From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
	id 0C7AF3858C50; Thu, 30 May 2024 12:22:49 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 0C7AF3858C50
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1717071770;
	bh=qweq/f/7gWngDYvqlQhapIrZMigWreRRZAUAco6N6pA=;
	h=From:To:Subject:Date:From;
	b=f3fRY49Pij2LHGi9ZBFpWdf2YJcVF/IHvb3+Ds56sNKrfeb8NbSAsLPEIMd1GvDO1
	 2Q45JHYX4DhcOMZxL4YAG5o3ozddv7TExztExhKLlSVO4JO7bId//M+wZQwz703CQ3
	 GelzXzTJ3t4o0zI17fPUr/Mf6ohO9Rc4UlwGVSuk=
From: "jonessyue at qnap dot com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug gdb/31820] New: segfault when target_stack::push > t->stratum
 ()
Date: Thu, 30 May 2024 12:22:49 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gdb
X-Bugzilla-Component: gdb
X-Bugzilla-Version: 14.1
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jonessyue at qnap dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter target_milestone
Message-ID: <bug-31820-4717@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <gdb-prs.sourceware.org>

https://sourceware.org/bugzilla/show_bug.cgi?id=3D31820

            Bug ID: 31820
           Summary: segfault when target_stack::push > t->stratum ()
           Product: gdb
           Version: 14.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: jonessyue at qnap dot com
  Target Milestone: ---

cross toolchain: gcc-5.3.1, glibc-2.23, aarch64-linux-gnu-g++

When run gdb-14.2 on aarch64 cross target machine, gdb it self segfault,
like this:

# ./gdb
Segmentation fault (core dumped)

It looks like earlier gdb version works fine, test result:
----------+---------
  result  | gdb ver
----------+---------
 segfault | gdb-14.2=20=20=20=20=20
 segfault | gdb-10.1
     pass | gdb_9.2
     pass | gdb-9.1=20=20=20=20=20=20
     pass | gdb-8.01=20=20=20=20

Recompile with '-O0 -g' and check backtrace, 't->stratum ()' triggered
dereference null pointer 0x0 and cause segfault, not sure why the
static variable 'the_dummy_target' with '_vptr.target_ops =3D 0x0'.

Thread 1 "gdb" received signal SIGSEGV, Segmentation fault.
target_stack::push (this=3D0xd7cb70, t=3D0xd04b30 <the_dummy_target>) at
target.c:1206
1206      strata stratum =3D t->stratum ();
(gdb) bt
#0  target_stack::push (this=3D0xd7cb70, t=3D0xd04b30 <the_dummy_target>) at
target.c:1206
#1  0x0000000000666438 in inferior::inferior (this=3D0xd7c9d0, pid_=3D<opti=
mized
out>) at inferior.c:90
#2  0x00000000006665d8 in add_inferior_silent (pid=3Dpid@entry=3D0) at
inferior.c:205
#3  0x0000000000667888 in initialize_inferiors () at inferior.c:1089
#4  0x0000000000805734 in gdb_init () at top.c:2327
#5  0x00000000006c5ee0 in captured_main_1 (context=3Dcontext@entry=3D0x3fff=
ffff638)
at main.c:1036
#6  0x00000000006c6c68 in captured_main (data=3Ddata@entry=3D0x3fffffff638)=
 at
main.c:1314
#7  gdb_main (args=3Dargs@entry=3D0x3fffffff658) at main.c:1343
#8  0x000000000041ba24 in main (argc=3D1, argv=3D0x3fffffff7a8) at gdb.c:39
(gdb) p t
$1 =3D (target_ops *) 0xd04b30 <the_dummy_target>
(gdb) p *t
$2 =3D {
  <refcounted_object> =3D {
    m_refcount =3D 1
  },
  members of target_ops:
  _vptr.target_ops =3D 0x0
}
(gdb) p the_dummy_target
$3 =3D {
  <target_ops> =3D {
    <refcounted_object> =3D {
      m_refcount =3D 1
    },
    members of target_ops:
    _vptr.target_ops =3D 0x0
  }, <No data fields>}
(gdb)

Then startover and set a watchpoint on the static variable=20
'the_dummy_target', it looks like its _vptr.target_ops is 0x0=20
in the first place (while program loaded?)

(gdb) watch the_dummy_target
Hardware watchpoint 1: the_dummy_target
(gdb) run
<... cut dummy ...>
[New LWP 5506]
[New LWP 5507]
[New LWP 5508]
[New LWP 5510]

Thread 1 "gdb" hit Hardware watchpoint 1: the_dummy_target

Old value =3D {<target_ops> =3D {<refcounted_object> =3D {m_refcount =3D 0},
_vptr.target_ops =3D 0x0}, <No data fields>}
New value =3D {<target_ops> =3D {<refcounted_object> =3D {m_refcount =3D 1},
_vptr.target_ops =3D 0x0}, <No data fields>}

target_stack::push (this=3D0xd7cb70, t=3D0xd04b30 <the_dummy_target>) at
target.c:1206
1206      strata stratum =3D t->stratum ();
(gdb) bt
#0  target_stack::push (this=3D0xd7cb70, t=3D0xd04b30 <the_dummy_target>) at
target.c:1206
#1  0x0000000000666438 in inferior::inferior (this=3D0xd7c9d0, pid_=3D<opti=
mized
out>) at inferior.c:90
#2  0x00000000006665d8 in add_inferior_silent (pid=3Dpid@entry=3D0) at
inferior.c:205
#3  0x0000000000667888 in initialize_inferiors () at inferior.c:1089
#4  0x0000000000805734 in gdb_init () at top.c:2327
#5  0x00000000006c5ee0 in captured_main_1 (context=3Dcontext@entry=3D0x3fff=
ffff638)
at main.c:1036
#6  0x00000000006c6c68 in captured_main (data=3Ddata@entry=3D0x3fffffff638)=
 at
main.c:1314
#7  gdb_main (args=3Dargs@entry=3D0x3fffffff658) at main.c:1343
#8  0x000000000041ba24 in main (argc=3D1, argv=3D0x3fffffff7a8) at gdb.c:39
(gdb)


Since gdb-9.2 works fine so do the same breakpoint to 'target_stack::push',
it shows that _vptr.target_ops is not 0x0 for 't' and 'the_dummy_target'.
Not sure why latest gdb-14.2 is 0x0, will dig further.

(gdb) b target_stack::push
Breakpoint 1 at 0x6cec50: file ../../gdb/target.c, line 560.
(gdb) run
<... cut dummy ...>

Breakpoint 1, target_stack::push (this=3Dthis@entry=3D0xaa05b8 <g_target_st=
ack>,
t=3Dt@entry=3D0xa272d0 <the_dummy_target>) at ../../gdb/target.c:560
560     {
(gdb) bt
#0  target_stack::push (this=3Dthis@entry=3D0xaa05b8 <g_target_stack>,
t=3Dt@entry=3D0xa272d0 <the_dummy_target>) at ../../gdb/target.c:560
#1  0x00000000006cff70 in push_target (t=3D0xa272d0 <the_dummy_target>) at
../../gdb/target.c:579
#2  initialize_targets () at ../../gdb/target.c:3986
#3  0x00000000006dc65c in gdb_init (argv0=3D<optimized out>) at
../../gdb/top.c:2273
#4  0x00000000005d9428 in captured_main_1 (context=3Dcontext@entry=3D0x3fff=
ffff628)
at ../../gdb/main.c:882
#5  0x00000000005da170 in captured_main (data=3Ddata@entry=3D0x3fffffff628)=
 at
../../gdb/main.c:1192
#6  gdb_main (args=3Dargs@entry=3D0x3fffffff648) at ../../gdb/main.c:1217
#7  0x000000000040f3a0 in main (argc=3D<optimized out>, argv=3D<optimized o=
ut>) at
../../gdb/gdb.c:32
(gdb) l
555
556     /* See target.h.  */
557
558     void
559     target_stack::push (target_ops *t)
560     {
561       /* If there's already a target at this stratum, remove it.  */
562       strata stratum =3D t->stratum ();
563
564       if (m_stack[stratum] !=3D NULL)
(gdb) p t
$1 =3D (target_ops *) 0xa272d0 <the_dummy_target>
(gdb) p *t
$2 =3D {_vptr.target_ops =3D 0x8d73e0 <vtable for dummy_target+16>}
(gdb) p the_dummy_target
$3 =3D {<target_ops> =3D {_vptr.target_ops =3D 0x8d73e0 <vtable for
dummy_target+16>}, <No data fields>}
(gdb) p the_dummy_target
$4 =3D {<target_ops> =3D {_vptr.target_ops =3D 0x8d73e0 <vtable for
dummy_target+16>}, <No data fields>}

--=20
You are receiving this mail because:
You are on the CC list for the bug.=