Subject: Re: [PATCH 2/3] Fix crash if connection drops in scoped_restore_current_thread's ctor, part 2
From: Simon Marchi
To: Pedro Alves, gdb-patches@sourceware.org
Date: Wed, 8 Jul 2020 23:31:38 -0400
In-Reply-To: <20200708233125.1030-3-pedro@palves.net>

On 2020-07-08 7:31 p.m., Pedro Alves wrote:
> Running the testsuite against an Asan-enabled build of GDB makes
> gdb.base/multi-target.exp expose this bug.
>
> scoped_restore_current_thread's ctor calls get_frame_id to record the
> selected frame's ID to restore later.  If the frame ID hasn't been
> computed yet, it will be computed on the spot, and that will usually
> require accessing the target's memory and registers.  If the remote
> connection closes, while we're computing the frame ID, the remote
> target exits its inferiors, unpushes itself, and throws a
> TARGET_CLOSE_ERROR error.  Exiting the inferiors deletes the
> inferior's threads.
>
> scoped_restore_current_thread increments the current thread's refcount
> to prevent the thread from being deleted from under its feet.
> However, the code that does that isn't considering the case of the
> thread being deleted from within get_frame_id.  It only increments the
> refcount _after_ get_frame_id returns.  So if the current thread is
> indeed deleted, the
>
>   tp->incref ();
>
> statement references a stale TP pointer.
>
> Incrementing the refcounts earlier fixes it.
>
> We should probably also let the TARGET_CLOSE_ERROR error propagate in
> this case.  That alone would fix it, though it seems better to tweak
> the refcount handling too.

So, when the target closes while we (scoped_restore_current_thread) own
a reference on the inferior and thread, the inferior and thread are
still destroyed, and so we shouldn't decref them?

Simon
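As an added illustration of the ordering problem the patch description explains (this is a constructed model, not GDB's code and not part of the thread), the following C++ program simulates GDB-style thread refcounting: a thread leaves the list as soon as it is deleted, but its storage is released immediately only when nobody holds a reference, and otherwise on the last decref. A simulated get_frame_id drops the connection midway, deleting every thread and throwing a target-close error that the constructor swallows. The names thread_info, delete_thread, run_scenario and the live_threads set (which stands in for ASan's view of the heap) are assumptions of the example; the two orderings correspond to incrementing the refcount after get_frame_id (the original code) and before it (the fix).

```cpp
#include <algorithm>
#include <cstdio>
#include <set>
#include <stdexcept>
#include <vector>

// Constructed model of GDB-style thread refcounting (hypothetical; not GDB's code).
struct thread_info {
  int refcount = 0;
  bool exited = false;   // delete_thread() ran while a reference was still held
  void incref() { ++refcount; }
  void decref();
};

// Stand-in for the allocator/ASan view of which thread objects are still allocated.
static std::set<thread_info *> live_threads;
// The inferior's thread list.
static std::vector<thread_info *> thread_list;

static bool is_live(thread_info *tp) { return live_threads.count(tp) != 0; }

static thread_info *add_thread() {
  thread_info *tp = new thread_info;
  live_threads.insert(tp);
  thread_list.push_back(tp);
  return tp;
}

static void free_thread(thread_info *tp) {
  live_threads.erase(tp);
  delete tp;
}

// The thread leaves the list immediately; its storage is released now only if
// nobody holds a reference, otherwise it lingers as "exited" until the last decref.
static void delete_thread(thread_info *tp) {
  thread_list.erase(std::find(thread_list.begin(), thread_list.end(), tp));
  tp->exited = true;
  if (tp->refcount == 0)
    free_thread(tp);
}

void thread_info::decref() {
  --refcount;
  if (refcount == 0 && exited)
    free_thread(this);
}

struct target_close_error : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Computing the frame ID touches the target.  Here the connection drops midway:
// the target exits its inferiors (deleting every thread) and then throws.
static void get_frame_id_with_connection_drop() {
  std::vector<thread_info *> doomed = thread_list;  // copy: delete_thread mutates the list
  for (thread_info *tp : doomed)
    delete_thread(tp);
  throw target_close_error("remote connection closed");
}

struct scenario_result {
  bool stale_pointer;    // the ctor would have dereferenced freed memory
  bool thread_survived;  // the current thread was still allocated when the ctor finished
};

// Runs the ctor/dtor sequence with either ordering and reports what happened.
static scenario_result run_scenario(bool incref_before_frame_id) {
  thread_list.clear();
  live_threads.clear();
  thread_info *tp = add_thread();  // the "current thread" being preserved
  bool stale = false;

  if (incref_before_frame_id)
    tp->incref();  // fixed ordering: hold the reference before anything can delete it

  try {
    get_frame_id_with_connection_drop();
  } catch (const target_close_error &) {
    // The ctor swallows the error and falls back to a null frame ID.
  }

  if (!incref_before_frame_id) {
    // Original ordering: by now delete_thread() may already have freed tp.
    if (!is_live(tp))
      stale = true;  // this is the point where ASan reports heap-use-after-free
    else
      tp->incref();
  }

  bool survived = is_live(tp);
  if (survived)
    tp->decref();  // the dtor's decref; an exited thread is freed here, not earlier
  return {stale, survived};
}

int main() {
  scenario_result before = run_scenario(false);
  scenario_result after = run_scenario(true);
  std::printf("incref after get_frame_id:  stale=%d survived=%d\n",
              before.stale_pointer, before.thread_survived);
  std::printf("incref before get_frame_id: stale=%d survived=%d\n",
              after.stale_pointer, after.thread_survived);
  return 0;
}
```

With the original ordering the model reports a stale pointer and the thread is gone before the constructor reaches its incref; with the reference taken first, the thread is marked exited during get_frame_id but stays allocated until the guard's own decref releases it, which is the lifetime the patch relies on.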