From: "ssbssa at sourceware dot org"
To: gdb-prs@sourceware.org
Subject: [Bug symtab/31697] New: heap-use-after-free in symtab
Date: Fri, 03 May 2024 11:43:50 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31697

            Bug ID: 31697
           Summary: heap-use-after-free in symtab
           Product: gdb
           Version: 14.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: symtab
          Assignee: unassigned at sourceware dot org
          Reporter: ssbssa at sourceware dot org
  Target Milestone: ---

Created attachment 15486
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15486&action=edit
valgrind log

With current gdb 14 I get a heap-use-after-free crash when 'start'ing inside
TUI triggers a file reload.
The file reload was happening because of PR31636, but it can be reproduced
when 'touch'ing the executable beforehand.

It happens with all executables when doing the steps in this order:

> $ gdb -q gdb-12213.exe
> Reading symbols from gdb-12213.exe...
> (gdb) tui enable
> ---------- TUI ----------
> (gdb) !touch gdb-12213.exe
> (gdb) start
> `C:\src\tests\gdb-12213.exe' has changed; re-reading symbols.

Here it crashes; heob tells me it's because of access to already-freed memory:

> unhandled exception code: 0xC0000005 (ACCESS_VIOLATION)
> exception on: '1 [19992]'
>     0x00007FF7DF430000   C:\src\repos\gdb64\bin\gdb.exe
>     0x00007FF7DF7B70B7   C:\src\repos\binutils-gdb.git\gdb\symtab.h:503:12 [general_symbol_info::language() const]
>                          C:\src\repos\binutils-gdb.git\gdb\symtab.c:1108:16 [general_symbol_info::search_name() const]
>                          C:\src\repos\binutils-gdb.git\gdb\symtab.c:1246:57 [eq_symbol_entry]
>                          C:\src\repos\binutils-gdb.git\gdb\symtab.c:1431:23 [symbol_cache_lookup]
>                          C:\src\repos\binutils-gdb.git\gdb\symtab.c:2573:32 [lookup_global_or_static_symbol]
>     0x00007FF7DF7B8206   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2641:38 [lookup_global_symbol(char const*, block const*, domain_enum)]
>     0x00007FF7DF7B82C5   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2473:31 [language_defn::lookup_symbol_nonlocal(char const*, block const*, domain_enum) const]
>     0x00007FF7DF7BF545   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2150:44 [lookup_symbol_aux]
>     0x00007FF7DF7BF896   C:\src\repos\binutils-gdb.git\gdb\symtab.c:1955:28 [lookup_symbol_in_language(char const*, block const*, domain_enum, language, field_of_this_result*)]
>     0x00007FF7DF7BF918   C:\src\repos\binutils-gdb.git\gdb\symtab.c:1968:36 [lookup_symbol(char const*, block const*, domain_enum, field_of_this_result*)]
>     0x00007FF7DF785F4A   C:\src\repos\binutils-gdb.git\gdb\source.c:319:37 [select_source_symtab()]
>     0x00007FF7DF80CD1D   C:\src\repos\binutils-gdb.git\gdb\tui\tui-disasm.c:401:39 [tui_get_begin_asm_address(gdbarch**, unsigned long long*)]
>     0x00007FF7DF821B2E   C:\src\repos\binutils-gdb.git\gdb\tui\tui-winsource.c:55:33 [tui_display_main()]
>     0x00007FF7DF7AC922   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function::operator()(program_space*) const]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\observable.h:166:9 [gdb::observers::observable::notify(program_space*) const]
>                          C:\src\repos\binutils-gdb.git\gdb\symfile.c:2918:47 [clear_symtab_users(enum_flags)]
>     0x00007FF7DF7AE61C   C:\src\repos\binutils-gdb.git\gdb\symfile.c:2690:26 [reread_symbols(int)]
>     0x00007FF7DF63E8F3   C:\src\repos\binutils-gdb.git\gdb\infcmd.c:398:18 [run_command_1]
>     0x00007FF7DF4EE4C5   C:\src\repos\binutils-gdb.git\gdb\cli\cli-decode.c:2735:17 [cmd_func(cmd_list_element*, char const*, int)]
>     0x00007FF7DF7FA2E0   C:\src\repos\binutils-gdb.git\gdb\top.c:575:11 [execute_command(char const*, int)]
>     0x00007FF7DF5C16EE   C:\src\repos\binutils-gdb.git\gdb\event-top.c:552:23 [command_handler(char const*)]
>     0x00007FF7DF5C29D7   C:\src\repos\binutils-gdb.git\gdb\event-top.c:788:23 [command_line_handler(std::unique_ptr>&&)]
>     0x00007FF7DF5C2075   C:\src\repos\binutils-gdb.git\gdb\event-top.c:259:25 [gdb_rl_callback_handler]
>     0x00007FF7DF87B484   C:\src\repos\binutils-gdb.git\readline\readline\callback.c:290:5 [rl_callback_read_char]
>     0x00007FF7DF5C122D   C:\src\repos\binutils-gdb.git\gdb\event-top.c:195:29 [gdb_rl_callback_read_char_wrapper_noexcept]
>     0x00007FF7DF5C1F23   C:\src\repos\binutils-gdb.git\gdb\event-top.c:234:51 [gdb_rl_callback_read_char_wrapper]
>     0x00007FF7DF82A4CD   C:\src\repos\binutils-gdb.git\gdb\ui.c:155:22 [stdin_event_handler]
>     0x00007FF7DF980EDA   C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:573:22 [handle_file_event]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:716:25 [gdb_wait_for_event]
>     0x00007FF7DF9818DC   C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:593:3 [gdb_wait_for_event]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:264:29 [gdb_do_one_event(int)]
>     0x00007FF7DF683E21   C:\src\repos\binutils-gdb.git\gdb\main.c:407:30 [start_event_loop]
>                          C:\src\repos\binutils-gdb.git\gdb\main.c:471:20 [captured_command_loop]
>     0x00007FF7DF6878F4   C:\src\repos\binutils-gdb.git\gdb\main.c:1324:26 [captured_main]
>                          C:\src\repos\binutils-gdb.git\gdb\main.c:1343:21 [gdb_main(captured_main_args*)]
>     0x00007FF7DFE5D44F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:39:19 [main]
>     0x00007FF7DF431430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>     0x00007FF7DF4315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
> read access violation at 0x0000014125ED0A68
> freed block 0x0000014125ED0020 (size 4064, offset +2632)
> allocated on: (#10393) '1 [19992]'
>     [malloc]
>     0x00007FF7DF430000   C:\src\repos\gdb64\bin\gdb.exe
>     0x00007FF7DF4640AB   C:\src\repos\binutils-gdb.git\gdb\alloc.c:57:16 [xmalloc]
>     0x00007FF7DF96D000   C:\src\repos\binutils-gdb.git\libiberty\obstack.c:94:12 [call_chunkfun]
>                          C:\src\repos\binutils-gdb.git\libiberty\obstack.c:206:43 [_obstack_newchunk]
>     0x00007FF7DF5A730C   C:\src\repos\binutils-gdb.git\gdbsupport\gdb_obstack.h:144:12 [allocate_on_obstack::operator new(unsigned long long, obstack*)]
>                          C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:19004:40 [new_symbol]
>     0x00007FF7DF5AA5BD   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:6718:18 [process_die]
>     0x00007FF7DF5AA6F8   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:7686:16 [read_file_scope]
>                          C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:6658:23 [process_die]
>     0x00007FF7DF5AFEE2   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:6422:15 [process_full_comp_unit]
>                          C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:5696:26 [process_queue]
>                          C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:1770:19 [dw2_do_instantiate_symtab]
>                          C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:1792:33 [dw2_instantiate_symtab]
>     0x00007FF7DF5B0663   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3042:27 [dw2_expand_symtabs_matching_one(dwarf2_per_cu_data*, dwarf2_per_objfile*, gdb::function_view, gdb::function_view<bool (compunit_symtab*)>)]
>     0x00007FF7DF5B0EFE   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16954:41 [cooked_index_functions::expand_symtabs_matching(objfile*, gdb::function_view, lookup_name_info const*, gdb::function_view, gdb::function_view, enum_flags, domain_enum, search_domain)]
>     0x00007FF7DF7A6865   C:\src\repos\binutils-gdb.git\gdb\symfile-debug.c:285:42 [objfile::lookup_symbol(block_enum, char const*, domain_enum)]
>     0x00007FF7DF7B594C   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2411:33 [lookup_symbol_via_quick_fns]
>                          C:\src\repos\binutils-gdb.git\gdb\symtab.c:2542:40 [lookup_symbol_in_objfile]
>     0x00007FF7DF7B5AD4   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2588:39 [operator()]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\function-view.h:305:33 [operator()]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\function-view.h:299:17 [_FUN]
>     0x00007FF7DF85DF6D   C:\src\repos\binutils-gdb.git\gdbsupport\function-view.h:289:12 [gdb::function_view::operator()(objfile*) const]
>                          C:\src\repos\binutils-gdb.git\gdb\windows-tdep.c:586:9 [windows_iterate_over_objfiles_in_search_order]
>     0x00007FF7DF47FBD4   C:\src\repos\binutils-gdb.git\gdb\gdbarch.c:5078:50 [gdbarch_iterate_over_objfiles_in_search_order(gdbarch*, gdb::function_view, objfile*)]
>     0x00007FF7DF7B700A   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2585:7 [lookup_global_or_static_symbol]
>     0x00007FF7DF7B8206   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2641:38 [lookup_global_symbol(char const*, block const*, domain_enum)]
>     0x00007FF7DF7B82C5   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2473:31 [language_defn::lookup_symbol_nonlocal(char const*, block const*, domain_enum) const]
>     0x00007FF7DF7BF545   C:\src\repos\binutils-gdb.git\gdb\symtab.c:2150:44 [lookup_symbol_aux]
>     0x00007FF7DF7BF896   C:\src\repos\binutils-gdb.git\gdb\symtab.c:1955:28 [lookup_symbol_in_language(char const*, block const*, domain_enum, language, field_of_this_result*)]
>     0x00007FF7DF7BF918   C:\src\repos\binutils-gdb.git\gdb\symtab.c:1968:36 [lookup_symbol(char const*, block const*, domain_enum, field_of_this_result*)]
>     0x00007FF7DF785F4A   C:\src\repos\binutils-gdb.git\gdb\source.c:319:37 [select_source_symtab()]
>     0x00007FF7DF80CD1D   C:\src\repos\binutils-gdb.git\gdb\tui\tui-disasm.c:401:39 [tui_get_begin_asm_address(gdbarch**, unsigned long long*)]
>     0x00007FF7DF821B2E   C:\src\repos\binutils-gdb.git\gdb\tui\tui-winsource.c:55:33 [tui_display_main()]
>     0x00007FF7DF823C4C   C:\src\repos\binutils-gdb.git\gdb\tui\tui.c:499:22 [tui_enable()]
>     0x00007FF7DF8240C1   C:\src\repos\binutils-gdb.git\gdb\tui\tui.c:123:15 [tui_rl_switch_mode]
>     0x00007FF7DF864A46   C:\src\repos\binutils-gdb.git\readline\readline\readline.c:892:9 [_rl_dispatch_subseq]
>     0x00007FF7DF86551D   C:\src\repos\binutils-gdb.git\readline\readline\readline.c:801:11 [_rl_dispatch_callback]
>     0x00007FF7DF87B5CE   C:\src\repos\binutils-gdb.git\readline\readline\callback.c:233:10 [rl_callback_read_char]
>     0x00007FF7DF5C122D   C:\src\repos\binutils-gdb.git\gdb\event-top.c:195:29 [gdb_rl_callback_read_char_wrapper_noexcept]
>     0x00007FF7DF5C1F23   C:\src\repos\binutils-gdb.git\gdb\event-top.c:234:51 [gdb_rl_callback_read_char_wrapper]
>     0x00007FF7DF82A4CD   C:\src\repos\binutils-gdb.git\gdb\ui.c:155:22 [stdin_event_handler]
>     0x00007FF7DF980EDA   C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:573:22 [handle_file_event]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:716:25 [gdb_wait_for_event]
>     0x00007FF7DF9818DC   C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:593:3 [gdb_wait_for_event]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:264:29 [gdb_do_one_event(int)]
>     0x00007FF7DF683E21   C:\src\repos\binutils-gdb.git\gdb\main.c:407:30 [start_event_loop]
>                          C:\src\repos\binutils-gdb.git\gdb\main.c:471:20 [captured_command_loop]
>     0x00007FF7DF6878F4   C:\src\repos\binutils-gdb.git\gdb\main.c:1324:26 [captured_main]
>                          C:\src\repos\binutils-gdb.git\gdb\main.c:1343:21 [gdb_main(captured_main_args*)]
>     0x00007FF7DFE5D44F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:39:19 [main]
>     0x00007FF7DF431430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>     0x00007FF7DF4315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
> freed on: '1 [19992]'
>     [free]
>     0x00007FF7DF430000   C:\src\repos\gdb64\bin\gdb.exe
>     0x00007FF7DF96D151   C:\src\repos\binutils-gdb.git\libiberty\obstack.c:103:5 [call_freefun]
>                          C:\src\repos\binutils-gdb.git\libiberty\obstack.c:280:7 [_obstack_free]
>     0x00007FF7DF7AEADE   C:\src\repos\binutils-gdb.git\gdb\symfile.c:2579:4 [reread_symbols(int)]
>     0x00007FF7DF63E8F3   C:\src\repos\binutils-gdb.git\gdb\infcmd.c:398:18 [run_command_1]
>     0x00007FF7DF4EE4C5   C:\src\repos\binutils-gdb.git\gdb\cli\cli-decode.c:2735:17 [cmd_func(cmd_list_element*, char const*, int)]
>     0x00007FF7DF7FA2E0   C:\src\repos\binutils-gdb.git\gdb\top.c:575:11 [execute_command(char const*, int)]
>     0x00007FF7DF5C16EE   C:\src\repos\binutils-gdb.git\gdb\event-top.c:552:23 [command_handler(char const*)]
>     0x00007FF7DF5C29D7   C:\src\repos\binutils-gdb.git\gdb\event-top.c:788:23 [command_line_handler(std::unique_ptr>&&)]
>     0x00007FF7DF5C2075   C:\src\repos\binutils-gdb.git\gdb\event-top.c:259:25 [gdb_rl_callback_handler]
>     0x00007FF7DF87B484   C:\src\repos\binutils-gdb.git\readline\readline\callback.c:290:5 [rl_callback_read_char]
>     0x00007FF7DF5C122D   C:\src\repos\binutils-gdb.git\gdb\event-top.c:195:29 [gdb_rl_callback_read_char_wrapper_noexcept]
>     0x00007FF7DF5C1F23   C:\src\repos\binutils-gdb.git\gdb\event-top.c:234:51 [gdb_rl_callback_read_char_wrapper]
>     0x00007FF7DF82A4CD   C:\src\repos\binutils-gdb.git\gdb\ui.c:155:22 [stdin_event_handler]
>     0x00007FF7DF980EDA   C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:573:22 [handle_file_event]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:716:25 [gdb_wait_for_event]
>     0x00007FF7DF9818DC   C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:593:3 [gdb_wait_for_event]
>                          C:\src\repos\binutils-gdb.git\gdbsupport\event-loop.cc:264:29 [gdb_do_one_event(int)]
>     0x00007FF7DF683E21   C:\src\repos\binutils-gdb.git\gdb\main.c:407:30 [start_event_loop]
>                          C:\src\repos\binutils-gdb.git\gdb\main.c:471:20 [captured_command_loop]
>     0x00007FF7DF6878F4   C:\src\repos\binutils-gdb.git\gdb\main.c:1324:26 [captured_main]
>                          C:\src\repos\binutils-gdb.git\gdb\main.c:1343:21 [gdb_main(captured_main_args*)]
>     0x00007FF7DFE5D44F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:39:19 [main]
>     0x00007FF7DF431430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>     0x00007FF7DF4315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]

I see the same when I use valgrind on linux; the log is attached.
Note that I can't confirm if this bug also exists on master, since there gdb
crashes much earlier because of PR31694.

-- 