public inbox for gdb-prs@sourceware.org
* [Bug gdb/31258] New: [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-01-18 9:07 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
Bug ID: 31258
Summary: [gdb] ThreadSanitizer: heap-use-after-free in memmove
Product: gdb
Version: HEAD
Status: NEW
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: vries at gcc dot gnu.org
Target Milestone: ---
When building gdb with -O0 -fsanitize=thread and running test-case
gdb.ada/uninitialized_vars.exp, I run into a heap-use-after-free:
(gdb) info locals
a = 0
z = (a => 1, b => false, c => 2.0)
y = (a => 184, c => 9.18340949e-41, d => -411009023)
==================
WARNING: ThreadSanitizer: heap-use-after-free (pid=519489)
Read of size 4 at 0xfffff1c0fc18 by main thread:
#0 memmove <null> (libtsan.so.2+0x4b10c) (BuildId:
fe872cc4563474b7ad67d63a019aa94e1e0df888)
#1 unsigned char* std::__copy_move_backward<false, true,
std::random_access_iterator_tag>::__copy_move_b<unsigned char const, unsigned
char>(unsigned char const*, unsigned char const*, unsigned char*)
/usr/include/c++/13/bits/stl_algobase.h:748 (gdb+0x45bf80) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#2 unsigned char* std::__copy_move_backward_a2<false, unsigned char const*,
unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*)
/usr/include/c++/13/bits/stl_algobase.h:769 (gdb+0x45b12c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#3 unsigned char* std::__copy_move_backward_a1<false, unsigned char const*,
unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*)
/usr/include/c++/13/bits/stl_algobase.h:778 (gdb+0x459dc4) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#4 unsigned char* std::__copy_move_backward_a<false, unsigned char const*,
unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*)
/usr/include/c++/13/bits/stl_algobase.h:807 (gdb+0x458710) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#5 unsigned char* std::copy_backward<unsigned char const*, unsigned
char*>(unsigned char const*, unsigned char const*, unsigned char*)
/usr/include/c++/13/bits/stl_algobase.h:867 (gdb+0x456c4c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#6 void gdb::copy<unsigned char const, unsigned
char>(gdb::array_view<unsigned char const>, gdb::array_view<unsigned char>)
/home/vries/gdb/src/gdb/../gdbsupport/array-view.h:223 (gdb+0x455030) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#7 value::contents_copy_raw(value*, long, long, long)
/home/vries/gdb/src/gdb/value.c:1239 (gdb+0x110a4e8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#8 value::primitive_field(long, int, type*)
/home/vries/gdb/src/gdb/value.c:3078 (gdb+0x110fef8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#9 value_field(value*, int) /home/vries/gdb/src/gdb/value.c:3095
(gdb+0x110ffa8) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#10 print_field_values /home/vries/gdb/src/gdb/ada-valprint.c:658
(gdb+0x4f7f8c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#11 ada_val_print_struct_union /home/vries/gdb/src/gdb/ada-valprint.c:857
(gdb+0x4f88d8) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#12 ada_value_print_inner(value*, ui_file*, int, value_print_options
const*) /home/vries/gdb/src/gdb/ada-valprint.c:1042 (gdb+0x4f90a0) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#13 ada_language::value_print_inner(value*, ui_file*, int,
value_print_options const*) const <null> (gdb+0x4c5358) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#14 common_val_print(value*, ui_file*, int, value_print_options const*,
language_defn const*) /home/vries/gdb/src/gdb/valprint.c:1092 (gdb+0x10fd41c)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#15 common_val_print_checked(value*, ui_file*, int, value_print_options
const*, language_defn const*) /home/vries/gdb/src/gdb/valprint.c:1184
(gdb+0x10fd908) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#16 print_variable_and_value(char const*, symbol*, frame_info_ptr,
ui_file*, int) /home/vries/gdb/src/gdb/printcmd.c:2355 (gdb+0xcb133c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#17 print_variable_and_value_data::operator()(char const*, symbol*)
/home/vries/gdb/src/gdb/stack.c:2295 (gdb+0xf2be88) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#18 gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::operator()(gdb::fv_detail::erased_callable, char
const*, symbol*) const
/home/vries/gdb/src/gdb/../gdbsupport/function-view.h:305 (gdb+0xf3358c)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#19 gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::_FUN(gdb::fv_detail::erased_callable, char const*,
symbol*) /home/vries/gdb/src/gdb/../gdbsupport/function-view.h:299
(gdb+0xf335f4) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#20 gdb::function_view<void (char const*, symbol*)>::operator()(char
const*, symbol*) const
/home/vries/gdb/src/gdb/../gdbsupport/function-view.h:289 (gdb+0xf32e18)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#21 iterate_over_block_locals /home/vries/gdb/src/gdb/stack.c:2227
(gdb+0xf2bb78) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#22 iterate_over_block_local_vars(block const*, gdb::function_view<void
(char const*, symbol*)>) /home/vries/gdb/src/gdb/stack.c:2246 (gdb+0xf2bc10)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#23 print_frame_local_vars /home/vries/gdb/src/gdb/stack.c:2367
(gdb+0xf2c1dc) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#24 info_locals_command(char const*, int)
/home/vries/gdb/src/gdb/stack.c:2445 (gdb+0xf2c62c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#25 do_simple_func /home/vries/gdb/src/gdb/cli/cli-decode.c:95
(gdb+0x6e444c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#26 cmd_func(cmd_list_element*, char const*, int)
/home/vries/gdb/src/gdb/cli/cli-decode.c:2735 (gdb+0x6ebb88) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#27 execute_command(char const*, int) /home/vries/gdb/src/gdb/top.c:575
(gdb+0xff748c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#28 command_handler(char const*) /home/vries/gdb/src/gdb/event-top.c:566
(gdb+0x942488) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#29 command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char>
>&&) /home/vries/gdb/src/gdb/event-top.c:802 (gdb+0x942bc0) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#30 tui_command_line_handler /home/vries/gdb/src/gdb/tui/tui-interp.c:104
(gdb+0x10365f8) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#31 gdb_rl_callback_handler /home/vries/gdb/src/gdb/event-top.c:259
(gdb+0x941884) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#32 rl_callback_read_char
/home/vries/gdb/src/readline/readline/callback.c:290 (gdb+0x11a2c7c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#33 gdb_rl_callback_read_char_wrapper_noexcept
/home/vries/gdb/src/gdb/event-top.c:195 (gdb+0x9415f8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#34 gdb_rl_callback_read_char_wrapper
/home/vries/gdb/src/gdb/event-top.c:234 (gdb+0x941720) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#35 stdin_event_handler /home/vries/gdb/src/gdb/ui.c:155 (gdb+0x1079320)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#36 handle_file_event /home/vries/gdb/src/gdbsupport/event-loop.cc:573
(gdb+0x1cf5678) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#37 gdb_wait_for_event /home/vries/gdb/src/gdbsupport/event-loop.cc:694
(gdb+0x1cf5d3c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#38 gdb_do_one_event(int) /home/vries/gdb/src/gdbsupport/event-loop.cc:264
(gdb+0x1cf4074) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#39 start_event_loop /home/vries/gdb/src/gdb/main.c:408 (gdb+0xb79354)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#40 captured_command_loop /home/vries/gdb/src/gdb/main.c:472 (gdb+0xb79584)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#41 captured_main /home/vries/gdb/src/gdb/main.c:1342 (gdb+0xb7b99c)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#42 gdb_main(captured_main_args*) /home/vries/gdb/src/gdb/main.c:1361
(gdb+0xb7ba4c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#43 main /home/vries/gdb/src/gdb/gdb.c:39 (gdb+0x423ce8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
Previous write of size 8 at 0xfffff1c0fc18 by main thread:
#0 operator delete(void*, unsigned long) <null>
(libtsan.so.2+0x8fb14) (BuildId: fe872cc4563474b7ad67d63a019aa94e1e0df888)
#1 std::__new_allocator<dwarf_stack_value>::deallocate(dwarf_stack_value*,
unsigned long) /usr/include/c++/13/bits/new_allocator.h:172 (gdb+0x822504)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#2 std::allocator_traits<std::allocator<dwarf_stack_value>
>::deallocate(std::allocator<dwarf_stack_value>&, dwarf_stack_value*, unsigned
long) /usr/include/c++/13/bits/alloc_traits.h:517 (gdb+0x820bf4) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#3 std::_Vector_base<dwarf_stack_value, std::allocator<dwarf_stack_value>
>::_M_deallocate(dwarf_stack_value*, unsigned long)
/usr/include/c++/13/bits/stl_vector.h:387 (gdb+0x820bf4)
#4 std::_Vector_base<dwarf_stack_value, std::allocator<dwarf_stack_value>
>::~_Vector_base() /usr/include/c++/13/bits/stl_vector.h:366 (gdb+0x81fc94)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#5 std::vector<dwarf_stack_value, std::allocator<dwarf_stack_value>
>::~vector() /usr/include/c++/13/bits/stl_vector.h:735 (gdb+0x81fd24) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#6 dwarf_expr_context::~dwarf_expr_context()
/home/vries/gdb/src/gdb/dwarf2/expr.h:124 (gdb+0x822e38) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#7 dwarf2_evaluate_loc_desc_full /home/vries/gdb/src/gdb/dwarf2/loc.c:1559
(gdb+0x86c10c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#8 dwarf2_evaluate_loc_desc(type*, frame_info_ptr, unsigned char const*,
unsigned long, dwarf2_per_cu_data*, dwarf2_per_objfile*, bool)
/home/vries/gdb/src/gdb/dwarf2/loc.c:1570 (gdb+0x86c2f0) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#9 locexpr_read_variable /home/vries/gdb/src/gdb/dwarf2/loc.c:3061
(gdb+0x86f650) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#10 language_defn::read_var_value(symbol*, block const*, frame_info_ptr)
const /home/vries/gdb/src/gdb/findvar.c:502 (gdb+0x98294c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#11 ada_language::read_var_value(symbol*, block const*, frame_info_ptr)
const <null> (gdb+0x4c412c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#12 read_var_value(symbol*, block const*, frame_info_ptr)
/home/vries/gdb/src/gdb/findvar.c:729 (gdb+0x983464) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#13 print_variable_and_value(char const*, symbol*, frame_info_ptr,
ui_file*, int) /home/vries/gdb/src/gdb/printcmd.c:2352 (gdb+0xcb12f0) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#14 print_variable_and_value_data::operator()(char const*, symbol*)
/home/vries/gdb/src/gdb/stack.c:2295 (gdb+0xf2be88) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#15 gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::operator()(gdb::fv_detail::erased_callable, char
const*, symbol*) const
/home/vries/gdb/src/gdb/../gdbsupport/function-view.h:305 (gdb+0xf3358c)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#16 gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::_FUN(gdb::fv_detail::erased_callable, char const*,
symbol*) /home/vries/gdb/src/gdb/../gdbsupport/function-view.h:299
(gdb+0xf335f4) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#17 gdb::function_view<void (char const*, symbol*)>::operator()(char
const*, symbol*) const
/home/vries/gdb/src/gdb/../gdbsupport/function-view.h:289 (gdb+0xf32e18)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#18 iterate_over_block_locals /home/vries/gdb/src/gdb/stack.c:2227
(gdb+0xf2bb78) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#19 iterate_over_block_local_vars(block const*, gdb::function_view<void
(char const*, symbol*)>) /home/vries/gdb/src/gdb/stack.c:2246 (gdb+0xf2bc10)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#20 print_frame_local_vars /home/vries/gdb/src/gdb/stack.c:2367
(gdb+0xf2c1dc) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#21 info_locals_command(char const*, int)
/home/vries/gdb/src/gdb/stack.c:2445 (gdb+0xf2c62c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#22 do_simple_func /home/vries/gdb/src/gdb/cli/cli-decode.c:95
(gdb+0x6e444c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#23 cmd_func(cmd_list_element*, char const*, int)
/home/vries/gdb/src/gdb/cli/cli-decode.c:2735 (gdb+0x6ebb88) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#24 execute_command(char const*, int) /home/vries/gdb/src/gdb/top.c:575
(gdb+0xff748c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#25 command_handler(char const*) /home/vries/gdb/src/gdb/event-top.c:566
(gdb+0x942488) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#26 command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char>
>&&) /home/vries/gdb/src/gdb/event-top.c:802 (gdb+0x942bc0) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#27 tui_command_line_handler /home/vries/gdb/src/gdb/tui/tui-interp.c:104
(gdb+0x10365f8) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#28 gdb_rl_callback_handler /home/vries/gdb/src/gdb/event-top.c:259
(gdb+0x941884) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#29 rl_callback_read_char
/home/vries/gdb/src/readline/readline/callback.c:290 (gdb+0x11a2c7c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#30 gdb_rl_callback_read_char_wrapper_noexcept
/home/vries/gdb/src/gdb/event-top.c:195 (gdb+0x9415f8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#31 gdb_rl_callback_read_char_wrapper
/home/vries/gdb/src/gdb/event-top.c:234 (gdb+0x941720) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#32 stdin_event_handler /home/vries/gdb/src/gdb/ui.c:155 (gdb+0x1079320)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#33 handle_file_event /home/vries/gdb/src/gdbsupport/event-loop.cc:573
(gdb+0x1cf5678) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#34 gdb_wait_for_event /home/vries/gdb/src/gdbsupport/event-loop.cc:694
(gdb+0x1cf5d3c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#35 gdb_do_one_event(int) /home/vries/gdb/src/gdbsupport/event-loop.cc:264
(gdb+0x1cf4074) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#36 start_event_loop /home/vries/gdb/src/gdb/main.c:408 (gdb+0xb79354)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#37 captured_command_loop /home/vries/gdb/src/gdb/main.c:472 (gdb+0xb79584)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#38 captured_main /home/vries/gdb/src/gdb/main.c:1342 (gdb+0xb7b99c)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#39 gdb_main(captured_main_args*) /home/vries/gdb/src/gdb/main.c:1361
(gdb+0xb7ba4c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#40 main /home/vries/gdb/src/gdb/gdb.c:39 (gdb+0x423ce8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
Location is heap block of size 8 at 0xfffff1c0fc10 allocated by main
thread:
#0 calloc <null> (libtsan.so.2+0x454e8) (BuildId:
fe872cc4563474b7ad67d63a019aa94e1e0df888)
#1 xcalloc /home/vries/gdb/src/gdb/alloc.c:97 (gdb+0x500024) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#2 xzalloc(unsigned long) /home/vries/gdb/src/gdbsupport/common-utils.cc:29
(gdb+0x1cee77c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#3 value::allocate_contents(bool) /home/vries/gdb/src/gdb/value.c:937
(gdb+0x11093a8) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#4 value::fetch_lazy() /home/vries/gdb/src/gdb/value.c:4033 (gdb+0x1112b30)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#5 value::entirely_covered_by_range_vector(std::vector<range,
std::allocator<range> > const&) /home/vries/gdb/src/gdb/value.c:229
(gdb+0x11073b0) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#6 value::entirely_optimized_out() /home/vries/gdb/src/gdb/value.h:560
(gdb+0x4f9558) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#7 value_check_printable /home/vries/gdb/src/gdb/valprint.c:1133
(gdb+0x10fd680) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#8 common_val_print_checked(value*, ui_file*, int, value_print_options
const*, language_defn const*) /home/vries/gdb/src/gdb/valprint.c:1182
(gdb+0x10fd8d8) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#9 print_variable_and_value(char const*, symbol*, frame_info_ptr, ui_file*,
int) /home/vries/gdb/src/gdb/printcmd.c:2355 (gdb+0xcb133c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#10 print_variable_and_value_data::operator()(char const*, symbol*)
/home/vries/gdb/src/gdb/stack.c:2295 (gdb+0xf2be88) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#11 gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::operator()(gdb::fv_detail::erased_callable, char
const*, symbol*) const
/home/vries/gdb/src/gdb/../gdbsupport/function-view.h:305 (gdb+0xf3358c)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#12 gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::_FUN(gdb::fv_detail::erased_callable, char const*,
symbol*) /home/vries/gdb/src/gdb/../gdbsupport/function-view.h:299
(gdb+0xf335f4) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#13 gdb::function_view<void (char const*, symbol*)>::operator()(char
const*, symbol*) const
/home/vries/gdb/src/gdb/../gdbsupport/function-view.h:289 (gdb+0xf32e18)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#14 iterate_over_block_locals /home/vries/gdb/src/gdb/stack.c:2227
(gdb+0xf2bb78) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#15 iterate_over_block_local_vars(block const*, gdb::function_view<void
(char const*, symbol*)>) /home/vries/gdb/src/gdb/stack.c:2246 (gdb+0xf2bc10)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#16 print_frame_local_vars /home/vries/gdb/src/gdb/stack.c:2367
(gdb+0xf2c1dc) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#17 info_locals_command(char const*, int)
/home/vries/gdb/src/gdb/stack.c:2445 (gdb+0xf2c62c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#18 do_simple_func /home/vries/gdb/src/gdb/cli/cli-decode.c:95
(gdb+0x6e444c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#19 cmd_func(cmd_list_element*, char const*, int)
/home/vries/gdb/src/gdb/cli/cli-decode.c:2735 (gdb+0x6ebb88) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#20 execute_command(char const*, int) /home/vries/gdb/src/gdb/top.c:575
(gdb+0xff748c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#21 command_handler(char const*) /home/vries/gdb/src/gdb/event-top.c:566
(gdb+0x942488) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#22 command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char>
>&&) /home/vries/gdb/src/gdb/event-top.c:802 (gdb+0x942bc0) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#23 tui_command_line_handler /home/vries/gdb/src/gdb/tui/tui-interp.c:104
(gdb+0x10365f8) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#24 gdb_rl_callback_handler /home/vries/gdb/src/gdb/event-top.c:259
(gdb+0x941884) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#25 rl_callback_read_char
/home/vries/gdb/src/readline/readline/callback.c:290 (gdb+0x11a2c7c) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#26 gdb_rl_callback_read_char_wrapper_noexcept
/home/vries/gdb/src/gdb/event-top.c:195 (gdb+0x9415f8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#27 gdb_rl_callback_read_char_wrapper
/home/vries/gdb/src/gdb/event-top.c:234 (gdb+0x941720) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#28 stdin_event_handler /home/vries/gdb/src/gdb/ui.c:155 (gdb+0x1079320)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#29 handle_file_event /home/vries/gdb/src/gdbsupport/event-loop.cc:573
(gdb+0x1cf5678) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#30 gdb_wait_for_event /home/vries/gdb/src/gdbsupport/event-loop.cc:694
(gdb+0x1cf5d3c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#31 gdb_do_one_event(int) /home/vries/gdb/src/gdbsupport/event-loop.cc:264
(gdb+0x1cf4074) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#32 start_event_loop /home/vries/gdb/src/gdb/main.c:408 (gdb+0xb79354)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#33 captured_command_loop /home/vries/gdb/src/gdb/main.c:472 (gdb+0xb79584)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#34 captured_main /home/vries/gdb/src/gdb/main.c:1342 (gdb+0xb7b99c)
(BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#35 gdb_main(captured_main_args*) /home/vries/gdb/src/gdb/main.c:1361
(gdb+0xb7ba4c) (BuildId: 6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
#36 main /home/vries/gdb/src/gdb/gdb.c:39 (gdb+0x423ce8) (BuildId:
6dc308d9bc2da51d7adf979315fabd66fb46e8a3)
SUMMARY: ThreadSanitizer: heap-use-after-free (/lib64/libtsan.so.2+0x4b10c)
(BuildId: fe872cc4563474b7ad67d63a019aa94e1e0df888) in memmove
==================
y2 = (a => 224, c => 9.18340949e-41, d => -411009023)
nv = (v => (kind => 200, string_value => 4160731976))
ut = (b => 3, c => 4.20389539e-45)
tt = (a => -134229152, b => 255 '["ff"]')
ctt = (a => -8816, b => 255 '["ff"]', c => -1.02340132e+34)
ctt2 = (a => -141925200, b => 255 '["ff"]')
w = (0 => (field1 => 0x67fffff7fc41bc, field2 => "["04"]["a4"]"), (field1 =>
0xfffff7ffb000 <tunable_list+688>, field2 => "["98"]["a1"]"))
dire = (num1 => 0, num2 => 0, num3 => 0, num4 => 0, field1 => (), field2 => (0
=> (field1 => 0xfffff7fff480, field2 => "["00"]["00"]"), (field1 =>
0xfffff7841908, field2 => "["a3"]!"), (field1 => 0xfffff7ffef00, field2 =>
"`["d9"]"), (field1 => 0x400, field2 => "["00"]["ef"]"), (field1 => 0x0, field2
=> "["00"]["ef"]"), (field1 => 0xfffff7ffcb48 <_rtld_local+2888>, field2 =>
"["00"]["00"]"), (field1 => 0x0, field2 => "["00"]["00"]"), (field1 => 0x0,
field2 => "["00"]["00"]"), (field1 => 0x0, field2 => "["00"]["00"]"), (field1
=> 0x0, field2 => " ["da"]"), (field1 => 0xafffff7fc41bc, field2 =>
"P["ca"]")), field3 => (0 => (field1 => 0xfffff7ffb000 <tunable_list+688>,
field2 => "H["c9"]")), field4 => (0 => (field1 => 0xfffff7fac588, field2 =>
"8["c5"]")), field5 => (0 => (field1 => 0x0, field2 => "H["cb"]")))
nvp = (discr => 0)
t_ptr = <error reading variable: Cannot access memory at address 0x6>
t_ptr2 = <error reading variable: Value out of range.>
my_str = <error reading variable: Cannot access memory at address 0x54>
v_null = v_null
v_boolean = v_boolean
v_integer = v_integer
nbi_n = (var => v_null)
nbi_i = (var => v_null)
nbi_b = (var => 144, integer_value => 65535)
(gdb) PASS: gdb.ada/uninitialized_vars.exp: info locals
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug gdb/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-01-18 14:27 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
--- Comment #1 from Tom de Vries <vries at gcc dot gnu.org> ---
(In reply to Tom de Vries from comment #0)
> When building gdb with -O0 -fsanitize=thread and running test-case
> gdb.ada/uninitialized_vars.exp, I run into a heap-use-after-free:
> (gdb) info locals
> a = 0
> z = (a => 1, b => false, c => 2.0)
> y = (a => 184, c => 9.18340949e-41, d => -411009023)
This was with f39 aarch64, using gcc 13.
Also reproduced on openSUSE Tumbleweed x86_64, likewise using gcc 13.
* [Bug gdb/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-01-18 16:44 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
--- Comment #2 from Tom de Vries <vries at gcc dot gnu.org> ---
The problem is a discrepancy between type size and fields.
The variable y2:
...
Y2 : Variable_Record := (A => False, C => 1.0, D => 2);
...
is of type:
...
type Variable_Record (A : Boolean := True) is record
case A is
when True =>
B : Integer;
when False =>
C : Float;
D : Integer;
end case;
end record;
...
For the valid values of a, 0 and 1, we get correct values for the size of the
type:
...
(gdb) set var y2.a=0
(gdb) ptype y2
type = struct parse__variable_record {
boolean a;
float c;
integer d;
}
(gdb) p sizeof (y2)
$9 = 12
(gdb) set var y2.a=1
(gdb) ptype y2
type = struct parse__variable_record {
boolean a;
integer b;
}
(gdb) p sizeof (y2)
$10 = 8
...
and correct corresponding types.
When y2.a is uninitialized, say to 0x70:
...
(gdb) set var y2.a=0x70
(gdb) ptype y2
type = struct parse__variable_record {
boolean a;
float c;
integer d;
}
(gdb) p sizeof (y2)
$14 = 8
...
we get the type with three fields, which doesn't fit in the computed type size
of 8.
This demonstrator patch fixes it for ada:
...
diff --git a/gdb/ada-valprint.c b/gdb/ada-valprint.c
index ac85440b139..79769bae3bd 100644
--- a/gdb/ada-valprint.c
+++ b/gdb/ada-valprint.c
@@ -601,6 +601,10 @@ print_field_values (struct value *value, struct value
*outer_value,
continue;
}
+ long field_offset = type->field (i).loc_bitpos ();
+ if (field_offset / 8 >= type->length ())
+ continue;
+
if (comma_needed)
gdb_printf (stream, ", ");
comma_needed = 1;
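Review bot: the new guard in print_field_values only tests where the field starts (`field_offset / 8 >= type->length ()`), so a field whose first byte lies inside the record but whose last byte lies past `type->length ()` still reaches the contents copy; comparing the field's end (start byte plus the width of the field's type) against the length would close that case too. Skipping the field silently also hides the inconsistency between the discriminant-dependent field list and the computed size that the text above describes; printing a marker for the skipped field, or at least a comment above the check saying why a field can be out of bounds, would make the mismatch visible to whoever reads the output. And since the comment right below the patch says the same overread comes back with the language set to c, the check belongs in the language-independent field fetch (value::primitive_field / contents_copy_raw, as in the TSan trace) rather than in ada-valprint.c, which is only one caller of that path.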
...
However, the same issue triggers again when setting the language to c.
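The discrepancy Comment #2 describes, modelled as an added C++ example. This is not gdb's code: the names field_desc, type_desc, value_desc, field_starts_in_bounds, field_fits_in_bounds, extract_field and printable_fields are assumptions of this example, and the byte layout of the record is constructed here, not taken from the compiler. It builds a record whose field list names three fields (a, c, d) but whose computed length is 8 bytes, puts the start-only check from the demonstrator patch beside a check on the field's end, and copies a field out of the value only when it fits, so the copy never reads past the contents buffer into neighbouring or freed heap memory. The second constructed record goes beyond the case on the page: its buffer is 10 bytes, so the field d starts in bounds but does not fit, and the two checks give different answers.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// One field of a record type: where it starts and how wide it is, in bits
// (the bit position plays the role of loc_bitpos () in the demonstrator
// patch; the struct and its members are hypothetical, not gdb's).
struct field_desc {
    std::string name;
    std::size_t bitpos;
    std::size_t bitsize;
};

// A record type as the debugger computed it: a byte length plus a field list.
// The bug is that the two can disagree when the discriminant holds garbage.
struct type_desc {
    std::size_t length;
    std::vector<field_desc> fields;
};

// A value: its type and a contents buffer of exactly type.length bytes, like
// the 8-byte block value::allocate_contents hands out in the TSan report.
struct value_desc {
    type_desc type;
    std::vector<unsigned char> contents;
};

// The test from the demonstrator patch: only the field's first byte is checked.
bool field_starts_in_bounds(const type_desc &t, std::size_t i) {
    return t.fields[i].bitpos / 8 < t.length;
}

// Stricter test: the field's last byte must lie inside the record as well.
bool field_fits_in_bounds(const type_desc &t, std::size_t i) {
    const field_desc &f = t.fields[i];
    std::size_t end_byte = (f.bitpos + f.bitsize + 7) / 8;  // one past the last byte
    return end_byte <= t.length;
}

// Bounded stand-in for the field copy in value::primitive_field: returns the
// field's bytes, or nothing at all rather than reading past the buffer.
std::optional<std::vector<unsigned char>> extract_field(const value_desc &v, std::size_t i) {
    if (!field_fits_in_bounds(v.type, i))
        return std::nullopt;
    const field_desc &f = v.type.fields[i];
    std::size_t first = f.bitpos / 8;
    std::size_t nbytes = (f.bitsize + 7) / 8;
    return std::vector<unsigned char>(v.contents.begin() + first,
                                      v.contents.begin() + first + nbytes);
}

// Names of the fields a printer guarded by extract_field would show.
std::vector<std::string> printable_fields(const value_desc &v) {
    std::vector<std::string> out;
    for (std::size_t i = 0; i < v.type.fields.size(); ++i)
        if (extract_field(v, i))
            out.push_back(v.type.fields[i].name);
    return out;
}

// Constructed model of y2 from Comment #2 with a = 0x70: the three-field
// variant (a, c, d) was selected, yet the record was sized at 8 bytes, so d
// (bytes 8..11) lies entirely outside the buffer.
value_desc make_mismatched_y2() {
    type_desc t{8, {{"a", 0, 8}, {"c", 32, 32}, {"d", 64, 32}}};
    std::vector<unsigned char> bytes(t.length, 0);
    bytes[0] = 0x70;  // the out-of-range discriminant
    return value_desc{t, bytes};
}

// Constructed case where the two checks disagree: the buffer is 10 bytes, so
// d starts inside it (byte 8) but its last two bytes do not exist.
value_desc make_straddling_field() {
    type_desc t{10, {{"a", 0, 8}, {"c", 32, 32}, {"d", 64, 32}}};
    return value_desc{t, std::vector<unsigned char>(t.length, 0)};
}

int main() {
    for (const value_desc &v : {make_mismatched_y2(), make_straddling_field()}) {
        std::cout << "record of " << v.type.length << " bytes:";
        for (std::size_t i = 0; i < v.type.fields.size(); ++i)
            std::cout << ' ' << v.type.fields[i].name
                      << "(start-ok=" << field_starts_in_bounds(v.type, i)
                      << ",fits=" << field_fits_in_bounds(v.type, i) << ')';
        std::cout << '\n';
    }
    return 0;
}
```

For the 8-byte record, d fails both checks and is left out of the printed fields; for the 10-byte record, the start-only check accepts d while the end check rejects it, which is the difference between skipping the field and copying four bytes from a buffer that only holds two of them.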
* [Bug gdb/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-01-19 15:39 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
--- Comment #3 from Tom de Vries <vries at gcc dot gnu.org> ---
Created attachment 15312
--> https://sourceware.org/bugzilla/attachment.cgi?id=15312&action=edit
Test-case
With gcc 12, I get:
...
Running gdb.ada/uninitialized-variable-record.exp ...
FAIL: gdb.ada/uninitialized-variable-record.exp: ada: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: asm: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: c: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: c++: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: d: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: fortran: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: go: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: minimal: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: modula-2: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: objective-c: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: opencl: print y2
FAIL: gdb.ada/uninitialized-variable-record.exp: pascal: print y2
...
* [Bug gdb/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-01-20 23:20 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
--- Comment #4 from Tom de Vries <vries at gcc dot gnu.org> ---
Created attachment 15316
--> https://sourceware.org/bugzilla/attachment.cgi?id=15316&action=edit
tentative patch
* [Bug exp/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-01-21 9:08 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
Tom de Vries <vries at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|gdb |exp
* [Bug exp/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-01-22 13:27 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
--- Comment #5 from Tom de Vries <vries at gcc dot gnu.org> ---
https://sourceware.org/pipermail/gdb-patches/2024-January/206145.html
* [Bug exp/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: cvs-commit at gcc dot gnu.org @ 2024-02-19 8:59 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
--- Comment #6 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tom de Vries <vries@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c3e06e640e53afa75d82b44f4b701815be3db19b
commit c3e06e640e53afa75d82b44f4b701815be3db19b
Author: Tom de Vries <tdevries@suse.de>
Date: Mon Feb 19 09:59:15 2024 +0100
[gdb/exp] Fix printing of out of bounds struct members
When building gdb with -O0 -fsanitize=address, and running test-case
gdb.ada/uninitialized_vars.exp, I run into:
...
(gdb) info locals
a = 0
z = (a => 1, b => false, c => 2.0)
=================================================================
==66372==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000097f58 at pc 0xffff52c0da1c bp 0xffffc90a1d40 sp 0xffffc90a1d80
READ of size 4 at 0x602000097f58 thread T0
#0 0xffff52c0da18 in memmove (/lib64/libasan.so.8+0x6da18)
#1 0xbcab24 in unsigned char* std::__copy_move_backward<false, true,
std::random_access_iterator_tag>::__copy_move_b<unsigned char const, unsigned
char>(unsigned char const*, unsigned char const*, unsigned char*)
/usr/include/c++/13/bits/stl_algobase.h:748
#2 0xbc9bf4 in unsigned char* std::__copy_move_backward_a2<false,
unsigned char const*, unsigned char*>(unsigned char const*, unsigned char
const*, unsigned char*) /usr/include/c++/13/bits/stl_algobase.h:769
#3 0xbc898c in unsigned char* std::__copy_move_backward_a1<false,
unsigned char const*, unsigned char*>(unsigned char const*, unsigned char
const*, unsigned char*) /usr/include/c++/13/bits/stl_algobase.h:778
#4 0xbc715c in unsigned char* std::__copy_move_backward_a<false,
unsigned char const*, unsigned char*>(unsigned char const*, unsigned char
const*, unsigned char*) /usr/include/c++/13/bits/stl_algobase.h:807
#5 0xbc4e6c in unsigned char* std::copy_backward<unsigned char const*,
unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*)
/usr/include/c++/13/bits/stl_algobase.h:867
#6 0xbc2934 in void gdb::copy<unsigned char const, unsigned
char>(gdb::array_view<unsigned char const>, gdb::array_view<unsigned char>)
gdb/../gdbsupport/array-view.h:223
#7 0x20e0100 in value::contents_copy_raw(value*, long, long, long)
gdb/value.c:1239
#8 0x20e9830 in value::primitive_field(long, int, type*)
gdb/value.c:3078
#9 0x20e98f8 in value_field(value*, int) gdb/value.c:3095
#10 0xcafd64 in print_field_values gdb/ada-valprint.c:658
#11 0xcb0fa0 in ada_val_print_struct_union gdb/ada-valprint.c:857
#12 0xcb1bb4 in ada_value_print_inner(value*, ui_file*, int,
value_print_options const*) gdb/ada-valprint.c:1042
#13 0xc66e04 in ada_language::value_print_inner(value*, ui_file*, int,
value_print_options const*) const (/home/vries/gdb/build/gdb/gdb+0xc66e04)
#14 0x20ca1e8 in common_val_print(value*, ui_file*, int,
value_print_options const*, language_defn const*) gdb/valprint.c:1092
#15 0x20caabc in common_val_print_checked(value*, ui_file*, int,
value_print_options const*, language_defn const*) gdb/valprint.c:1184
#16 0x196c524 in print_variable_and_value(char const*, symbol*,
frame_info_ptr, ui_file*, int) gdb/printcmd.c:2355
#17 0x1d99ca0 in print_variable_and_value_data::operator()(char const*,
symbol*) gdb/stack.c:2308
#18 0x1dabca0 in gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::operator()(gdb::fv_detail::erased_callable, char
const*, symbol*) const gdb/../gdbsupport/function-view.h:305
#19 0x1dabd14 in gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::_FUN(gdb::fv_detail::erased_callable, char const*,
symbol*) gdb/../gdbsupport/function-view.h:299
#20 0x1dab34c in gdb::function_view<void (char const*,
symbol*)>::operator()(char const*, symbol*) const
gdb/../gdbsupport/function-view.h:289
#21 0x1d9963c in iterate_over_block_locals gdb/stack.c:2240
#22 0x1d99790 in iterate_over_block_local_vars(block const*,
gdb::function_view<void (char const*, symbol*)>) gdb/stack.c:2259
#23 0x1d9a598 in print_frame_local_vars gdb/stack.c:2380
#24 0x1d9afac in info_locals_command(char const*, int) gdb/stack.c:2458
#25 0xfd7b30 in do_simple_func gdb/cli/cli-decode.c:95
#26 0xfe5a2c in cmd_func(cmd_list_element*, char const*, int)
gdb/cli/cli-decode.c:2735
#27 0x1f03790 in execute_command(char const*, int) gdb/top.c:575
#28 0x1384080 in command_handler(char const*) gdb/event-top.c:566
#29 0x1384e2c in command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) gdb/event-top.c:802
#30 0x1f731e4 in tui_command_line_handler gdb/tui/tui-interp.c:104
#31 0x1382a58 in gdb_rl_callback_handler gdb/event-top.c:259
#32 0x21dbb80 in rl_callback_read_char readline/readline/callback.c:290
#33 0x1382510 in gdb_rl_callback_read_char_wrapper_noexcept
gdb/event-top.c:195
#34 0x138277c in gdb_rl_callback_read_char_wrapper gdb/event-top.c:234
#35 0x1fe9b40 in stdin_event_handler gdb/ui.c:155
#36 0x35ff1bc in handle_file_event gdbsupport/event-loop.cc:573
#37 0x35ff9d8 in gdb_wait_for_event gdbsupport/event-loop.cc:694
#38 0x35fd284 in gdb_do_one_event(int) gdbsupport/event-loop.cc:264
#39 0x1768080 in start_event_loop gdb/main.c:408
#40 0x17684c4 in captured_command_loop gdb/main.c:472
#41 0x176cfc8 in captured_main gdb/main.c:1342
#42 0x176d088 in gdb_main(captured_main_args*) gdb/main.c:1361
#43 0xb73edc in main gdb/gdb.c:39
#44 0xffff519b09d8 in __libc_start_call_main (/lib64/libc.so.6+0x309d8)
#45 0xffff519b0aac in __libc_start_main@@GLIBC_2.34
(/lib64/libc.so.6+0x30aac)
#46 0xb73c2c in _start (/home/vries/gdb/build/gdb/gdb+0xb73c2c)
0x602000097f58 is located 0 bytes after 8-byte region
[0x602000097f50,0x602000097f58)
allocated by thread T0 here:
#0 0xffff52c65218 in calloc (/lib64/libasan.so.8+0xc5218)
#1 0xcbc278 in xcalloc gdb/alloc.c:97
#2 0x35f21e8 in xzalloc(unsigned long) gdbsupport/common-utils.cc:29
#3 0x20de270 in value::allocate_contents(bool) gdb/value.c:937
#4 0x20edc08 in value::fetch_lazy() gdb/value.c:4033
#5 0x20dadc0 in
value::entirely_covered_by_range_vector(std::vector<range,
std::allocator<range> > const&) gdb/value.c:229
#6 0xcb2298 in value::entirely_optimized_out() gdb/value.h:560
#7 0x20ca6fc in value_check_printable gdb/valprint.c:1133
#8 0x20caa8c in common_val_print_checked(value*, ui_file*, int,
value_print_options const*, language_defn const*) gdb/valprint.c:1182
#9 0x196c524 in print_variable_and_value(char const*, symbol*,
frame_info_ptr, ui_file*, int) gdb/printcmd.c:2355
#10 0x1d99ca0 in print_variable_and_value_data::operator()(char const*,
symbol*) gdb/stack.c:2308
#11 0x1dabca0 in gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::operator()(gdb::fv_detail::erased_callable, char
const*, symbol*) const gdb/../gdbsupport/function-view.h:305
#12 0x1dabd14 in gdb::function_view<void (char const*,
symbol*)>::bind<print_variable_and_value_data>(print_variable_and_value_data&)::{lambda(gdb::fv_detail::erased_callable,
char const*, symbol*)#1}::_FUN(gdb::fv_detail::erased_callable, char const*,
symbol*) gdb/../gdbsupport/function-view.h:299
#13 0x1dab34c in gdb::function_view<void (char const*,
symbol*)>::operator()(char const*, symbol*) const
gdb/../gdbsupport/function-view.h:289
#14 0x1d9963c in iterate_over_block_locals gdb/stack.c:2240
#15 0x1d99790 in iterate_over_block_local_vars(block const*,
gdb::function_view<void (char const*, symbol*)>) gdb/stack.c:2259
#16 0x1d9a598 in print_frame_local_vars gdb/stack.c:2380
#17 0x1d9afac in info_locals_command(char const*, int) gdb/stack.c:2458
#18 0xfd7b30 in do_simple_func gdb/cli/cli-decode.c:95
#19 0xfe5a2c in cmd_func(cmd_list_element*, char const*, int)
gdb/cli/cli-decode.c:2735
#20 0x1f03790 in execute_command(char const*, int) gdb/top.c:575
#21 0x1384080 in command_handler(char const*) gdb/event-top.c:566
#22 0x1384e2c in command_line_handler(std::unique_ptr<char,
gdb::xfree_deleter<char> >&&) gdb/event-top.c:802
#23 0x1f731e4 in tui_command_line_handler gdb/tui/tui-interp.c:104
#24 0x1382a58 in gdb_rl_callback_handler gdb/event-top.c:259
#25 0x21dbb80 in rl_callback_read_char readline/readline/callback.c:290
#26 0x1382510 in gdb_rl_callback_read_char_wrapper_noexcept
gdb/event-top.c:195
#27 0x138277c in gdb_rl_callback_read_char_wrapper gdb/event-top.c:234
#28 0x1fe9b40 in stdin_event_handler gdb/ui.c:155
#29 0x35ff1bc in handle_file_event gdbsupport/event-loop.cc:573
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/lib64/libasan.so.8+0x6da18) in memmove
...
The error happens when trying to print either variable y or y2:
...
type Variable_Record (A : Boolean := True) is record
case A is
when True =>
B : Integer;
when False =>
C : Float;
D : Integer;
end case;
end record;
Y : Variable_Record := (A => True, B => 1);
Y2 : Variable_Record := (A => False, C => 1.0, D => 2);
...
when the variables are uninitialized.
The error happens only when printing the entire variable:
...
(gdb) p y.a
$2 = 216
(gdb) p y.b
There is no member named b.
(gdb) p y.c
$3 = 9.18340949e-41
(gdb) p y.d
$4 = 1
(gdb) p y
<AddressSanitizer: heap-buffer-overflow>
...
The error happens as follows:
- field a functions as discriminant, choosing either the b, or c+d variant.
- when y.a happens to be set to 216, as above, gdb interprets this as the
variable having the c+d variant (which is why trying to print y.b fails).
- when printing y, gdb allocates a value, copies the bytes into it from the
target, and then prints the value.
- gdb allocates the value using the type size, which is 8. It's 8 because
that's what the DW_AT_byte_size indicates. Note that for valid values of a,
it gives correct results: if a is 0 (c+d variant), size is 12, if a is 1
(b variant), size is 8.
- gdb tries to print field d, which is at an 8 byte offset, and that results
in an out-of-bounds access for the allocated 8-byte value.
Fix this by handling this case in value::contents_copy_raw, such that we
have:
...
(gdb) p y
$1 = (a => 24, c => 9.18340949e-41,
d => <error reading variable: access outside bounds of object>)
...
An alternative (additional) fix could be this: in compute_variant_fields_inner
gdb reads the discriminant y.a to decide which variant is active. It would be
nice to detect that the value (y.a == 24) is not a valid Boolean, and give up
on choosing a variant altogether. However, the situation regarding the
internal type CODE_TYPE_BOOL is currently ambiguous (see PR31282) and it's not
possible to reliably decide what valid values are.
The test-case source file gdb.ada/uninitialized-variable-record/parse.adb is
a reduced version of gdb.ada/uninitialized_vars/parse.adb, so it copies the
copyright years.
Note that the test-case needs gcc-12 or newer; it's unsupported for older gcc
versions. [ So, it would be nice to rewrite it into a dwarf assembly
test-case. ]
The test-case loops over all languages. This is inherited from an earlier
attempt to fix this, which had language-specific fixes (in print_field_values,
cp_print_value_fields, pascal_object_print_value_fields and
f_language::value_print_inner). I've left this in, but I suppose it's not
strictly necessary anymore.
Tested on x86_64-linux.
PR exp/31258
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31258
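As an added example (not gdb's code and not part of the commit above), this C model reproduces the mismatch the commit message describes and the bounds check the fix adds: a discriminant of 216 selects the c+d variant, the object is only the 8 bytes DW_AT_byte_size declares, so reading d at offset 8 is rejected instead of running past the buffer. Field offsets and the little-endian discriminant byte are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of Variable_Record from the commit message.  Field
   offsets are assumptions: discriminant A at 0, then either B at 4
   (A = True) or C at 4 and D at 8 (A = False); every field is 4 bytes.
   DW_AT_byte_size declares 8, which is right only for the B variant. */
enum { A_OFF = 0, B_OFF = 4, C_OFF = 4, D_OFF = 8, FIELD_LEN = 4 };
/* Variant choice as the message describes it: any low byte of A other than
   1 (True) selects C+D, so an uninitialized 216 does too (little-endian). */
static bool uses_cd_variant(uint8_t a) { return a != 1; }

/* Field copy with the bounds check the fix adds in value::contents_copy_raw
   (modelled here, not gdb's code).  Returns 0 on success, -1 when the field
   lies outside the object; the subtraction form cannot overflow. */
static int copy_field_checked(const uint8_t *obj, size_t obj_len,
                              size_t field_off, size_t field_len,
                              uint8_t *out)
{
    if (field_off > obj_len || field_len > obj_len - field_off)
        return -1;                /* "access outside bounds of object" */
    memcpy(out, obj + field_off, field_len);
    return 0;
}

/* Walk the fields the way a printer would.  Returns how many fields were
   readable and sets *d_rejected when D fell outside the buffer. */
static int read_variant_fields(const uint8_t *obj, size_t obj_len,
                               bool *d_rejected)
{
    uint8_t tmp[FIELD_LEN];
    int readable = 0;
    *d_rejected = false;
    if (copy_field_checked(obj, obj_len, A_OFF, FIELD_LEN, tmp) != 0)
        return 0;                 /* no discriminant, nothing to choose */
    readable++;
    if (!uses_cd_variant(tmp[0])) {
        if (copy_field_checked(obj, obj_len, B_OFF, FIELD_LEN, tmp) == 0)
            readable++;
    } else {
        if (copy_field_checked(obj, obj_len, C_OFF, FIELD_LEN, tmp) == 0)
            readable++;
        if (copy_field_checked(obj, obj_len, D_OFF, FIELD_LEN, tmp) == 0)
            readable++;
        else
            *d_rejected = true;   /* the read ASan caught before the fix */
    }
    return readable;
}
```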
* [Bug exp/31258] [gdb] ThreadSanitizer: heap-use-after-free in memmove
From: vries at gcc dot gnu.org @ 2024-02-19 9:01 UTC (permalink / raw)
To: gdb-prs
https://sourceware.org/bugzilla/show_bug.cgi?id=31258
Tom de Vries <vries at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Target Milestone|--- |15.1
Status|NEW |RESOLVED
--- Comment #7 from Tom de Vries <vries at gcc dot gnu.org> ---
Fixed.