30357 – Segmentation fault for the 'start' command

Bug 30357 - Segmentation fault for the 'start' command

Summary: Segmentation fault for the 'start' command

Status:	RESOLVED FIXED

Alias:	None

Product:	gdb
Classification:	Unclassified
Component:	symtab (show other bugs)
Version:	13.1

Importance:	P2 critical
Target Milestone:	13.2
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-04-15 03:28 UTC by Anonymous
Modified:	2023-04-18 03:48 UTC (History)
CC List:	3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:	2023-04-15 00:00:00

Attachments
triggering source code (457 bytes, text/plain) 2023-04-15 03:28 UTC, Anonymous	Details
Tentative patch (2.06 KB, patch) 2023-04-17 08:29 UTC, Tom de Vries	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Anonymous 2023-04-15 03:28:04 UTC

Created attachment 14828 [details]
triggering source code

$ gcc --version
gcc (GCC) 13.0.0 20221107 (experimental)
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ gdb --version
GNU gdb (GDB) 13.0.50.20221107-git
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ cat small.c

extern void abort (void);

int __RTL (startwith ("vregs")) test_return_42 (void)
{
  /* C code:
     return 42; */
(function "test_return_42"
  (insn-chain
    (cnote 1 NOTE_INSN_DELETED)
    (block 2
      (edge-from entry (flags "FALLTHRU"))
      (cnote 3 [bb 2] NOTE_INSN_BASIC_BLOCK)
      (cnote 2 NOTE_INSN_FUNCTION_BEG)
      (cinsn 5 (set (reg:SI <0> [ _1 ])
                    (const_int 42)) "../../src/test-return-const.c":3)
      (cinsn 8 (set (reg:SI <1> [ <retval> ])
                    (reg:SI <0> [ _1 ])) "../../src/test-return-const.c":3)
      (cinsn 12 (set (reg/i:SI ax)
                    (reg:SI <1> [ <retval> ])) "../../src/test-return-const.c":4)
      (cinsn 13 (use (reg/i:SI ax)) "../../src/test-return-const.c":4)
      (edge-to exit (flags "FALLTHRU"))
    ) ;; block 2
  ) ;; insn-chain
  (crtl
    (return_rtx 
      (reg/i:SI ax)
    ) ;; return_rtx
  ) ;; crtl
) ;; function "test_return_42"
}

int __RTL (startwith ("vregs")) test_return_43 (void)
{
  /* C code:
     return 43; */
(function "test_return_43"
  (insn-chain
    (cnote 1 NOTE_INSN_DELETED)
    (block 2
      (edge-from entry (flags "FALLTHRU"))
      (cnote 3 [bb 2] NOTE_INSN_BASIC_BLOCK)
      (cnote 2 NOTE_INSN_FUNCTION_BEG)
      (cinsn 5 (set (reg:SI <0> [ _1 ])
                    (const_int 43)) "../../src/test-return-const.c":3)
      (cinsn 8 (set (reg:SI <1> [ <retval> ])
                    (reg:SI <0> [ _1 ])) "../../src/test-return-const.c":3)
      (cinsn 12 (set (reg/i:SI ax)
                    (reg:SI <1> [ <retval> ])) "../../src/test-return-const.c":4)
      (cinsn 13 (use (reg/i:SI ax)) "../../src/test-return-const.c":4)
      (edge-to exit (flags "FALLTHRU"))
    ) ;; block 2
  ) ;; insn-chain
  (crtl
    (return_rtx 
      (reg/i:SI ax)
    ) ;; return_rtx
  ) ;; crtl
) ;; function "test_return_43"
}

int __RTL (startwith ("vregs")) test_return_44 (void)
{
  /* C code:
     return 44; */
(function "test_return_44"
  (insn-chain
    (cnote 1 NOTE_INSN_DELETED)
    (block 2
      (edge-from entry (flags "FALLTHRU"))
      (cnote 3 [bb 2] NOTE_INSN_BASIC_BLOCK)
      (cnote 2 NOTE_INSN_FUNCTION_BEG)
      (cinsn 5 (set (reg:SI <0> [ _1 ])
                    (const_int 44)) "../../src/test-return-const.c":3)
      (cinsn 8 (set (reg:SI <1> [ <retval> ])
                    (reg:SI <0> [ _1 ])) "../../src/test-return-const.c":3)
      (cinsn 12 (set (reg/i:SI ax)
                    (reg:SI <1> [ <retval> ])) "../../src/test-return-const.c":4)
      (cinsn 13 (use (reg/i:SI ax)) "../../src/test-return-const.c":4)
      (edge-to exit (flags "FALLTHRU"))
    ) ;; block 2
  ) ;; insn-chain
  (crtl
    (return_rtx 
      (reg/i:SI ax)
    ) ;; return_rtx
  ) ;; crtl
) ;; function "test_return_44"
}

int main (void)
{
  if (test_return_42 () != 42)
    abort ();
  if (test_return_43 () != 43)
    abort ();
  if (test_return_44 () != 44)
    abort ();
  return 0;
}


$ gcc -O0 -g small.c


$ gdb -q a.out
Reading symbols from a.out...
(gdb) start


Fatal signal: Segmentation fault
----- Backtrace -----
0x4d5512 gdb_internal_backtrace_1
	../../binutils-gdb/gdb/bt-utils.c:122
0x4d5512 _Z22gdb_internal_backtracev
	../../binutils-gdb/gdb/bt-utils.c:168
0x5de831 handle_fatal_signal
	../../binutils-gdb/gdb/event-top.c:964
0x5de974 handle_sigsegv
	../../binutils-gdb/gdb/event-top.c:1037
0x7f28da99097f ???
	/build/glibc-CVJwZb/glibc-2.27/nptl/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
0x5954ef dwarf2_start_subfile
	../../binutils-gdb/gdb/dwarf2/read.c:20654
0x5c01c8 dwarf_decode_lines
	../../binutils-gdb/gdb/dwarf2/read.c:20605
0x5c01c8 handle_DW_AT_stmt_list
	../../binutils-gdb/gdb/dwarf2/read.c:9621
0x5c01c8 read_file_scope
	../../binutils-gdb/gdb/dwarf2/read.c:9661
0x5bcbb6 process_die
	../../binutils-gdb/gdb/dwarf2/read.c:8660
0x5c3dd7 process_full_comp_unit
	../../binutils-gdb/gdb/dwarf2/read.c:8429
0x5c3dd7 process_queue
	../../binutils-gdb/gdb/dwarf2/read.c:7675
0x5c3dd7 dw2_do_instantiate_symtab
	../../binutils-gdb/gdb/dwarf2/read.c:2063
0x5c3dd7 dw2_instantiate_symtab
	../../binutils-gdb/gdb/dwarf2/read.c:2085
0x5c4abb dw2_expand_symtabs_matching_one
	../../binutils-gdb/gdb/dwarf2/read.c:3984
0x5c54df _ZN22cooked_index_functions23expand_symtabs_matchingEP7objfileN3gdb13function_viewIFbPKcbEEEPK16lookup_name_infoNS3_IFbS5_EEENS3_IFbP15compunit_symtabEEE10enum_flagsI24block_search_flag_valuesE11domain_enum13search_domain
	../../binutils-gdb/gdb/dwarf2/read.c:18781
0x7c001d _ZN7objfile13lookup_symbolE10block_enumPKc11domain_enum
	../../binutils-gdb/gdb/symfile-debug.c:276
0x7d8588 lookup_symbol_via_quick_fns
	../../binutils-gdb/gdb/symtab.c:2451
0x7d8588 lookup_symbol_in_objfile
	../../binutils-gdb/gdb/symtab.c:2599
0x7d878d operator()
	../../binutils-gdb/gdb/symtab.c:2648
0x7d878d operator()
	../../binutils-gdb/gdb/../gdbsupport/function-view.h:305
0x7d878d _FUN
	../../binutils-gdb/gdb/../gdbsupport/function-view.h:299
0x793d81 _ZNK3gdb13function_viewIFbP7objfileEEclES2_
	../../binutils-gdb/gdb/../gdbsupport/function-view.h:289
0x793d81 svr4_iterate_over_objfiles_in_search_order
	../../binutils-gdb/gdb/solib-svr4.c:3425
0x7d2234 lookup_global_or_static_symbol
	../../binutils-gdb/gdb/symtab.c:2645
0x7d801c _Z20lookup_global_symbolPKcPK5block11domain_enum
	../../binutils-gdb/gdb/symtab.c:2700
0x7d7c94 lookup_symbol_aux
	../../binutils-gdb/gdb/symtab.c:2170
0x7d7df2 _Z25lookup_symbol_in_languagePKcPK5block11domain_enum8languageP20field_of_this_result
	../../binutils-gdb/gdb/symtab.c:1962
0x545346 inspect_type
	../../binutils-gdb/gdb/cp-support.c:152
0x545214 _Z27cp_canonicalize_string_fullPKcPFS0_P4typePvES3_
	../../binutils-gdb/gdb/cp-support.c:594
0x545dec _Z34cp_canonicalize_string_no_typedefsPKc
	../../binutils-gdb/gdb/cp-support.c:618
0x6770db find_linespec_symbols
	../../binutils-gdb/gdb/linespec.c:3811
0x67a4d7 linespec_parse_basic
	../../binutils-gdb/gdb/linespec.c:1815
0x67a4d7 parse_linespec
	../../binutils-gdb/gdb/linespec.c:2597
0x67af20 location_spec_to_sals
	../../binutils-gdb/gdb/linespec.c:3073
0x67b2aa _Z16decode_line_fullP13location_speciP13program_spaceP6symtabiP15linespec_resultPKcS8_
	../../binutils-gdb/gdb/linespec.c:3149
0x4c71b9 parse_breakpoint_sals
	../../binutils-gdb/gdb/breakpoint.c:8564
0x4ccdac _Z17create_breakpointP7gdbarchP13location_specPKciS4_bii6bptypei12auto_booleanPK14breakpoint_opsiiij
	../../binutils-gdb/gdb/breakpoint.c:8843
0x4cd2cc break_command_1
	../../binutils-gdb/gdb/breakpoint.c:9027
0x645e47 run_command_1
	../../binutils-gdb/gdb/infcmd.c:427
0x505cac _Z8cmd_funcP16cmd_list_elementPKci
	../../binutils-gdb/gdb/cli/cli-decode.c:2543
0x815fda _Z15execute_commandPKci
	../../binutils-gdb/gdb/top.c:692
0x5df52c _Z15command_handlerPKc
	../../binutils-gdb/gdb/event-top.c:616
0x5df897 _Z20command_line_handlerOSt10unique_ptrIcN3gdb13xfree_deleterIcEEE
	../../binutils-gdb/gdb/event-top.c:860
0x5dfd7c gdb_rl_callback_handler
	../../binutils-gdb/gdb/event-top.c:246
0x89dbb4 rl_callback_read_char
	../../../binutils-gdb/readline/readline/callback.c:290
0x5dfe9d gdb_rl_callback_read_char_wrapper_noexcept
	../../binutils-gdb/gdb/event-top.c:188
0x5e001c gdb_rl_callback_read_char_wrapper
	../../binutils-gdb/gdb/event-top.c:221
0x5de71f stdin_event_handler
	../../binutils-gdb/gdb/event-top.c:541
0x97772d gdb_wait_for_event
	../../binutils-gdb/gdbsupport/event-loop.cc:716
0x977ef0 _Z16gdb_do_one_eventi
	../../binutils-gdb/gdbsupport/event-loop.cc:264
0x6a91c9 start_event_loop
	../../binutils-gdb/gdb/main.c:411
0x6a91c9 captured_command_loop
	../../binutils-gdb/gdb/main.c:471
0x6aab34 captured_main
	../../binutils-gdb/gdb/main.c:1330
0x6aab34 _Z8gdb_mainP18captured_main_args
	../../binutils-gdb/gdb/main.c:1345
0x43a044 main
	../../binutils-gdb/gdb/gdb.c:32
---------------------
A fatal error internal to GDB has been detected, further
debugging is not possible.  GDB will now terminate.

This is a bug, please report it.  For instructions, see:
<https://www.gnu.org/software/gdb/bugs/>.

Segmentation fault

Comment 1 Tom de Vries 2023-04-15 08:29:43 UTC

Confirmed on openSUSE Tumbleweed, using:
...
gcc version 13.0.1 20230314 (experimental) [revision 42630fadbe248717859d61c0244c821c32b4e52c] (SUSE Linux) 
...

Happens here:
...
Thread 1 "gdb" received signal SIGSEGV, Segmentation fault.
0x000000000072cd38 in dwarf2_start_subfile (cu=0x2badc50, fe=..., lh=...) at /data/vries/gdb/src/gdb/dwarf2/read.c:18716
18716     if (!IS_ABSOLUTE_PATH (filename) && dirname != NULL)
...
because:
...
(gdb) p filename
$1 = 0x0
...

It's probably triggered by an empty file name in the file name table:
...
 The File Name Table (offset 0x219, lines 2, columns 2):
  Entry Dir     Name
  0     0       (indirect line string, offset: 0x3c):
  1     0       (indirect line string, offset: 0x14d): test.c
...

Comment 2 Tom de Vries 2023-04-16 06:34:09 UTC

Fixed by:
...
diff --git a/gdb/dwarf2/line-header.c b/gdb/dwarf2/line-header.c
index 9d74c8fe75b..d59b63588d0 100644
--- a/gdb/dwarf2/line-header.c
+++ b/gdb/dwarf2/line-header.c
@@ -51,6 +51,9 @@ line_header::add_file_name (const char *name,
   file_name_index index
     = version >= 5 ? file_names_size (): file_names_size () + 1;
 
+  if (name == nullptr)
+    name = "";
+
   if (dwarf_line_debug >= 2)
     gdb_printf (gdb_stdlog, "Adding file %d: %s\n", index, name);
...

Comment 3 Anonymous 2023-04-16 13:23:16 UTC

(In reply to Tom de Vries from comment #2)
> Fixed by:
> ...
> diff --git a/gdb/dwarf2/line-header.c b/gdb/dwarf2/line-header.c
> index 9d74c8fe75b..d59b63588d0 100644
> --- a/gdb/dwarf2/line-header.c
> +++ b/gdb/dwarf2/line-header.c
> @@ -51,6 +51,9 @@ line_header::add_file_name (const char *name,
>    file_name_index index
>      = version >= 5 ? file_names_size (): file_names_size () + 1;
>  
> +  if (name == nullptr)
> +    name = "";
> +
>    if (dwarf_line_debug >= 2)
>      gdb_printf (gdb_stdlog, "Adding file %d: %s\n", index, name);
> ...

Thanks. I will update gdb to the latest version.

Comment 4 Tom Tromey 2023-04-16 13:51:55 UTC

read_direct_string replaces "" with NULL, which seems a little weird.
Anyway maybe read_formatted_entries should undo this.
Or perhaps there should be a non-transforming variant of read_direct_string.

Comment 5 Tom de Vries 2023-04-17 08:29:11 UTC

Created attachment 14830 [details]
Tentative patch

Currently testing.

Comment 6 Tom de Vries 2023-04-17 08:36:48 UTC

(In reply to Tom Tromey from comment #4)
> Anyway maybe read_formatted_entries should undo this.

With the tentative patch taking this approach.

Comment 7 Tom de Vries 2023-04-17 09:18:13 UTC

https://sourceware.org/pipermail/gdb-patches/2023-April/198908.html

Comment 8 Sourceware Commits 2023-04-17 16:09:37 UTC

The master branch has been updated by Tom de Vries <vries@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fb12bc1e8e7c5246e4eabcebdb4644c43bc7e6b9

commit fb12bc1e8e7c5246e4eabcebdb4644c43bc7e6b9
Author: Tom de Vries <tdevries@suse.de>
Date:   Mon Apr 17 18:09:32 2023 +0200

    [gdb/symtab] Handle empty file name in .debug_line section
    
    With DWARF 5, it's possible to produce an empty file name in the File Name
    Table of the .debug_line section:
    ...
     The File Name Table (offset 0x112, lines 1, columns 2):
      Entry Dir     Name
      0     1       (indirect line string, offset: 0x2d):
    ...
    
    Currently, when gdb reads an exec containing such debug info, it segfaults:
    ...
    Thread 1 "gdb" received signal SIGSEGV, Segmentation fault.
    0x000000000072cd38 in dwarf2_start_subfile (cu=0x2badc50, fe=..., lh=...) at \
      gdb/dwarf2/read.c:18716
    18716     if (!IS_ABSOLUTE_PATH (filename) && dirname != NULL)
    ...
    because read_direct_string transforms "" into a nullptr, and we end up
    dereferencing the nullptr.
    
    Note that the behaviour of read_direct_string has been present since repo
    creation.
    
    Fix this in read_formatted_entries, by transforming nullptr filenames in to ""
    filenames.
    
    Tested on x86_64-linux.
    
    Reviewed-By: Tom Tromey <tom@tromey.com>
    
    PR symtab/30357
    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30357

Comment 9 Tom de Vries 2023-04-17 16:12:47 UTC

Fixed by commit.

Comment 10 Sourceware Commits 2023-04-18 03:47:25 UTC

The gdb-13-branch branch has been updated by Tom de Vries <vries@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=69eedc8e312685d9c0055098e9c461b95a2e832f

commit 69eedc8e312685d9c0055098e9c461b95a2e832f
Author: Tom de Vries <tdevries@suse.de>
Date:   Tue Apr 18 05:47:21 2023 +0200

    [gdb/symtab] Handle empty file name in .debug_line section
    
    With DWARF 5, it's possible to produce an empty file name in the File Name
    Table of the .debug_line section:
    ...
     The File Name Table (offset 0x112, lines 1, columns 2):
      Entry Dir     Name
      0     1       (indirect line string, offset: 0x2d):
    ...
    
    Currently, when gdb reads an exec containing such debug info, it segfaults:
    ...
    Thread 1 "gdb" received signal SIGSEGV, Segmentation fault.
    0x000000000072cd38 in dwarf2_start_subfile (cu=0x2badc50, fe=..., lh=...) at \
      gdb/dwarf2/read.c:18716
    18716     if (!IS_ABSOLUTE_PATH (filename) && dirname != NULL)
    ...
    because read_direct_string transforms "" into a nullptr, and we end up
    dereferencing the nullptr.
    
    Note that the behaviour of read_direct_string has been present since repo
    creation.
    
    Fix this in read_formatted_entries, by transforming nullptr filenames in to ""
    filenames.
    
    Tested on x86_64-linux.
    
    Reviewed-By: Tom Tromey <tom@tromey.com>
    
    PR symtab/30357
    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30357