Date: Mon, 07 Jul 2008 21:19:00 -0000
From: Jan Kratochvil
To: gdb-patches@sources.redhat.com
Subject: [patch] Fix a crash due to a VALUE double free
Message-ID: <20080707211819.GA26204@host0.dyn.jankratochvil.net>

Hi,

it crashes if you call an inferior function right after a watchpoint hit.
Bug reported with a reproducer by Jakub Jelinek.

Regards,
Jan

Content-Disposition: inline; filename="gdb-value-double-free.patch"

gdb/
2008-07-07  Jan Kratochvil

	* breakpoint.c (bpstat_copy): Call RELEASE_VALUE on the new OLD_VAL.

gdb/testsuite/
2008-07-07  Jan Kratochvil

	* gdb.base/value-double-free.exp, gdb.base/value-double-free.c: New.

--- gdb/breakpoint.c 28 Jun 2008 09:42:15 -0000 1.327 +++ gdb/breakpoint.c 7 Jul 2008 21:12:14 -0000 @@ -1996,7 +1996,10 @@ bpstat_copy (bpstat bs) if (bs->commands != NULL) tmp->commands = copy_command_lines (bs->commands); if (bs->old_val != NULL) - tmp->old_val = value_copy (bs->old_val); + { + tmp->old_val = value_copy (bs->old_val); + release_value (tmp->old_val); + } if (p == NULL) /* This is the first thing in the chain. */ --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ gdb/testsuite/gdb.base/value-double-free.c 7 Jul 2008 21:12:17 -0000
@@ -0,0 +1,36 @@ +/* This testcase is part of GDB, the GNU debugger. + + Copyright 2008 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + Please email any bugs, comments, and/or additions to this file to: + bug-gdb@prep.ai.mit.edu */ + +volatile int var; + +void +empty (void) +{ +} + +int +main (void) +{ + var = 1; + /* Workaround PR 38: We may miss the first watchpoint hit as we stop on the + exact instruction which would cause the watchpoint hit. */ + var = 2; + return 0; +} --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ gdb/testsuite/gdb.base/value-double-free.exp 7 Jul 2008 21:12:17 -0000 
@@ -0,0 +1,38 @@ +# Copyright 2008 Free Software Foundation, Inc. + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +set testfile value-double-free +set srcfile ${testfile}.c +set binfile ${objdir}/${subdir}/${testfile} +if { [gdb_compile "${srcdir}/${subdir}/${srcfile}" "${binfile}" executable {debug}] != "" } { + untested "Couldn't compile test program" + return -1 +} + +# Get things started. + +gdb_exit +gdb_start +gdb_reinitialize_dir $srcdir/$subdir +gdb_load ${binfile} + +if ![runto_main] { + return -1 +} +gdb_test "watch var" "atchpoint \[0-9\]+: var" +gdb_test "continue" "atchpoint \[0-9\]+: var.*Old value = 0.*New value = \[12\].*" +gdb_test "print empty()" " = void" +# We did segfault here. +gdb_test "help help" --rwEMma7ioTxnRzrJ--
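Review bot: the breakpoint.c hunk in bpstat_copy should carry a comment saying why release_value is needed right after value_copy; nothing in the hunk tells the reader that the copy is otherwise still owned by the temporary value chain and, as the subject line says, ends up freed twice once the bpstat also disposes of its old_val. A one-liner such as `/* The copy belongs to the new bpstat, not to the value chain.  */` above `release_value (tmp->old_val);` would save the next person a trip through value.c. It is also worth confirming that the place where old_val is first stored releases it the same way, so the original and the copy have the same owner.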
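Review bot: the `Workaround PR 38` comment in the new value-double-free.c should say what the second store buys: the .exp file accepts either `New value = 1` or `New value = 2`, and that only makes sense to someone who already knows the first hit may be missed. Stating that the second store guarantees at least one reported hit (and giving the PR's full reference) would make the C file self-explanatory. Minor: `empty` has no caller in the program; a one-line comment that it exists only to be called from GDB via `print empty()` would stop a later cleanup from removing it.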
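Review bot: in value-double-free.exp the final `gdb_test "help help"` has no expected pattern and no test name, so it passes on any output and a failure would appear in gdb.sum only as the raw command; since this is the line that proves GDB survived the inferior call, give it both, e.g. `gdb_test "help help" "Print list of commands.*" "gdb still alive after print empty()"`. The `# We did segfault here.` comment sits above that line, but the crash described in the mail is triggered by the preceding `print empty()`; moving the comment up, or rewording it to say that this command only checks GDB is still responsive, avoids pointing at the wrong step. The other gdb_test calls would also benefit from explicit names so the result lines stay stable if the commands are ever changed.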