Bug 25479 - AddressSanitizer: heap-buffer-overflow in lookup_minimal_symbol_by_pc_name
Summary: AddressSanitizer: heap-buffer-overflow in lookup_minimal_symbol_by_pc_name
Status: RESOLVED FIXED
Alias: None
Product: gdb
Classification: Unclassified
Component: gdb
Version: HEAD
Importance: P2 normal
Target Milestone: 13.1
Assignee: Not yet assigned to anyone
Duplicates: 15883
 
Reported: 2020-01-29 10:08 UTC by Tom de Vries
Modified: 2024-08-05 23:50 UTC

Description Tom de Vries 2020-01-29 10:08:11 UTC
With commit ee2a6fc6041 "[gdb/testsuite] Fix gdb.threads/watchpoint-fork.exp race" and the tentative patch from PR25478 comment 4, I ran into this FAIL:
...
FAIL: gdb.base/reread.exp: opts= "-fPIE" "ldflags=-pie" : run to foo() second time (GDB internal error)
...

In more detail:
...
(gdb) PASS: gdb.base/reread.exp: opts= "-fPIE" "ldflags=-pie" : run to foo()
shell sleep 1^M
(gdb) run ^M
The program being debugged has been started already.^M
Start it from the beginning? (y or n) y^M
`/data/gdb_versions/devel/build/gdb/testsuite/outputs/gdb.base/reread/reread' has changed; re-reading symbols.^M
Starting program: /data/gdb_versions/devel/build/gdb/testsuite/outputs/gdb.base/reread/reread ^M
/data/gdb_versions/devel/src/gdb/objfiles.c:1119: internal-error: int filter_overlapping_sections(obj_section**, int): Assertion `sect1_addr <= sect2_addr' failed.^M
A problem internal to GDB has been detected,^M
further debugging may prove unreliable.^M
Quit this debugging session? (y or n) FAIL: gdb.base/reread.exp: opts= "-fPIE" "ldflags=-pie" : run to foo() second time (GDB internal error)
...

I could not reproduce this when running the test individually.

Also repeating the individual test 10 times in conjunction with stress -c 5 resulted in PASSes only.

Also in a second full test run, the test PASSed.

AFAICT, the failure looks unrelated to the tentative patch.
Comment 1 Tom de Vries 2020-01-29 10:36:53 UTC
Setting version to master.

Triggered a presumably related problem without the tentative patch, by building gdb with address sanitizer:
...
14        x++;
(gdb) PASS: gdb.base/reread.exp: opts= "" "" : run to foo()
shell sleep 1
(gdb) run 
The program being debugged has been started already.
Start it from the beginning? (y or n) y
`/data/gdb_versions/devel/build/gdb/testsuite/outputs/gdb.base/reread/reread' has changed; re-reading symbols.
=================================================================
==17884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000031200 at pc 0x000001132d59 bp 0x7ffed52efbe0 sp 0x7ffed52efbd8
READ of size 8 at 0x612000031200 thread T0
    #0 0x1132d58 in lookup_minimal_symbol_by_pc_name(unsigned long, char const*, objfile*) /data/gdb_versions/devel/src/gdb/minsyms.c:616
    #1 0x142ac34 in fixup_section(general_symbol_info*, unsigned long, objfile*) /data/gdb_versions/devel/src/gdb/symtab.c:1676
    #2 0x142b637 in fixup_symbol_section(symbol*, objfile*) /data/gdb_versions/devel/src/gdb/symtab.c:1786
    #3 0xd5c874 in var_decode_location /data/gdb_versions/devel/src/gdb/dwarf2read.c:21767
    #4 0xd5dac4 in new_symbol /data/gdb_versions/devel/src/gdb/dwarf2read.c:21959
    #5 0xd2e421 in read_variable /data/gdb_versions/devel/src/gdb/dwarf2read.c:14259
    #6 0xd18b0a in process_die /data/gdb_versions/devel/src/gdb/dwarf2read.c:10688
    #7 0xd1d1f6 in read_file_scope /data/gdb_versions/devel/src/gdb/dwarf2read.c:11594
    #8 0xd18614 in process_die /data/gdb_versions/devel/src/gdb/dwarf2read.c:10601
    #9 0xd17269 in process_full_comp_unit /data/gdb_versions/devel/src/gdb/dwarf2read.c:10366
    #10 0xd0ef42 in process_queue /data/gdb_versions/devel/src/gdb/dwarf2read.c:9640
    #11 0xce52dc in dw2_do_instantiate_symtab /data/gdb_versions/devel/src/gdb/dwarf2read.c:2946
    #12 0xd0f29b in dwarf2_psymtab::expand_psymtab(objfile*) /data/gdb_versions/devel/src/gdb/dwarf2read.c:9682
    #13 0xd0e5be in dwarf2_psymtab::read_symtab(objfile*) /data/gdb_versions/devel/src/gdb/dwarf2read.c:9511
    #14 0x11ec654 in psymtab_to_symtab /data/gdb_versions/devel/src/gdb/psymtab.c:768
    #15 0x11eadd1 in psym_lookup_symbol /data/gdb_versions/devel/src/gdb/psymtab.c:491
    #16 0x142ef9a in lookup_symbol_via_quick_fns /data/gdb_versions/devel/src/gdb/symtab.c:2409
    #17 0x142f89b in lookup_symbol_in_objfile /data/gdb_versions/devel/src/gdb/symtab.c:2558
    #18 0x142fb62 in lookup_symbol_global_or_static_iterator_cb /data/gdb_versions/devel/src/gdb/symtab.c:2605
    #19 0x1381e2e in svr4_iterate_over_objfiles_in_search_order /data/gdb_versions/devel/src/gdb/solib-svr4.c:3258
    #20 0xe5df7a in gdbarch_iterate_over_objfiles_in_search_order(gdbarch*, int (*)(objfile*, void*), void*, objfile*) /data/gdb_versions/devel/src/gdb/gdbarch.c:4853
    #21 0x142ff23 in lookup_global_or_static_symbol /data/gdb_versions/devel/src/gdb/symtab.c:2650
    #22 0x14301f8 in lookup_global_symbol(char const*, block const*, domain_enum_tag) /data/gdb_versions/devel/src/gdb/symtab.c:2692
    #23 0x142f461 in basic_lookup_symbol_nonlocal(language_defn const*, char const*, block const*, domain_enum_tag) /data/gdb_versions/devel/src/gdb/symtab.c:2479
    #24 0x142d32b in lookup_symbol_aux /data/gdb_versions/devel/src/gdb/symtab.c:2120
    #25 0x142bf4c in lookup_symbol_in_language(char const*, block const*, domain_enum_tag, language, field_of_this_result*) /data/gdb_versions/devel/src/gdb/symtab.c:1916
    #26 0x142c071 in lookup_symbol(char const*, block const*, domain_enum_tag, field_of_this_result*) /data/gdb_versions/devel/src/gdb/symtab.c:1928
    #27 0xbf4ca2 in inspect_type /data/gdb_versions/devel/src/gdb/cp-support.c:160
    #28 0xbf680f in replace_typedefs /data/gdb_versions/devel/src/gdb/cp-support.c:475
    #29 0xbf6b5e in cp_canonicalize_string_full[abi:cxx11](char const*, char const* (*)(type*, void*), void*) /data/gdb_versions/devel/src/gdb/cp-support.c:527
    #30 0xbf6e4a in cp_canonicalize_string_no_typedefs[abi:cxx11](char const*) /data/gdb_versions/devel/src/gdb/cp-support.c:550
    #31 0xff0241 in find_linespec_symbols /data/gdb_versions/devel/src/gdb/linespec.c:3902
    #32 0xfe579b in convert_explicit_location_to_linespec /data/gdb_versions/devel/src/gdb/linespec.c:2407
    #33 0xfe5d9d in convert_explicit_location_to_sals /data/gdb_versions/devel/src/gdb/linespec.c:2448
    #34 0xfeae5f in event_location_to_sals /data/gdb_versions/devel/src/gdb/linespec.c:3185
    #35 0xfeb361 in decode_line_full(event_location const*, int, program_space*, symtab*, int, linespec_result*, char const*, char const*) /data/gdb_versions/devel/src/gdb/linespec.c:3232
    #36 0xa5499c in decode_location_default /data/gdb_versions/devel/src/gdb/breakpoint.c:13731
    #37 0xa4d581 in bkpt_decode_location /data/gdb_versions/devel/src/gdb/breakpoint.c:12533
    #38 0xa531e6 in location_to_sals /data/gdb_versions/devel/src/gdb/breakpoint.c:13583
    #39 0xa5422b in breakpoint_re_set_default /data/gdb_versions/devel/src/gdb/breakpoint.c:13669
    #40 0xa4bcdc in bkpt_re_set /data/gdb_versions/devel/src/gdb/breakpoint.c:12333
    #41 0xa54cb6 in breakpoint_re_set_one /data/gdb_versions/devel/src/gdb/breakpoint.c:13754
    #42 0xa54ec4 in breakpoint_re_set() /data/gdb_versions/devel/src/gdb/breakpoint.c:13792
    #43 0x13fde71 in clear_symtab_users(enum_flags<symfile_add_flag>) /data/gdb_versions/devel/src/gdb/symfile.c:2893
    #44 0x13fc814 in reread_symbols() /data/gdb_versions/devel/src/gdb/symfile.c:2640
    #45 0xf56504 in run_command_1 /data/gdb_versions/devel/src/gdb/infcmd.c:581
    #46 0xf573b1 in run_command /data/gdb_versions/devel/src/gdb/infcmd.c:688
    #47 0xb2f9a4 in do_const_cfunc /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:107
    #48 0xb3726c in cmd_func(cmd_list_element*, char const*, int) /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:1952
    #49 0x14fd27b in execute_command(char const*, int) /data/gdb_versions/devel/src/gdb/top.c:653
    #50 0xdf07fe in command_handler(char const*) /data/gdb_versions/devel/src/gdb/event-top.c:587
    #51 0xdf10cb in command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) /data/gdb_versions/devel/src/gdb/event-top.c:772
    #52 0xdef460 in gdb_rl_callback_handler /data/gdb_versions/devel/src/gdb/event-top.c:218
    #53 0x16e07a7 in rl_callback_read_char /data/gdb_versions/devel/src/readline/readline/callback.c:281
    #54 0xdef014 in gdb_rl_callback_read_char_wrapper_noexcept /data/gdb_versions/devel/src/gdb/event-top.c:176
    #55 0xdef1f5 in gdb_rl_callback_read_char_wrapper /data/gdb_versions/devel/src/gdb/event-top.c:193
    #56 0xdf03bd in stdin_event_handler(int, void*) /data/gdb_versions/devel/src/gdb/event-top.c:515
    #57 0xdeb0c7 in handle_file_event /data/gdb_versions/devel/src/gdb/event-loop.c:734
    #58 0xdeb8f1 in gdb_wait_for_event /data/gdb_versions/devel/src/gdb/event-loop.c:860
    #59 0xde9824 in gdb_do_one_event() /data/gdb_versions/devel/src/gdb/event-loop.c:346
    #60 0xde98c6 in start_event_loop() /data/gdb_versions/devel/src/gdb/event-loop.c:370
    #61 0x108f90b in captured_command_loop /data/gdb_versions/devel/src/gdb/main.c:360
    #62 0x1092dd5 in captured_main /data/gdb_versions/devel/src/gdb/main.c:1203
    #63 0x1092e65 in gdb_main(captured_main_args*) /data/gdb_versions/devel/src/gdb/main.c:1218
    #64 0x9018e0 in main /data/gdb_versions/devel/src/gdb/gdb.c:32
    #65 0x7f3e0e5c3f89 in __libc_start_main (/lib64/libc.so.6+0x20f89)
    #66 0x9016f9 in _start (/data/gdb_versions/devel/build/gdb/gdb+0x9016f9)

0x612000031200 is located 40 bytes to the right of 280-byte region [0x6120000310c0,0x6120000311d8)
freed by thread T0 here:
    #0 0x7f3e114fc07f in __interceptor_free (/usr/lib64/libasan.so.6+0xac07f)
    #1 0x173a643 in _bfd_delete_bfd /data/gdb_versions/devel/src/bfd/opncls.c:132
    #2 0x173bcdd in bfd_close_all_done /data/gdb_versions/devel/src/bfd/opncls.c:797
    #3 0x173bbdc in bfd_close /data/gdb_versions/devel/src/bfd/opncls.c:759
    #4 0xe3c936 in gdb_bfd_close_or_warn /data/gdb_versions/devel/src/gdb/gdb_bfd.c:510
    #5 0xe3d11b in gdb_bfd_unref(bfd*) /data/gdb_versions/devel/src/gdb/gdb_bfd.c:614
    #6 0x1176a08 in objfile::~objfile() /data/gdb_versions/devel/src/gdb/objfiles.c:591
    #7 0x1182ce2 in std::_Sp_counted_ptr<objfile*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() (/data/gdb_versions/devel/build/gdb/gdb+0x1182ce2)
    #8 0xa72e2a in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/10/bits/shared_ptr_base.h:155
    #9 0xa6953f in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/10/bits/shared_ptr_base.h:730
    #10 0x117e697 in std::__shared_ptr<objfile, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/10/bits/shared_ptr_base.h:1180
    #11 0x117e6b3 in std::shared_ptr<objfile>::~shared_ptr() /usr/include/c++/10/bits/shared_ptr.h:121
    #12 0x11e5289 in void __gnu_cxx::new_allocator<std::_List_node<std::shared_ptr<objfile> > >::destroy<std::shared_ptr<objfile> >(std::shared_ptr<objfile>*) /usr/include/c++/10/ext/new_allocator.h:157
    #13 0x11e4fd8 in void std::allocator_traits<std::allocator<std::_List_node<std::shared_ptr<objfile> > > >::destroy<std::shared_ptr<objfile> >(std::allocator<std::_List_node<std::shared_ptr<objfile> > >&, std::shared_ptr<objfile>*) /usr/include/c++/10/bits/alloc_traits.h:526
    #14 0x11e4d74 in std::__cxx11::list<std::shared_ptr<objfile>, std::allocator<std::shared_ptr<objfile> > >::_M_erase(std::_List_iterator<std::shared_ptr<objfile> >) /usr/include/c++/10/bits/stl_list.h:1921
    #15 0x11e467e in std::__cxx11::list<std::shared_ptr<objfile>, std::allocator<std::shared_ptr<objfile> > >::erase(std::_List_const_iterator<std::shared_ptr<objfile> >) /usr/include/c++/10/bits/list.tcc:158
    #16 0x11e116d in program_space::remove_objfile(objfile*) /data/gdb_versions/devel/src/gdb/progspace.c:207
    #17 0x1176595 in objfile::unlink() /data/gdb_versions/devel/src/gdb/objfiles.c:505
    #18 0x1179d23 in objfile_purge_solibs() /data/gdb_versions/devel/src/gdb/objfiles.c:912
    #19 0x138f8ed in no_shared_libraries(char const*, int) /data/gdb_versions/devel/src/gdb/solib.c:1247
    #20 0x14a6543 in target_pre_inferior(int) /data/gdb_versions/devel/src/gdb/target.c:1960
    #21 0xf564fa in run_command_1 /data/gdb_versions/devel/src/gdb/infcmd.c:571
    #22 0xf573b1 in run_command /data/gdb_versions/devel/src/gdb/infcmd.c:688
    #23 0xb2f9a4 in do_const_cfunc /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:107
    #24 0xb3726c in cmd_func(cmd_list_element*, char const*, int) /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:1952
    #25 0x14fd27b in execute_command(char const*, int) /data/gdb_versions/devel/src/gdb/top.c:653
    #26 0xdf07fe in command_handler(char const*) /data/gdb_versions/devel/src/gdb/event-top.c:587
    #27 0xdf10cb in command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) /data/gdb_versions/devel/src/gdb/event-top.c:772
    #28 0xdef460 in gdb_rl_callback_handler /data/gdb_versions/devel/src/gdb/event-top.c:218
    #29 0x16e07a7 in rl_callback_read_char /data/gdb_versions/devel/src/readline/readline/callback.c:281

previously allocated by thread T0 here:
    #0 0x7f3e114fc39f in malloc (/usr/lib64/libasan.so.6+0xac39f)
    #1 0x1737332 in bfd_malloc /data/gdb_versions/devel/src/bfd/libbfd.c:275
    #2 0x1737519 in bfd_zmalloc /data/gdb_versions/devel/src/bfd/libbfd.c:360
    #3 0x173a0e2 in _bfd_new_bfd /data/gdb_versions/devel/src/bfd/opncls.c:62
    #4 0x173a83e in bfd_fopen /data/gdb_versions/devel/src/bfd/opncls.c:200
    #5 0xe3c638 in gdb_bfd_open(char const*, char const*, int) /data/gdb_versions/devel/src/gdb/gdb_bfd.c:455
    #6 0x138b577 in solib_bfd_fopen(char const*, int) /data/gdb_versions/devel/src/gdb/solib.c:464
    #7 0x138b81f in solib_bfd_open(char const*) /data/gdb_versions/devel/src/gdb/solib.c:501
    #8 0x137d837 in enable_break /data/gdb_versions/devel/src/gdb/solib-svr4.c:2327
    #9 0x13814cb in svr4_solib_create_inferior_hook /data/gdb_versions/devel/src/gdb/solib-svr4.c:3033
    #10 0x138f84a in solib_create_inferior_hook(int) /data/gdb_versions/devel/src/gdb/solib.c:1211
    #11 0xf5600e in post_create_inferior(target_ops*, int) /data/gdb_versions/devel/src/gdb/infcmd.c:460
    #12 0xf56fd9 in run_command_1 /data/gdb_versions/devel/src/gdb/infcmd.c:665
    #13 0xf573b1 in run_command /data/gdb_versions/devel/src/gdb/infcmd.c:688
    #14 0xb2f9a4 in do_const_cfunc /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:107
    #15 0xb3726c in cmd_func(cmd_list_element*, char const*, int) /data/gdb_versions/devel/src/gdb/cli/cli-decode.c:1952
    #16 0x14fd27b in execute_command(char const*, int) /data/gdb_versions/devel/src/gdb/top.c:653
    #17 0xdf07fe in command_handler(char const*) /data/gdb_versions/devel/src/gdb/event-top.c:587
    #18 0xdf10cb in command_line_handler(std::unique_ptr<char, gdb::xfree_deleter<char> >&&) /data/gdb_versions/devel/src/gdb/event-top.c:772
    #19 0xdef460 in gdb_rl_callback_handler /data/gdb_versions/devel/src/gdb/event-top.c:218
    #20 0x16e07a7 in rl_callback_read_char /data/gdb_versions/devel/src/readline/readline/callback.c:281
    #21 0xdef014 in gdb_rl_callback_read_char_wrapper_noexcept /data/gdb_versions/devel/src/gdb/event-top.c:176
    #22 0xdef1f5 in gdb_rl_callback_read_char_wrapper /data/gdb_versions/devel/src/gdb/event-top.c:193
    #23 0xdf03bd in stdin_event_handler(int, void*) /data/gdb_versions/devel/src/gdb/event-top.c:515
    #24 0xdeb0c7 in handle_file_event /data/gdb_versions/devel/src/gdb/event-loop.c:734
    #25 0xdeb8f1 in gdb_wait_for_event /data/gdb_versions/devel/src/gdb/event-loop.c:860
    #26 0xde9824 in gdb_do_one_event() /data/gdb_versions/devel/src/gdb/event-loop.c:346
    #27 0xde98c6 in start_event_loop() /data/gdb_versions/devel/src/gdb/event-loop.c:370
    #28 0x108f90b in captured_command_loop /data/gdb_versions/devel/src/gdb/main.c:360
    #29 0x1092dd5 in captured_main /data/gdb_versions/devel/src/gdb/main.c:1203

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/gdb_versions/devel/src/gdb/minsyms.c:616 in lookup_minimal_symbol_by_pc_name(unsigned long, char const*, objfile*)
Shadow bytes around the buggy address:
  0x0c247fffe1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffe200: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c247fffe210: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fffe220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffe230: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c247fffe240:[fa]fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fffe250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffe260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c247fffe270: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fffe280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffe290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==17884==ABORTING
...
Comment 2 Tom de Vries 2020-01-29 10:49:11 UTC
Does not reproduce with commit 27f7b2f6406 "Fix typo, get_Frame_id -> get_frame_id" (branch point for gdb-9-branch).

Now bisecting.
Comment 3 Tom de Vries 2020-01-29 12:17:29 UTC
(In reply to Tom de Vries from comment #2)
> Does not reproduce with commit 27f7b2f6406 "Fix typo, get_Frame_id ->
> get_frame_id" (branch point for gdb-9-branch).
> 
> Now bisecting.

One of:
...
6a053cb1ff6 Tom Tromey "Change section_offsets to a std::vector"
456e800a63d Tom Tromey "Use std::string in dwarf2read.c"
6dfa2fc2077 Tom Tromey "Use std::vector in abbrev_table_read_table"
...
Comment 4 Tom de Vries 2020-01-29 12:21:50 UTC
(In reply to Tom de Vries from comment #3)
> (In reply to Tom de Vries from comment #2)
> > Does not reproduce with commit 27f7b2f6406 "Fix typo, get_Frame_id ->
> > get_frame_id" (branch point for gdb-9-branch).
> > 
> > Now bisecting.
> 
> One of:
> ...
> 6a053cb1ff6 Tom Tromey "Change section_offsets to a std::vector"
> 456e800a63d Tom Tromey "Use std::string in dwarf2read.c"
> 6dfa2fc2077 Tom Tromey "Use std::vector in abbrev_table_read_table"
> ...

Bisect done. This is the offending commit: 6a053cb1ff6 "Change section_offsets to a std::vector".
Comment 5 Tom Tromey 2020-02-03 14:37:17 UTC
I can confirm this.

I've looked at it a little.  I tend to think it is a pre-existing
bug.  I suspect Address Sanitizer doesn't understand how to examine
objects allocated on an obstack (neither does valgrind...), which is
why this was never detected.

reread2.c (one of the programs used in reread.exp) says:

/* Ensure the new file will have more sections.  It may exploit code not
   updating its SECTION_COUNT on reread_symbols.  */


... but even before my patch, reread_symbols didn't seem to do this.
Comment 6 Tom Tromey 2020-02-03 15:28:22 UTC
I am not sure how to fix this.

The main issue is a divergence between syms_from_objfile_1 and
reread_symbols.  As Jan pointed out years ago, the fact that
there are separate functions for this is just asking for trouble...
which is what we got.

Essentially, syms_from_objfile_1 calls:
  (*objfile->sf->sym_offsets) (objfile, *addrs);
... but reread_symbols, before my patch, did:
-	  /* We use the same section offsets as from last time.  I'm not
-	     sure whether that is always correct for shared libraries.  */
-	  objfile->section_offsets = (struct section_offsets *)
-	    obstack_alloc (&objfile->objfile_obstack,
-			   SIZEOF_N_SECTION_OFFSETS (num_offsets));
-	  memcpy (objfile->section_offsets, offsets,
-		  SIZEOF_N_SECTION_OFFSETS (num_offsets));
-	  objfile->num_sections = num_offsets;


However, this is wrong in the reread.exp case, as that specifically
tests re-reading a file where the number of sections changes.

I couldn't find a patch that regressed this area, so maybe the
test was written but the code was never really correct?

It would be simple to call sym_offsets from reread_symbols; or
even to unify the code here and avoid future problems.  However,
it was not clear to me what we should do if the objfile was
created via add-symbol-file.

Now I see that add-symbol-file has a "-o" option to set a default
offset.  This isn't preserved, but maybe we could preserve it.

I wonder if there are other cases I am missing.
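A constructed C model of the divergence described in this comment (added here; it is not gdb's code): an objfile keeps a per-section offset table sized at first read, one reread reuses that table unchanged while the other recomputes it from the newly read file, and a bounds-checked lookup counts which sections of the rebuilt file the stale table cannot serve. The names bfd_model, objfile_model, reread_stale, reread_fixed and scenario are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the bug in this report (not gdb's code): an objfile
   caches one relocation offset per section, sized when the file is first
   read.  Re-reading a rebuilt file with more sections without resizing that
   table leaves lookups indexed by the new section numbers reading past its
   end, the read ASan flagged in minsyms.c. */

struct bfd_model { size_t section_count; long load_base; };  /* stand-in BFD */

struct objfile_model {
  size_t num_sections;     /* length of section_offsets */
  long  *section_offsets;  /* heap table, like the old obstack copy */
};

/* Stand-in for sym_offsets: one offset per section of FILE. */
static void sym_offsets (struct objfile_model *of, const struct bfd_model *file)
{
  free (of->section_offsets);
  of->num_sections = file->section_count;
  of->section_offsets = calloc (of->num_sections, sizeof *of->section_offsets);
  for (size_t i = 0; i < of->num_sections; i++)
    of->section_offsets[i] = file->load_base;
}

/* The reread path quoted in this comment: keep "the same section offsets
   as from last time", no matter how many sections the new file has. */
static void reread_stale (struct objfile_model *of, const struct bfd_model *file)
{
  (void) of; (void) file;  /* num_sections and section_offsets untouched */
}

/* Corrected reread: recompute the table from the newly read file. */
static void reread_fixed (struct objfile_model *of, const struct bfd_model *file)
{
  sym_offsets (of, file);
}

/* Bounds-checked lookup: fails instead of reading off the end of the table. */
static bool section_offset (const struct objfile_model *of, size_t sect, long *out)
{
  if (sect >= of->num_sections) return false;
  *out = of->section_offsets[sect];
  return true;
}

/* How many of FILE's sections the cached table cannot serve. */
static size_t unreachable_sections (const struct objfile_model *of, const struct bfd_model *file)
{
  size_t bad = 0; long off;
  for (size_t s = 0; s < file->section_count; s++)
    if (!section_offset (of, s, &off))
      bad++;
  return bad;
}

/* reread.exp-like scenario (constructed numbers): the first build has 5
   sections, the rebuilt file has 7.  Returns how many sections of the
   rebuilt file are left without a usable offset. */
static size_t scenario (bool use_fixed_reread)
{
  struct bfd_model first = { 5, 0x1000 }, rebuilt = { 7, 0x2000 };
  struct objfile_model of = { 0, NULL };
  sym_offsets (&of, &first);
  if (use_fixed_reread) reread_fixed (&of, &rebuilt); else reread_stale (&of, &rebuilt);
  size_t bad = unreachable_sections (&of, &rebuilt);
  free (of.section_offsets);
  return bad;
}
```

In real gdb there is no bounds check in the lookup, so the two sections the stale path leaves unserved become the out-of-bounds read in the ASan report above.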
Comment 7 Christian Biesinger 2020-02-05 18:35:06 UTC
(In reply to Tom Tromey from comment #5)
> I've looked at it a little.  I tend to think it is a pre-existing
> bug.  I suspect Address Sanitizer doesn't understand how to examine
> objects allocated on an obstack (neither does valgrind...), which is
> why this was never detected.

Off-topic, but Valgrind can be taught this: http://valgrind.org/docs/manual/mc-manual.html#mc-manual.mempools
I've been meaning to look into that.
Comment 8 Tom Tromey 2020-03-26 02:06:41 UTC
(In reply to Christian Biesinger from comment #7)
> (In reply to Tom Tromey from comment #5)
> > I've looked at it a little.  I tend to think it is a pre-existing
> > bug.  I suspect Address Sanitizer doesn't understand how to examine
> > objects allocated on an obstack (neither does valgrind...), which is
> > why this was never detected.
> 
> Offtopic, but Valgrind can be taught this:
> http://valgrind.org/docs/manual/mc-manual.html#mc-manual.mempools
> I've been meaning to look into that.

Yeah, me too.  We also use a similar thing, "objalloc", via BFD
(obstack was deemed too heavy, lol, by someone in ancient times).
I imagine marking that up would reveal all the lurking BFD bugs.
Comment 9 Tom Tromey 2023-03-05 17:35:12 UTC
*** Bug 15883 has been marked as a duplicate of this bug. ***
Comment 10 Tom Tromey 2023-03-05 17:39:08 UTC
It turns out this was fixed:

commit 9d428aae67a67087959822b0ffd81f7df96218c7
Author: Simon Marchi <simon.marchi@efficios.com>
Date:   Wed May 20 15:44:24 2020 -0400

    gdb: reset/recompute objfile section offsets in reread_symbols