Bug 16156 - crash when breakpoint with condition that causes exit is hit
Summary: crash when breakpoint with condition that causes exit is hit
Status: NEW
Alias: None
Product: gdb
Classification: Unclassified
Component: gdb
Version: HEAD
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2013-11-11 18:00 UTC by Pedro Alves
Modified: 2013-11-11 18:00 UTC

Description Pedro Alves 2013-11-11 18:00:44 UTC
Set a breakpoint that is conditional on the result of a function that causes an exit. Then continue or next over the breakpoint line. GDB will sometimes crash.

Reproducer:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#include <stdlib.h>
#include <stdio.h>

int
do_exit (void)
{
  exit (0);
  return 0;
}

int
main (void)
{
  volatile unsigned int count = 0;

  count = 1;
  while (1)
    count++;

  return 0;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(gdb) start
...
(gdb) b 18 if do_exit ()
Breakpoint 2 at 0x4004fc: file exiter.c, line 18.
(gdb) c
Continuing.
[Inferior 1 (process 24977) exited normally]
Error in testing breakpoint condition:
The program being debugged exited while in a function called from GDB.
Evaluation of the expression containing the function
(do_exit) will be abandoned.
No registers.
(gdb) 

With a more complicated test I was consistently getting a crash.
With this one, I'm "lucky", and things don't actually crash, but valgrind
does show bad things:

(gdb) b 18 if do_exit ()
Breakpoint 2 at 0x4004fc: file exiter.c, line 18.
(gdb) c
Continuing.
[Inferior 1 (process 24940) exited normally]
Error in testing breakpoint condition:
The program being debugged exited while in a function called from GDB.
Evaluation of the expression containing the function
(do_exit) will be abandoned.
==24937== Invalid write of size 8
==24937==    at 0x5D2541: handle_inferior_event (infrun.c:4257)
==24937==    by 0x5CF0A9: wait_for_inferior (infrun.c:2762)
==24937==    by 0x5CE45D: proceed (infrun.c:2342)
==24937==    by 0x5C66FA: continue_1 (infcmd.c:726)
==24937==    by 0x5C6973: continue_command (infcmd.c:818)
==24937==    by 0x4DCDFA: do_cfunc (cli-decode.c:107)
==24937==    by 0x4DFE8F: cmd_func (cli-decode.c:1882)
==24937==    by 0x6EA5D8: execute_command (top.c:467)
==24937==    by 0x5F08B6: command_handler (event-top.c:435)
==24937==    by 0x5F0E99: command_line_handler (event-top.c:633)
==24937==    by 0x743AF1: rl_callback_read_char (callback.c:220)
==24937==    by 0x5F03D8: rl_callback_read_char_wrapper (event-top.c:164)
==24937==  Address 0xbf69770 is 192 bytes inside a block of size 400 free'd
==24937==    at 0x4A07786: free (vg_replace_malloc.c:446)
==24937==    by 0x724A20: xfree (common-utils.c:108)
==24937==    by 0x5E130C: free_thread (thread.c:151)
==24937==    by 0x5E17E7: delete_thread_1 (thread.c:316)
==24937==    by 0x5E181B: delete_thread (thread.c:326)
==24937==    by 0x714DFE: delete_thread_of_inferior (inferior.c:182)
==24937==    by 0x5E193C: iterate_over_threads (thread.c:383)
==24937==    by 0x714F9C: exit_inferior_1 (inferior.c:260)
==24937==    by 0x715064: exit_inferior (inferior.c:289)
==24937==    by 0x617064: generic_mourn_inferior (target.c:3790)
==24937==    by 0x492CB8: inf_ptrace_mourn_inferior (inf-ptrace.c:180)
==24937==    by 0x49F416: linux_nat_mourn_inferior (linux-nat.c:3831)
==24937== 
==24937== Invalid read of size 4
==24937==    at 0x5D25BF: handle_inferior_event (infrun.c:4302)
==24937==    by 0x5CF0A9: wait_for_inferior (infrun.c:2762)
==24937==    by 0x5CE45D: proceed (infrun.c:2342)
==24937==    by 0x5C66FA: continue_1 (infcmd.c:726)
==24937==    by 0x5C6973: continue_command (infcmd.c:818)
==24937==    by 0x4DCDFA: do_cfunc (cli-decode.c:107)
==24937==    by 0x4DFE8F: cmd_func (cli-decode.c:1882)
==24937==    by 0x6EA5D8: execute_command (top.c:467)
==24937==    by 0x5F08B6: command_handler (event-top.c:435)
==24937==    by 0x5F0E99: command_line_handler (event-top.c:633)
==24937==    by 0x743AF1: rl_callback_read_char (callback.c:220)
==24937==    by 0x5F03D8: rl_callback_read_char_wrapper (event-top.c:164)
==24937==  Address 0xbf69780 is 208 bytes inside a block of size 400 free'd
==24937==    at 0x4A07786: free (vg_replace_malloc.c:446)
==24937==    by 0x724A20: xfree (common-utils.c:108)
==24937==    by 0x5E130C: free_thread (thread.c:151)
==24937==    by 0x5E17E7: delete_thread_1 (thread.c:316)
==24937==    by 0x5E181B: delete_thread (thread.c:326)
==24937==    by 0x714DFE: delete_thread_of_inferior (inferior.c:182)
==24937==    by 0x5E193C: iterate_over_threads (thread.c:383)
==24937==    by 0x714F9C: exit_inferior_1 (inferior.c:260)
==24937==    by 0x715064: exit_inferior (inferior.c:289)
==24937==    by 0x617064: generic_mourn_inferior (target.c:3790)
==24937==    by 0x492CB8: inf_ptrace_mourn_inferior (inf-ptrace.c:180)
==24937==    by 0x49F416: linux_nat_mourn_inferior (linux-nat.c:3831)
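The valgrind trace shows the shape of the bug: handle_inferior_event keeps a pointer to the event thread, the breakpoint condition runs do_exit, mourn_inferior tears the thread list down and frees that thread, and the handler then writes through the stale pointer. The following is an added, constructed model of that lifetime bug beside a defensive variant; it is not GDB's code, and every name in it (model_* functions, thread_info with a stop field, the hypothetical global thread list) is an assumption made for the illustration.

```c
#include <stdlib.h>

/* Constructed model, not GDB's data structures. */
struct thread_info { int num; int stop; struct thread_info *next; };
static struct thread_info *thread_list;   /* hypothetical global thread list */

static struct thread_info *add_thread (int num) {
  struct thread_info *tp = calloc (1, sizeof *tp);
  if (tp == NULL) return NULL;
  tp->num = num; tp->next = thread_list; thread_list = tp;
  return tp;
}
static struct thread_info *find_thread (int num) {
  for (struct thread_info *tp = thread_list; tp; tp = tp->next)
    if (tp->num == num) return tp;
  return NULL;
}
/* Stands in for exit_inferior -> delete_thread -> free_thread: the inferior
   exited, so every thread object is freed. */
static void model_exit_inferior (void) {
  while (thread_list) {
    struct thread_info *tp = thread_list; thread_list = tp->next; free (tp);
  }
}
/* Two breakpoint conditions: one that just evaluates, one like "do_exit ()". */
static int condition_stay (void) { return 1; }
static int condition_do_exit (void) { model_exit_inferior (); return 0; }

/* Buggy shape (what the trace reports): the thread pointer is taken before
   the condition runs and dereferenced afterwards.  Safe only while the
   condition cannot delete threads; with condition_do_exit it is a
   use-after-free, so it must not be called with an exiting condition. */
static int handle_event_buggy (int (*cond)(void)) {
  struct thread_info *tp = find_thread (1);
  if (tp == NULL) return -1;
  int stop = cond ();
  tp->stop = stop;               /* writes freed memory if cond() exited */
  return tp->stop;
}
/* Defensive shape: identify the thread by number, re-resolve it after any
   call that may delete threads, and stop cleanly if it is gone. */
static int handle_event_fixed (int (*cond)(void)) {
  int num = 1;
  int stop = cond ();
  struct thread_info *tp = find_thread (num);
  if (tp == NULL) return -1;     /* inferior exited: nothing left to resume */
  tp->stop = stop;
  return tp->stop;
}
```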