From: "Tedeschi, Walfred"
To: Joel Brobecker
CC: Tom Tromey, Pedro Alves, Yao Qi, "Mark Kettenis (mark.kettenis@xs4all.nl)", "gdb-patches@sourceware.org"
Subject: RE: gdbserver crash due to: [pushed] [PATCH V7 0/8] Intel(R) MPX register support
Date: Mon, 25 Nov 2013 12:51:00 -0000
References: <528E62B3.7080005@redhat.com> <87siuocq7e.fsf@fleche.redhat.com> <20131125121757.GB3114@adacore.com>
In-Reply-To: <20131125121757.GB3114@adacore.com>

Hi All,

I have found the root cause already: It is related to the i386-xstate.h size macro.
Just about to send a fix.

Thanks and regards,
-Fred

-----Original Message-----
From: Joel Brobecker [mailto:brobecker@adacore.com]
Sent: Monday, November 25, 2013 1:18 PM
To: Tedeschi, Walfred
Cc: Tom Tromey; Pedro Alves; Yao Qi; Mark Kettenis (mark.kettenis@xs4all.nl); gdb-patches@sourceware.org
Subject: FYI: gdbserver crash due to: [pushed] [PATCH V7 0/8] Intel(R) MPX register support

Hello,

Just letting you guys know that I'm seeing a gdbserver crash due to this bug, and that I am investigating - so that we don't duplicate efforts. It's code that's completely new to me, so I might take time figuring out what's wrong, hence the heads up.

FTR, I am on GNU/Linux Ubuntu 13.04 x86_64-linux. To reproduce:

    % gdbserver :4444 simple_main

And then, start GDB elsewhere:

    % gdb simple_main
    (gdb) target remote :4444
    (gdb) cont

GDBserver crashes as follows:

    memory clobbered past end of allocated block
    [1]  + 26259 abort (core dumped)  /[...]/gdbserver :4444 simple_main

I think one needs to be in development mode in order to see the problem.

Also FTR, here are my notes so far:

| In linux-low.c:regsets_store_inferior_registers:
|
|     buf = xmalloc (regset->size);   <<<- size is 576
|
| ... and then calls:
|
|     regset->fill_function (regcache, buf);
|
| This goes to x86_fill_xstateregset, which is just a wrapper calling
| i387_cache_to_xsave. In i387_cache_to_xsave, we have:
|
|     struct i387_xsave *fp = (struct i387_xsave *) buf;
|
| This is where things get dicey because:
|
|     sizeof (struct i387_xsave) = 1040
|
| The first buffer overrun starts at:
|
|     if ((clear_bv & I386_XSTATE_AVX))
|       for (i = 0; i < num_xmm_registers; i++)
|         memset (((char *) &fp->ymmh_space[0]) + i * 16, 0, 16);
|
| And indeed, when looking at ymmh_space's offset, it's ... 576!
Now, I'll start looking at the discrepancy between regset-size and sizeof (struct i387_xsave).

--
Joel

PS: Anyone else seeing this? Since the patch was applied several days ago, I would have thought that someone else might have hit that...
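
The size mismatch from the notes above, worked through as an added example (not code from this thread or from GDB): the same memset loop, guarded by the size the caller actually allocated. The struct `xsave_model`, the function names and the register count of 16 are assumptions; only the offset 576 and the total size 1040 come from the notes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct i387_xsave (constructed for this example).
   From the notes: ymmh_space is at offset 576 and the struct is 1040 bytes.
   The other field names and sizes are assumptions. */
struct xsave_model {
  unsigned char head[576];
  unsigned char ymmh_space[256];
  unsigned char tail[208];
};
_Static_assert(offsetof(struct xsave_model, ymmh_space) == 576, "offset");
_Static_assert(sizeof(struct xsave_model) == 1040, "size");

/* Bytes the clearing loop touches, counted from the start of the buffer. */
size_t ymmh_bytes_needed(int num_regs)
{
  return offsetof(struct xsave_model, ymmh_space) + (size_t) num_regs * 16;
}

/* The memset loop from the notes, guarded by the caller's allocation size.
   Returns 0 on success, -1 when the buffer is too short for the writes. */
int clear_ymmh_checked(void *buf, size_t buf_size, int num_regs)
{
  struct xsave_model *fp = buf;
  if (num_regs < 0 || num_regs > 16 || buf_size < ymmh_bytes_needed(num_regs))
    return -1;
  for (int i = 0; i < num_regs; i++)
    memset(fp->ymmh_space + i * 16, 0, 16);
  return 0;
}

/* Allocate alloc_size bytes, as the caller does with regset->size, and try
   the fill. Returns -2 if malloc itself fails. */
int try_fill(size_t alloc_size, int num_regs)
{
  void *buf = malloc(alloc_size);
  int rc = buf ? clear_ymmh_checked(buf, alloc_size, num_regs) : -2;
  free(buf);
  return rc;
}

int main(void)
{
  /* 16 registers is an assumed value for num_xmm_registers. */
  printf("576-byte buffer:  %d\n", try_fill(576, 16));   /* rejected */
  printf("1040-byte buffer: %d\n", try_fill(1040, 16));  /* accepted */
  return 0;
}
```

With a 576-byte allocation the very first 16-byte write would start exactly at the end of the block, so the guard rejects it; passing the allocation size into the fill routine turns the heap overrun into a reportable error.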