From: "ssbssa at sourceware dot org" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug symtab/31697] New: heap-use-after-free in symtab
Date: Fri, 03 May 2024 11:43:50 +0000
Message-ID: <bug-31697-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=31697

            Bug ID: 31697
           Summary: heap-use-after-free in symtab
           Product: gdb
           Version: 14.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: symtab
          Assignee: unassigned at sourceware dot org
          Reporter: ssbssa at sourceware dot org
  Target Milestone: ---

Created attachment 15486
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15486&action=edit
valgrind log

With current gdb 14 I get a heap-use-after-free crash when 'start'ing inside
TUI triggers a file reload.
The file reload was happening because of PR31636, but can be reproduced when
'touch'ing the executable beforehand.

It happens with all executables when doing the steps in this order:
> $ gdb -q gdb-12213.exe
> Reading symbols from gdb-12213.exe...
> (gdb) tui enable
> ---------- TUI ----------
> (gdb) !touch gdb-12213.exe
> (gdb) start
> `C:\src\tests\gdb-12213.exe' has changed; re-reading symbols.
Here it crashes; heob tells me it's because of access to already-freed memory:
> unhandled exception code: 0xC0000005 (ACCESS_VIOLATION)
> exception on: '1 [19992]'
> 0x00007FF7DF430000 C:\src\repos\gdb64\bin\gdb.exe
> 0x00007FF7DF7B70B7 C:\src\repos\binutils-gdb.git\gdb\symtab.h:503:12 [general_symbol_info::language() const]
> C:\src\repos\binutils-gdb.git\gdb\symtab.c:1108:16 [general_symbol_info::search_name() const]
> C:\src\repos\binutils-gdb.git\gdb\symtab.c:1246:57 [eq_symbol_entry]
> C:\src\repos\binutils-gdb.git\gdb\symtab.c:1431:23 [symbol_cache_lookup]
> C:\src\repos\binutils-gdb.git\gdb\symtab.c:2573:32 [lookup_global_or_static_symbol]
> 0x00007FF7DF7B8206 C:\src\repos\binutils-gdb.git\gdb\symtab.c:2641:38 [lookup_global_symbol(char const*, block const*, domain_enum)]
> 0x00007FF7DF7B82C5 C:\src\repos\binutils-gdb.git\gdb\symtab.c:2473:31 [language_defn::lookup_symbol_nonlocal(char const*, block const*, domain_enum) const]
> 0x00007FF7DF7BF545 C:\src\repos\binutils-gdb.git\gdb\symtab.c:2150:44 [lookup_symbol_aux]
> 0x00007FF7DF7BF896 C:\src\repos\binutils-gdb.git\gdb\symtab.c:1955:28 [lookup_symbol_in_language(char const*, block const*, domain_enum, language, field_of_this_result*)]
> 0x00007FF7DF7BF918 C:\src\repos\binutils-gdb.git\gdb\symtab.c:1968:36 [lookup_symbol(char const*, block const*, domain_enum, field_of_this_result*)]
> 0x00007FF7DF785F4A C:\src\repos\binutils-gdb.git\gdb\source.c:319:37 [select_source_symtab()]
> 0x00007FF7DF80CD1D C:\src\repos\binutils-gdb.git\gdb\tui\tui-disasm.c:401:39 [tui_get_begin_asm_address(gdbarch**, unsigned long long*)]
> 0x00007FF7DF821B2E C:\src\repos\binutils-gdb.git\gdb\tui\tui-winsource.c:55:33 [tui_display_main()]
> 0x00007FF7DF7AC922 c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void (program_space*)>::operator()(program_space*) const]
> C:\src\repos\binutils-gdb.git\gdbsupport\observable.h:166:9 [gdb::observers::observable<program_space*>::notify(program_space*) const]
> C:\src\repos\binutils-gdb.git\gdb\symfile.c:2918:47 [clear_symtab_users(enum_flags<symfile_add_flag>)]
> 0x00007FF7DF7AE61C C:\src\repos\binutils-gdb.git\gdb\symfile.c:2690:26 [reread_symbols(int)]
> 0x00007FF7DF63E8F3 C:\src\repos\binutils-gdb.git\gdb\infcmd.c:398:18 [run_command_1]
> 0x00007FF7DF4EE4C5 C:\src\repos\binutils-gdb.git\gdb\cli\cli-decode.c:2735:17 [cmd_func(cmd_list_element*, char const*, int)]
> 0x00007FF7DF7FA2E0 C:\src\repos\binutils-gdb.git\gdb\top.c:575:11 [execute_command(char const*, int)]
> 0x00007FF7DF5C16EE C:\src\repos\binutils-gdb.git\gdb\event-top.c:552:23 [command_handler(char const*)]
> 0x00007FF7DF5C29D7 C:\src\repos\binutils-gdb.git\gdb\event-top.c:788:23 [command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&)]
> 0x00007FF7DF5C2075 C:\src\repos\binutils-gdb.git\gdb\event-top.c:259:25 [gdb_rl_callback_handler]
> 0x00007FF7DF87B484 C:\src\repos\binutils-gdb.git\readline\readline\callback.c:290:5 [rl_callback_read_char]
> 0x00007FF7DF5C122D C:\src\repos\binutils-gdb.git\gdb\event-top.c:195:29 [gdb_rl_callback_read_char_wrapper_noexcept]
> 0x00007FF7DF5C1F23 C:\src\repos\binutils-gdb.git\gdb\event-top.c:234:51 [gdb_rl_callback_read_char_wrapper]
> 0x00007FF7DF82A4CD C:\src\repos\binutils-gdb.git\gdb\ui.c:155:22 [stdin_event_handler]
> 0x00007FF7DF980EDA C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:573:22 [handle_file_event]
> C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:716:25 [gdb_wait_for_event]
> 0x00007FF7DF9818DC C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:593:3 [gdb_wait_for_event]
> C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:264:29 [gdb_do_one_event(int)]
> 0x00007FF7DF683E21 C:\src\repos\binutils-gdb.git\gdb\main.c:407:30 [start_event_loop]
> C:\src\repos\binutils-gdb.git\gdb\main.c:471:20 [captured_command_loop]
> 0x00007FF7DF6878F4 C:\src\repos\binutils-gdb.git\gdb\main.c:1324:26 [captured_main]
> C:\src\repos\binutils-gdb.git\gdb\main.c:1343:21 [gdb_main(captured_main_args*)]
> 0x00007FF7DFE5D44F C:\src\repos\binutils-gdb.git\gdb\gdb.c:39:19 [main]
> 0x00007FF7DF431430 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
> 0x00007FF7DF4315B5 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
> read access violation at 0x0000014125ED0A68
> freed block 0x0000014125ED0020 (size 4064, offset +2632)
> allocated on: (#10393) '1 [19992]'
> [malloc]
> 0x00007FF7DF430000 C:\src\repos\gdb64\bin\gdb.exe
> 0x00007FF7DF4640AB C:\src\repos\binutils-gdb.git\gdb\alloc.c:57:16 [xmalloc]
> 0x00007FF7DF96D000 C:\src\repos\binutils-gdb.git\libiberty\obstack.c:94:12 [call_chunkfun]
> C:\src\repos\binutils-gdb.git\libiberty\obstack.c:206:43 [_obstack_newchunk]
> 0x00007FF7DF5A730C C:\src\repos\binutils-gdb.git\gdbsupport\gdb_obstack.h:144:12 [allocate_on_obstack::operator new(unsigned long long, obstack*)]
> C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:19004:40 [new_symbol]
> 0x00007FF7DF5AA5BD C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:6718:18 [process_die]
> 0x00007FF7DF5AA6F8 C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:7686:16 [read_file_scope]
> C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:6658:23 [process_die]
> 0x00007FF7DF5AFEE2 C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:6422:15 [process_full_comp_unit]
> C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:5696:26 [process_queue]
> C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:1770:19 [dw2_do_instantiate_symtab]
> C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:1792:33 [dw2_instantiate_symtab]
> 0x00007FF7DF5B0663 C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3042:27 [dw2_expand_symtabs_matching_one(dwarf2_per_cu_data*, dwarf2_per_objfile*, gdb::function_view<bool (char const*, bool)>, gdb::function_view<bool (compunit_symtab*)>)]
> 0x00007FF7DF5B0EFE C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16954:41 [cooked_index_functions::expand_symtabs_matching(objfile*, gdb::function_view<bool (char const*, bool)>, lookup_name_info const*, gdb::function_view<bool (char const*)>, gdb::function_view<bool (compunit_symtab*)>, enum_flags<block_search_flag_values>, domain_enum, search_domain)]
> 0x00007FF7DF7A6865 C:\src\repos\binutils-gdb.git\gdb\symfile-debug.c:285:42 [objfile::lookup_symbol(block_enum, char const*, domain_enum)]
> 0x00007FF7DF7B594C C:\src\repos\binutils-gdb.git\gdb\symtab.c:2411:33 [lookup_symbol_via_quick_fns]
> C:\src\repos\binutils-gdb.git\gdb\symtab.c:2542:40 [lookup_symbol_in_objfile]
> 0x00007FF7DF7B5AD4 C:\src\repos\binutils-gdb.git\gdb\symtab.c:2588:39 [operator()]
> C:\src\repos\binutils-gdb.git\gdbsupport\function-view.h:305:33 [operator()]
> C:\src\repos\binutils-gdb.git\gdbsupport\function-view.h:299:17 [_FUN]
> 0x00007FF7DF85DF6D C:\src\repos\binutils-gdb.git\gdbsupport\function-view.h:289:12 [gdb::function_view<bool (objfile*)>::operator()(objfile*) const]
> C:\src\repos\binutils-gdb.git\gdb\windows-tdep.c:586:9 [windows_iterate_over_objfiles_in_search_order]
> 0x00007FF7DF47FBD4 C:\src\repos\binutils-gdb.git\gdb\gdbarch.c:5078:50 [gdbarch_iterate_over_objfiles_in_search_order(gdbarch*, gdb::function_view<bool (objfile*)>, objfile*)]
> 0x00007FF7DF7B700A C:\src\repos\binutils-gdb.git\gdb\symtab.c:2585:7 [lookup_global_or_static_symbol]
> 0x00007FF7DF7B8206 C:\src\repos\binutils-gdb.git\gdb\symtab.c:2641:38 [lookup_global_symbol(char const*, block const*, domain_enum)]
> 0x00007FF7DF7B82C5 C:\src\repos\binutils-gdb.git\gdb\symtab.c:2473:31 [language_defn::lookup_symbol_nonlocal(char const*, block const*, domain_enum) const]
> 0x00007FF7DF7BF545 C:\src\repos\binutils-gdb.git\gdb\symtab.c:2150:44 [lookup_symbol_aux]
> 0x00007FF7DF7BF896 C:\src\repos\binutils-gdb.git\gdb\symtab.c:1955:28 [lookup_symbol_in_language(char const*, block const*, domain_enum, language, field_of_this_result*)]
> 0x00007FF7DF7BF918 C:\src\repos\binutils-gdb.git\gdb\symtab.c:1968:36 [lookup_symbol(char const*, block const*, domain_enum, field_of_this_result*)]
> 0x00007FF7DF785F4A C:\src\repos\binutils-gdb.git\gdb\source.c:319:37 [select_source_symtab()]
> 0x00007FF7DF80CD1D C:\src\repos\binutils-gdb.git\gdb\tui\tui-disasm.c:401:39 [tui_get_begin_asm_address(gdbarch**, unsigned long long*)]
> 0x00007FF7DF821B2E C:\src\repos\binutils-gdb.git\gdb\tui\tui-winsource.c:55:33 [tui_display_main()]
> 0x00007FF7DF823C4C C:\src\repos\binutils-gdb.git\gdb\tui\tui.c:499:22 [tui_enable()]
> 0x00007FF7DF8240C1 C:\src\repos\binutils-gdb.git\gdb\tui\tui.c:123:15 [tui_rl_switch_mode]
> 0x00007FF7DF864A46 C:\src\repos\binutils-gdb.git\readline\readline\readline.c:892:9 [_rl_dispatch_subseq]
> 0x00007FF7DF86551D C:\src\repos\binutils-gdb.git\readline\readline\readline.c:801:11 [_rl_dispatch_callback]
> 0x00007FF7DF87B5CE C:\src\repos\binutils-gdb.git\readline\readline\callback.c:233:10 [rl_callback_read_char]
> 0x00007FF7DF5C122D C:\src\repos\binutils-gdb.git\gdb\event-top.c:195:29 [gdb_rl_callback_read_char_wrapper_noexcept]
> 0x00007FF7DF5C1F23 C:\src\repos\binutils-gdb.git\gdb\event-top.c:234:51 [gdb_rl_callback_read_char_wrapper]
> 0x00007FF7DF82A4CD C:\src\repos\binutils-gdb.git\gdb\ui.c:155:22 [stdin_event_handler]
> 0x00007FF7DF980EDA C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:573:22 [handle_file_event]
> C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:716:25 [gdb_wait_for_event]
> 0x00007FF7DF9818DC C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:593:3 [gdb_wait_for_event]
> C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:264:29 [gdb_do_one_event(int)]
> 0x00007FF7DF683E21 C:\src\repos\binutils-gdb.git\gdb\main.c:407:30 [start_event_loop]
> C:\src\repos\binutils-gdb.git\gdb\main.c:471:20 [captured_command_loop]
> 0x00007FF7DF6878F4 C:\src\repos\binutils-gdb.git\gdb\main.c:1324:26 [captured_main]
> C:\src\repos\binutils-gdb.git\gdb\main.c:1343:21 [gdb_main(captured_main_args*)]
> 0x00007FF7DFE5D44F C:\src\repos\binutils-gdb.git\gdb\gdb.c:39:19 [main]
> 0x00007FF7DF431430 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
> 0x00007FF7DF4315B5 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
> freed on: '1 [19992]'
> [free]
> 0x00007FF7DF430000 C:\src\repos\gdb64\bin\gdb.exe
> 0x00007FF7DF96D151 C:\src\repos\binutils-gdb.git\libiberty\obstack.c:103:5 [call_freefun]
> C:\src\repos\binutils-gdb.git\libiberty\obstack.c:280:7 [_obstack_free]
> 0x00007FF7DF7AEADE C:\src\repos\binutils-gdb.git\gdb\symfile.c:2579:4 [reread_symbols(int)]
> 0x00007FF7DF63E8F3 C:\src\repos\binutils-gdb.git\gdb\infcmd.c:398:18 [run_command_1]
> 0x00007FF7DF4EE4C5 C:\src\repos\binutils-gdb.git\gdb\cli\cli-decode.c:2735:17 [cmd_func(cmd_list_element*, char const*, int)]
> 0x00007FF7DF7FA2E0 C:\src\repos\binutils-gdb.git\gdb\top.c:575:11 [execute_command(char const*, int)]
> 0x00007FF7DF5C16EE C:\src\repos\binutils-gdb.git\gdb\event-top.c:552:23 [command_handler(char const*)]
> 0x00007FF7DF5C29D7 C:\src\repos\binutils-gdb.git\gdb\event-top.c:788:23 [command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&)]
> 0x00007FF7DF5C2075 C:\src\repos\binutils-gdb.git\gdb\event-top.c:259:25 [gdb_rl_callback_handler]
> 0x00007FF7DF87B484 C:\src\repos\binutils-gdb.git\readline\readline\callback.c:290:5 [rl_callback_read_char]
> 0x00007FF7DF5C122D C:\src\repos\binutils-gdb.git\gdb\event-top.c:195:29 [gdb_rl_callback_read_char_wrapper_noexcept]
> 0x00007FF7DF5C1F23 C:\src\repos\binutils-gdb.git\gdb\event-top.c:234:51 [gdb_rl_callback_read_char_wrapper]
> 0x00007FF7DF82A4CD C:\src\repos\binutils-gdb.git\gdb\ui.c:155:22 [stdin_event_handler]
> 0x00007FF7DF980EDA C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:573:22 [handle_file_event]
> C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:716:25 [gdb_wait_for_event]
> 0x00007FF7DF9818DC C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:593:3 [gdb_wait_for_event]
> C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:264:29 [gdb_do_one_event(int)]
> 0x00007FF7DF683E21 C:\src\repos\binutils-gdb.git\gdb\main.c:407:30 [start_event_loop]
> C:\src\repos\binutils-gdb.git\gdb\main.c:471:20 [captured_command_loop]
> 0x00007FF7DF6878F4 C:\src\repos\binutils-gdb.git\gdb\main.c:1324:26 [captured_main]
> C:\src\repos\binutils-gdb.git\gdb\main.c:1343:21 [gdb_main(captured_main_args*)]
> 0x00007FF7DFE5D44F C:\src\repos\binutils-gdb.git\gdb\gdb.c:39:19 [main]
> 0x00007FF7DF431430 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
> 0x00007FF7DF4315B5 C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]

I see the same when I use valgrind on Linux; the log is attached.

Note that I can't confirm if this bug also exists on master, since there gdb
crashes much earlier because of PR31694.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
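The heob output above has the shape of a classic dangling-cache use-after-free: the block is freed from reread_symbols via _obstack_free (symfile.c:2579), and before any new symbols exist clear_symtab_users notifies observers, the TUI observer runs tui_display_main, and symbol_cache_lookup compares names through a cached symbol pointer that still points into the freed obstack chunk (eq_symbol_entry -> search_name -> language). The following C program is an added example and not gdb code: it models that ordering with a bump arena standing in for the objfile obstack and a raw-pointer lookup cache standing in for gdb's symbol_cache, and counts the stale cache entries an observer touches instead of dereferencing them (which is where the real gdb faults). All names in it (arena, symcache, objfile_model, tui_observer, run_reread) are this example's own, and the "flush cache before notify" ordering it contrasts is the generic remedy for this pattern, not a claim about how the bug was fixed in gdb.

```c
/* Added example, not gdb code: a model of a lookup cache holding raw
   pointers into a per-objfile arena that is freed, and then consulted by an
   observer, before it is flushed.  Names here are this example's own. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SYMS    8
#define CACHE_SLOTS 8
#define ARENA_SIZE  1024

struct symbol { char name[32]; int language; };

/* Bump allocator over one malloc'd block (stand-in for the objfile obstack).
   lo/hi remember the range of the last freed block so a pointer can be
   classified as dangling without being dereferenced; debugging aid only. */
struct arena { unsigned char *base; size_t used; uintptr_t lo, hi; };

/* Stand-in for a symbol lookup cache: raw pointers into the arena. */
struct symcache { struct symbol *sym[CACHE_SLOTS]; int n; };

struct objfile_model {
  struct arena arena;
  struct symbol *syms[MAX_SYMS]; int nsyms;   /* the symbol table proper */
  struct symcache cache;
};

static void arena_init(struct arena *a) {
  a->base = malloc(ARENA_SIZE); assert(a->base != NULL);
  a->used = 0; a->lo = a->hi = 0;
}
static void *arena_alloc(struct arena *a, size_t n) {
  assert(a->used + n <= ARENA_SIZE);
  void *p = a->base + a->used; a->used += n; return p;
}
static void arena_free(struct arena *a) {       /* cf. obstack_free in reread */
  a->lo = (uintptr_t)a->base; a->hi = a->lo + ARENA_SIZE;
  free(a->base); a->base = NULL; a->used = 0;
}
static bool arena_dangling(const struct arena *a, const void *p) {
  uintptr_t u = (uintptr_t)p; return a->lo != 0 && u >= a->lo && u < a->hi;
}

static void objfile_add_symbol(struct objfile_model *of, const char *name) {
  struct symbol *s = arena_alloc(&of->arena, sizeof *s);
  snprintf(s->name, sizeof s->name, "%s", name); s->language = 1;
  assert(of->nsyms < MAX_SYMS); of->syms[of->nsyms++] = s;
}

/* The match test reads through the cached pointer (cf. symbol_cache_lookup
   -> eq_symbol_entry -> search_name()).  A dangling entry is counted here
   instead of dereferenced. */
static struct symbol *lookup_symbol(struct objfile_model *of, const char *name, int *stale) {
  for (int i = 0; i < of->cache.n; i++) {
    struct symbol *s = of->cache.sym[i];
    if (arena_dangling(&of->arena, s)) { (*stale)++; continue; }
    if (strcmp(s->name, name) == 0) return s;
  }
  for (int i = 0; i < of->nsyms; i++)
    if (strcmp(of->syms[i]->name, name) == 0) {
      if (of->cache.n < CACHE_SLOTS) of->cache.sym[of->cache.n++] = of->syms[i];
      return of->syms[i];
    }
  return NULL;
}

/* cf. clear_symtab_users -> observer notify -> tui_display_main -> lookup */
static void tui_observer(struct objfile_model *of, int *stale) {
  lookup_symbol(of, "main", stale);
}

/* Returns how many stale cache entries the observer touched.  0 means the
   cache was flushed before the notification went out. */
static int run_reread(bool flush_cache_before_notify) {
  struct objfile_model of = {0};
  int stale = 0;
  arena_init(&of.arena);
  objfile_add_symbol(&of, "main");
  objfile_add_symbol(&of, "helper");
  lookup_symbol(&of, "main", &stale);    /* populate the cache, as 'tui enable' did */
  lookup_symbol(&of, "helper", &stale);

  /* Reread: the executable changed, so drop the old symbols ... */
  arena_free(&of.arena); of.nsyms = 0;
  if (flush_cache_before_notify) of.cache.n = 0;
  /* ... and tell the UI, which immediately looks "main" up again. */
  tui_observer(&of, &stale);

  /* Only afterwards is the new file read in. */
  arena_init(&of.arena);
  objfile_add_symbol(&of, "main");
  if (flush_cache_before_notify)
    assert(lookup_symbol(&of, "main", &stale) != NULL);   /* cache refills cleanly */

  of.cache.n = 0; arena_free(&of.arena);
  return stale;
}

int main(void) {
  printf("cache kept across reread:    %d stale entries touched\n", run_reread(false));
  printf("cache flushed before notify: %d stale entries touched\n", run_reread(true));
  return 0;
}
```

The observer in the buggy ordering touches every cached entry because all of them point into the block that was just released; in the real trace that is the read at offset +2632 of the freed 4064-byte obstack chunk. Under AddressSanitizer or valgrind the dereference itself is what gets reported; the range check in this model only exists so the program stays deterministic without a sanitizer.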
Thread overview: 12+ messages
2024-05-03 11:43 ssbssa at sourceware dot org [this message]
2024-05-03 11:44 ` [Bug symtab/31697] heap-use-after-free in symtab ssbssa at sourceware dot org
2024-05-03 11:46 ` ssbssa at sourceware dot org
2024-05-03 12:20 ` vries at gcc dot gnu.org
2024-05-03 12:31 ` vries at gcc dot gnu.org
2024-05-03 12:40 ` vries at gcc dot gnu.org
2024-05-03 12:49 ` vries at gcc dot gnu.org
2024-05-03 13:14 ` ssbssa at sourceware dot org
2024-05-04 12:11 ` ssbssa at sourceware dot org
2024-05-07 17:30 ` cvs-commit at gcc dot gnu.org
2024-05-07 17:32 ` ssbssa at sourceware dot org
2024-05-08 15:01 ` cvs-commit at gcc dot gnu.org