Re: [PATCH] Fix PR 21337 v2: segfault when re-reading symbols with remote debugging.

Mirror of the gdb-patches mailing list
 help / color / mirror / Atom feed

From: Simon Marchi <simon.marchi@polymtl.ca>
To: Doug Gilmore <Doug.Gilmore@imgtec.com>
Cc: Luis Machado <lgustavo@codesourcery.com>, gdb-patches@sourceware.org
Subject: Re: [PATCH] Fix PR 21337 v2: segfault when re-reading symbols with  remote debugging.
Date: Thu, 27 Apr 2017 19:46:00 -0000	[thread overview]
Message-ID: <7e9595026acbfd2f1a7bff321fa255e1@polymtl.ca> (raw)
In-Reply-To: <fddf3219-1de7-09ca-517c-7d68b34e878d@imgtec.com>

On 2017-04-25 14:16, Doug Gilmore wrote:
> Sorry for the delay, here is the trace under "valgrind 
> --num-callers=111".
> 
> Note that I marked the critical call points in reread_symbols.  In
> reread_symbols at symfile.c:2631 read_symbols is called.  Via the call
> to read_symbols, bsearch_cmp is eventually called, which "reads"
> memory that was free'd memory via the call to _obstack_free that was
> called just above in reread_symbols at symfile.c:2579.
> 
> The patch moves the call to objfiles_changed to the point obstack_free
> is called, so that free'd memory will not be referenced.
> 
> Trace attached.
> 
> Thanks,
> 
> Doug
> 
> (gdb) qrun
> `/home/dgilmore/tmp/h' has changed; re-reading symbols.
> ==8380== Invalid read of size 8
> ==8380==    at 0x653949: bsearch_cmp(void const*, void const*) 
> (objfiles.c:1415)
> ==8380==    by 0x559D247: bsearch (stdlib-bsearch.h:33)
> ==8380==    by 0x653B05: find_pc_section(unsigned long) 
> (objfiles.c:1462)
> ==8380==    by 0x649D00: lookup_minimal_symbol_by_pc(unsigned long)
> (minsyms.c:785)
> ==8380==    by 0x40852B: mips_pc_is_mips(unsigned long) 
> (mips-tdep.c:1183)
> ==8380==    by 0x4086EA: mips_adjust_dwarf2_addr(unsigned long)
> (mips-tdep.c:1271)
> ==8380==    by 0x5E55C2: gdbarch_adjust_dwarf2_addr(gdbarch*, unsigned
> long) (gdbarch.c:3417)
> ==8380==    by 0x5A3EB1: read_attribute_value(die_reader_specs const*,
> attribute*, unsigned int, long, unsigned char const*)
> (dwarf2read.c:16620)
> ==8380==    by 0x5A4823: read_attribute(die_reader_specs const*,
> attribute*, attr_abbrev*, unsigned char const*) (dwarf2read.c:16846)
> ==8380==    by 0x5A13BC: read_full_die_1(die_reader_specs const*,
> die_info**, unsigned char const*, int*, int) (dwarf2read.c:15585)
> ==8380==    by 0x5A1431: read_full_die(die_reader_specs const*,
> die_info**, unsigned char const*, int*) (dwarf2read.c:15604)
> ==8380==    by 0x5890B5: init_cutu_and_read_dies(dwarf2_per_cu_data*,
> abbrev_table*, int, int, void (*)(die_reader_specs const*, unsigned
> char const*, die_info*, int, void*), void*) (dwarf2read.c:5753)
> ==8380==    by 0x58A48F:
> process_psymtab_comp_unit(dwarf2_per_cu_data*, int, language)
> (dwarf2read.c:6265)
> ==8380==    by 0x58B0D0: dwarf2_build_psymtabs_hard(objfile*)
> (dwarf2read.c:6658)
> ==8380==    by 0x5859F8: dwarf2_build_psymtabs(objfile*) 
> (dwarf2read.c:4407)
> ==8380==    by 0x498C32: read_psyms(objfile*) (elfread.c:1290)
> ==8380==    by 0x6703D8: require_partial_symbols(objfile*, int) 
> (psymtab.c:87)
> ==8380==    by 0x6ADB21: read_symbols(objfile*,
> enum_flags<symfile_add_flag>) (symfile.c:883)
> ==8380==    by 0x6B1706: reread_symbols() (symfile.c:2631)   <<<  note
> _obstack_free called at reread_symbols() (symfile.c:2579)
> ==8380==    by 0x4389A5: remote_open_1(char const*, int, target_ops*,
> int) (remote.c:5021)
> ==8380==    by 0x437AD8: remote_open(char const*, int) (remote.c:4370)
> ==8380==    by 0x6D546E: open_target(char*, int, cmd_list_element*)
> (target.c:359)
> ==8380==    by 0x4662CC: do_sfunc(cmd_list_element*, char*, int)
> (cli-decode.c:122)
> ==8380==    by 0x4692F1: cmd_func(cmd_list_element*, char*, int)
> (cli-decode.c:1887)
> ==8380==    by 0x6E76BF: execute_command(char*, int) (top.c:674)
> ==8380==    by 0x46DF03: execute_control_command(command_line*)
> (cli-script.c:494)
> ==8380==    by 0x46DD74: execute_user_command(cmd_list_element*,
> char*) (cli-script.c:423)
> ==8380==    by 0x6E7606: execute_command(char*, int) (top.c:664)
> ==8380==    by 0x5C392C: command_handler(char*) (event-top.c:590)
> ==8380==    by 0x5C3CF1: command_line_handler(char*) (event-top.c:780)
> ==8380==    by 0x5C32D2: gdb_rl_callback_handler(char*) 
> (event-top.c:213)
> ==8380==    by 0x76C1DF: rl_callback_read_char (callback.c:220)
> ==8380==    by 0x5C31EB: gdb_rl_callback_read_char_wrapper_noexcept()
> (event-top.c:175)
> ==8380==    by 0x5C3261: gdb_rl_callback_read_char_wrapper(void*)
> (event-top.c:192)
> ==8380==    by 0x5C37DB: stdin_event_handler(int, void*) 
> (event-top.c:518)
> ==8380==    by 0x5C1E60: handle_file_event(file_handler*, int)
> (event-loop.c:733)
> ==8380==    by 0x5C23EC: gdb_wait_for_event(int) (event-loop.c:859)
> ==8380==    by 0x5C1231: gdb_do_one_event() (event-loop.c:322)
> ==8380==    by 0x5C12E2: start_event_loop() (event-loop.c:371)
> ==8380==    by 0x6352DC: captured_command_loop(void*) (main.c:325)
> ==8380==    by 0x5C4CA6: catch_errors(int (*)(void*), void*, char
> const*, return_mask) (exceptions.c:236)
> ==8380==    by 0x6366C4: captured_main(void*) (main.c:1150)
> ==8380==    by 0x6366ED: gdb_main(captured_main_args*) (main.c:1160)
> ==8380==    by 0x4066C3: main (gdb.c:32)
> ==8380==  Address 0x5aaca00 is 288 bytes inside a block of size 4,064 
> free'd
> ==8380==    at 0x4C2BDEC: free (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==8380==    by 0x545CD3: xfree(void*) (common-utils.c:100)
> ==8380==    by 0x81C903: _obstack_free (obstack.c:280)
> ==8380==    by 0x6B1143: reread_symbols() (symfile.c:2579)    <<<
> ==8380==    by 0x4389A5: remote_open_1(char const*, int, target_ops*,
> int) (remote.c:5021)
> ==8380==    by 0x437AD8: remote_open(char const*, int) (remote.c:4370)
> ==8380==    by 0x6D546E: open_target(char*, int, cmd_list_element*)
> (target.c:359)
> ==8380==    by 0x4662CC: do_sfunc(cmd_list_element*, char*, int)
> (cli-decode.c:122)
> ==8380==    by 0x4692F1: cmd_func(cmd_list_element*, char*, int)
> (cli-decode.c:1887)
> ==8380==    by 0x6E76BF: execute_command(char*, int) (top.c:674)
> ==8380==    by 0x46DF03: execute_control_command(command_line*)
> (cli-script.c:494)
> ==8380==    by 0x46DD74: execute_user_command(cmd_list_element*,
> char*) (cli-script.c:423)
> ==8380==    by 0x6E7606: execute_command(char*, int) (top.c:664)
> ==8380==    by 0x5C392C: command_handler(char*) (event-top.c:590)
> ==8380==    by 0x5C3CF1: command_line_handler(char*) (event-top.c:780)
> ==8380==    by 0x5C32D2: gdb_rl_callback_handler(char*) 
> (event-top.c:213)
> ==8380==    by 0x76C1DF: rl_callback_read_char (callback.c:220)
> ==8380==    by 0x5C31EB: gdb_rl_callback_read_char_wrapper_noexcept()
> (event-top.c:175)
> ==8380==    by 0x5C3261: gdb_rl_callback_read_char_wrapper(void*)
> (event-top.c:192)
> ==8380==    by 0x5C37DB: stdin_event_handler(int, void*) 
> (event-top.c:518)
> ==8380==    by 0x5C1E60: handle_file_event(file_handler*, int)
> (event-loop.c:733)
> ==8380==    by 0x5C23EC: gdb_wait_for_event(int) (event-loop.c:859)
> ==8380==    by 0x5C1231: gdb_do_one_event() (event-loop.c:322)
> ==8380==    by 0x5C12E2: start_event_loop() (event-loop.c:371)
> ==8380==    by 0x6352DC: captured_command_loop(void*) (main.c:325)
> ==8380==    by 0x5C4CA6: catch_errors(int (*)(void*), void*, char
> const*, return_mask) (exceptions.c:236)
> ==8380==    by 0x6366C4: captured_main(void*) (main.c:1150)
> ==8380==    by 0x6366ED: gdb_main(captured_main_args*) (main.c:1160)
> ==8380==    by 0x4066C3: main (gdb.c:32)
> ==8380==

Hi Doug,

I've ran this in my head many times, but I still don't understand which 
field exactly is stale and causes the segfault.

According to the backtrace, the line of the crash is:

   if (pc < obj_section_addr (section))

That macro expands to

#define obj_section_addr(s)				      		\
   (bfd_get_section_vma ((s)->objfile->obfd, s->the_bfd_section)		\
    + obj_section_offset (s))

which further expands to

#define obj_section_offset(s)						\
   (((s)->objfile->section_offsets)->offsets[gdb_bfd_section_index 
((s)->objfile->obfd, (s)->the_bfd_section)])


Could you point out which dereferencing operator/memory access causes 
the crash?  At first I thought it would be ->section_offsets, but that 
field is set properly before calling read_symbols:

	  /* We use the same section offsets as from last time.  I'm not
	     sure whether that is always correct for shared libraries.  */
	  objfile->section_offsets = (struct section_offsets *)
	    obstack_alloc (&objfile->objfile_obstack,
			   SIZEOF_N_SECTION_OFFSETS (num_offsets));
	  memcpy (objfile->section_offsets, offsets,
		  SIZEOF_N_SECTION_OFFSETS (num_offsets));
	  objfile->num_sections = num_offsets;

so it should not be the culprit...  The s variable itself should point 
to an instance of obj_section, contained in the 
objfile_pspace_info::sections array.  This one is allocated with 
XNEWVEC, so it shouldn't be affected by the fact that we clear the 
obstack.

The objfile object itself doesn't change address, so the pointers to it 
should still be valid...

I find the obj_section_addr and obj_section_offset very bad for 
readability and debuggability.  Could you change them for inline 
functions that are not one liners?  Then it will be obvious in the 
backtrace which operation causes the crash.

Thanks,

Simon

next prev parent reply	other threads:[~2017-04-27 19:46 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-31 23:04 [PATCH] [mips] Fix PR 21337 v1: " Doug Gilmore
2017-04-10 16:01 ` Doug Gilmore
2017-04-12 18:52 ` Luis Machado
2017-04-12 21:42   ` Doug Gilmore
2017-04-13 18:56     ` [PATCH] Fix PR 21337 v2: " Doug Gilmore
2017-04-14 15:33       ` Luis Machado
2017-04-22  2:15       ` Simon Marchi
2017-04-25 18:16         ` Doug Gilmore
2017-04-27 19:46           ` Simon Marchi [this message]
2017-04-28 23:44             ` Doug Gilmore
2017-04-29  1:13               ` Luis Machado
2017-04-29  1:42               ` Simon Marchi
2017-04-29 17:12                 ` Doug Gilmore
2017-04-29 23:26                   ` Simon Marchi
2017-04-30  5:14                     ` Doug Gilmore
2017-05-10 23:26                       ` Doug Gilmore
2017-05-12  3:29                         ` Simon Marchi
2017-05-12 19:24                           ` Doug Gilmore
2017-05-16 23:11                           ` [PATCH] Fix PR 21337 (v3): " Doug Gilmore
2017-06-06 16:08                             ` [PING][PATCH] " Doug Gilmore
2017-06-23 18:20                               ` [PING^2][PATCH] " Doug Gilmore
2017-06-25 11:25                             ` [PATCH] " Simon Marchi
2017-06-27 17:29                               ` [PATCH] Fix PR 21337 (v4): " Doug Gilmore
2017-06-27 21:35                                 ` Doug Gilmore
2017-06-28  2:01                                   ` Maciej W. Rozycki

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7e9595026acbfd2f1a7bff321fa255e1@polymtl.ca \
    --to=simon.marchi@polymtl.ca \
    --cc=Doug.Gilmore@imgtec.com \
    --cc=gdb-patches@sourceware.org \
    --cc=lgustavo@codesourcery.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox