (#180516) '1 [4648]'
> [malloc]
> 0x000000013F350000 C:\gdb\build64\gdb-git-python\gdb\gdb.exe
> 0x000000013F37AEFB C:\src\repos\binutils-gdb.git\gdb\alloc.c:60:16 [xmalloc]
> 0x000000013F7B8E34 C:\src\repos\binutils-gdb.git\libiberty\obstack.c:94:12 [call_chunkfun]
>                    C:\src\repos\binutils-gdb.git\libiberty\obstack.c:141:37 [_obstack_begin_worker]
> 0x000000013F4A504B C:\src\repos\binutils-gdb.git\gdb\frame.c:2000:3 [reinit_frame_cache()]
> 0x000000013F4FF614 C:\src\repos\binutils-gdb.git\gdb\infrun.c:6021:18 [handle_signal_stop]
> 0x000000013F5012A0 C:\src\repos\binutils-gdb.git\gdb\infrun.c:4500:26 [handle_stop_requested]
>                    C:\src\repos\binutils-gdb.git\gdb\infrun.c:4494:1 [handle_stop_requested]
>                    C:\src\repos\binutils-gdb.git\gdb\infrun.c:5765:33 [handle_inferior_event]
> 0x000000013F502A44 C:\src\repos\binutils-gdb.git\gdb\infrun.c:4121:27 [fetch_inferior_event()]
> 0x000000013F3885FA C:\src\repos\binutils-gdb.git\gdb\async-event.c:335:31 [check_async_event_handlers()]
> 0x000000013F795901 C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:216:37 [gdb_do_one_event()]
> 0x000000013F64CD5B C:\src\repos\binutils-gdb.git\gdb\top.c:529:27 [wait_sync_command_done()]
> 0x000000013F64D650 C:\src\repos\binutils-gdb.git\gdb\top.c:546:28 [maybe_wait_sync_command_done(int)]
>                    C:\src\repos\binutils-gdb.git\gdb\top.c:687:36 [execute_command(char const*, int)]
> 0x000000013F5213BB C:\src\repos\binutils-gdb.git\gdb\main.c:523:15 [catch_command_errors]
> 0x000000013F5214E5 C:\src\repos\binutils-gdb.git\gdb\main.c:618:30 [execute_cmdargs]
> 0x000000013F524693 C:\src\repos\binutils-gdb.git\gdb\main.c:1322:19 [captured_main_1]
> 0x000000013F5250FC C:\src\repos\binutils-gdb.git\gdb\main.c:1343:19 [captured_main]
>                    C:\src\repos\binutils-gdb.git\gdb\main.c:1368:21 [gdb_main(captured_main_args*)]
> 0x000000013FA3C146 C:\src\repos\binutils-gdb.git\gdb\gdb.c:32:19 [main]
> 0x000000013F351430 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
> 0x000000013F3515B5 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
>
> freed on: '1 [4648]'
> [free]
> 0x000000013F350000 C:\gdb\build64\gdb-git-python\gdb\gdb.exe
> 0x000000013F7B9051 C:\src\repos\binutils-gdb.git\libiberty\obstack.c:103:5 [call_freefun]
>                    C:\src\repos\binutils-gdb.git\libiberty\obstack.c:280:7 [_obstack_free]
> 0x000000013F4A502B C:\src\repos\binutils-gdb.git\gdb\frame.c:1999:3 [reinit_frame_cache()]
> 0x000000013F4FAE4A C:\src\repos\binutils-gdb.git\gdb\infrun.c:3130:25 [proceed(unsigned long long, gdb_signal)]
> 0x000000013F4E4C9B C:\src\repos\binutils-gdb.git\gdb\infcall.c:611:15 [run_inferior_call]
>                    C:\src\repos\binutils-gdb.git\gdb\infcall.c:1277:27 [call_function_by_hand_dummy(value*, type*, gdb::array_view, void (*)(void*, int), void*)]
> 0x000000013F4E606A C:\src\repos\binutils-gdb.git\gdb\infcall.c:742:38 [call_function_by_hand(value*, type*, gdb::array_view)]
> 0x000000013F489AE9 C:\src\repos\binutils-gdb.git\gdb\eval.c:674:36 [evaluate_subexp_do_call(expression*, noside, value*, gdb::array_view, char const*, type*)]
> 0x000000013F48CEFA C:\src\repos\binutils-gdb.git\gdb\eval.c:966:34 [expr::structop_base_operation::evaluate_funcall(type*, expression*, noside, std::vector >, std::allocator > > > const&)]
> 0x000000013F920A29 C:\src\repos\binutils-gdb.git\gdb\expop.h:2178:54 [expr::funcall_operation::evaluate(type*, expression*, noside)]
> 0x000000013F48891B C:\src\repos\binutils-gdb.git\gdb\eval.c:101:39 [expression::evaluate(type*, noside)]
> 0x000000013F488BB9 C:\src\repos\binutils-gdb.git\gdb\eval.c:115:24 [evaluate_expression(expression*, type*)]
>                    C:\src\repos\binutils-gdb.git\gdb\eval.c:74:30 [parse_and_eval(char const*)]
> 0x000000013F59B899 C:\src\repos\binutils-gdb.git\gdb\python\python.c:945:31 [gdbpy_parse_and_eval]
> 0x0000000069E90000 c:\gdb\gdb-libs64\Python27\python27.dll
> 0x0000000069F88EA8 [PyCFunction_Call]
> 0x0000000069FEDFA7 [PyEval_GetFuncDesc]
> 0x0000000069FEB49A [PyEval_EvalFrameEx]
> 0x0000000069FEE177 [PyEval_GetFuncDesc]
> 0x0000000069FEE02E [PyEval_GetFuncDesc]
> 0x0000000069FEB49A [PyEval_EvalFrameEx]
> 0x0000000069FECA10 [PyEval_EvalCodeEx]
> 0x0000000069F77037 [PyFunction_SetClosure]
> 0x0000000069F42D22 [PyObject_Call]
> 0x0000000069F575D8 [PyMethod_New]
> 0x0000000069F42D22 [PyObject_Call]
> 0x0000000069F4359B [PyObject_CallMethodObjArgs]
> 0x000000013F350000 C:\gdb\build64\gdb-git-python\gdb\gdb.exe
> 0x000000013F589B6E C:\src\repos\binutils-gdb.git\gdb\python\py-prettyprint.c:200:17 [pretty_print_one_value]
> 0x000000013F589CB5 C:\src\repos\binutils-gdb.git\gdb\python\py-prettyprint.c:286:69 [print_string_repr]
>                    C:\src\repos\binutils-gdb.git\gdb\python\py-prettyprint.c:636:36 [gdbpy_apply_pretty_printer]
> 0x000000013F58A934 C:\src\repos\binutils-gdb.git\gdb\python\py-prettyprint.c:620:36 [gdbpy_apply_val_pretty_printer(extension_language_defn const*, value*, ui_file*, int, value_print_options const*, language_defn const*)]
> 0x000000013F493319 C:\src\repos\binutils-gdb.git\gdb\extension.c:488:51 [apply_ext_lang_val_pretty_printer(value*, ui_file*, int, value_print_options const*, language_defn const*)]
> 0x000000013F68B755 C:\src\repos\binutils-gdb.git\gdb\valprint.c:1028:47 [do_val_print]
> 0x000000013F5F5A06 C:\src\repos\binutils-gdb.git\gdb\stack.c:489:33 [print_frame_arg]
> 0x000000013F5F680C C:\src\repos\binutils-gdb.git\gdb\stack.c:893:22 [print_frame_args]
> 0x000000013F5F82E0 C:\src\repos\binutils-gdb.git\gdb\stack.c:1407:25 [print_frame]
>                    C:\src\repos\binutils-gdb.git\gdb\stack.c:1124:17 [print_frame_info(frame_print_options const&, frame_info*, int, print_what, int, int)]
> 0x000000013F5F887F C:\src\repos\binutils-gdb.git\gdb\stack.c:366:24 [print_stack_frame(frame_info*, int, print_what, int)]
> 0x000000013F4F5A97 C:\src\repos\binutils-gdb.git\gdb\infrun.c:8420:23 [print_stop_location]
>                    C:\src\repos\binutils-gdb.git\gdb\infrun.c:8436:25 [print_stop_event(ui_out*, bool)]
> 0x000000013F6630BD C:\src\repos\binutils-gdb.git\gdb\tui\tui-interp.c:99:19 [tui_on_normal_stop]
> 0x000000013F4F6F4F c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function::operator()(bpstats*, int) const]
>                    c:\src\repos\binutils-gdb.git\gdbsupport\observable.h:150:9 [gdb::observers::observable::notify(bpstats*, int) const]
>                    C:\src\repos\binutils-gdb.git\gdb\infrun.c:8705:40 [normal_stop()]
> 0x000000013F502B42 C:\src\repos\binutils-gdb.git\gdb\infrun.c:4157:29 [fetch_inferior_event()]
> 0x000000013F3885FA C:\src\repos\binutils-gdb.git\gdb\async-event.c:335:31 [check_async_event_handlers()]
> 0x000000013F795901 C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:216:37 [gdb_do_one_event()]
> 0x000000013F64CD5B C:\src\repos\binutils-gdb.git\gdb\top.c:529:27 [wait_sync_command_done()]
> 0x000000013F64D650 C:\src\repos\binutils-gdb.git\gdb\top.c:546:28 [maybe_wait_sync_command_done(int)]
>                    C:\src\repos\binutils-gdb.git\gdb\top.c:687:36 [execute_command(char const*, int)]
> 0x000000013F5213BB C:\src\repos\binutils-gdb.git\gdb\main.c:523:15 [catch_command_errors]
> 0x000000013F5214E5 C:\src\repos\binutils-gdb.git\gdb\main.c:618:30 [execute_cmdargs]
> 0x000000013F524693 C:\src\repos\binutils-gdb.git\gdb\main.c:1322:19 [captured_main_1]
> 0x000000013F5250FC C:\src\repos\binutils-gdb.git\gdb\main.c:1343:19 [captured_main]
>                    C:\src\repos\binutils-gdb.git\gdb\main.c:1368:21 [gdb_main(captured_main_args*)]
> 0x000000013FA3C146 C:\src\repos\binutils-gdb.git\gdb\gdb.c:32:19 [main]
> 0x000000013F351430 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
> 0x000000013F3515B5 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]

-- 
You are receiving this mail because:
You are on the CC list for the bug.
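The mechanism the comment above describes, as an added example that is not gdb's code and not part of this bug report: a constructed miniature of the frame cache in C, where the callback standing in for gdb.parse_and_eval('$__cat->name()') frees and rebuilds the cache, and the caller avoids the stale frame_info pointer by capturing a level-plus-generation handle before the callback and re-resolving it afterwards. The cache layout, the generation counter and the sample pc values are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed miniature of the frame cache (assumption: not gdb's own code).
   One allocation that reinit_frame_cache() frees and rebuilds, like the obstack
   in the trace above; the generation counter is added for the fix. */
typedef struct { int level; unsigned long pc; } frame_info;
typedef struct { int level; unsigned generation; } frame_handle;
static frame_info *frame_cache;    /* NULL until first use */
static size_t nframes;
static unsigned cache_generation;  /* bumped on every reinit */
void reinit_frame_cache(void)
{
    free(frame_cache);             /* every frame_info* held by callers now dangles */
    nframes = 3;
    frame_cache = calloc(nframes, sizeof *frame_cache);
    for (size_t i = 0; i < nframes; i++) {
        frame_cache[i].level = (int)i;
        frame_cache[i].pc = 0x1000 + 0x10 * i;   /* constructed sample pcs */
    }
    cache_generation++;
}
frame_info *get_current_frame(void) { if (!frame_cache) reinit_frame_cache(); return &frame_cache[0]; }
/* Re-resolve a level+generation handle after anything that may reinit the cache;
   a raw frame_info* captured earlier would be stale. */
frame_info *frame_handle_resolve(frame_handle h, bool *was_stale)
{
    *was_stale = (h.generation != cache_generation);
    if (frame_cache == NULL || h.level < 0 || (size_t)h.level >= nframes) return NULL;
    return &frame_cache[h.level];
}
/* Stands in for the printer's gdb.parse_and_eval('$__cat->name()'): the inferior
   call reaches proceed(), which reinitialises the cache. */
static void pretty_printer_callback(void) { reinit_frame_cache(); }
/* print_frame_info() pattern with the fix: take a handle before the callback and
   re-resolve afterwards instead of dereferencing the old pointer. */
unsigned long print_frame_info_safe(frame_info *frame, bool *was_stale)
{
    frame_handle h = { frame->level, cache_generation };
    pretty_printer_callback();     /* 'frame' is freed in here */
    frame_info *fresh = frame_handle_resolve(h, was_stale);
    return fresh != NULL ? fresh->pc : 0;
}
/* Scenario runner: 1 if the stale handle was detected and re-resolved correctly. */
int demo(void)
{
    bool stale = false;
    unsigned long pc = print_frame_info_safe(get_current_frame(), &stale);
    return stale && pc == 0x1000;
}
```

The same scenario with the original pattern (keeping and dereferencing `frame` after the callback) is exactly the read of a freed block that the trace reports under `freed on:`.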