* [Bug python/30044] Flawed logic when releasing values from all_values buffer
2023-01-24 18:59 [Bug python/30044] New: Flawed logic when releasing values from all_values buffer ssbssa at sourceware dot org
@ 2023-01-24 19:00 ` ssbssa at sourceware dot org
2023-01-24 19:01 ` ssbssa at sourceware dot org
` (14 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: ssbssa at sourceware dot org @ 2023-01-24 19:00 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=30044
--- Comment #1 from Hannes Domani <ssbssa at sourceware dot org> ---
Created attachment 14614
--> https://sourceware.org/bugzilla/attachment.cgi?id=14614&action=edit
reproducer C source
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread
From: ssbssa at sourceware dot org @ 2023-01-24 19:01 UTC
--- Comment #2 from Hannes Domani <ssbssa at sourceware dot org> ---
Created attachment 14615
--> https://sourceware.org/bugzilla/attachment.cgi?id=14615&action=edit
reproducer crash 1 python code
From: ssbssa at sourceware dot org @ 2023-01-24 19:01 UTC
--- Comment #3 from Hannes Domani <ssbssa at sourceware dot org> ---
Created attachment 14616
--> https://sourceware.org/bugzilla/attachment.cgi?id=14616&action=edit
reproducer crash 2 python code
From: ssbssa at sourceware dot org @ 2023-01-24 19:02 UTC
--- Comment #4 from Hannes Domani <ssbssa at sourceware dot org> ---
Created attachment 14617
--> https://sourceware.org/bugzilla/attachment.cgi?id=14617&action=edit
crash 1 info
From: ssbssa at sourceware dot org @ 2023-01-24 19:02 UTC
--- Comment #5 from Hannes Domani <ssbssa at sourceware dot org> ---
Created attachment 14618
--> https://sourceware.org/bugzilla/attachment.cgi?id=14618&action=edit
crash 2 info
From: ssbssa at sourceware dot org @ 2023-01-24 19:03 UTC
Hannes Domani <ssbssa at sourceware dot org> changed:
What                        |Removed          |Added
----------------------------+-----------------+-----------
Attachment #14615 mime type |text/x-modelica  |text/plain
From: ssbssa at sourceware dot org @ 2023-01-24 19:04 UTC
Hannes Domani <ssbssa at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ssbssa at sourceware dot org
From: tromey at sourceware dot org @ 2023-01-24 19:07 UTC
Tom Tromey <tromey at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tromey at sourceware dot org
From: tromey at sourceware dot org @ 2023-01-30 22:16 UTC
--- Comment #6 from Tom Tromey <tromey at sourceware dot org> ---
I apparently knew about this problem in the relatively recent past:
commit 42331a1ea2a13ce15ec202c5f0fbef3e5171253c
Author: Tom Tromey <tom@tromey.com>
Date: Fri Mar 13 17:39:52 2020 -0600
Change extension language pretty-printers to use value API
This changes the extension language pretty-printers to use the value
API.
Note that new functions were needed, for both Guile and Python.
Currently both languages always wrap values by removing the values
from the value chain. This makes sense to avoid strange behavior with
watchpoints, and to avoid excessive memory use. However, when
printing, it's important to leave the passed-in value untouched, in
case pretty-printing does nothing -- that way the caller can still
access it.
This was part of the val_print removal series.
From: tromey at sourceware dot org @ 2023-01-30 23:22 UTC
--- Comment #7 from Tom Tromey <tromey at sourceware dot org> ---
It seems to me that there are two competing wishes here.
On the one hand, removing values from the chain was done to
avoid memory issues. Suppose you have a command written in
Python and it does a lot of value-based processing. Formerly,
nothing ever cleared these values from the chain until the command
returned. So, you could wind up allocating huge amounts of memory.
See bug #12533
On the other hand, code should not generally care if a value
API returns a new value or not. This came up for value_cast
but it could be anywhere.
Actually there's also a third issue, which is that the Python
layer can end up freeing values from the chain while they are
still in use.
For item 3 I suspect the best answer is to use value_ref_ptr
everywhere. That way code will generally have a strong reference
to any value it uses. This is pretty large.
For items 1 and 2 I wonder if it would work for each Python
Value API to use scoped_value_mark at the start. The idea
here is that any new values created would be released from the
chain, but older ones would not be. In conjunction with this,
value_to_value_object would stop releasing values from the chain.
From: tromey at sourceware dot org @ 2023-01-31 1:46 UTC
--- Comment #8 from Tom Tromey <tromey at sourceware dot org> ---
It looks like this transform was already done in a number of spots,
so I feel maybe this is the right track.
From: tromey at sourceware dot org @ 2023-01-31 2:04 UTC
--- Comment #9 from Tom Tromey <tromey at sourceware dot org> ---
Created attachment 14643
--> https://sourceware.org/bugzilla/attachment.cgi?id=14643&action=edit
patch
I have a patch that seems to fix both of these.
Can you try this?
If it works I'll turn your crasher into a test case.
From: ssbssa at sourceware dot org @ 2023-01-31 18:29 UTC
--- Comment #10 from Hannes Domani <ssbssa at sourceware dot org> ---
(In reply to Tom Tromey from comment #9)
> Created attachment 14643 [details]
> patch
>
> I have a patch that seems to fix both of these.
> Can you try this?
> If it works I'll turn your crasher into a test case.
Yes, with this applied there are no more crashes.
From: tromey at sourceware dot org @ 2023-02-11 1:13 UTC
--- Comment #11 from Tom Tromey <tromey at sourceware dot org> ---
https://sourceware.org/pipermail/gdb-patches/2023-February/196921.html
From: cvs-commit at gcc dot gnu.org @ 2023-02-27 22:56 UTC
--- Comment #12 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tom Tromey <tromey@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f3d3bbbcdd8af6295458eee3b023447c13edabd3
commit f3d3bbbcdd8af6295458eee3b023447c13edabd3
Author: Tom Tromey <tom@tromey.com>
Date: Wed Feb 8 13:59:36 2023 -0700
Fix value chain use-after-free
Hannes filed a bug showing a crash, where a pretty-printer written in
Python could cause a use-after-free. He sent a patch, but I thought a
different approach was needed.
In a much earlier patch (see bug #12533), we changed the Python code
to release new values from the value chain when constructing a
gdb.Value. The rationale for this is that if you write a command that
does a lot of computations in a loop, all the values will be kept live
by the value chain, resulting in gdb using a large amount of memory.
However, suppose a value is passed to Python from some code in gdb
that needs to use the value after the call into Python. In this
scenario, value_to_value_object will still release the value -- and
because gdb code doesn't generally keep strong references to values (a
consequence of the ancient decision to use the value chain to avoid
memory management), this will result in a use-after-free.
This scenario can happen, as it turns out, when a value is passed to
Python for pretty-printing. Now, normally this route boxes the value
via value_to_value_object_no_release, avoiding the problematic release
from the value chain. However, if you then call Value.cast, the
underlying value API might return the same value, which is then
released from the chain.
This patch fixes the problem by changing how value boxing is done.
value_to_value_object no longer removes a value from the chain.
Instead, every spot in gdb that might construct new values uses a
scoped_value_mark to ensure that the requirements of bug #12533 are
met. And, because incoming values aren't ever released from the chain
(the Value.cast one comes earlier on the chain than the
scoped_value_mark), the bug can no longer occur. (Note that many
spots in the Python layer already take this approach, so not many
places needed to be touched.)
In the future I think we should replace the use of raw "value *" with
value_ref_ptr pretty much everywhere. This will ensure lifetime
safety throughout gdb.
The test case in this patch comes from Hannes' original patch. I only
made a trivial ("require") change to it. However, while this fails
for him, I can't make it fail on this machine; nevertheless, he tried
my patch and reported the bug as being fixed.
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30044
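Added example, not gdb's code and not the patch from this thread: a scaled-down C++ model of the value-chain mechanics that comment #7 and the commit message above describe. The names allocate_value, release_value, value_mark, value_free_to_mark, scoped_value_mark, value_ref_ptr and all_values follow gdb's, but their bodies here are simplified stand-ins; value_cast_same_type, value_add, box_old, box_new, value_object, arena and live are constructed for the demo. box_old models the old value_to_value_object (release the value from the chain), box_new the fixed one (add a reference and leave the chain alone), and the last function checks that a scoped_value_mark per API call still meets the bug #12533 requirement that a loop of computations does not pile values up on the chain.

```cpp
// Added example, not gdb's code: a scaled-down model of gdb's value chain and
// reference counting, showing why releasing an incoming value from the chain
// inside value_to_value_object leaves the C++ caller dangling, and how boxing
// without release plus a scoped_value_mark at the API boundary avoids that.
#include <algorithm>
#include <cstddef>
#include <deque>
#include <set>
#include <vector>

struct Value {
  long contents;
  int refcount;  // one reference held by the chain, plus one per value_ref_ptr
};
static std::deque<Value> arena;          // stable addresses; real gdb heap-allocates
static std::vector<Value *> all_values;  // the value chain, newest at the back
static std::set<Value *> live;           // demo bookkeeping: values not yet freed
static void value_decref(Value *v) {
  if (--v->refcount == 0)
    live.erase(v);  // real gdb deletes the object here; the demo only records it
}

// Strong owner standing in for gdb's value_ref_ptr (move-only to keep it short).
class value_ref_ptr {
 public:
  explicit value_ref_ptr(Value *v, bool adopt = false) : v_(v) {
    if (!adopt) ++v_->refcount;  // adopt: take over a reference already counted
  }
  value_ref_ptr(value_ref_ptr &&o) noexcept : v_(o.v_) { o.v_ = nullptr; }
  ~value_ref_ptr() { if (v_) value_decref(v_); }
 private:
  Value *v_;
};

// Every new value lands on the chain, which holds the initial reference.
static Value *allocate_value(long contents) {
  arena.push_back(Value{contents, 1});
  Value *v = &arena.back();
  all_values.push_back(v);
  live.insert(v);
  return v;
}
// value_mark / value_free_to_mark give the chain its stack discipline;
// scoped_value_mark is the RAII form used at API boundaries.
static std::size_t value_mark() { return all_values.size(); }
static void value_free_to_mark(std::size_t mark) {
  while (all_values.size() > mark) {
    Value *v = all_values.back();
    all_values.pop_back();
    value_decref(v);
  }
}
struct scoped_value_mark {
  std::size_t mark = value_mark();
  ~scoped_value_mark() { value_free_to_mark(mark); }
};
// release_value: take the value off the chain and hand its reference to the caller.
static value_ref_ptr release_value(Value *v) {
  auto it = std::find(all_values.begin(), all_values.end(), v);
  if (it == all_values.end()) return value_ref_ptr(v);  // already off the chain: add a ref
  all_values.erase(it);
  return value_ref_ptr(v, /*adopt=*/true);
}

// Stand-ins for the value API called from Python: a same-type cast may return
// its argument unchanged (the case in the commit message); add creates a new value.
static Value *value_cast_same_type(Value *v) { return v; }
static Value *value_add(Value *a, long b) { return allocate_value(a->contents + b); }
struct value_object { value_ref_ptr ref; };  // the gdb.Value wrapper
// OLD boxing: releases the value from the chain, whoever else still uses it.
static value_object box_old(Value *v) { return value_object{release_value(v)}; }
// NEW boxing: only adds a reference; the chain keeps its own.
static value_object box_new(Value *v) { return value_object{value_ref_ptr(v)}; }

// A pretty-printer call: gdb hands in v, Python calls Value.cast on it, the
// wrapper dies when the Python call returns, and gdb then uses v again.
static bool old_scheme_keeps_caller_value_alive() {
  Value *v = allocate_value(42);
  { value_object w = box_old(value_cast_same_type(v)); (void)w; }
  return live.count(v) == 1;  // false: the wrapper owned the only reference
}
static bool new_scheme_keeps_caller_value_alive() {
  Value *v = allocate_value(42);
  {
    scoped_value_mark mark;  // frees only values created after this point
    value_object w = box_new(value_cast_same_type(v)); (void)w;
  }
  return live.count(v) == 1;  // true: v predates the mark and was never released
}
// The bug #12533 requirement: a loop of computations must not pile up on the chain.
static std::size_t chain_growth_with_mark(int iterations) {
  Value *v = allocate_value(0);
  std::size_t before = all_values.size();
  for (int i = 0; i < iterations; ++i) {
    scoped_value_mark mark;
    value_object w = box_new(value_add(v, i)); (void)w;
  }
  return all_values.size() - before;  // 0: each iteration's temporaries were freed
}
```

Freed values are recorded in the live set instead of being deleted, so the demo reports the dangling caller pointer as a plain false return from old_scheme_keeps_caller_value_alive rather than as actual undefined behaviour; new_scheme_keeps_caller_value_alive returns true and chain_growth_with_mark returns 0 for any iteration count, which is the combination the fix in this thread is after.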
From: tromey at sourceware dot org @ 2023-02-27 22:57 UTC
Tom Tromey <tromey at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Target Milestone|--- |14.1
Status|NEW |RESOLVED
--- Comment #13 from Tom Tromey <tromey at sourceware dot org> ---
Fixed.