Bug 10886 - Crash of gdb 7.0 as shipped with Ubuntu 9.10, probably due to a double free.
Summary: Crash of gdb 7.0 as shipped with Ubuntu 9.10, probably due to a double free.
Status: RESOLVED OBSOLETE
Alias: None
Product: gdb
Classification: Unclassified
Component: gdb
Version: 7.0
Importance: P2 critical
Target Milestone: 7.1
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-02 12:03 UTC by Andre'
Modified: 2017-03-16 17:54 UTC

See Also:
Host: i486-linux-gnu
Target: i486-linux-gnu
Build: i486-linux-gnu
Last reconfirmed:


Description Andre' 2009-11-02 12:03:30 UTC
"GNU gdb (GDB) 7.0-ubuntu\n"
"Copyright (C) 2009 Free Software Foundation, Inc.\n"


The crash is not 100% reproducible, but as at the same time there are "double
free" messages sometimes too, I think this is to be expected.


Program received signal SIGSEGV, Segmentation fault.
free_command_lines (lptr=0x9a6b708) at /tmp/gdb-7.0/gdb/cli/cli-script.c:1227
1227          if (l->body_count > 0)


(gdb) p l
$1 = (struct command_line *) 0x6168732f
(gdb) p *l
Cannot access memory at address 0x6168732f


(gdb) bt full
#0  free_command_lines (lptr=0x9a6b708) at /tmp/gdb-7.0/gdb/cli/cli-script.c:1227
        l = 0x6168732f
        next = 0x9a6b6e0
        blist = 0x97dc858
        i = <value optimized out>
#1  0x0811bafd in delete_breakpoint (bpt=0x9a6b6e0)
    at /tmp/gdb-7.0/gdb/breakpoint.c:8005
        b = 0x0
        __PRETTY_FUNCTION__ = "delete_breakpoint"
#2  0x08093855 in do_my_cleanups (pmy_chain=0x8382850, old_chain=0x0)
    at /tmp/gdb-7.0/gdb/utils.c:391
        ptr = 0x97dc858
#3  0x08140db0 in print_command_1 (
    exp=0xbfe77505 "(void*)dlopen(\"/home/berlin/[[some]].so\", 0x00002)",
inspect=0,
    voidprint=<value optimized out>) at /tmp/gdb-7.0/gdb/printcmd.c:940
        expr = 0xa27dd78
        old_chain = 0x0
        format = <value optimized out>
        val = 0xa27df68
        cleanup = 1
#4  0x080928f2 in execute_command (p=0xbfe7757a ")", from_tty=1)
    at /tmp/gdb-7.0/gdb/top.c:453
        arg = 0xbfe77505 "(void*)dlopen(\"/home/berlin/[[some]].so\", 0x00002)"
        c = 0x9037610
        flang = <value optimized out>
        warned = 0
        line = 0xbfe77500 "call (void*)dlopen(\"/home/berlin/[[some]].so\",
0x00002)"
#5  0x0816abb2 in catch_exception (uiout=0x904d958,
    func=0x80ea980 <do_captured_execute_command>, func_args=0xbfe775b4, mask=6)
    at /tmp/gdb-7.0/gdb/exceptions.c:462
        exception = {reason = 0, error = GDB_NO_ERROR, message = 0x0}
#6  0x080ea90e in safe_execute_command (data=0x0,
    command_str=0x90f13f0 "call (void*)dlopen(\"/home/berlin/[[some]].so\",
0x00002)")
    at /tmp/gdb-7.0/gdb/cli/cli-interp.c:130
        e = {reason = -1075350056, error = 134821996,
          message = 0x90c1980 "8\374\n\t\260,\t\b"}
        args = {
          command = 0xbfe77500 "call (void*)dlopen(\"/home/berlin/[[some]].so\",
0x00002)",
          from_tty = 1}
#7  cli_interpreter_exec (data=0x0,
    command_str=0x90f13f0 "call (void*)dlopen(\"/home/berlin/[[some]].so\",
0x00002)")
    at /tmp/gdb-7.0/gdb/cli/cli-interp.c:110
        old_stream = <value optimized out>
#8  0x0816ad1a in interp_exec (interp=0x904d9c0,
    command_str=0x90f13f0 "call (void*)dlopen(\"/home/berlin/[[some]].so\",
0x00002)")
    at /tmp/gdb-7.0/gdb/interps.c:326
No locals.
#9  0x080ef756 in mi_cmd_interpreter_exec (command=0x82bc96a "-interpreter-exec",
    argv=0xbfe77684, argc=2) at /tmp/gdb-7.0/gdb/mi/mi-interp.c:206
        e = {reason = 0, error = 3219617352,
          message = 0x809666f
"\311\303\353\r\220\220\220\220\220\220\220\220\220\220\220\220\220U\211\345WVS\203\354\034\213u\f\213]\b\213}\020\200>\n\017\204\365\001"}
        interp_to_use = 0x904d9c0
        i = 1
        old_chain = 0x90afc38
#10 0x080f02b1 in captured_mi_execute_command (uiout=0x904e0b8, data=0x90c19b8)
    at /tmp/gdb-7.0/gdb/mi/mi-main.c:1232
        argv = {0x82a3148 "console",
          0x90f13f0 "call (void*)dlopen(\"/home/berlin/[[some]].so\", 0x00002)"}
        cleanup = 0x0
#11 0x0816abb2 in catch_exception (uiout=0x904e0b8,
    func=0x80f0070 <captured_mi_execute_command>, func_args=0x90c19b8, mask=6)
    at /tmp/gdb-7.0/gdb/exceptions.c:462
        exception = {reason = 0, error = GDB_NO_ERROR, message = 0x0}
#12 0x080efd38 in mi_execute_command (
    cmd=0xa223b88 "41call (void*)dlopen(\"/home/berlin/[[some]].so\", 0x00002)",
from_tty=1)
    at /tmp/gdb-7.0/gdb/mi/mi-main.c:1288
        result = {reason = 4961420, error = 5882912,
          message = 0x7e <Address 0x7e out of bounds>}
        previous_ptid = {pid = 27808, lwp = 27808, tid = 0}
        command = <value optimized out>
#13 0x080eecb6 in mi_execute_command_wrapper (
    cmd=0xa223b88 "41call (void*)dlopen(\"/home/berlin/[[some]].so\", 0x00002)")
    at /tmp/gdb-7.0/gdb/mi/mi-interp.c:251
No locals.
#14 0x0816ff89 in handle_file_event (data=...) at /tmp/gdb-7.0/gdb/event-loop.c:812
        file_ptr = 0x909e928
        mask = <value optimized out>
        error_mask_returned = 0
#15 0x0816f7cb in process_event () at /tmp/gdb-7.0/gdb/event-loop.c:394
        event_ptr = <value optimized out>
        proc = 0x816ff10 <handle_file_event>
        data = {ptr = 0x0, integer = 0}
#16 0x081704c6 in gdb_do_one_event (data=0x0) at /tmp/gdb-7.0/gdb/event-loop.c:447
        event_source_head = 0
        current = 3
#17 0x0816a993 in catch_errors (func=0x81703e0 <gdb_do_one_event>, func_args=0x0,
    errstring=0x82b3b14 "", mask=6) at /tmp/gdb-7.0/gdb/exceptions.c:510
        val = 0
        exception = {reason = 0, error = GDB_NO_ERROR, message = 0x0}
#18 0x0816fecc in start_event_loop () at /tmp/gdb-7.0/gdb/event-loop.c:483
        gdb_result = 161920776



/home/berlin/[[some]].so is a real name, pointing to a valid, loadable shared object.
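The faulting pointer in the trace above, l = 0x6168732f, reads as printable ASCII when its bytes are taken in i486 little-endian order, which is a common sign that the chunk behind a stale pointer was already freed and reused for string data. The following triage helper is an added example, not code from the bug report or from gdb; the sample values are copied from the backtrace.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the bytes of a 32-bit value in little-endian (i486) memory order
   into out[0..3] and NUL-terminate; out must hold at least 5 bytes. */
static void le_bytes(uint32_t v, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* Return 1 if every byte of the value is printable ASCII, i.e. the
   "pointer" is plausibly text that overwrote a freed chunk, else 0. */
int looks_like_text(uint32_t v)
{
    char b[5];
    le_bytes(v, b);
    for (int i = 0; i < 4; i++)
        if (!isprint((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Decode the value into the caller's buffer and return it. */
char *decode_pointer(uint32_t v, char out[5])
{
    le_bytes(v, out);
    return out;
}

int main(void)
{
    /* l, next and blist from frame #0 of the report's backtrace. */
    uint32_t samples[] = { 0x6168732f, 0x09a6b6e0, 0x097dc858 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char text[5];
        decode_pointer(samples[i], text);
        if (looks_like_text(samples[i]))
            printf("0x%08x -> \"%s\" (text, not a heap pointer)\n", samples[i], text);
        else
            printf("0x%08x -> plausible heap pointer\n", samples[i]);
    }
    return 0;
}
```

Under MALLOC_CHECK_=2, as suggested later in this report, the first free of the chunk that still held this pointer would be caught before the text ever overwrote it.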
Comment 1 Andre' 2009-11-02 16:13:32 UTC
I am raising Severity to "critical". Injection of code into the inferior is
badly affected.

After reading some of our own bug reports I have the impression that the bug
might already have been present in 6.8 but far less prominent.
Comment 2 Paul Pluzhnikov 2009-11-09 17:43:42 UTC
I cannot reproduce this problem on a trivial test case.
Andre, could you perhaps provide more detailed instructions?

Note: if you link with -lmcheck, or set MALLOC_CHECK_=2, the intermittent crash
should become deterministic (if it is due to double free).

I can however make gdb-cvs crash on a trivial related example by executing:

cat t.c
int main() { return 0; }

cat foo.c
int foo() { return 42; }

gcc -g t.c -ldl && gcc -g -fPIC -shared -o foo.so foo.c

gdb64-cvs -nx ./a.out
GNU gdb (GDB) 7.0.50.20091109-cvs
...
Reading symbols from /tmp/gdb-pr10886/a.out...done.
(gdb) b main
Breakpoint 1 at 0x40048c: file t.c, line 1.
(gdb) r
Starting program: /tmp/gdb-pr10886/a.out
Breakpoint 1, main () at t.c:1
1	int main() { return 0; }
(gdb) print dlopen("./foo.so", 2)
$1 = 6295632
(gdb) b foo
Breakpoint 2 at 0x7ffff76794f0: file foo.c, line 1.
(gdb) c
Continuing.

Program exited normally.
(gdb) r
Starting program: /tmp/gdb-pr10886/a.out 
Breakpoint 1, main () at t.c:1
1	int main() { return 0; }
(gdb) info b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x000000000040048c in main at t.c:1
	breakpoint already hit 1 time
Segmentation fault (core dumped)

The crash is here:
(gdb) bt
#0  lookup_minimal_symbol_by_pc_section_1 (pc=140737344148720, section=0xd21390,
want_trampoline=<value optimized out>)
    at ../../src/gdb/minsyms.c:488
#1  0x00000000004ff3e9 in find_pc_sect_symtab (pc=140737344148720,
section=0xd21390) at ../../src/gdb/symtab.c:2071
#2  0x00000000004fd117 in blockvector_for_pc_sect (pc=140737344148720,
section=0xd21390, pblock=0x7fff5d7d9df0, symtab=0x0)
    at ../../src/gdb/block.c:106
#3  0x00000000004fd140 in block_for_pc_sect (pc=140737344148720,
section=0xd21390) at ../../src/gdb/block.c:182
#4  0x00000000004cd9f9 in find_pc_sect_function (pc=140737344148720,
section=0xd21390) at ../../src/gdb/blockframe.c:139
#5  0x00000000004d428d in print_breakpoint_location (b=0xcdf2d0, loc=0xcb6300,
loc_number=<value optimized out>, 
    last_loc=0x7fff5d7da038, print_address_bits=<value optimized out>,
allflag=0) at ../../src/gdb/breakpoint.c:3836
#6  print_one_breakpoint_location (b=0xcdf2d0, loc=0xcb6300, loc_number=<value
optimized out>, last_loc=0x7fff5d7da038, 
    print_address_bits=<value optimized out>, allflag=0) at
../../src/gdb/breakpoint.c:4053
#7  0x00000000004d4910 in print_one_breakpoint (b=0x7ffff76794f0, last_loc=0x0,
print_address_bits=64, allflag=0)
    at ../../src/gdb/breakpoint.c:4225
#8  0x00000000004d4bf4 in breakpoint_1 (bnum=-1, allflag=0) at
../../src/gdb/breakpoint.c:4403
#9  0x000000000045cb3a in execute_command (p=0xa62a06 "", from_tty=1) at
../../src/gdb/top.c:453
...
Comment 3 Andre' 2017-03-16 17:54:33 UTC
I guess that's not relevant anymore. Resolving as 'obsolete'