[Bug tdep/31071] New: [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[Bug tdep/31071] New: [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

            Bug ID: 31071
           Summary: [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp:
                    execve: syscall execve has returned
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: tdep
          Assignee: unassigned at sourceware dot org
          Reporter: vries at gcc dot gnu.org
  Target Milestone: ---

On a pinebook (aarch64 linux kernel, 32-bit user land) I run into:
...
(gdb) PASS: gdb.base/catch-syscall.exp: execve: syscall(s) execve appears in
'info breakpoints'
continue^M
Continuing.^M
^M
Catchpoint 18 (call to syscall execve), 0xf7726318 in execve () from
/lib/arm-linux-gnueabihf/libc.so.6^M
(gdb) PASS: gdb.base/catch-syscall.exp: execve: program has called execve
continue^M
Continuing.^M
process 32392 is executing new program:
/home/rock/gdb/build/gdb/testsuite/outputs/gdb.base/catch-syscall/catch-syscall^M
Cannot access memory at address 0xf77c6a7c^M
(gdb) FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned
...

The memory error is thrown by arm_linux_get_syscall_number, when doing:
...
     /* PC gets incremented before the syscall-stop, so read the                
         previous instruction.  */
      unsigned long this_instr =
        read_memory_unsigned_integer (pc - 4, 4, byte_order_for_code);
...

The reason is that we're stopped at the syscall exit of syscall execve, and the
pc is at the first insn of the new exec, which also happens to be the first
insn in the code segment, so consequently we cannot read the previous insn.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
Note the special execve handling in aarch64_linux_get_syscall_number:
...
  /* On exit from a successful execve, we will be in a new process and all the  
     registers will be cleared - x0 to x30 will be 0, except for a 1 in x7.     
     This function will only ever get called when stopped at the entry or exit  
     of a syscall, so by checking for 0 in x0 (arg0/retval), x1 (arg1), x8      
     (syscall), x29 (FP) and x30 (LR) we can infer:                             
     1) Either inferior is at exit from successful execve.                      
     2) Or inferior is at entry to a call to io_setup with invalid arguments
and                   
        a corrupted FP and LR.                                                  
     It should be safe enough to assume case 1.  */
  if (ret == 0)
    {
      LONGEST x1 = -1, fp = -1, lr = -1;
      regs->cooked_read (AARCH64_X0_REGNUM + 1, &x1);
      regs->cooked_read (AARCH64_FP_REGNUM, &fp);
      regs->cooked_read (AARCH64_LR_REGNUM, &lr);
      if (x1 == 0 && fp ==0 && lr == 0)
        return aarch64_sys_execve;
    }
...

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

--- Comment #2 from Tom de Vries <vries at gcc dot gnu.org> ---
This demonstrator patch makes the test-case pass:
...
diff --git a/gdb/arm-linux-tdep.c b/gdb/arm-linux-tdep.c
index dfa816990ff..74c78166403 100644
--- a/gdb/arm-linux-tdep.c
+++ b/gdb/arm-linux-tdep.c
@@ -845,8 +845,12 @@ arm_linux_get_syscall_number (struct gdbarch *gdbarch,

       /* PC gets incremented before the syscall-stop, so read the
         previous instruction.  */
-      unsigned long this_instr = 
-       read_memory_unsigned_integer (pc - 4, 4, byte_order_for_code);
+      unsigned long this_instr;
+
+      ULONGEST val;
+      if (!safe_read_memory_unsigned_integer (pc - 4, 4, byte_order_for_code,
&val))
+       return 11;
+      this_instr = val;

       unsigned long svc_operand = (0x00ffffff & this_instr);

...

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

--- Comment #3 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #2)
> This demonstrator patch makes the test-case pass:

Which allows me to inspect the register values:
...
(gdb) info registers
r0             0x0                 0
r1             0x0                 0
r2             0x0                 0
r3             0x0                 0
r4             0x0                 0
r5             0x0                 0
r6             0x0                 0
r7             0x0                 0
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x0                 0
r12            0x1                 1
sp             0xfffef670          0xfffef670
lr             0x0                 0
pc             0xf77c6a80          0xf77c6a80
cpsr           0x10                16
fpscr          0x0                 0
tpidruro       <unavailable>
...

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
This is a basic version of the aarch64 approach:
...
diff --git a/gdb/arm-linux-tdep.c b/gdb/arm-linux-tdep.c
index dfa816990ff..2afb9a64cab 100644
--- a/gdb/arm-linux-tdep.c
+++ b/gdb/arm-linux-tdep.c
@@ -830,6 +830,13 @@ arm_linux_get_syscall_number (struct gdbarch *gdbarch,
   int is_thumb;
   ULONGEST svc_number = -1;

+  {
+    ULONGEST lr = -1;
+    regcache_cooked_read_unsigned (regs, ARM_LR_REGNUM, &lr);
+    if (lr == 0)
+      return 11;
+  }
+
   regcache_cooked_read_unsigned (regs, ARM_PC_REGNUM, &pc);
   regcache_cooked_read_unsigned (regs, ARM_PS_REGNUM, &cpsr);
   is_thumb = (cpsr & t_bit) != 0;
@@ -845,8 +852,12 @@ arm_linux_get_syscall_number (struct gdbarch *gdbarch,

       /* PC gets incremented before the syscall-stop, so read the
         previous instruction.  */
-      unsigned long this_instr = 
-       read_memory_unsigned_integer (pc - 4, 4, byte_order_for_code);
+      unsigned long this_instr;
+
+      ULONGEST val;
+      if (!safe_read_memory_unsigned_integer (pc - 4, 4, byte_order_for_code,
&val))
+       return -1;
+      this_instr = val;

       unsigned long svc_operand = (0x00ffffff & this_instr);

...

It's better to test more registers, but I'm not sure which ones.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |luis.machado at arm dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[luis.machado at arm dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

Luis Machado <luis.machado at arm dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

--- Comment #5 from Luis Machado <luis.machado at arm dot com> ---
Thanks for reporting this. I can reproduce it. Is this on the mailing list yet,
or would you rather have a bit more input before sending the patch?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

--- Comment #6 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Luis Machado from comment #5)
> Thanks for reporting this. I can reproduce it. Is this on the mailing list
> yet, or would you rather have a bit more input before sending the patch?

It's not on the mailing list yet.

Do you have an idea which registers to test other than lr ?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[luis.machado at arm dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

--- Comment #7 from Luis Machado <luis.machado at arm dot com> ---
Thinking a bit about this, for 32-bit (and 32-bit-on-64-bit), syscall 0 is the
restart syscall. From the manpages:

long restart_syscall(void);

       Note: There is no glibc wrapper for this system call; see NOTES.

Given this is intended for internal use by the kernel, I suppose userspace has
no business trying to invoke it, so checking only LR should technically work.

In case someone does invoke it, checking the rest of the argument/variable
registers to make sure they are 0 seems reasonable, and may help avoid
false-positives when reporting execve.

I'm thinking checking r0~r8 should be more than enough, based on the appcs32
(https://github.com/ARM-software/abi-aa/blob/main/aapcs32/aapcs32.rst).

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW

--- Comment #8 from Tom de Vries <vries at gcc dot gnu.org> ---
https://sourceware.org/pipermail/gdb-patches/2023-November/204225.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tom de Vries <vries@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=eb42bb148956c283d485bbd182606a851280149d

commit eb42bb148956c283d485bbd182606a851280149d
Author: Tom de Vries <tdevries@suse.de>
Date:   Tue Nov 21 11:44:07 2023 +0100

    [gdb/tdep] Fix catching syscall execve exit for arm

    When running test-case gdb.base/catch-syscall.exp on a pinebook (64-bit
    aarch64 kernel, 32-bit userland) I run into:
    ...
    (gdb) PASS: $exp: execve: syscall(s) execve appears in 'info breakpoints'
    continue^M
    Continuing.^M
    ^M
    Catchpoint 18 (call to syscall execve), 0xf7726318 in execve () from \
      /lib/arm-linux-gnueabihf/libc.so.6^M
    (gdb) PASS: gdb.base/catch-syscall.exp: execve: program has called execve
    continue^M
    Continuing.^M
    process 32392 is executing new program: catch-syscall^M
    Cannot access memory at address 0xf77c6a7c^M
    (gdb) FAIL: $exp: execve: syscall execve has returned
    ...

    The memory error is thrown by arm_linux_get_syscall_number, when doing:
    ...
         /* PC gets incremented before the syscall-stop, so read the
             previous instruction.  */
          unsigned long this_instr =
            read_memory_unsigned_integer (pc - 4, 4, byte_order_for_code);
    ...

    The reason for the error is that we're stopped at the syscall exit of
syscall
    execve, and the pc is at the first insn of the new exec, which also happens
to
    be the first insn in the code segment, so consequently we cannot read the
    previous insn.

    Fix this by detecting the situation by looking at the register state,
similar
    to what is done in aarch64_linux_get_syscall_number.

    Furthermore, catch the memory error by using
safe_read_memory_unsigned_integer
    and return -1 instead, matching the documented behaviour of
    arm_linux_get_syscall_number.

    Finally, rather than using a hardcoded constant 11, introduce an ad-hoc
    arm_sys_execve.

    Tested on pinebook.

    PR tdep/31071
    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31071

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug tdep/31071] [gdb/tdep, arm] FAIL: gdb.base/catch-syscall.exp: execve: syscall execve has returned

[vries at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31071

Tom de Vries <vries at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |15.1

--- Comment #10 from Tom de Vries <vries at gcc dot gnu.org> ---
Fixed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.