From: "etesta at undo dot io" <gdb-prs@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug tui/30056] New: double free when using reverse-search for a previous command and Ctrl-C
Date: Thu, 26 Jan 2023 17:47:28 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30056

            Bug ID: 30056
           Summary: double free when using reverse-search for a previous
                    command and Ctrl-C
           Product: gdb
           Version: 12.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tui
          Assignee: unassigned at sourceware dot org
          Reporter: etesta at undo dot io
  Target Milestone: ---

The sequence of actions to load a program: "gdb my_file" and then

1) (gdb) start
2) (gdb) layout src
3) Ctrl-r - type anything
4) right arrow
5) Ctrl-C

the following message appears on the screen (tested with 9.2, 10.2 and 12.1):

(gdb) free(): double free detected in tcache 2
Fatal signal: Segmentation fault (core dumped)

A bit of analysis showed the following:

Before the signal is delivered gdb is in __libc_read() as part of the isearch() stack:

#0  __libc_read (nbytes=1, buf=0x7ffcca50d2f0, fd=0) at ../sysdeps/unix/sysv/linux/read.c:26
#1  __libc_read (fd=0, buf=buf@entry=0x7ffcca50d2f0, nbytes=nbytes@entry=1) at ../sysdeps/unix/sysv/linux/read.c:24
#2  0x00007f9a63a1fdf7 in fifo_push (sp=0xd5d5c00) at .././ncurses-6.3/ncurses/base/lib_getch.c:349
#3  kgetch (forever=, sp=0xd5d5c00) at .././ncurses-6.3/ncurses/base/lib_getch.c:733
#4  _nc_wgetch (win=win@entry=0xd36af90, result=result@entry=0x7ffcca50d3cc, use_meta=) at .././ncurses-6.3/ncurses/base/lib_getch.c:564
#5  0x00007f9a63a207d7 in wgetch (win=win@entry=0xd36af90) at .././ncurses-6.3/ncurses/base/lib_getch.c:694
#6  0x0000000000947735 in gdb_wgetch (win=0xd36af90) at .././gdb-10.2/gdb/tui/tui-io.c:681
#7  tui_getc_1 (fp=) at .././gdb-10.2/gdb/tui/tui-io.c:960
#8  tui_getc (fp=) at .././gdb-10.2/gdb/tui/tui-io.c:1039
#9  0x00000000009a3f45 in rl_read_key () at ../.././gdb-10.2/readline/readline/input.c:495
#10 rl_read_key () at ../.././gdb-10.2/readline/readline/input.c:455
#11 0x00000000009a408d in _rl_read_mbstring (first=, mb=mb@entry=0x3f967b0 "", mlen=mlen@entry=16) at ../.././gdb-10.2/readline/readline/input.c:686
#12 0x000000000099a259 in _rl_search_getchar (cxt=0x3f96740) at ../.././gdb-10.2/readline/readline/isearch.c:314
#13 0x000000000099b1d9 in _rl_isearch_callback (cxt=0x3f96740) at ../.././gdb-10.2/readline/readline/isearch.c:823
#14 0x00000000009a4546 in rl_callback_read_char () at ../.././gdb-10.2/readline/readline/callback.c:164
#15 0x00000000006b563e in gdb_rl_callback_read_char_wrapper_noexcept () at .././gdb-10.2/gdb/event-top.c:177
#16 0x00000000006b660e in gdb_rl_callback_read_char_wrapper (client_data=) at .././gdb-10.2/gdb/event-top.c:194
#17 0x00000000006b5580 in stdin_event_handler (error=, client_data=0x3f27170) at .././gdb-10.2/gdb/event-top.c:516
#18 0x0000000000dc21d5 in gdb_wait_for_event (block=block@entry=1) at .././gdb-10.2/gdbsupport/event-loop.cc:673
#19 0x0000000000dc22ad in gdb_wait_for_event (block=1) at .././gdb-10.2/gdbsupport/event-loop.cc:569
#20 gdb_do_one_event () at .././gdb-10.2/gdbsupport/event-loop.cc:215
#21 0x00000000007709e5 in start_event_loop () at .././gdb-10.2/gdb/main.c:356

The first free happens in _rl_scxt_dispose() as part of the following call stack:

#0  0x000000000099a1d2 in _rl_scxt_dispose (cxt=cxt@entry=0x3f96740, flags=flags@entry=0) at ../.././gdb-10.2/readline/readline/isearch.c:128
#1  0x000000000099aeb9 in _rl_isearch_cleanup (cxt=0x3f96740, r=r@entry=0) at ../.././gdb-10.2/readline/readline/isearch.c:768
#2  0x00000000009a4816 in rl_callback_sigcleanup () at ../.././gdb-10.2/readline/readline/callback.c:343
#3  0x00000000009a144f in _rl_handle_signal (sig=2) at ../.././gdb-10.2/readline/readline/signals.c:218
#4  0x00000000009a1504 in _rl_signal_handler (sig=) at ../.././gdb-10.2/readline/readline/signals.c:158
#5  0x00000000009a3eea in rl_read_key () at ../.././gdb-10.2/readline/readline/input.c:497
#6  rl_read_key () at ../.././gdb-10.2/readline/readline/input.c:455
#7  0x00000000009a408d in _rl_read_mbstring (first=, mb=mb@entry=0x3f967b0 "", mlen=mlen@entry=16) at ../.././gdb-10.2/readline/readline/input.c:686
#8  0x000000000099a259 in _rl_search_getchar (cxt=0x3f96740) at ../.././gdb-10.2/readline/readline/isearch.c:314
#9  0x000000000099b1d9 in _rl_isearch_callback (cxt=0x3f96740) at ../.././gdb-10.2/readline/readline/isearch.c:823
#10 0x00000000009a4546 in rl_callback_read_char () at ../.././gdb-10.2/readline/readline/callback.c:164
#11 0x00000000006b563e in gdb_rl_callback_read_char_wrapper_noexcept () at .././gdb-10.2/gdb/event-top.c:177
#12 0x00000000006b660e in gdb_rl_callback_read_char_wrapper (client_data=) at .././gdb-10.2/gdb/event-top.c:194
#13 0x00000000006b5580 in stdin_event_handler (error=, client_data=0x3f27170) at .././gdb-10.2/gdb/event-top.c:516
#14 0x0000000000dc21d5 in gdb_wait_for_event (block=block@entry=1) at .././gdb-10.2/gdbsupport/event-loop.cc:673
#15 0x0000000000dc22ad in gdb_wait_for_event (block=1) at .././gdb-10.2/gdbsupport/event-loop.cc:569
#16 gdb_do_one_event () at .././gdb-10.2/gdbsupport/event-loop.cc:215
#17 0x00000000007709e5 in start_event_loop () at .././gdb-10.2/gdb/main.c:356

The second free happens in _rl_scxt_dispose() again, but the call stack is different:

#0  _rl_scxt_dispose (cxt=cxt@entry=0x3f96740, flags=flags@entry=0) at ../.././gdb-10.2/readline/readline/isearch.c:125
#1  0x000000000099aeb9 in _rl_isearch_cleanup (cxt=0x3f96740, r=-1) at ../.././gdb-10.2/readline/readline/isearch.c:768
#2  0x000000000099b1fb in _rl_isearch_callback (cxt=) at ../.././gdb-10.2/readline/readline/isearch.c:827
#3  0x00000000009a4546 in rl_callback_read_char () at ../.././gdb-10.2/readline/readline/callback.c:164
#4  0x00000000006b563e in gdb_rl_callback_read_char_wrapper_noexcept () at .././gdb-10.2/gdb/event-top.c:177
#5  0x00000000006b660e in gdb_rl_callback_read_char_wrapper (client_data=) at .././gdb-10.2/gdb/event-top.c:194
#6  0x00000000006b5580 in stdin_event_handler (error=, client_data=0x3f27170) at .././gdb-10.2/gdb/event-top.c:516
#7  0x0000000000dc21d5 in gdb_wait_for_event (block=block@entry=1) at .././gdb-10.2/gdbsupport/event-loop.cc:673
#8  0x0000000000dc22ad in gdb_wait_for_event (block=1) at .././gdb-10.2/gdbsupport/event-loop.cc:569
#9  gdb_do_one_event () at .././gdb-10.2/gdbsupport/event-loop.cc:215
#10 0x00000000007709e5 in start_event_loop () at .././gdb-10.2/gdb/main.c:356

It looks like that, as part of the signal handling, the isearch context is being cleared up, and once the signal handler finishes the search fails (correctly) but it tries to free its own context again and thus it gets the double free.

I can provide more information if required. I have a GDB recording I can use to analyze the bug further if needed.

Best Regards
Emiliano

-- 
You are receiving this mail because:
You are on the CC list for the bug.
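The re-entrant cleanup the report describes, as an added C model that is not gdb's or readline's code: the signal-handler path and the normal callback path both reach the same dispose routine, and the hardened variant clears the global context pointer after disposing so the second path finds nothing to free. All names (search_ctx, live_ctx, run_scenario and the stand-in functions) are assumptions, and the signal is delivered with raise() so the interleaving is deterministic.

```c
/* Constructed model of the report: the SIGINT handler disposes the live
 * search context, then the interrupted normal path disposes it again.
 * Hypothetical names; this is not readline's or gdb's code. */
#include <signal.h>
#include <stdlib.h>
struct search_ctx { char *search_string; };
static struct search_ctx *live_ctx;  /* the one active search context */
static int dispose_calls;            /* how often it was released */
static int hardened;                 /* 0 = reproduce the bug, 1 = fixed */
/* Stand-in for _rl_scxt_dispose. A second call on the same block is the
 * double free glibc reports; here it is counted rather than executed. */
static void scxt_dispose(struct search_ctx *cxt)
{
    if (++dispose_calls > 1)
        return;                      /* would be free() of freed memory */
    free(cxt->search_string);
    free(cxt);
}
/* Stand-in for _rl_isearch_cleanup, reached from the handler and from the
 * normal path. The fix: drop the global reference once disposed. */
static void isearch_cleanup(void)
{
    scxt_dispose(live_ctx);
    if (hardened)
        live_ctx = NULL;             /* no dangling pointer survives */
}
/* Plays the role of rl_callback_sigcleanup: tear the search down in the handler. */
static void on_sigint(int sig) { (void)sig; isearch_cleanup(); }
/* Stand-in for _rl_isearch_callback: the read is interrupted (raise() runs
 * the handler synchronously), the search fails and the callback cleans up.
 * Unfixed, live_ctx is stale but non-NULL, so the guard does not help. */
static void isearch_callback(void)
{
    raise(SIGINT);
    if (live_ctx != NULL)
        isearch_cleanup();
}

/* One Ctrl-C-during-search run; returns the dispose count (2 = double free). */
int run_scenario(int harden)
{
    void (*old)(int) = signal(SIGINT, on_sigint);
    hardened = harden;
    dispose_calls = 0;
    live_ctx = calloc(1, sizeof *live_ctx);
    live_ctx->search_string = calloc(16, 1);
    isearch_callback();
    signal(SIGINT, old);
    return dispose_calls;
}
```

run_scenario(0) reproduces the report's two disposes of one context; run_scenario(1) shows that clearing the global reference inside the handler path leaves the later callback with nothing to free.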