(top) fil gdb Reading symbols from linux/gdb/gdb...done. warning: File "gdb-gdb.gdb" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load". (top) b main Breakpoint 1 at 0x456f53: file ../../gdb/gdb/gdb.c, line 29. (top) commands 1 Type commands for breakpoint(s) 1, one per line. End with a line saying just "end". >set confirm off >kill >end (top) r Starting program: linux/gdb/gdb [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Breakpoint 1, main (argc=1, argv=0x7fffffffe048) at ../../gdb/gdb/gdb.c:29 29 memset (&args, 0, sizeof args); Segmentation fault (core dumped) Backtrace: 0x000000000054678a in bpstat_do_actions_1 (bsp=0x12b25c8) at ../../archer/gdb/breakpoint.c:4265 4265 ccmd = bs->commands; (top) p bs $1 = (struct bpstats *) 0x9595959595959595 (top) bt #0 0x000000000054678a in bpstat_do_actions_1 (bsp=0x12b25c8) at ../../gdb/gdb/breakpoint.c:4265 #1 0x000000000054688e in bpstat_do_actions () at ../../gdb/gdb/breakpoint.c:4331 #2 0x00000000005dd677 in command_handler (command=0xc4b730 "") at ../../gdb/gdb/event-top.c:438 #3 0x00000000005ddd07 in command_line_handler (rl=0xd14e00 "r") at ../../gdb/gdb/event-top.c:636 #4 0x000000000071daa2 in rl_callback_read_char () at ../../gdb/readline/callback.c:220 #5 0x00000000005dd119 in rl_callback_read_char_wrapper (client_data=0x0) at ../../gdb/gdb/event-top.c:169 #6 0x00000000005dd584 in stdin_event_handler (error=0, client_data=0x0) at ../../gdb/gdb/event-top.c:375 #7 0x00000000005dc0ba in handle_file_event (data=...) at ../../gdb/gdb/event-loop.c:827 #8 0x00000000005db580 in process_event () at ../../gdb/gdb/event-loop.c:401 #9 0x00000000005db647 in gdb_do_one_event () at ../../gdb/gdb/event-loop.c:465 #10 0x00000000005db698 in start_event_loop () at ../../gdb/gdb/event-loop.c:490 #11 0x00000000005dd143 in cli_command_loop () at ../../gdb/gdb/event-top.c:182 #12 0x00000000005d40a3 in current_interp_command_loop () at ../../gdb/gdb/interps.c:332 #13 0x00000000005d49ce in captured_command_loop (data=0x0) at ../../gdb/gdb/main.c:226 #14 0x00000000005d2eb3 in catch_errors (func=0x5d49b3 <captured_command_loop>, ---Type <return> to continue, or q <return> to quit--- func_args=0x0, errstring=0x87de25 "", mask=6) at ../../archer/gdb/exceptions.c:546 #15 0x00000000005d5d9f in captured_main (data=0x7fffffffdf10) at ../../gdb/gdb/main.c:1001 #16 0x00000000005d2eb3 in catch_errors (func=0x5d4c64 <captured_main>, func_args=0x7fffffffdf10, errstring=0x87de25 "", mask=6) at ../../gdb/gdb/exceptions.c:546 #17 0x00000000005d5dd5 in gdb_main (args=0x7fffffffdf10) at ../../gdb/gdb/main.c:1010 #18 0x0000000000456f9f in main (argc=1, argv=0x7fffffffe018) at ../../gdb/gdb/gdb.c:34
Dup. *** This bug has been marked as a duplicate of bug 13728 ***
The master branch has been updated by Hannes Domani <ssbssa@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39c9aaea70056290e48da6e430b9d1328888c4c4 commit 39c9aaea70056290e48da6e430b9d1328888c4c4 Author: Hannes Domani <ssbssa@yahoo.de> Date: Mon Dec 22 12:06:43 2025 +0100 Fix crash if breakpoint commands contain detach or kill If breakpoint commands contain detach or kill, then gdb tries to access freed memory: (gdb) b main Breakpoint 1 at 0x111d: file main.c, line 21. (gdb) commands Type commands for breakpoint(s) 1, one per line. End with a line saying just "end". >detach >end (gdb) run Starting program: /home/src/lappy/binutils-gdb.git/gdb/testsuite/gdb.base/main [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/../lib/libthread_db.so.1". main () at main.c:21 21 return 0; [Inferior 1 (process 241852) detached] ================================================================= ==241817==ERROR: AddressSanitizer: heap-use-after-free on address 0x7b7a3de0b760 at pc 0x55fcb92613fe bp 0x7ffec2d524f0 sp 0x7ffec2d524e0 READ of size 8 at 0x7b7a3de0b760 thread T0 #0 0x55fcb92613fd in bpstat_do_actions_1 ../../gdb/breakpoint.c:4898 #1 0x55fcb92617da in bpstat_do_actions() ../../gdb/breakpoint.c:5012 #2 0x55fcba3180e7 in inferior_event_handler(inferior_event_type) ../../gdb/inf-loop.c:71 #3 0x55fcba3ba1e1 in fetch_inferior_event() ../../gdb/infrun.c:4769 0x7b7a3de0b760 is located 0 bytes inside of 56-byte region [0x7b7a3de0b760,0x7b7a3de0b798) freed by thread T0 here: #0 0x7f1a43522a2d in operator delete(void*, unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:155 #1 0x55fcb925d5cd in bpstat_clear(bpstat**) ../../gdb/breakpoint.c:4646 #2 0x55fcbb69ea6a in clear_thread_inferior_resources ../../gdb/thread.c:185 #3 0x55fcbb69f4cb in set_thread_exited(thread_info*, std::optional<unsigned long>, bool) ../../gdb/thread.c:244 #4 0x55fcba368d64 in operator() ../../gdb/inferior.c:269 #5 0x55fcba375e2b in clear_and_dispose<inferior::clear_thread_list()::<lambda(thread_info*)> > ../../gdb/../gdbsupport/intrusive_list.h:529 #6 0x55fcba368f19 in inferior::clear_thread_list() ../../gdb/inferior.c:265 #7 0x55fcba3694ba in exit_inferior(inferior*) ../../gdb/inferior.c:322 #8 0x55fcba369e35 in detach_inferior(inferior*) ../../gdb/inferior.c:358 #9 0x55fcba319d9f in inf_ptrace_target::detach_success(inferior*) ../../gdb/inf-ptrace.c:214 #10 0x55fcba56a2f6 in linux_nat_target::detach(inferior*, int) ../../gdb/linux-nat.c:1582 #11 0x55fcba62121c in thread_db_target::detach(inferior*, int) ../../gdb/linux-thread-db.c:1381 #12 0x55fcbb5ca49e in target_detach(inferior*, int) ../../gdb/target.c:2557 #13 0x55fcba356ba4 in detach_command(char const*, int) ../../gdb/infcmd.c:2894 #14 0x55fcb9597eea in do_simple_func ../../gdb/cli/cli-decode.c:94 #15 0x55fcb95b10b5 in cmd_func(cmd_list_element*, char const*, int) ../../gdb/cli/cli-decode.c:2831 #16 0x55fcbb6f5282 in execute_command(char const*, int) ../../gdb/top.c:563 #17 0x55fcb95eedb9 in execute_control_command_1 ../../gdb/cli/cli-script.c:526 #18 0x55fcb95f04dd in execute_control_command(command_line*, int) ../../gdb/cli/cli-script.c:702 #19 0x55fcb9261175 in bpstat_do_actions_1 ../../gdb/breakpoint.c:4940 #20 0x55fcb92617da in bpstat_do_actions() ../../gdb/breakpoint.c:5012 #21 0x55fcba3180e7 in inferior_event_handler(inferior_event_type) ../../gdb/inf-loop.c:71 #22 0x55fcba3ba1e1 in fetch_inferior_event() ../../gdb/infrun.c:4769 previously allocated by thread T0 here: #0 0x7f1a435218cd in operator new(unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:86 #1 0x55fcb927061f in build_bpstat_chain(address_space const*, unsigned long, target_waitstatus const&) ../../gdb/breakpoint.c:5880 #2 0x55fcba3d63b6 in handle_signal_stop ../../gdb/infrun.c:7083 #3 0x55fcba3d01c7 in handle_inferior_event ../../gdb/infrun.c:6574 #4 0x55fcba3b9918 in fetch_inferior_event() ../../gdb/infrun.c:4713 This checks after executing commands of each breakpoint if the bpstat was deleted already, and stops any further processing immediately. Now the result looks like this: (gdb) b main Breakpoint 1 at 0x111d: file main.c, line 21. (gdb) commands Type commands for breakpoint(s) 1, one per line. End with a line saying just "end". >detach >end (gdb) run Starting program: /home/src/lappy/binutils-gdb.git/gdb/testsuite/gdb.base/main [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/../lib/libthread_db.so.1". main () at main.c:21 21 return 0; [Inferior 1 (process 242940) detached] (gdb) Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=14354 Approved-By: Andrew Burgess <aburgess@redhat.com>
Fixed.
*** Bug 13728 has been marked as a duplicate of this bug. ***