* [patch] Fix a crash due to a VALUE double free
@ 2008-07-07 21:19 Jan Kratochvil
2008-07-07 22:21 ` Stan Shebs
2008-07-14 16:45 ` Luis Machado
0 siblings, 2 replies; 4+ messages in thread
From: Jan Kratochvil @ 2008-07-07 21:19 UTC (permalink / raw)
To: gdb-patches
Hi,
it crashes if you call an inferior function right after a watchpoint hit.
Bug reported with a reproducer by Jakub Jelinek.
Regards,
Jan
[-- Attachment #2: gdb-value-double-free.patch --]
gdb/
2008-07-07 Jan Kratochvil <jan.kratochvil@redhat.com>
* breakpoint.c (bpstat_copy): Call RELEASE_VALUE on the new OLD_VAL.
gdb/testsuite/
2008-07-07 Jan Kratochvil <jan.kratochvil@redhat.com>
* gdb.base/value-double-free.exp, gdb.base/value-double-free.c: New.
--- gdb/breakpoint.c 28 Jun 2008 09:42:15 -0000 1.327
+++ gdb/breakpoint.c 7 Jul 2008 21:12:14 -0000
@@ -1996,7 +1996,10 @@ bpstat_copy (bpstat bs)
if (bs->commands != NULL)
tmp->commands = copy_command_lines (bs->commands);
if (bs->old_val != NULL)
- tmp->old_val = value_copy (bs->old_val);
+ {
+ tmp->old_val = value_copy (bs->old_val);
+ release_value (tmp->old_val);
+ }
if (p == NULL)
/* This is the first thing in the chain. */
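Review bot: the new release_value call carries no comment saying why it is needed, and the reason is not obvious from the hunk alone: value_copy returns a value that is still on the all_values chain and so gets reclaimed by free_all_values at the next command boundary, while bpstat_clear frees old_val again, which is the double free in the subject. Suggest a one-line comment above the call, e.g. `/* value_copy leaves the new value on all_values; release it so that bpstat_clear is its only owner.  */`. It is also worth checking that the path that first records old_val in a bpstat releases its value the same way, so that every old_val in a bpstat chain has exactly one owner.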
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ gdb/testsuite/gdb.base/value-double-free.c 7 Jul 2008 21:12:17 -0000
@@ -0,0 +1,36 @@
+/* This testcase is part of GDB, the GNU debugger.
+
+ Copyright 2008 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+ Please email any bugs, comments, and/or additions to this file to:
+ bug-gdb@prep.ai.mit.edu */
+
+volatile int var;
+
+void
+empty (void)
+{
+}
+
+int
+main (void)
+{
+ var = 1;
+ /* Workaround PR 38: We may miss the first watchpoint hit as we stop on the
+ exact instruction which would cause the watchpoint hit. */
+ var = 2;
+ return 0;
+}
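Review bot: the PR 38 workaround comment explains why there are two stores but not why `var` is `volatile`; a few words that the qualifier keeps the compiler from merging or dropping the stores would help, since the test only passes if at least one of them reaches memory and triggers the watchpoint. Also, the bug-reporting address in the license header (bug-gdb@prep.ai.mit.edu) looks out of date; check which address the other files in gdb.base currently use before copying it into a new file.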
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ gdb/testsuite/gdb.base/value-double-free.exp 7 Jul 2008 21:12:17 -0000
@@ -0,0 +1,38 @@
+# Copyright 2008 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set testfile value-double-free
+set srcfile ${testfile}.c
+set binfile ${objdir}/${subdir}/${testfile}
+if { [gdb_compile "${srcdir}/${subdir}/${srcfile}" "${binfile}" executable {debug}] != "" } {
+ untested "Couldn't compile test program"
+ return -1
+}
+
+# Get things started.
+
+gdb_exit
+gdb_start
+gdb_reinitialize_dir $srcdir/$subdir
+gdb_load ${binfile}
+
+if ![runto_main] {
+ return -1
+}
+gdb_test "watch var" "atchpoint \[0-9\]+: var"
+gdb_test "continue" "atchpoint \[0-9\]+: var.*Old value = 0.*New value = \[12\].*"
+gdb_test "print empty()" " = void"
+# We did segfault here.
+gdb_test "help help"
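Review bot: `gdb_test "help help"` has no expected-output pattern and no test name, so it passes whenever a prompt comes back and a failure shows up in the log as `help help`; since the comment says this is exactly where GDB used to segfault, give it a pattern and a name that records the intent, e.g. `gdb_test "help help" "Print list of commands.*" "gdb survives inferior call after watchpoint hit"`. The `continue` pattern also hard-codes `Old value = 0`, which depends on `var` being zero-initialized in .bss; that holds for this C file but deserves a comment in the .exp so the dependency is visible.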
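As an added example (not code from this thread or from GDB itself), here is a toy C model of the ownership rule the patch restores: a value returned by value_copy stays on the all_values chain until release_value unlinks it, and everything still on the chain is reclaimed at the next command boundary. The function names mirror value.c and breakpoint.c, but the bodies, the static pool and the exact sequence of calls during an inferior function call are simplified assumptions; values are never really freed, so the double free is counted rather than crashing the program.

```c
/* Toy model of the ownership rule behind the bpstat_copy fix.
   Added example, not GDB source: the names mirror GDB's value.c and
   breakpoint.c (all_values, value_copy, release_value, free_all_values,
   bpstat_copy, bpstat_clear) but the bodies are simplified assumptions.
   Values live in a static pool and are never really free()d, so a
   double free is counted instead of corrupting the heap.  */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

struct value
{
  struct value *next;   /* link on the all_values chain */
  int on_chain;         /* 1 while free_all_values () may reclaim it */
  int freed;            /* set by value_free () */
  long contents;
};

struct bpstat_t
{
  struct value *old_val;   /* watchpoint's old value, owned by this bpstat */
};

static struct value pool[POOL_SIZE];
static int pool_used;
static struct value *all_values;   /* every value not yet released */
static int double_frees;           /* value_free () on an already freed value */
static int frees_done;

static void
reset_model (void)
{
  memset (pool, 0, sizeof pool);
  pool_used = 0;
  all_values = NULL;
  double_frees = 0;
  frees_done = 0;
}

/* New values start on the all_values chain: temporaries die at the next
   command boundary unless somebody takes ownership with release_value.  */
static struct value *
allocate_value (long contents)
{
  struct value *v = &pool[pool_used++];
  v->contents = contents;
  v->next = all_values;
  v->on_chain = 1;
  all_values = v;
  return v;
}

static struct value *
value_copy (const struct value *src)
{
  return allocate_value (src->contents);
}

/* Unlink V from all_values; the caller is now the sole owner.  */
static void
release_value (struct value *v)
{
  struct value **p;
  for (p = &all_values; *p != NULL; p = &(*p)->next)
    if (*p == v)
      {
        *p = v->next;
        v->next = NULL;
        v->on_chain = 0;
        return;
      }
}

static void
value_free (struct value *v)
{
  if (v->freed)
    double_frees++;
  v->freed = 1;
  frees_done++;
}

/* Called at every command boundary: reclaim all unreleased temporaries.  */
static void
free_all_values (void)
{
  struct value *v, *next;
  for (v = all_values; v != NULL; v = next)
    {
      next = v->next;
      value_free (v);
    }
  all_values = NULL;
}

/* bpstat_copy before (with_release == 0) and after (with_release == 1)
   the patch.  */
static struct bpstat_t
bpstat_copy (const struct bpstat_t *bs, int with_release)
{
  struct bpstat_t tmp = { NULL };
  if (bs->old_val != NULL)
    {
      tmp.old_val = value_copy (bs->old_val);
      if (with_release)
        release_value (tmp.old_val);
    }
  return tmp;
}

static void
bpstat_clear (struct bpstat_t *bs)
{
  if (bs->old_val != NULL)
    value_free (bs->old_val);
  bs->old_val = NULL;
}

/* Replay the crash scenario from the thread (assumed ordering): watchpoint
   hit, inferior call saves the stop state with bpstat_copy, the next
   command boundary sweeps all_values, then the saved state is discarded.
   Returns the number of double frees observed.  */
int
replay_inferior_call (int with_release)
{
  struct bpstat_t stop_bpstat, saved;
  reset_model ();

  /* The watchpoint's old value is owned by the breakpoint, so it was
     released when it was recorded.  */
  stop_bpstat.old_val = allocate_value (0);
  release_value (stop_bpstat.old_val);

  saved = bpstat_copy (&stop_bpstat, with_release);  /* inferior call begins */
  free_all_values ();            /* command boundary during the call */
  bpstat_clear (&saved);         /* saved state discarded */
  bpstat_clear (&stop_bpstat);   /* original stop state discarded */

  return double_frees;
}

/* Total value_free () calls made by the last replay.  */
int
frees_in_last_replay (void)
{
  return frees_done;
}

int
main (void)
{
  printf ("without release_value: %d double free(s)\n", replay_inferior_call (0));
  printf ("with release_value:    %d double free(s)\n", replay_inferior_call (1));
  return 0;
}
```

replay_inferior_call(0) follows the pre-patch sequence and reports one double free (the copied old_val is freed once by the chain sweep and once by bpstat_clear); replay_inferior_call(1) adds the release_value call from the hunk and reports none, with each value freed exactly once. The general rule the model illustrates is that any value a longer-lived structure keeps must be released from all_values; otherwise the chain sweep and the structure's own cleanup both free it.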
* Re: [patch] Fix a crash due to a VALUE double free
2008-07-07 21:19 [patch] Fix a crash due to a VALUE double free Jan Kratochvil
@ 2008-07-07 22:21 ` Stan Shebs
2008-07-14 16:45 ` Luis Machado
1 sibling, 0 replies; 4+ messages in thread
From: Stan Shebs @ 2008-07-07 22:21 UTC (permalink / raw)
To: Jan Kratochvil; +Cc: gdb-patches
Jan Kratochvil wrote:
> Hi,
>
> it crashes if you call an inferior function right after a watchpoint hit.
>
> Bug reported with a reproducer by Jakub Jelinek.
>
This is OK to commit. Thanks!
Stan
* Re: [patch] Fix a crash due to a VALUE double free
2008-07-07 21:19 [patch] Fix a crash due to a VALUE double free Jan Kratochvil
2008-07-07 22:21 ` Stan Shebs
@ 2008-07-14 16:45 ` Luis Machado
2008-07-14 17:35 ` Luis Machado
1 sibling, 1 reply; 4+ messages in thread
From: Luis Machado @ 2008-07-14 16:45 UTC (permalink / raw)
To: Jan Kratochvil; +Cc: gdb-patches
Hi Jan,
This testcase is currently failing for PPC64.
Running /home/luis/src/gdb/gdb-head/HEAD/gdb/testsuite/gdb.base/value-double-free.exp ...
FAIL: gdb.base/value-double-free.exp: continue
FAIL: gdb.base/value-double-free.exp: print empty()
More complete log:
(gdb) run
Starting program: /home/luis/builds/gdb-head/DFP/gdb/testsuite/gdb.base/value-double-free

Breakpoint 1, main ()
at /home/luis/src/gdb/gdb-head/HEAD/gdb/testsuite/gdb.base/value-double-free.c:31
31 var = 1;
(gdb) watch var
Hardware watchpoint 2: var
(gdb) PASS: gdb.base/value-double-free.exp: watch var
continue
Continuing.
Target is executing.
(gdb) FAIL: gdb.base/value-double-free.exp: continue
print empty()
Target is executing.
(gdb) FAIL: gdb.base/value-double-free.exp: print empty()
help help
Print list of commands.
(gdb) PASS: gdb.base/value-double-free.exp: help help
testcase /home/luis/src/gdb/gdb-head/HEAD/gdb/testsuite/gdb.base/value-double-free.exp completed in 1 seconds
On Mon, 2008-07-07 at 23:18 +0200, Jan Kratochvil wrote:
> Hi,
>
> it crashes if you call an inferior function right after a watchpoint hit.
>
> Bug reported with a reproducer by Jakub Jelinek.
>
>
> Regards,
> Jan
--
Luis Machado
Software Engineer
IBM Linux Technology Center
* Re: [patch] Fix a crash due to a VALUE double free
2008-07-14 16:45 ` Luis Machado
@ 2008-07-14 17:35 ` Luis Machado
0 siblings, 0 replies; 4+ messages in thread
From: Luis Machado @ 2008-07-14 17:35 UTC (permalink / raw)
To: Jan Kratochvil; +Cc: gdb-patches
FYI
The failures were due to an async-related regression introduced in PPC.
Regards,
Luis