[Bug threads/31003] New: Infinite loop iterating threads from a core file

[Bug threads/31003] New: Infinite loop iterating threads from a core file

[jan at jankratochvil dot net]

https://sourceware.org/bugzilla/show_bug.cgi?id=31003

            Bug ID: 31003
           Summary: Infinite loop iterating threads from a core file
           Product: gdb
           Version: 13.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: threads
          Assignee: unassigned at sourceware dot org
          Reporter: jan at jankratochvil dot net
  Target Milestone: ---

gdb-13.2-6.fc38.x86_64 (core.3363627)

GDB locks up forever loading a core file (I cannot provide the core file).

find_new_threads_callback() should have a protection against repeating
th_p.th_unique

#0  iterate_thread_list (ta=ta@entry=0x5652508b6600,
callback=callback@entry=0x56523b045b50
<find_new_threads_callback(td_thrhandle_t const*, void*)>,
cbdata_p=cbdata_p@entry=0x7ffdfea49210, state=state@entry=TD_THR_ANY_STATE,
ti_pri=ti_pri@entry=-20, head=0x7fc6fcaef0b8, fake_empty=<optimized out>) at
td_ta_thr_iter.c:98
#1  0x00007f13680cc01e in td_ta_thr_iter (ta_arg=0x5652508b6600,
callback=0x56523b045b50 <find_new_threads_callback(td_thrhandle_t const*,
void*)>, cbdata_p=0x7ffdfea49210, state=TD_THR_ANY_STATE, ti_pri=-20,
ti_sigmask_p=<optimized out>, ti_user_flags=4294967295) at td_ta_thr_iter.c:137
#2  0x000056523b0458b0 in find_new_threads_once
(info=info@entry=0x5652508b6570, iteration=iteration@entry=0,
errp=errp@entry=0x7ffdfea49274) at ../../gdb/linux-thread-db.c:1540

Thread 1 "gdb" hit Breakpoint 1, iterate_thread_list
(ta=ta@entry=0x5652508b6600, callback=callback@entry=0x56523b045b50
<find_new_threads_callback(td_thrhandle_t const*, void*)>, 
    cbdata_p=cbdata_p@entry=0x7ffdfea49210, state=state@entry=TD_THR_ANY_STATE,
ti_pri=ti_pri@entry=-20, head=0x7fc6fcaef0b8, fake_empty=<optimized out>) at
td_ta_thr_iter.c:98
98                if (callback (&th, cbdata_p) != 0)
(gdb) p th
$3 = {th_ta_p = 0x5652508b6600, th_unique = 0x7fc6fa03f580}
(gdb) c
Continuing.

Thread 1 "gdb" hit Breakpoint 1, iterate_thread_list
(ta=ta@entry=0x5652508b6600, callback=callback@entry=0x56523b045b50
<find_new_threads_callback(td_thrhandle_t const*, void*)>, 
    cbdata_p=cbdata_p@entry=0x7ffdfea49210, state=state@entry=TD_THR_ANY_STATE,
ti_pri=ti_pri@entry=-20, head=0x7fc6fcaef0b8, fake_empty=<optimized out>) at
td_ta_thr_iter.c:98
98                if (callback (&th, cbdata_p) != 0)
(gdb) p th
$4 = {th_ta_p = 0x5652508b6600, th_unique = 0x7fc6fcaeedf0}
(gdb) c
Continuing.

Thread 1 "gdb" hit Breakpoint 1, iterate_thread_list
(ta=ta@entry=0x5652508b6600, callback=callback@entry=0x56523b045b50
<find_new_threads_callback(td_thrhandle_t const*, void*)>, 
    cbdata_p=cbdata_p@entry=0x7ffdfea49210, state=state@entry=TD_THR_ANY_STATE,
ti_pri=ti_pri@entry=-20, head=0x7fc6fcaef0b8, fake_empty=<optimized out>) at
td_ta_thr_iter.c:98
98                if (callback (&th, cbdata_p) != 0)
(gdb) p th
$5 = {th_ta_p = 0x5652508b6600, th_unique = 0x7fc6fa03f580}

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug threads/31003] Infinite loop iterating threads from a core file

[jeremy.davies at gameloft dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31003

Jeremy Davies <jeremy.davies at gameloft dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeremy.davies at gameloft dot com

--- Comment #1 from Jeremy Davies <jeremy.davies at gameloft dot com> ---
I've seen exactly the same behaviour, with GDB 13.1

I'm likewise working with a core file, and during loading td_ta_thr_iter() gets
caught in an endless loop because - for whatever reason - 'next' never equals
the initial 'head'.
(In case this is relevant, the corefile was generated by a process running
under Kubernetes.)

The callback function find_new_threads_callback() simply ignores threads it has
already seen, and returns 0 to continue iteration... forever.

While investigating, I've forced the callback to return a nonzero value, and
the entire iteration fails, causing GDB to exit.

Looking at the implementation of td_ta_thr_iter(), it seems it doesn't
anticipate this situation, which I've seen in a number of corefiles.  It
doesn't have any loop detection of its own, and the callback return values
don't allow for a 'loop detected' indication that might be used to terminate
iteration without failing it entirely.

I note that hitting ctrl-C in GDB interrupts loading - leaving it without
complete thread info, but (at least in the corefiles I'm working with)
sufficiently intact in the 'current' thread to be able to examine stack traces
etc.
So, for what it's worth, abandoning thread discovery without aborting GDB
entirely looks like a viable response (with an appropriate warning message) to
this situation.

(The ability for GDB to detect & react to this by itself, rather than requiring
a manual intervention in the form of ctrl-C, comes into play when using e.g.
remote debugging.  I'm using VSCode remote debugging, which appears unable to
interrupt the remote GDB in this case - forcing me to manually run GDB & issue
ctrl-C, which isn't always possible.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug threads/31003] Infinite loop iterating threads from a core file

[jeremy.davies at gameloft dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31003

--- Comment #2 from Jeremy Davies <jeremy.davies at gameloft dot com> ---
Note the circular sequence of 'addr' (== 'next'), which never equals 'head'.

(gdb) c
Continuing.

Thread 1 "gdb" hit Breakpoint 4, iterate_thread_list (ta=0x562cbc360b60,
callback=0x562ca78120a0 <find_new_threads_callback(td_thrhandle_t const*,
void*)>, cbdata_p=0x7ffed27b0020, state=<optimized out>, ti_pri=-20,
    head=0x7f1dd677c0d8, fake_empty=<optimized out>) at
./nptl_db/td_ta_thr_iter.c:75
75      in ./nptl_db/td_ta_thr_iter.c
(gdb) p addr
$3 = (psaddr_t) 0x7f1dd5227640
(gdb) c
Continuing.

Thread 1 "gdb" hit Breakpoint 4, iterate_thread_list (ta=0x562cbc360b60,
callback=0x562ca78120a0 <find_new_threads_callback(td_thrhandle_t const*,
void*)>, cbdata_p=0x7ffed27b0020, state=<optimized out>, ti_pri=-20,
    head=0x7f1dd677c0d8, fake_empty=<optimized out>) at
./nptl_db/td_ta_thr_iter.c:75
75      in ./nptl_db/td_ta_thr_iter.c
(gdb) p addr
$4 = (psaddr_t) 0x7f1dd677be10
(gdb) c
Continuing.

Thread 1 "gdb" hit Breakpoint 4, iterate_thread_list (ta=0x562cbc360b60,
callback=0x562ca78120a0 <find_new_threads_callback(td_thrhandle_t const*,
void*)>, cbdata_p=0x7ffed27b0020, state=<optimized out>, ti_pri=-20,
    head=0x7f1dd677c0d8, fake_empty=<optimized out>) at
./nptl_db/td_ta_thr_iter.c:75
75      in ./nptl_db/td_ta_thr_iter.c
(gdb) p addr
$5 = (psaddr_t) 0x7f1dd5227640
(gdb) c
Continuing.

Thread 1 "gdb" hit Breakpoint 4, iterate_thread_list (ta=0x562cbc360b60,
callback=0x562ca78120a0 <find_new_threads_callback(td_thrhandle_t const*,
void*)>, cbdata_p=0x7ffed27b0020, state=<optimized out>, ti_pri=-20,
    head=0x7f1dd677c0d8, fake_empty=<optimized out>) at
./nptl_db/td_ta_thr_iter.c:75
75      in ./nptl_db/td_ta_thr_iter.c
(gdb) p addr
$6 = (psaddr_t) 0x7f1dd677be10
(gdb) p head
$7 = (psaddr_t) 0x7f1dd677c0d8

-- 
You are receiving this mail because:
You are on the CC list for the bug.