Re: [RFA] Crasher bug in infptrace.c

[Andrew Cagney <ac131313@cygnus.com>]

[-- Attachment #1: Type: text/plain, Size: 723 bytes --]

> +       if (sizeof_buffer > sizeof (buffer))
>> +       sizeof_buffer = sizeof (buffer);
> 
> 
> Now you've thrown away your rounding on the ending address.
> 
> 
>> +       count = sizeof_buffer / sizeof (PTRACE_XFER_TYPE);
> 
> 
> Now count will never be greater than 250, so all writes of
> greater than 1000 bytes will lose.
> 


Yes.  I found/fixed them + forgot to flush the insn cache + forgot to 
increment myaddr + forgot to write to i of d didn't work, yet it was 
still as broken!  Eventually I found the only real bug :-^

> +         memcpy (buffer + addr_off, myaddr, addr_len);


It should be ``(char*)buffer + addr_off'' :-(

Attatched is a version that appears to work (no regressions).

enjoy,
Andrew



[-- Attachment #2: diffs --]
[-- Type: text/plain, Size: 4562 bytes --]

? diffs
Index: infptrace.c
===================================================================
RCS file: /cvs/src/src/gdb/infptrace.c,v
retrieving revision 1.20
diff -p -r1.20 infptrace.c
*** infptrace.c	2002/01/08 00:59:29	1.20
--- infptrace.c	2002/01/14 03:20:14
***************
*** 26,31 ****
--- 26,32 ----
  #include "target.h"
  #include "gdb_string.h"
  #include "regcache.h"
+ #include "gdb_assert.h"
  
  #include "gdb_wait.h"
  
*************** child_xfer_memory (CORE_ADDR memaddr, ch
*** 505,510 ****
--- 506,614 ----
  		   struct mem_attrib *attrib ATTRIBUTE_UNUSED,
  		   struct target_ops *target)
  {
+ #if 1
+   CORE_ADDR addr = memaddr;
+   long nr_bytes = len;
+   char *srcdest = myaddr;
+   while (nr_bytes > 0)
+     {
+       PTRACE_XFER_TYPE buffer[1000];
+       long sizeof_buffer;
+       CORE_ADDR bufaddr;
+       long count;
+       long addr_off;
+       long addr_len;
+       long addr_pad;
+       long i;
+ 
+       /* Round starting address down to longword boundary to pick up
+          all of the first byte.  */
+       bufaddr = addr & -(CORE_ADDR) sizeof (PTRACE_XFER_TYPE);
+ 
+       /* Round ending address up to ensure that all of the last word
+          is copied up and then adjust that to fit in BUFFER.  */
+       sizeof_buffer = ((addr - bufaddr)
+ 		       + nr_bytes
+ 		       + sizeof (PTRACE_XFER_TYPE) - 1);
+       if (sizeof_buffer > sizeof (buffer))
+ 	sizeof_buffer = sizeof (buffer);
+       count = sizeof_buffer / sizeof (PTRACE_XFER_TYPE);
+       sizeof_buffer = count * sizeof (PTRACE_XFER_TYPE); /* adjust */
+ 
+       /* Break the buffer down into three byte regions: ADDR_OFF
+ 	 specifies the offset into BUFFER that ADDR starts;
+ 	 ADDR_LEN specifies the number of ADDR bytes actually in
+ 	 the buffer; and ADDR_PAD is the number of left over bytes
+ 	 in the buffer.  Either/or ADDR_OFF and ADDR_PAD can be
+ 	 zero.  */
+       addr_off = addr - bufaddr;
+       addr_len = sizeof_buffer - addr_off;
+       if (addr_len > nr_bytes)
+ 	addr_len = nr_bytes;
+       addr_pad = sizeof_buffer - (addr_len + addr_off);
+       gdb_assert (addr_off + addr_len + addr_pad == sizeof_buffer);
+       
+       /* For writes, pre-fill the buffer with data that has to go out.  */
+       if (write)
+ 	{
+ 	  /* If the start is misaligned, a read - modify - write is
+              needed.  */
+ 	  if (addr_off > 0)
+ 	    buffer[0] = ptrace (PT_READ_I, PIDGET (inferior_ptid), 
+ 				(PTRACE_ARG3_TYPE) bufaddr, 0);
+ 	  /* If the end is misaligned, a read - modify - write is
+              needed.  */
+ 	  if (addr_pad > 0 && count > 1)
+ 	    {
+ 	      buffer[count - 1] =
+ 		ptrace (PT_READ_I, PIDGET (inferior_ptid),
+ 			((PTRACE_ARG3_TYPE)
+ 			 (bufaddr + (count - 1) * sizeof (PTRACE_XFER_TYPE))),
+ 			0);
+ 	    }
+ 	  /* Fill in LEN bytes in the middle. */
+ 	  memcpy ((char *) buffer + addr_off, srcdest, addr_len);
+ 	}
+ 
+       /* Transfer COUNT words. */
+       for (i = 0; i < count; i++)
+ 	{
+ 	  CORE_ADDR a = bufaddr + i * sizeof (PTRACE_XFER_TYPE);
+ 	  if (write)
+ 	    {
+ 	      errno = 0;
+ 	      ptrace (PT_WRITE_D, PIDGET (inferior_ptid), 
+ 		      (PTRACE_ARG3_TYPE) a, buffer[i]);
+ 	      if (errno)
+ 		{
+ 		  /* Using the appropriate one (I or D) is necessary
+ 		     for Gould NP1, at least.  */
+ 		  errno = 0;
+ 		  ptrace (PT_WRITE_I, PIDGET (inferior_ptid), 
+ 			  (PTRACE_ARG3_TYPE) addr, buffer[i]);
+ 		}
+ 	    }
+ 	  else
+ 	    {
+ 	      buffer[i] = ptrace (PT_READ_I, PIDGET (inferior_ptid),
+ 				  (PTRACE_ARG3_TYPE) a, 0);
+ 	    }
+ 	}
+ 
+       /* Copy any read data into MYADDR.  */
+       if (!write)
+ 	memcpy (srcdest, (char *) buffer + addr_off, addr_len);
+ 
+       /* Update all counters.  */
+       addr += addr_len;
+       nr_bytes -= addr_len;
+       srcdest += addr_len;
+     }
+ #ifdef CLEAR_INSN_CACHE
+   if (write)
+     CLEAR_INSN_CACHE ();
+ #endif
+ #else
    int i;
    /* Round starting address down to longword boundary.  */
    CORE_ADDR addr = memaddr & -(CORE_ADDR) sizeof (PTRACE_XFER_TYPE);
*************** child_xfer_memory (CORE_ADDR memaddr, ch
*** 591,596 ****
--- 695,715 ----
  
    if (old_chain != NULL)
      do_cleanups (old_chain);
+ #endif
+ #if 0
+   {
+     int i;
+     static FILE *t;
+     if (!t)
+       t = fopen ("log", "w");
+     fprintf (t, "%c 0x%lx %ld :",
+ 	     write ? 'w' : 'r',
+ 	     (long) memaddr, (long) len);
+     for (i = 0; i < len; i++)
+       fprintf (t, "%02x", myaddr[i] & 0xff);
+     fprintf (t, "\n");
+   }
+ #endif
    return len;
  }
  \f