Discussion:
[Bug breakpoints/22736] New: [aarch64] gdb crashes on a conditional breakpoint with cast return type
weimin.pan at oracle dot com
2018-01-20 00:15:41 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=22736

Bug ID: 22736
Summary: [aarch64] gdb crashes on a conditional breakpoint with
cast return type
Product: gdb
Version: 8.1
Status: NEW
Severity: normal
Priority: P2
Component: breakpoints
Assignee: unassigned at sourceware dot org
Reporter: weimin.pan at oracle dot com
Target Milestone: ---

$ ./gdb ./gdb
GNU gdb (GDB) 8.1.50.20180118-git
Copyright (C) 2018 Free Software Foundation, Inc.
...
(gdb) b dwarf2_physname if (int)strcmp (name, "another_thread_local") == 0
Breakpoint 1 at 0x5557ec: file dwarf2read.c, line 11096.
(gdb) run a.out // use any a.out
Starting program: /tmp/binutils-gdb/gdb/gdb a.out
GNU gdb (GDB) 8.1.50.20180118-git
...
Reading symbols from a.out...done.
Segmentation fault (core dumped)

Below is the traceback at the crash site:

Program received signal SIGSEGV, Segmentation fault.
check_typedef (type=0x0) at gdbtypes.c:2392
2392 while (TYPE_CODE (type) == TYPE_CODE_TYPEDEF)

#0 check_typedef (type=0x0) at gdbtypes.c:2392
#1 0x000000000059b920 in gnuv3_pass_by_reference (type=<optimized out>)
at gnu-v3-abi.c:1254
#2 0x000000000051598c in cp_pass_by_reference (type=<optimized out>)
at cp-abi.c:229
#3 0x00000000005b91f0 in language_pass_by_reference (type=<optimized out>)
at language.c:662
#4 0x0000000000413094 in aarch64_push_dummy_call (gdbarch=0x14c8320,
function=<optimized out>, regcache=0xe1d5b0, bp_addr=4253512, nargs=2,
args=0x7fffffe938, sp=549755809776, struct_return=0, struct_addr=0)
at aarch64-tdep.c:1427
#5 0x0000000000586f98 in gdbarch_push_dummy_call (
gdbarch=***@entry=0x14c8320, function=***@entry=0xb908a0,
regcache=<optimized out>, bp_addr=<optimized out>, nargs=***@entry=2,
args=***@entry=0x7fffffe938, sp=***@entry=549755809776,
struct_return=***@entry=0, struct_addr=***@entry=0)
at gdbarch.c:2377
#6 0x00000000005a060c in call_function_by_hand_dummy (function=0xb908a0,
default_return_type=0x28657d0, nargs=2, args=0x7fffffe938,
dummy_dtor=***@entry=0x0,
dummy_dtor_data=***@entry=0x0) at infcall.c:1078
#7 0x00000000005a12c4 in call_function_by_hand (function=<optimized out>,
default_return_type=<optimized out>, nargs=<optimized out>,
args=<optimized out>) at infcall.c:695
#8 0x000000000056c5b4 in eval_call (noside=***@entry=EVAL_NORMAL,
nargs=***@entry=2, argvec=***@entry=0x7fffffe930,
function_name=***@entry=0x3330975 "strcmp",
default_return_type=***@entry=0x28657d0, exp=0xbd0070,
exp=0xbd0070) at eval.c:831
#9 0x000000000056dbe8 in evaluate_funcall (
expect_type=***@entry=0x28657d0, exp=***@entry=0xbd0070,
pos=***@entry=0x7ffffff2dc, noside=***@entry=EVAL_NORMAL)
at eval.c:1236
...
--
You are receiving this mail because:
You are on the CC list for the bug.
alan.hayward at arm dot com
2018-02-22 14:37:04 UTC

Alan Hayward <alan.hayward at arm dot com> changed:

What                |Removed                          |Added
----------------------------------------------------------------------------
CC                  |                                 |alan.hayward at arm dot com

--- Comment #1 from Alan Hayward <alan.hayward at arm dot com> ---
Tested this with 8.1.50.20180220-git
Reproduced error exactly as stated on aarch64.

Interestingly, the bug does not occur on any of:

1) Remove the cast:
$ ./gdb ./gdb
(gdb) b dwarf2_physname if strcmp (name, "another_thread_local") == 0
(gdb) run a.out

2) Provide the args on the shell command line:
$ ./gdb ./gdb -r ./a.out
(gdb) b dwarf2_physname if (int)strcmp (name, "another_thread_local") == 0
(gdb) run

3) Using x86

4) Using distro provided gdb 7.1.1:
$ /usr/bin/gdb ./gdb
(gdb) b dwarf2_physname if (int)strcmp (name, "another_thread_local") == 0
(gdb) run a.out
alahay01 at gcc dot gnu.org
2018-02-22 19:55:19 UTC

Alan Hayward <alahay01 at gcc dot gnu.org> changed:

What                |Removed                          |Added
----------------------------------------------------------------------------
CC                  |                                 |alahay01 at gcc dot gnu.org
Assignee            |unassigned at sourceware dot org |alahay01 at gcc dot gnu.org
alahay01 at gcc dot gnu.org
2018-02-22 19:57:13 UTC

Alan Hayward <alahay01 at gcc dot gnu.org> changed:

What                |Removed                          |Added
----------------------------------------------------------------------------
Target              |                                 |aarch64
alahay01 at gcc dot gnu.org
2018-03-02 15:06:37 UTC

--- Comment #2 from Alan Hayward <alahay01 at gcc dot gnu.org> ---
A simpler way of reproducing this bug without needing to gdb gdb:

#include <string.h>

int foo(char *name)
{
  return strcmp(name, "3") == 1;
}

int main(void)
{
  foo("a");
}

g++ -g -fno-inline test.c

$ gdb ~/a.out
(gdb) b foo if (int)strcmp(name,"abc") == 0
(gdb) r
weimin.pan at oracle dot com
2018-03-05 22:44:54 UTC

--- Comment #3 from weimin.pan at oracle dot com ---
The test case can be reduced to:

int foo(char *name)
{
  return name[0] == '3';
}

int main(void)
{
  foo("a");
}

and causes gdb to crash on aarch64.
alahay01 at gcc dot gnu.org
2018-08-29 10:34:31 UTC

Alan Hayward <alahay01 at gcc dot gnu.org> changed:

What                |Removed                          |Added
----------------------------------------------------------------------------
Status              |NEW                              |RESOLVED
Resolution          |---                              |FIXED

--- Comment #4 from Alan Hayward <alahay01 at gcc dot gnu.org> ---
Tom:
I initially wasn't going to suggest this because this is a bug that has always
been in the aarch64 port and it hadn't been noticed until the test suite was
added. However, it could quite easily trip up anyone doing a "call" on a
function that is passing around structs by value.

Joel:
What do you think?
Changes are restricted to the aarch64 port. It's quite a complex change - but
it is based on existing gcc code.
alahay01 at gcc dot gnu.org
2018-08-29 16:05:12 UTC

Alan Hayward <alahay01 at gcc dot gnu.org> changed:

What                |Removed                          |Added
----------------------------------------------------------------------------
Status              |RESOLVED                         |REOPENED
Resolution          |FIXED                            |---

--- Comment #5 from Alan Hayward <alahay01 at gcc dot gnu.org> ---
Sorry, wrong bug. Bugzilla diverted me.
cvs-commit at gcc dot gnu.org
2018-11-16 13:47:44 UTC

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Alan Hayward <***@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=38a72da0f1d968432ae6a2a9697ba55932dc075e

commit 38a72da0f1d968432ae6a2a9697ba55932dc075e
Author: Alan Hayward <***@arm.com>
Date: Thu Oct 11 14:47:30 2018 +0100

Aarch64: Fix segfault when casting dummy calls

The following will segfault on aarch64 if foo is in another object,
was compiled as c++ and has no debug symbols:
(gdb) p (int)foo()

This is because aarch64_push_dummy_call determines the return type
of the function and then does not check for a null pointer.

A null pointer for the return type means the call has no debug
information. For the code to get here, the call must have
been cast, otherwise we'd error out sooner. In the case of a
no-debug-info call cast, the return type is the type the user
had cast the call to, but we do not have that information
available here.

However, aarch64_push_dummy_call only requires the return type in
order to calculate lang_struct_return. This information is available
in the return_method enum. The fix is to simply use this instead.

Adds testcase to check calls across objects, with all combinations
of c, c++, debug and no debug.

gdb/ChangeLog:

PR gdb/22736:
* aarch64-tdep.c (aarch64_push_dummy_call): Remove
lang_struct_return code.

gdb/testsuite/ChangeLog:

PR gdb/22736:
* gdb.cp/infcall-nodebug-lib.c: New test.
* gdb.cp/infcall-nodebug-main.c: New test.
* gdb.cp/infcall-nodebug.exp: New file.
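A constructed C model of the defect and the fix the commit message above describes, added here as an example and not taken from gdb's source: the names check_typedef, pass_by_reference and return_method mirror gdb's, but the struct layout, the typedef chain and the 16-byte threshold are assumptions made for this example.

```c
#include <stddef.h>
/* Constructed model of PR gdb/22736: names mirror gdb's, but this is a
   simplification written for this example, not gdb's own source. */
enum type_code { TYPE_CODE_INT, TYPE_CODE_STRUCT, TYPE_CODE_TYPEDEF };
struct type {
  enum type_code code;
  struct type *target;  /* what a typedef resolves to */
  size_t length;        /* size in bytes */
};
/* The caller's already-decided return convention (return_method). */
enum return_method { return_method_normal, return_method_struct };

/* Model of check_typedef: peels typedef layers, dereferencing
   unconditionally; a NULL type faults here ("check_typedef (type=0x0)"). */
static struct type *check_typedef(struct type *type)
{
  while (type->code == TYPE_CODE_TYPEDEF)
    type = type->target;
  return type;
}

/* Pass-by-reference query; assumption for this example: structs over
   16 bytes are returned through memory. */
static int pass_by_reference(struct type *type)
{
  type = check_typedef(type);
  return type->code == TYPE_CODE_STRUCT && type->length > 16;
}

/* Before the fix: lang_struct_return derived from the return type, so a
   cast call into a no-debug-info function (return_type == NULL) crashes. */
static int struct_return_before_fix(struct type *return_type)
{
  return pass_by_reference(return_type);
}

/* After the fix: the decision comes from return_method; no type pointer
   is dereferenced, so a NULL return type never matters. */
static int struct_return_after_fix(enum return_method method)
{
  return method == return_method_struct;
}
int main(void)
{
  struct type big = { TYPE_CODE_STRUCT, NULL, 32 };
  struct type alias = { TYPE_CODE_TYPEDEF, &big, 32 };
  /* struct_return_before_fix(NULL) is the crash; only safe inputs here. */
  return (struct_return_before_fix(&alias) == 1
          && struct_return_after_fix(return_method_normal) == 0) ? 0 : 1;
}
```

The fixed path takes the convention the caller already chose, which is exactly why the null return type of a cast no-debug-info call stops being reachable from this code.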
alahay01 at gcc dot gnu.org
2018-11-16 13:53:03 UTC

Alan Hayward <alahay01 at gcc dot gnu.org> changed:

What                |Removed                          |Added
----------------------------------------------------------------------------
Status              |REOPENED                         |RESOLVED
Resolution          |---                              |FIXED

--- Comment #7 from Alan Hayward <alahay01 at gcc dot gnu.org> ---
Also see previous two commits for the groundwork for the fix.