From: Aleksandar Ristovski
To: gdb-patches@sources.redhat.com
Subject: Re: dangling pointer in so_list
Date: Wed, 31 Aug 2011 20:12:00 -0000

I should have mentioned that there were no regressions (tested on x86_64-unknown-linux-gnu configuration).

On 11-08-31 04:01 PM, Aleksandar Ristovski wrote:
> Hello,
>
> I ran into a gdb crash examining a core file. This happened on gdb 7.3, on QNX. Unfortunately, I could not come up with a reproducible testcase on gnu/linux due to differences in dynamic linkers, but offer a detailed explanation instead:
>
> What happened is that a process loaded the same shared object more than once. Then it crashed and a core was generated.
>
> In the core, we had a link map specifying the same shared object more than once. While traversing the link map, gdb loaded shared objects (symbols), thus associating each so_list object with an objfile object. During the process, it detected duplicates and associated multiple so_list objects with the same objfile instance.
>
> At this point, a change to solib-search-path causes gdb to reload symbols, and the crash happens: while traversing so_list in solib.c:reload_shared_libraries_1, in one iteration gdb calls 'free_objfile' with a pointer to an instance of the objfile. In a subsequent iteration, it tries to do the same with, now, a dangling pointer to the same objfile object. Not good.
>
> The attached patch fixes the issue.
>
>
> Thanks,
>
> Aleksandar Ristovski
> QNX Software Systems
>
>
>
> ChangeLog:
> Aleksandar Ristovski
>
> * solib.c (reload_shared_libraries_1): Check whether objfile is used before freeing it.
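As an added illustration of the double free described in the quoted mail (not the attached gdb patch, which is not reproduced here), the following toy C model builds an so_list in which two nodes share one objfile, as happens when a process loads the same shared object twice, and runs a reload loop both without and with the "is the objfile still used" check the ChangeLog describes. The struct names, fields and `run_demo` are simplified stand-ins for gdb's real types, not gdb code.

```c
#include <stdio.h>
/* Toy stand-ins for gdb's objfile and so_list, constructed for this example. */
struct objfile { const char *name; int freed; };   /* freed: free_objfile() ran */
struct so_list { struct so_list *next; struct objfile *objfile; };
struct reload_result { int freed; int dangling; }; /* dangling: frees via stale ptr */

/* The check the ChangeLog describes: does another node still use 'obj'? */
static int objfile_used_elsewhere(struct so_list *head, struct so_list *self, struct objfile *obj)
{
    for (struct so_list *p = head; p; p = p->next)
        if (p != self && p->objfile == obj) return 1;
    return 0;
}

/* Model of the loop in reload_shared_libraries_1. Frees are recorded, not performed,
   so the dangling case is counted instead of crashing. check_users: 0 = buggy, 1 = fixed. */
static struct reload_result reload_shared_libraries(struct so_list *head, int check_users)
{
    struct reload_result r = {0, 0};
    for (struct so_list *so = head; so; so = so->next) {
        struct objfile *obj = so->objfile;
        if (!obj) continue;
        if (check_users && objfile_used_elsewhere(head, so, obj)) {
            so->objfile = NULL;   /* drop this reference; a later node frees it */
            continue;
        }
        if (obj->freed) r.dangling++;        /* the bug: stale pointer freed again */
        else { obj->freed = 1; r.freed++; }  /* first (legitimate) free */
        so->objfile = NULL;
    }
    return r;
}

/* The core-file situation: libfoo.so loaded twice, so two nodes share one objfile. */
struct reload_result run_demo(int check_users)
{
    struct objfile objs[2] = { { "libc.so.6", 0 }, { "libfoo.so", 0 } };
    struct so_list nodes[3] = { { &nodes[1], &objs[0] }, { &nodes[2], &objs[1] },
                                { NULL, &objs[1] } };   /* duplicate of nodes[1] */
    return reload_shared_libraries(nodes, check_users);
}

int main(void)
{
    struct reload_result b = run_demo(0), f = run_demo(1);
    printf("buggy: %d freed, %d dangling; fixed: %d freed, %d dangling\n",
           b.freed, b.dangling, f.freed, f.dangling);
    return 0;
}
```

With the check in place each distinct objfile is still freed exactly once, but the second node referring to the shared objfile no longer frees through a pointer that an earlier iteration already invalidated.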