From: Yao Qi
To: RAJESH DASARI
Cc: GDB
Subject: Re: Reg : gdb crash is seen while attaching a process to gdb.
References: <728178DD-B9FD-4695-A7FF-F13B829DFD2E@gmail.com>
Date: Mon, 27 Mar 2017 08:54:00 -0000
In-Reply-To: <728178DD-B9FD-4695-A7FF-F13B829DFD2E@gmail.com> (RAJESH DASARI's message of "Sat, 25 Mar 2017 18:19:13 +0530")
Message-ID: <864lyfp0b7.fsf@gmail.com>
X-SW-Source: 2017-03/txt/msg00062.txt.bz2

RAJESH DASARI writes:

> Thanks for your quick response.  Could you please share those patches,
> I will recompile the gdb with the patches and test the changes.

Could you try the patch below on 7.12?  If the patch doesn't work, please
provide the GDB's stack backtrace on internal error.

-- 
Yao (齐尧)

From 0621d3b4c0c665defc2166ee6240dc85f909275a Mon Sep 17 00:00:00 2001
From: Yao Qi
Date: Mon, 27 Mar 2017 09:42:38 +0100
Subject: [PATCH] Fix refcount of thread_info

I built GDB with asan, ran the test cases hook-stop.exp and threadapply.exp,
and got the following asan error:

=================================================================
==2291==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000999c4 at pc 0x000000826022 bp 0x7ffd28a8ff70 sp 0x7ffd28a8ff60
READ of size 4 at 0x6160000999c4 thread T0
    #0 0x826021 in release_stop_context_cleanup ../../binutils-gdb/gdb/infrun.c:8203
    #1 0x72798a in do_my_cleanups ../../binutils-gdb/gdb/common/cleanups.c:154
    #2 0x727a32 in do_cleanups(cleanup*) ../../binutils-gdb/gdb/common/cleanups.c:176
    #3 0x826895 in normal_stop() ../../binutils-gdb/gdb/infrun.c:8381
    #4 0x815208 in fetch_inferior_event(void*) ../../binutils-gdb/gdb/infrun.c:4011
    #5 0x868aca in inferior_event_handler(inferior_event_type, void*) ../../binutils-gdb/gdb/inf-loop.c:44
....
0x6160000999c4 is located 68 bytes inside of 568-byte region [0x616000099980,0x616000099bb8)
freed by thread T0 here:
    #0 0x7fb0bc1312ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0xb8c62f in xfree(void*) ../../binutils-gdb/gdb/common/common-utils.c:100
    #2 0x83df67 in free_thread ../../binutils-gdb/gdb/thread.c:207
    #3 0x83dfd2 in init_thread_list() ../../binutils-gdb/gdb/thread.c:223
    #4 0x805494 in kill_command ../../binutils-gdb/gdb/infcmd.c:2595
....
Detaching from program: /home/yao.qi/SourceCode/gnu/build-with-asan/gdb/testsuite/outputs/gdb.threads/threadapply/threadapply, process 2399
=================================================================
==2387==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000a98c0 at pc 0x00000083fd28 bp 0x7ffd401c3110 sp 0x7ffd401c3100
READ of size 4 at 0x6160000a98c0 thread T0
    #0 0x83fd27 in thread_alive ../../binutils-gdb/gdb/thread.c:741
    #1 0x844277 in thread_apply_all_command ../../binutils-gdb/gdb/thread.c:1804
....

0x6160000a98c0 is located 64 bytes inside of 568-byte region [0x6160000a9880,0x6160000a9ab8)
freed by thread T0 here:
    #0 0x7f59a7e322ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0xb8c62f in xfree(void*) ../../binutils-gdb/gdb/common/common-utils.c:100
    #2 0x83df67 in free_thread ../../binutils-gdb/gdb/thread.c:207
    #3 0x83dfd2 in init_thread_list() ../../binutils-gdb/gdb/thread.c:223

This patch fixes the issue by always checking refcount before decreasing
it.  If it is zero already, free the thread_info.

gdb:

2017-03-27  Yao Qi

	PR gdb/19942
	* gdbthread.h (free_thread): Declare.
	* infrun.c (release_stop_context_cleanup): If refcount is zero
	call free_thread.
	* thread.c (free_thread): Remove "static".
	(init_thread_list): If refcount is zero, call free_thread.
	(restore_current_thread_cleanup_dtor): Likewise.
	(set_thread_refcount): Likewise.
---
 gdb/gdbthread.h |  3 +++
 gdb/infrun.c    |  7 ++++++-
 gdb/thread.c    | 21 +++++++++++++++++----
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/gdb/gdbthread.h b/gdb/gdbthread.h
index 455cfd8..f89c6e1 100644
--- a/gdb/gdbthread.h
+++ b/gdb/gdbthread.h
@@ -369,6 +369,9 @@ extern void delete_thread (ptid_t); exited, for example. */ extern void delete_thread_silent (ptid_t); =20 +/* Free TP. */ +extern void free_thread (struct thread_info *tp); + /* Delete a step_resume_breakpoint from the thread database. */ extern void delete_step_resume_breakpoint (struct thread_info *); =20 diff --git a/gdb/infrun.c b/gdb/infrun.c index 5125ede..13b74bd 100644 --- a/gdb/infrun.c +++ b/gdb/infrun.c @@ -8200,7 +8200,12 @@ release_stop_context_cleanup (void *arg) struct stop_context *sc =3D (struct stop_context *) arg; =20 if (sc->thread !=3D NULL) - sc->thread->refcount--; + { + if (sc->thread->refcount =3D=3D 0) + free_thread (sc->thread); + else + sc->thread->refcount--; + } xfree (sc); } =20 diff --git a/gdb/thread.c b/gdb/thread.c index 1e39ac4..36dc40f 100644 --- a/gdb/thread.c +++ b/gdb/thread.c @@ -192,7 +192,7 @@ clear_thread_inferior_resources (struct thread_info *tp) thread_cancel_execution_command (tp); } =20 -static void +void free_thread (struct thread_info *tp) { if (tp->priv) @@ -220,7 +220,10 @@ init_thread_list (void) for (tp =3D thread_list; tp; tp =3D tpnext) { tpnext =3D tp->next; - free_thread (tp); + if (tp->refcount =3D=3D 0) + free_thread (tp); + else + tp->refcount--; } =20 thread_list =3D NULL; @@ -1612,7 +1615,12 @@ restore_current_thread_cleanup_dtor (void *arg) =20 tp =3D find_thread_ptid (old->inferior_ptid); if (tp) - tp->refcount--; + { + if (tp->refcount =3D=3D 0) + free_thread (tp); + else + tp->refcount--; + } inf =3D find_inferior_id (old->inf_id); if (inf !=3D NULL) inf->removable =3D old->was_removable; @@ -1629,7 +1637,12 @@ set_thread_refcount (void *data) =3D (struct thread_array_cleanup *) data; =20 for (k =3D 0; k !=3D ta_cleanup->count; k++) - ta_cleanup->tp_array[k]->refcount--; + { + if (ta_cleanup->tp_array[k]->refcount =3D=3D 0) + free_thread (ta_cleanup->tp_array[k]); + else + ta_cleanup->tp_array[k]->refcount--; + } } =20 struct cleanup * --=20 1.9.1
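Review bot: the new declaration in the gdb/gdbthread.h hunk carries only `/* Free TP. */`, which is too little for a function that is now called from infrun.c; the comment should state the ownership rule this patch introduces, namely that thread_list holds one implicit reference, that init_thread_list drops it by decrementing rather than freeing when the count is non-zero, and that a holder which finds refcount == 0 on release therefore owns the last reference and must free. Without that, the next caller of free_thread has no way to know it must never be used on a thread that is still linked in thread_list.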
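Review bot: the `if (sc->thread->refcount == 0) free_thread (sc->thread); else sc->thread->refcount--;` block in the gdb/infrun.c release_stop_context_cleanup hunk is repeated verbatim in the restore_current_thread_cleanup_dtor and set_thread_refcount hunks; rather than exporting free_thread and copying the test into every release site, add one helper in thread.c (say `thread_info_decref (struct thread_info *)`, a name suggested here, not one in the tree) that owns the check, so a future refcount-- site cannot silently bypass it and the free decision lives in one place. That helper is also the natural spot for a gdb_assert that the thread is no longer on thread_list before it is freed.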
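Review bot: in the gdb/thread.c init_thread_list hunk, a thread whose refcount is non-zero is decremented and kept alive, but its `next` pointer is left aimed at the sibling that the next loop iteration may free, and the following `thread_list = NULL` then makes the survivor unreachable from the list. Set `tp->next = NULL` on the kept thread so that nothing still holding it can walk into freed memory, and note in the commit message that such a thread can from then on be reached only through its holders' pointers.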
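Review bot: the gdb/thread.c restore_current_thread_cleanup_dtor hunk re-finds the thread with `find_thread_ptid (old->inferior_ptid)` before releasing, which no longer identifies the thread the reference was taken on once init_thread_list has run in between: the kept thread has been unlinked, so the lookup returns NULL, the `if (tp)` branch is skipped, and the thread_info leaks with a refcount that never reaches zero; and if a thread with the same ptid has been added since (re-attaching the same process, which is the scenario in the subject line), the lookup returns that fresh thread with refcount 0 and free_thread is called on an object still linked in thread_list, reintroducing the heap-use-after-free this patch is meant to fix. Store the `struct thread_info *` next to `old->inferior_ptid` when the reference is taken and release through that pointer rather than through the ptid.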