public inbox for gdb-prs@sourceware.org
* [Bug symtab/31694] New: heap-use-after-free in index-cache
From: ssbssa at sourceware dot org @ 2024-05-02 14:06 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

            Bug ID: 31694
           Summary: heap-use-after-free in index-cache
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: symtab
          Assignee: unassigned at sourceware dot org
          Reporter: ssbssa at sourceware dot org
  Target Milestone: ---

On current master (75d933919d8) gdb crashes on Windows for all executables;
with heob I see it's because it tries to access already-freed memory:

> unhandled exception code: 0xC0000005 (ACCESS_VIOLATION)
>   exception on: '1 [17676]'
>     0x00007FF73CE30000   c:\src\repos\gdb64\bin\gdb.exe
>       0x00007FF73CF586F8   C:\src\repos\binutils-gdb.git\gdb\dwarf2\index-cache.c:163:3 [index_cache_store_context::store() const]
>       0x00007FF73CF46CB5   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:601:27 [cooked_index_worker::write_to_cache(cooked_index const*, deferred_warnings*) const]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:657:29 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF45E32   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:667:20 [cooked_index::set_contents(std::vector<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> >, std::allocator<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> > > >&&, deferred_warnings*, parent_map_map const*)]
>       0x00007FF73CF832D5   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4916:23 [cooked_index_debug_info::done_reading()]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF91777   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4989:17 [cooked_index_debug_info::do_reading()]
>       0x00007FF73CF45F48   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:473:13 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\thread-pool.h:159:10 [gdb::thread_pool::post_task(std::function<void ()>&&)]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:469:46 [cooked_index_worker::start()]
>       0x00007FF73CF84376   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16754:22 [start_debug_info_reader]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3262:31 [dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool)]
>       0x00007FF73CEF7B66   C:\src\repos\binutils-gdb.git\gdb\coffread.c:720:33 [coff_symfile_read]
>       0x00007FF73D184C46   C:\src\repos\binutils-gdb.git\gdb\symfile.c:772:28 [read_symbols]
>       0x00007FF73D184290   C:\src\repos\binutils-gdb.git\gdb\symfile.c:964:16 [syms_from_objfile_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:981:23 [syms_from_objfile]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1084:21 [symbol_file_add_with_addrs]
>       0x00007FF73D185E23   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1158:37 [symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1171:35 [symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>)]
>       0x00007FF73D186109   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1195:45 [symbol_file_add_main_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1186:26 [symbol_file_add_main(char const*, enum_flags<symfile_add_flag>)]
>       0x00007FF73D05C19E   C:\src\repos\binutils-gdb.git\gdb\main.c:507:15 [catch_command_errors]
>       0x00007FF73D05FF55   C:\src\repos\binutils-gdb.git\gdb\main.c:1218:29 [captured_main_1]
>       0x00007FF73D06018C   C:\src\repos\binutils-gdb.git\gdb\main.c:1329:19 [captured_main]
>                            C:\src\repos\binutils-gdb.git\gdb\main.c:1358:21 [gdb_main(captured_main_args*)]
>       0x00007FF73D86D76F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:38:19 [main]
>       0x00007FF73CE31430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>       0x00007FF73CE315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
>   read access violation at 0x000002357C810F48
>   freed block 0x000002357C810E60 (size 416, offset +232)
>   allocated on: (#9257) '1 [17676]'
>                            [malloc]
>     0x00007FF73CE30000   c:\src\repos\gdb64\bin\gdb.exe
>       0x00007FF73D37AEFD   C:\src\repos\binutils-gdb.git\gdbsupport\new-op.cc:58:20 [operator new(unsigned long long)]
>       0x00007FF73CF84325   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16749:46 [start_debug_info_reader]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3262:31 [dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool)]
>       0x00007FF73CEF7B66   C:\src\repos\binutils-gdb.git\gdb\coffread.c:720:33 [coff_symfile_read]
>       0x00007FF73D184C46   C:\src\repos\binutils-gdb.git\gdb\symfile.c:772:28 [read_symbols]
>       0x00007FF73D184290   C:\src\repos\binutils-gdb.git\gdb\symfile.c:964:16 [syms_from_objfile_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:981:23 [syms_from_objfile]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1084:21 [symbol_file_add_with_addrs]
>       0x00007FF73D185E23   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1158:37 [symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1171:35 [symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>)]
>       0x00007FF73D186109   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1195:45 [symbol_file_add_main_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1186:26 [symbol_file_add_main(char const*, enum_flags<symfile_add_flag>)]
>       0x00007FF73D05C19E   C:\src\repos\binutils-gdb.git\gdb\main.c:507:15 [catch_command_errors]
>       0x00007FF73D05FF55   C:\src\repos\binutils-gdb.git\gdb\main.c:1218:29 [captured_main_1]
>       0x00007FF73D06018C   C:\src\repos\binutils-gdb.git\gdb\main.c:1329:19 [captured_main]
>                            C:\src\repos\binutils-gdb.git\gdb\main.c:1358:21 [gdb_main(captured_main_args*)]
>       0x00007FF73D86D76F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:38:19 [main]
>       0x00007FF73CE31430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>       0x00007FF73CE315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
>   freed on: '1 [17676]'
>                            [free]
>     0x00007FF73CE30000   c:\src\repos\gdb64\bin\gdb.exe
>       0x00007FF73CF46C99   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.h:689:10 [cooked_index::index_for_writing()]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:657:48 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF45E32   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:667:20 [cooked_index::set_contents(std::vector<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> >, std::allocator<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> > > >&&, deferred_warnings*, parent_map_map const*)]
>       0x00007FF73CF832D5   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4916:23 [cooked_index_debug_info::done_reading()]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF91777   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4989:17 [cooked_index_debug_info::do_reading()]
>       0x00007FF73CF45F48   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:473:13 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\thread-pool.h:159:10 [gdb::thread_pool::post_task(std::function<void ()>&&)]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:469:46 [cooked_index_worker::start()]
>       0x00007FF73CF84376   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16754:22 [start_debug_info_reader]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3262:31 [dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool)]
>       0x00007FF73CEF7B66   C:\src\repos\binutils-gdb.git\gdb\coffread.c:720:33 [coff_symfile_read]
>       0x00007FF73D184C46   C:\src\repos\binutils-gdb.git\gdb\symfile.c:772:28 [read_symbols]
>       0x00007FF73D184290   C:\src\repos\binutils-gdb.git\gdb\symfile.c:964:16 [syms_from_objfile_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:981:23 [syms_from_objfile]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1084:21 [symbol_file_add_with_addrs]
>       0x00007FF73D185E23   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1158:37 [symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1171:35 [symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>)]
>       0x00007FF73D186109   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1195:45 [symbol_file_add_main_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1186:26 [symbol_file_add_main(char const*, enum_flags<symfile_add_flag>)]
>       0x00007FF73D05C19E   C:\src\repos\binutils-gdb.git\gdb\main.c:507:15 [catch_command_errors]
>       0x00007FF73D05FF55   C:\src\repos\binutils-gdb.git\gdb\main.c:1218:29 [captured_main_1]
>       0x00007FF73D06018C   C:\src\repos\binutils-gdb.git\gdb\main.c:1329:19 [captured_main]
>                            C:\src\repos\binutils-gdb.git\gdb\main.c:1358:21 [gdb_main(captured_main_args*)]
>       0x00007FF73D86D76F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:38:19 [main]
>       0x00007FF73CE31430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>       0x00007FF73CE315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]

On Linux I can reproduce it with an ASan build, and gdb configured with
--disable-threading:

> $ gdb/gdb-test/build-asan/gdb/gdb -q comma-digits
> Reading symbols from comma-digits...
> =================================================================
> ==7310==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000002128 at pc 0x00000098794a bp 0x7ffe37e6af70 sp 0x7ffe37e6af68
> READ of size 1 at 0x614000002128 thread T0
>     #0 0x987949 in index_cache_store_context::store() const ../../gdb/dwarf2/index-cache.c:163
>     #1 0x943467 in cooked_index_worker::write_to_cache(cooked_index const*, deferred_warnings*) const ../../gdb/dwarf2/cooked-index.c:601
>     #2 0x1705e39 in std::function<void ()>::operator()() const /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:690
>     #3 0x1705e39 in gdb::task_group::impl::~impl() ../../gdbsupport/task-group.cc:38
>     #4 0x1705e39 in std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:377
>     #5 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:155
>     #6 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:148
>     #7 0x17057f3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:730
>     #8 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1169
>     #9 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1287
>     #10 0x17057f3 in gdb::task_group::start() ../../gdbsupport/task-group.cc:90
>     #11 0x9470ba in cooked_index::set_contents(std::vector<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> >, std::allocator<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> > > >&&, deferred_warnings*, parent_map_map const*) ../../gdb/dwarf2/cooked-index.c:667
>     #12 0xa40211 in cooked_index_debug_info::done_reading() ../../gdb/dwarf2/read.c:4916
>     #13 0x1705e39 in std::function<void ()>::operator()() const /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:690
>     #14 0x1705e39 in gdb::task_group::impl::~impl() ../../gdbsupport/task-group.cc:38
>     #15 0x1705e39 in std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:377
>     #16 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:155
>     #17 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:148
>     #18 0x17057f3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:730
>     #19 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1169
>     #20 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1287
>     #21 0x17057f3 in gdb::task_group::start() ../../gdbsupport/task-group.cc:90
>     #22 0xa8bffa in cooked_index_debug_info::do_reading() ../../gdb/dwarf2/read.c:4989
>     #23 0x943aee in operator() ../../gdb/dwarf2/cooked-index.c:473
>     #24 0x943aee in _M_invoke /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:300
>     #25 0x943aee in std::function<void ()>::operator()() const /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:690
>     #26 0x943aee in gdb::thread_pool::post_task(std::function<void ()>&&) ../../gdb/../gdbsupport/thread-pool.h:159
>     #27 0x943aee in cooked_index_worker::start() ../../gdb/dwarf2/cooked-index.c:482
>     #28 0xa37105 in start_debug_info_reader ../../gdb/dwarf2/read.c:16754
>     #29 0xa37105 in dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool) ../../gdb/dwarf2/read.c:3262
>     #30 0xac6c4e in elf_symfile_read_dwarf2 ../../gdb/elfread.c:1199
>     #31 0xac6c4e in elf_symfile_read ../../gdb/elfread.c:1311
>     #32 0x115162c in read_symbols ../../gdb/symfile.c:772
>     #33 0x114fb86 in syms_from_objfile_1 ../../gdb/symfile.c:964
>     #34 0x114fb86 in syms_from_objfile ../../gdb/symfile.c:981
>     #35 0x114fb86 in symbol_file_add_with_addrs ../../gdb/symfile.c:1084
>     #36 0x115501d in symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) ../../gdb/symfile.c:1158
>     #37 0x115501d in symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>) ../../gdb/symfile.c:1171
>     #38 0x1155206 in symbol_file_add_main_1 ../../gdb/symfile.c:1195
>     #39 0x11553c2 in symbol_file_add_main(char const*, enum_flags<symfile_add_flag>) ../../gdb/symfile.c:1186
>     #40 0xdd6953 in symbol_file_add_main_adapter ../../gdb/main.c:538
>     #41 0xdd6a26 in catch_command_errors ../../gdb/main.c:507
>     #42 0xddbb2c in captured_main_1 ../../gdb/main.c:1218
>     #43 0xddc5ea in captured_main ../../gdb/main.c:1329
>     #44 0xddc5ea in gdb_main(captured_main_args*) ../../gdb/main.c:1358
>     #45 0x4b3333 in main ../../gdb/gdb.c:38
>     #46 0x3ee6c1ed1f in __libc_start_main (/lib64/libc.so.6+0x3ee6c1ed1f)
>     #47 0x4e76d0  (/home/domanjoh/gdb/gdb-test/build-asan/gdb/gdb+0x4e76d0)
> 
> 0x614000002128 is located 232 bytes inside of 408-byte region [0x614000002040,0x6140000021d8)
> freed by thread T0 here:
>     #0 0x7fd75ccf8ea5 in operator delete(void*, unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:177
>     #1 0x9462e5 in cooked_index::index_for_writing() ../../gdb/dwarf2/cooked-index.h:689
>     #2 0x9462e5 in operator() ../../gdb/dwarf2/cooked-index.c:657
>     #3 0x9462e5 in _M_invoke /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:300
> 
> previously allocated by thread T0 here:
>     #0 0x7fd75ccf7a1f in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:104
>     #1 0xa36cf9 in start_debug_info_reader ../../gdb/dwarf2/read.c:16749
>     #2 0xa36cf9 in dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool) ../../gdb/dwarf2/read.c:3262
> 
> SUMMARY: AddressSanitizer: heap-use-after-free ../../gdb/dwarf2/index-cache.c:163 in index_cache_store_context::store() const
> Shadow bytes around the buggy address:
>   0x0c287fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
>   0x0c287fff8400: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c287fff8410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c287fff8420: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>   0x0c287fff8430: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c287fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==7310==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug symtab/31694] heap-use-after-free in index-cache
From: ssbssa at sourceware dot org @ 2024-05-02 14:07 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

Hannes Domani <ssbssa at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |15.1


* [Bug symtab/31694] heap-use-after-free in index-cache
From: tromey at sourceware dot org @ 2024-05-02 16:24 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

Tom Tromey <tromey at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tromey at sourceware dot org


* [Bug symtab/31694] heap-use-after-free in index-cache
From: ssbssa at sourceware dot org @ 2024-05-03 11:44 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

Hannes Domani <ssbssa at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ssbssa at sourceware dot org


* [Bug symtab/31694] heap-use-after-free in index-cache
From: ssbssa at sourceware dot org @ 2024-05-03 11:48 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

--- Comment #1 from Hannes Domani <ssbssa at sourceware dot org> ---
Created attachment 15488
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15488&action=edit
heob output as html


* [Bug symtab/31694] heap-use-after-free in index-cache
From: bernd.edlinger at hotmail dot de @ 2024-05-04  7:29 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

Bernd Edlinger <bernd.edlinger at hotmail dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernd.edlinger at hotmail dot de

--- Comment #2 from Bernd Edlinger <bernd.edlinger at hotmail dot de> ---
ed29a346be439466ff2a5ce33e715e02c49fbdac is the first bad commit
commit ed29a346be439466ff2a5ce33e715e02c49fbdac
Author: Tom Tromey <tom@tromey.com>
Date:   Sun Jan 28 09:14:04 2024 -0700

    Avoid race when writing to index cache

    The background DWARF reader changes introduced a race when writing to
    the index cache.  The problem here is that constructing the
    index_cache_store_context object should only happen on the main
    thread, to ensure that the various value captures do not race.

    This patch adds an assert to the construct to that effect, and then
    arranges for this object to be constructed by the cooked_index_worker
    constructor -- which is only invoked on the main thread.

    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31262

 gdb/dwarf2/cooked-index.c | 27 ++++++++++++---------------
 gdb/dwarf2/cooked-index.h | 15 ++++++++++-----
 gdb/dwarf2/index-cache.c  |  4 ++++
 3 files changed, 26 insertions(+), 20 deletions(-)


* [Bug symtab/31694] heap-use-after-free in index-cache
  2024-05-02 14:06 [Bug symtab/31694] New: heap-use-after-free in index-cache ssbssa at sourceware dot org
                   ` (4 preceding siblings ...)
  2024-05-04  7:29 ` bernd.edlinger at hotmail dot de
@ 2024-05-04 12:10 ` ssbssa at sourceware dot org
  2024-05-04 16:55 ` cvs-commit at gcc dot gnu.org
  2024-05-04 16:58 ` ssbssa at sourceware dot org
  7 siblings, 0 replies; 9+ messages in thread
From: ssbssa at sourceware dot org @ 2024-05-04 12:10 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

--- Comment #3 from Hannes Domani <ssbssa at sourceware dot org> ---
https://sourceware.org/pipermail/gdb-patches/2024-May/208833.html


* [Bug symtab/31694] heap-use-after-free in index-cache
  2024-05-02 14:06 [Bug symtab/31694] New: heap-use-after-free in index-cache ssbssa at sourceware dot org
                   ` (5 preceding siblings ...)
  2024-05-04 12:10 ` ssbssa at sourceware dot org
@ 2024-05-04 16:55 ` cvs-commit at gcc dot gnu.org
  2024-05-04 16:58 ` ssbssa at sourceware dot org
  7 siblings, 0 replies; 9+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-05-04 16:55 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

--- Comment #4 from Sourceware Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Hannes Domani <ssbssa@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5140d8e013b0d8ab560b1bb8c72e0a8b2e96ac4b

commit 5140d8e013b0d8ab560b1bb8c72e0a8b2e96ac4b
Author: Hannes Domani <ssbssa@yahoo.de>
Date:   Sat May 4 18:55:20 2024 +0200

    Fix heap-use-after-free in index-cache with --disable-threading

    If threads are disabled, either by --disable-threading explicitly, or by
    missing std::thread support, you get the following ASAN error when
    loading symbols:

    ==7310==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000002128 at pc 0x00000098794a bp 0x7ffe37e6af70 sp 0x7ffe37e6af68
    READ of size 1 at 0x614000002128 thread T0
        #0 0x987949 in index_cache_store_context::store() const ../../gdb/dwarf2/index-cache.c:163
        #1 0x943467 in cooked_index_worker::write_to_cache(cooked_index const*, deferred_warnings*) const ../../gdb/dwarf2/cooked-index.c:601
        #2 0x1705e39 in std::function<void ()>::operator()() const /gcc/9/include/c++/9.2.0/bits/std_function.h:690
        #3 0x1705e39 in gdb::task_group::impl::~impl() ../../gdbsupport/task-group.cc:38

    0x614000002128 is located 232 bytes inside of 408-byte region [0x614000002040,0x6140000021d8)
    freed by thread T0 here:
        #0 0x7fd75ccf8ea5 in operator delete(void*, unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:177
        #1 0x9462e5 in cooked_index::index_for_writing() ../../gdb/dwarf2/cooked-index.h:689
        #2 0x9462e5 in operator() ../../gdb/dwarf2/cooked-index.c:657
        #3 0x9462e5 in _M_invoke /gcc/9/include/c++/9.2.0/bits/std_function.h:300

    It's happening because cooked_index_worker::wait always returns true in
    this case, which tells cooked_index::wait it can delete the m_state
    cooked_index_worker member, but cooked_index_worker::write_to_cache tries
    to access it immediately afterwards.

    Fixed by making cooked_index_worker::wait only return true if desired_state
    is CACHE_DONE, same as if threading was enabled, so m_state will not be
    prematurely deleted.

    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31694
    Approved-By: Tom Tromey <tom@tromey.com>

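The lifetime mistake described in the commit message, as an added, simplified model that is not gdb's own code: the no-thread `wait()` reported "nothing to wait for" unconditionally, so the owner released `m_state` before `write_to_cache()` ran. The `fixed` flag, the `finish()` method and the `cooked_state` values other than CACHE_DONE are assumptions of this model.

```cpp
#include <memory>
#include <string>

// Simplified model of the states a cooked index passes through.
enum class cooked_state { INITIAL, FINALIZED, CACHE_DONE };

struct cooked_index_worker {
  bool fixed;  // false: pre-fix no-thread wait(), true: post-fix wait()

  // Pre-fix, the no-thread build returned true for every desired_state.
  // The fix reports completion only when the caller waits for CACHE_DONE,
  // matching the threaded build.
  bool wait (cooked_state desired_state) const {
    return fixed ? desired_state == cooked_state::CACHE_DONE : true;
  }
  std::string write_to_cache () const { return "cache written"; }
};

struct cooked_index {
  std::unique_ptr<cooked_index_worker> m_state;

  explicit cooked_index (bool fixed) : m_state (new cooked_index_worker{fixed}) {}

  // The owner drops the worker as soon as wait() says it is finished.
  void wait (cooked_state desired_state) {
    if (m_state != nullptr && m_state->wait (desired_state))
      m_state.reset ();
  }

  const cooked_index *index_for_writing () {
    wait (cooked_state::FINALIZED);
    return this;
  }

  // Mirrors the set_contents() lambda: index_for_writing() followed by
  // m_state->write_to_cache(). Instead of dereferencing a dangling pointer
  // (what ASAN caught), the model reports whether m_state is still alive.
  std::string finish () {
    const cooked_index *idx = index_for_writing ();
    if (m_state == nullptr)
      return "use-after-free: m_state deleted before write_to_cache";
    std::string result = m_state->write_to_cache ();
    (void) idx;
    wait (cooked_state::CACHE_DONE);  // worker is released only here
    return result;
  }
};
```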

* [Bug symtab/31694] heap-use-after-free in index-cache
  2024-05-02 14:06 [Bug symtab/31694] New: heap-use-after-free in index-cache ssbssa at sourceware dot org
                   ` (6 preceding siblings ...)
  2024-05-04 16:55 ` cvs-commit at gcc dot gnu.org
@ 2024-05-04 16:58 ` ssbssa at sourceware dot org
  7 siblings, 0 replies; 9+ messages in thread
From: ssbssa at sourceware dot org @ 2024-05-04 16:58 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=31694

Hannes Domani <ssbssa at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Hannes Domani <ssbssa at sourceware dot org> ---
Fixed.

