Subject: [commit] Fix GDB crash (Re: [1/2] RFC: reference count breakpoint commands)
To: tromey@redhat.com
Date: Fri, 26 Mar 2010 16:43:00 -0000
Message-Id: <201003261643.o2QGh7XD009247@d12av02.megacenter.de.ibm.com>
From: "Ulrich Weigand"
Cc: gdb-patches@sourceware.org
In-Reply-To: from "Tom Tromey" at Mar 24, 2010 03:08:27 PM
X-SW-Source: 2010-03/txt/msg00901.txt.bz2

Tom Tromey wrote:

> 2010-03-24  Tom Tromey
>
> 	* breakpoint.h (struct counted_command_line): New struct.
> 	(struct breakpoint) : Change type.
> 	(struct bpstats) : Change type.
> 	: New field.
> 	* breakpoint.c (alloc_counted_command_line): New function.
> 	(incref_counted_command_line): Likewise.
> 	(decref_counted_command_line): Likewise.
> 	(do_cleanup_counted_command_line): Likewise.
> 	(make_cleanup_decref_counted_command_line): Likewise.
> 	(breakpoint_set_commands): Use decref_counted_command_line and
> 	alloc_counted_command_line.
> 	(commands_command): Don't error if breakpoint commands are
> 	executing.
> 	(commands_from_control_command): Likewise.
> 	(bpstat_free): Update.
> 	(bpstat_copy): Likewise.
> 	(bpstat_clear_actions): Likewise.
> 	(bpstat_do_actions_1): Likewise.
> 	(bpstat_stop_status): Likewise.
> 	(print_one_breakpoint_location): Likewise.
> 	(delete_breakpoint): Likewise.
> 	(bpstat_alloc): Initialize new field.
> 	(tracepoint_save_command): Update.
> 	* tracepoint.c (encode_actions): Update.
> 	(trace_dump_command): Update.

This patch caused GDB to crash for me during execution of the commands.exp test case.

The problem appears to be caused by a bpstat with NULL commands, but a non-NULL commands_left pointing to uninitialized memory.

By inspection, it looks like there is one place (bpstat_clear_actions) where commands is cleared, but commands_left is left unchanged. It seems that commands_left ought to be cleared there as well.

The following patch implements this, fixing the crash I was seeing.
Tested on powerpc64-linux, committed to mainline. Bye, Ulrich ChangeLog: * breakpoint.c (bpstat_clear_actions): Reset bs->commands_left. Index: gdb/breakpoint.c =================================================================== RCS file: /cvs/src/src/gdb/breakpoint.c,v retrieving revision 1.468 diff -u -p -r1.468 breakpoint.c --- gdb/breakpoint.c 25 Mar 2010 20:48:52 -0000 1.468 +++ gdb/breakpoint.c 26 Mar 2010 16:04:42 -0000 @@ -2986,6 +2986,7 @@ bpstat_clear_actions (bpstat bs) for (; bs != NULL; bs = bs->next) { decref_counted_command_line (&bs->commands); + bs->commands_left = NULL; if (bs->old_val != NULL) { value_free (bs->old_val); -- Dr. Ulrich Weigand GNU Toolchain for Linux on System z and Cell BE Ulrich.Weigand@de.ibm.com
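Review bot: The reset is placed after decref_counted_command_line (&bs->commands), which is the right order: the decref may free the list that commands_left points into, so the borrowed cursor has to be dropped in the same step rather than left for a later consumer to find. Two small follow-ups worth considering: document the invariant in breakpoint.h next to the commands_left field (it is a non-owning cursor into the list owned by commands and must be NULL whenever commands is NULL), and audit the other sites the quoted ChangeLog lists as touching commands (bpstat_free, bpstat_copy, bpstat_do_actions_1, bpstat_stop_status, delete_breakpoint) to confirm none of them releases commands while leaving commands_left set, since the message found this site by inspection only.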
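The owning/borrowed pointer pair behind this crash, as an added C example that is not GDB's code: a cut-down model of the reference-counted command list from Tom's patch (counted_command_line, commands, commands_left) with both the pre-fix and the fixed bpstat_clear_actions side by side. The structures, the command lines, and the helpers dangling_cursor, run_remaining, setup_bpstat, run_scenario and remaining_commands are all constructed for this illustration; the point it shows is that a non-owning cursor into a refcounted list must be reset in the same step that drops the owning reference, otherwise a later consumer reads through a pointer into freed memory.

```c
/* Added example, not GDB source: models the owner/cursor pair from the patch. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

struct command_line {
  char *line;
  struct command_line *next;
};

/* Owning, reference-counted wrapper, after the patch's counted_command_line. */
struct counted_command_line {
  int refc;
  struct command_line *commands;
};

struct bpstats {
  struct counted_command_line *commands; /* owning reference (refcounted) */
  struct command_line *commands_left;    /* borrowed cursor into *commands */
  struct bpstats *next;
};

static struct command_line *make_command_list(const char *const *lines, int n)
{
  struct command_line *head = NULL, **tail = &head;
  for (int i = 0; i < n; i++) {
    struct command_line *c = calloc(1, sizeof *c);
    c->line = strdup(lines[i]);
    *tail = c;
    tail = &c->next;
  }
  return head;
}

static void free_command_lines(struct command_line *c)
{
  while (c) {
    struct command_line *n = c->next;
    free(c->line);
    free(c);
    c = n;
  }
}

static struct counted_command_line *alloc_counted_command_line(struct command_line *cmds)
{
  struct counted_command_line *r = calloc(1, sizeof *r);
  r->refc = 1;
  r->commands = cmds;
  return r;
}

/* Drops one reference and nulls the caller's pointer; frees the list on zero. */
static void decref_counted_command_line(struct counted_command_line **cmdp)
{
  if (*cmdp == NULL)
    return;
  if (--(*cmdp)->refc == 0) {
    free_command_lines((*cmdp)->commands);
    free(*cmdp);
  }
  *cmdp = NULL;
}

/* Before the fix: drops the owner but leaves the cursor pointing into freed memory. */
static void bpstat_clear_actions_unfixed(struct bpstats *bs)
{
  for (; bs != NULL; bs = bs->next)
    decref_counted_command_line(&bs->commands);
}

/* After the fix: the borrowed cursor is reset together with its owner. */
static void bpstat_clear_actions(struct bpstats *bs)
{
  for (; bs != NULL; bs = bs->next) {
    decref_counted_command_line(&bs->commands);
    bs->commands_left = NULL;
  }
}

/* The invariant a consumer relies on: commands_left is NULL whenever commands is.
   Pointer comparison only, so it is safe to call on a stale cursor. */
static int dangling_cursor(const struct bpstats *bs)
{
  return bs->commands == NULL && bs->commands_left != NULL;
}

/* Walks the remaining commands the way a consumer would; returns how many it ran. */
static int run_remaining(struct bpstats *bs)
{
  int n = 0;
  for (; bs->commands_left != NULL; bs->commands_left = bs->commands_left->next)
    n++;
  return n;
}

/* Constructed scenario: three commands, the first already executed. */
static void setup_bpstat(struct bpstats *bs)
{
  static const char *const lines[] = { "silent", "print x", "continue" };
  memset(bs, 0, sizeof *bs);
  bs->commands = alloc_counted_command_line(make_command_list(lines, 3));
  bs->commands_left = bs->commands->commands;  /* cursor at the first command */
  bs->commands_left = bs->commands_left->next; /* pretend "silent" already ran */
}

/* Returns 1 if clear_actions left the cursor dangling, 0 otherwise. */
static int run_scenario(int fixed)
{
  struct bpstats bs;
  setup_bpstat(&bs);
  if (fixed)
    bpstat_clear_actions(&bs);
  else
    bpstat_clear_actions_unfixed(&bs);
  return dangling_cursor(&bs);
}

/* Commands a consumer would still run, optionally after the fixed clear. */
static int remaining_commands(int clear_first)
{
  struct bpstats bs;
  setup_bpstat(&bs);
  if (clear_first)
    bpstat_clear_actions(&bs);
  int n = run_remaining(&bs);
  bpstat_clear_actions(&bs); /* release; no-op if already cleared */
  return n;
}
```

run_scenario(0) reports the dangling cursor the pre-fix code leaves behind, and run_scenario(1) shows the fixed variant restoring the invariant; remaining_commands(0) and remaining_commands(1) show the consumer seeing two commands before a clear and none after it. The unfixed path is never walked with run_remaining here, because doing so would read through the freed list, which is the crash the message reports.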