public inbox for gdb-testers@sourceware.org
From: sergiodj+buildbot@sergiodj.net
To: gdb-testers@sourceware.org
Subject: [binutils-gdb] Remove dwarf2_per_objfile_free and use after free of dwarf2_per_objfile
Date: Sun, 28 Jan 2018 17:24:00 -0000	[thread overview]
Message-ID: <fc8e7e75c2be02237a7961688b06869814f36a18@gdb-build>

*** TEST RESULTS FOR COMMIT fc8e7e75c2be02237a7961688b06869814f36a18 ***

Author: Simon Marchi <simon.marchi@ericsson.com>
Branch: master
Commit: fc8e7e75c2be02237a7961688b06869814f36a18

Remove dwarf2_per_objfile_free and use after free of dwarf2_per_objfile

I got some crashes while doing some work with dwarf2_per_objfile.  It
turns out that dwarf2_per_objfile_free is using the dwarf2_per_objfile
objects after their destructor has run.

The easiest way to reproduce this is to run the inferior twice (do
"start" twice).  Currently, it goes unnoticed, but when I tried to
change all_comp_units and all_type_units to std::vectors, things started
crashing.

The dwarf2_per_objfile objects get destroyed here:

 #0  dwarf2_per_objfile::~dwarf2_per_objfile (this=0x35afe70, __in_chrg=<optimized out>) at /home/emaisin/src/binutils-gdb/gdb/dwarf2read.c:2422
 #1  0x0000000000833282 in dwarf2_free_objfile (objfile=0x356cff0) at /home/emaisin/src/binutils-gdb/gdb/dwarf2read.c:25363
 #2  0x0000000000699255 in elf_symfile_finish (objfile=0x356cff0) at /home/emaisin/src/binutils-gdb/gdb/elfread.c:1309
 #3  0x0000000000911ed3 in objfile::~objfile (this=0x356cff0, __in_chrg=<optimized out>) at /home/emaisin/src/binutils-gdb/gdb/objfiles.c:674

and just after that the dwarf2read per-objfile registry cleanup function
gets called:

 #0  dwarf2_per_objfile_free (objfile=0x356cff0, d=0x35afe70) at /home/emaisin/src/binutils-gdb/gdb/dwarf2read.c:25667
 ... registry boilerplate ...
 #4  0x00000000009103ea in objfile_free_data (container=0x356cff0) at /home/emaisin/src/binutils-gdb/gdb/objfiles.c:61
 #5  0x0000000000911ee2 in objfile::~objfile (this=0x356cff0, __in_chrg=<optimized out>) at /home/emaisin/src/binutils-gdb/gdb/objfiles.c:678

In dwarf2_per_objfile_free, we access fields of the dwarf2_per_objfile
object, which is invalid since its destructor has been executed.

This patch moves the content of dwarf2_per_objfile_free to the
destructor of dwarf2_per_objfile.  The call to
register_objfile_data_with_cleanup in _initialize_dwarf2_read can be
changed to the simpler register_objfile_data.

gdb/ChangeLog:

	* dwarf2read.c (free_dwo_files): Add forward-declaration.
	(dwarf2_per_objfile::~dwarf2_per_objfile): Move content from
	dwarf2_per_objfile_free here.
	(dwarf2_per_objfile_free): Remove.
	(_initialize_dwarf2_read): Don't register
	dwarf2_per_objfile_free as a registry cleanup.

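The ordering problem the two backtraces describe can be reproduced in a few dozen lines. The following is an added model written for this page, not GDB code: PerObjfile, Objfile, teardown() and the g_live address set are stand-ins chosen for the example. The Objfile destructor deletes the per-objfile object first (the elf_symfile_finish path) and only then invokes whatever cleanup the registry holds for that slot (the objfile_free_data path), handing it the same, now dangling, pointer. The pre-fix variant keeps the resource teardown in the registry cleanup; the fixed variant moves it into the destructor and registers no cleanup at all, which is the shape of the patch.

```cpp
// Added model of the teardown order from the backtraces above; not GDB code.
#include <cstdint>
#include <functional>
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Addresses of model objects that are currently constructed.  A cheap stand-in
// for the heap checker (e.g. ASan) you would run against the real binary.
static std::set<std::uintptr_t> g_live;
static std::uintptr_t addr(const void* p) { return reinterpret_cast<std::uintptr_t>(p); }

// Stand-in for dwarf2_per_objfile.  Owns state ("dwo files") that must be
// released exactly once.  free_in_dtor selects where that release happens.
struct PerObjfile {
  std::vector<std::string> dwo_files;
  std::vector<std::string>* log;   // event log owned by the caller
  bool free_in_dtor;

  PerObjfile(std::vector<std::string>* l, std::vector<std::string> dwos, bool in_dtor)
      : dwo_files(std::move(dwos)), log(l), free_in_dtor(in_dtor) {
    g_live.insert(addr(this));
  }
  ~PerObjfile() {
    if (free_in_dtor) free_dwo_files();   // the fix: teardown moved into the destructor
    log->push_back("~PerObjfile");
    g_live.erase(addr(this));
  }
  void free_dwo_files() {
    for (const auto& f : dwo_files) log->push_back("free_dwo " + f);
    dwo_files.clear();
  }
};

// Stand-in for objfile.  Its destructor reproduces the order in the two
// backtraces: the symfile hook deletes the per-objfile object first, then the
// registry runs whatever cleanup was registered for the same slot.
struct Objfile {
  using Cleanup = std::function<void(PerObjfile*)>;
  PerObjfile* per = nullptr;
  Cleanup registry_cleanup;        // empty when registered with plain register_objfile_data

  ~Objfile() {
    delete per;                                    // elf_symfile_finish -> dwarf2_free_objfile
    if (registry_cleanup) registry_cleanup(per);   // objfile_free_data -> cleanup(objfile, d)
  }
};

struct Result {
  std::vector<std::string> log;
  bool stale_access = false;       // cleanup was handed an already-destroyed object
};

// Build and tear down one objfile.  fixed=false models the pre-fix layout
// (register_objfile_data_with_cleanup); fixed=true models the patch.
Result teardown(bool fixed) {
  Result r;
  {
    Objfile obj;
    obj.per = new PerObjfile(&r.log, {"a.dwo", "b.dwo"}, /*in_dtor=*/fixed);
    if (!fixed) {
      obj.registry_cleanup = [&r](PerObjfile* d) {
        // Real code would dereference d here: a use after free.  The model
        // checks liveness first so the bug is reported instead of executed.
        if (!g_live.count(addr(d))) { r.stale_access = true; return; }
        d->free_dwo_files();
      };
    }
  }  // ~Objfile runs here
  return r;
}

// Number of "free_dwo" events in the log; 0 means the resources were leaked.
int count_frees(const Result& r) {
  int n = 0;
  for (const auto& e : r.log) if (e.rfind("free_dwo ", 0) == 0) ++n;
  return n;
}

int main() {
  for (bool fixed : {false, true}) {
    Result r = teardown(fixed);
    std::cout << (fixed ? "fixed" : "pre-fix") << ": stale_access=" << r.stale_access
              << " frees=" << count_frees(r) << '\n';
  }
  return 0;
}
```

In the pre-fix run the cleanup is reached only after ~PerObjfile has executed, so it either touches freed memory (the real bug) or, with the guard in the model, never releases the dwo files at all. Moving the teardown into the destructor gives exactly one release and leaves nothing for the registry to call. On the real code base the same check is simply a run under -fsanitize=address: without the g_live guard, the pre-fix path is the heap-use-after-free ASan reports.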

Thread overview: 13+ messages
2018-01-28 17:24 sergiodj+buildbot [this message]
2018-01-28 17:24 ` Failures on Debian-s390x-m64, branch master sergiodj+buildbot
2018-01-28 17:30 ` Failures on Fedora-x86_64-native-gdbserver-m32, " sergiodj+buildbot
2018-01-28 17:35 ` Failures on Ubuntu-AArch32-native-extended-gdbserver-m32, " sergiodj+buildbot
2018-01-28 17:43 ` Failures on Ubuntu-AArch64-native-gdbserver-m64, " sergiodj+buildbot
2018-01-28 17:46 ` Failures on Fedora-x86_64-native-extended-gdbserver-m32, " sergiodj+buildbot
2018-01-28 18:00 ` Failures on Ubuntu-AArch32-native-gdbserver-m32, " sergiodj+buildbot
2018-01-28 18:01 ` Failures on Fedora-x86_64-native-extended-gdbserver-m64, " sergiodj+buildbot
2018-01-28 18:02 ` Failures on Fedora-x86_64-native-gdbserver-m64, " sergiodj+buildbot
2018-01-28 18:05 ` Failures on Fedora-x86_64-m64, " sergiodj+buildbot
2018-01-28 18:13 ` Failures on Ubuntu-AArch64-m64, " sergiodj+buildbot
2018-01-28 18:18 ` Failures on Debian-s390x-native-gdbserver-m64, " sergiodj+buildbot
2018-01-28 18:26 ` Failures on Ubuntu-AArch32-m32, " sergiodj+buildbot