Bug 31694 - heap-use-after-free in index-cache
Summary: heap-use-after-free in index-cache
Status: RESOLVED FIXED
Alias: None
Product: gdb
Classification: Unclassified
Component: symtab
Version: HEAD
Importance: P2 normal
Target Milestone: 15.1
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-02 14:06 UTC by Hannes Domani
Modified: 2024-05-04 16:58 UTC
CC: 3 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
heob output as html (2.26 KB, text/html)
2024-05-03 11:48 UTC, Hannes Domani

Description Hannes Domani 2024-05-02 14:06:52 UTC
On current master (75d933919d8) gdb crashes on Windows for all executables; with heob I see it's because it tries to access already-freed memory:

> unhandled exception code: 0xC0000005 (ACCESS_VIOLATION)
>   exception on: '1 [17676]'
>     0x00007FF73CE30000   c:\src\repos\gdb64\bin\gdb.exe
>       0x00007FF73CF586F8   C:\src\repos\binutils-gdb.git\gdb\dwarf2\index-cache.c:163:3 [index_cache_store_context::store() const]
>       0x00007FF73CF46CB5   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:601:27 [cooked_index_worker::write_to_cache(cooked_index const*, deferred_warnings*) const]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:657:29 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF45E32   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:667:20 [cooked_index::set_contents(std::vector<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> >, std::allocator<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> > > >&&, deferred_warnings*, parent_map_map const*)]
>       0x00007FF73CF832D5   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4916:23 [cooked_index_debug_info::done_reading()]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF91777   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4989:17 [cooked_index_debug_info::do_reading()]
>       0x00007FF73CF45F48   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:473:13 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\thread-pool.h:159:10 [gdb::thread_pool::post_task(std::function<void ()>&&)]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:469:46 [cooked_index_worker::start()]
>       0x00007FF73CF84376   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16754:22 [start_debug_info_reader]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3262:31 [dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool)]
>       0x00007FF73CEF7B66   C:\src\repos\binutils-gdb.git\gdb\coffread.c:720:33 [coff_symfile_read]
>       0x00007FF73D184C46   C:\src\repos\binutils-gdb.git\gdb\symfile.c:772:28 [read_symbols]
>       0x00007FF73D184290   C:\src\repos\binutils-gdb.git\gdb\symfile.c:964:16 [syms_from_objfile_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:981:23 [syms_from_objfile]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1084:21 [symbol_file_add_with_addrs]
>       0x00007FF73D185E23   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1158:37 [symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1171:35 [symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>)]
>       0x00007FF73D186109   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1195:45 [symbol_file_add_main_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1186:26 [symbol_file_add_main(char const*, enum_flags<symfile_add_flag>)]
>       0x00007FF73D05C19E   C:\src\repos\binutils-gdb.git\gdb\main.c:507:15 [catch_command_errors]
>       0x00007FF73D05FF55   C:\src\repos\binutils-gdb.git\gdb\main.c:1218:29 [captured_main_1]
>       0x00007FF73D06018C   C:\src\repos\binutils-gdb.git\gdb\main.c:1329:19 [captured_main]
>                            C:\src\repos\binutils-gdb.git\gdb\main.c:1358:21 [gdb_main(captured_main_args*)]
>       0x00007FF73D86D76F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:38:19 [main]
>       0x00007FF73CE31430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>       0x00007FF73CE315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
>   read access violation at 0x000002357C810F48
>   freed block 0x000002357C810E60 (size 416, offset +232)
>   allocated on: (#9257) '1 [17676]'
>                            [malloc]
>     0x00007FF73CE30000   c:\src\repos\gdb64\bin\gdb.exe
>       0x00007FF73D37AEFD   C:\src\repos\binutils-gdb.git\gdbsupport\new-op.cc:58:20 [operator new(unsigned long long)]
>       0x00007FF73CF84325   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16749:46 [start_debug_info_reader]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3262:31 [dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool)]
>       0x00007FF73CEF7B66   C:\src\repos\binutils-gdb.git\gdb\coffread.c:720:33 [coff_symfile_read]
>       0x00007FF73D184C46   C:\src\repos\binutils-gdb.git\gdb\symfile.c:772:28 [read_symbols]
>       0x00007FF73D184290   C:\src\repos\binutils-gdb.git\gdb\symfile.c:964:16 [syms_from_objfile_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:981:23 [syms_from_objfile]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1084:21 [symbol_file_add_with_addrs]
>       0x00007FF73D185E23   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1158:37 [symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1171:35 [symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>)]
>       0x00007FF73D186109   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1195:45 [symbol_file_add_main_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1186:26 [symbol_file_add_main(char const*, enum_flags<symfile_add_flag>)]
>       0x00007FF73D05C19E   C:\src\repos\binutils-gdb.git\gdb\main.c:507:15 [catch_command_errors]
>       0x00007FF73D05FF55   C:\src\repos\binutils-gdb.git\gdb\main.c:1218:29 [captured_main_1]
>       0x00007FF73D06018C   C:\src\repos\binutils-gdb.git\gdb\main.c:1329:19 [captured_main]
>                            C:\src\repos\binutils-gdb.git\gdb\main.c:1358:21 [gdb_main(captured_main_args*)]
>       0x00007FF73D86D76F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:38:19 [main]
>       0x00007FF73CE31430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>       0x00007FF73CE315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]
>   freed on: '1 [17676]'
>                            [free]
>     0x00007FF73CE30000   c:\src\repos\gdb64\bin\gdb.exe
>       0x00007FF73CF46C99   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.h:689:10 [cooked_index::index_for_writing()]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:657:48 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index::set_contents(cooked_index::vec_type&&, deferred_warnings*, const parent_map_map*)::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF45E32   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:667:20 [cooked_index::set_contents(std::vector<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> >, std::allocator<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> > > >&&, deferred_warnings*, parent_map_map const*)]
>       0x00007FF73CF832D5   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4916:23 [cooked_index_debug_info::done_reading()]
>       0x00007FF73D7FFD2F   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:38:14 [gdb::task_group::impl::~impl()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:348:9 [std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose()]
>       0x00007FF73D37DE59   c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:168:16 [std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:705:21 [std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1154:7 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\shared_ptr_base.h:1272:9 [std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset()]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\task-group.cc:90:16 [gdb::task_group::start()]
>       0x00007FF73CF91777   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:4989:17 [cooked_index_debug_info::do_reading()]
>       0x00007FF73CF45F48   C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:473:13 [operator()]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:61:36 [__invoke_impl<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\invoke.h:111:28 [__invoke_r<void, cooked_index_worker::start()::<lambda()>&>]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:291:30 [_M_invoke]
>                            c:\msys64\mingw64\x86_64-w64-mingw32\include\c++\11.2.0\bits\std_function.h:560:9 [std::function<void ()>::operator()() const]
>                            C:\src\repos\binutils-gdb.git\gdbsupport\thread-pool.h:159:10 [gdb::thread_pool::post_task(std::function<void ()>&&)]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\cooked-index.c:469:46 [cooked_index_worker::start()]
>       0x00007FF73CF84376   C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:16754:22 [start_debug_info_reader]
>                            C:\src\repos\binutils-gdb.git\gdb\dwarf2\read.c:3262:31 [dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool)]
>       0x00007FF73CEF7B66   C:\src\repos\binutils-gdb.git\gdb\coffread.c:720:33 [coff_symfile_read]
>       0x00007FF73D184C46   C:\src\repos\binutils-gdb.git\gdb\symfile.c:772:28 [read_symbols]
>       0x00007FF73D184290   C:\src\repos\binutils-gdb.git\gdb\symfile.c:964:16 [syms_from_objfile_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:981:23 [syms_from_objfile]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1084:21 [symbol_file_add_with_addrs]
>       0x00007FF73D185E23   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1158:37 [symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*)]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1171:35 [symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>)]
>       0x00007FF73D186109   C:\src\repos\binutils-gdb.git\gdb\symfile.c:1195:45 [symbol_file_add_main_1]
>                            C:\src\repos\binutils-gdb.git\gdb\symfile.c:1186:26 [symbol_file_add_main(char const*, enum_flags<symfile_add_flag>)]
>       0x00007FF73D05C19E   C:\src\repos\binutils-gdb.git\gdb\main.c:507:15 [catch_command_errors]
>       0x00007FF73D05FF55   C:\src\repos\binutils-gdb.git\gdb\main.c:1218:29 [captured_main_1]
>       0x00007FF73D06018C   C:\src\repos\binutils-gdb.git\gdb\main.c:1329:19 [captured_main]
>                            C:\src\repos\binutils-gdb.git\gdb\main.c:1358:21 [gdb_main(captured_main_args*)]
>       0x00007FF73D86D76F   C:\src\repos\binutils-gdb.git\gdb\gdb.c:38:19 [main]
>       0x00007FF73CE31430   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:345:15 [__tmainCRTStartup]
>       0x00007FF73CE315B5   C:\gcc\src\mingw-w64-v8.0.2\mingw-w64-crt\crt\crtexe.c:220:9 [mainCRTStartup]

On Linux I can reproduce it with an ASAN build and gdb configured with --disable-threading:

> $ gdb/gdb-test/build-asan/gdb/gdb -q comma-digits
> Reading symbols from comma-digits...
> =================================================================
> ==7310==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000002128 at pc 0x00000098794a bp 0x7ffe37e6af70 sp 0x7ffe37e6af68
> READ of size 1 at 0x614000002128 thread T0
>     #0 0x987949 in index_cache_store_context::store() const ../../gdb/dwarf2/index-cache.c:163
>     #1 0x943467 in cooked_index_worker::write_to_cache(cooked_index const*, deferred_warnings*) const ../../gdb/dwarf2/cooked-index.c:601
>     #2 0x1705e39 in std::function<void ()>::operator()() const /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:690
>     #3 0x1705e39 in gdb::task_group::impl::~impl() ../../gdbsupport/task-group.cc:38
>     #4 0x1705e39 in std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:377
>     #5 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:155
>     #6 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:148
>     #7 0x17057f3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:730
>     #8 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1169
>     #9 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1287
>     #10 0x17057f3 in gdb::task_group::start() ../../gdbsupport/task-group.cc:90
>     #11 0x9470ba in cooked_index::set_contents(std::vector<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> >, std::allocator<std::unique_ptr<cooked_index_shard, std::default_delete<cooked_index_shard> > > >&&, deferred_warnings*, parent_map_map const*) ../../gdb/dwarf2/cooked-index.c:667
>     #12 0xa40211 in cooked_index_debug_info::done_reading() ../../gdb/dwarf2/read.c:4916
>     #13 0x1705e39 in std::function<void ()>::operator()() const /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:690
>     #14 0x1705e39 in gdb::task_group::impl::~impl() ../../gdbsupport/task-group.cc:38
>     #15 0x1705e39 in std::_Sp_counted_ptr<gdb::task_group::impl*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:377
>     #16 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:155
>     #17 0x17057f3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:148
>     #18 0x17057f3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:730
>     #19 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1169
>     #20 0x17057f3 in std::__shared_ptr<gdb::task_group::impl, (__gnu_cxx::_Lock_policy)2>::reset() /lisec/gcc/9/include/c++/9.2.0/bits/shared_ptr_base.h:1287
>     #21 0x17057f3 in gdb::task_group::start() ../../gdbsupport/task-group.cc:90
>     #22 0xa8bffa in cooked_index_debug_info::do_reading() ../../gdb/dwarf2/read.c:4989
>     #23 0x943aee in operator() ../../gdb/dwarf2/cooked-index.c:473
>     #24 0x943aee in _M_invoke /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:300
>     #25 0x943aee in std::function<void ()>::operator()() const /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:690
>     #26 0x943aee in gdb::thread_pool::post_task(std::function<void ()>&&) ../../gdb/../gdbsupport/thread-pool.h:159
>     #27 0x943aee in cooked_index_worker::start() ../../gdb/dwarf2/cooked-index.c:482
>     #28 0xa37105 in start_debug_info_reader ../../gdb/dwarf2/read.c:16754
>     #29 0xa37105 in dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool) ../../gdb/dwarf2/read.c:3262
>     #30 0xac6c4e in elf_symfile_read_dwarf2 ../../gdb/elfread.c:1199
>     #31 0xac6c4e in elf_symfile_read ../../gdb/elfread.c:1311
>     #32 0x115162c in read_symbols ../../gdb/symfile.c:772
>     #33 0x114fb86 in syms_from_objfile_1 ../../gdb/symfile.c:964
>     #34 0x114fb86 in syms_from_objfile ../../gdb/symfile.c:981
>     #35 0x114fb86 in symbol_file_add_with_addrs ../../gdb/symfile.c:1084
>     #36 0x115501d in symbol_file_add_from_bfd(gdb::ref_ptr<bfd, gdb_bfd_ref_policy> const&, char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>, objfile*) ../../gdb/symfile.c:1158
>     #37 0x115501d in symbol_file_add(char const*, enum_flags<symfile_add_flag>, std::vector<other_sections, std::allocator<other_sections> >*, enum_flags<objfile_flag>) ../../gdb/symfile.c:1171
>     #38 0x1155206 in symbol_file_add_main_1 ../../gdb/symfile.c:1195
>     #39 0x11553c2 in symbol_file_add_main(char const*, enum_flags<symfile_add_flag>) ../../gdb/symfile.c:1186
>     #40 0xdd6953 in symbol_file_add_main_adapter ../../gdb/main.c:538
>     #41 0xdd6a26 in catch_command_errors ../../gdb/main.c:507
>     #42 0xddbb2c in captured_main_1 ../../gdb/main.c:1218
>     #43 0xddc5ea in captured_main ../../gdb/main.c:1329
>     #44 0xddc5ea in gdb_main(captured_main_args*) ../../gdb/main.c:1358
>     #45 0x4b3333 in main ../../gdb/gdb.c:38
>     #46 0x3ee6c1ed1f in __libc_start_main (/lib64/libc.so.6+0x3ee6c1ed1f)
>     #47 0x4e76d0  (/home/domanjoh/gdb/gdb-test/build-asan/gdb/gdb+0x4e76d0)
> 
> 0x614000002128 is located 232 bytes inside of 408-byte region [0x614000002040,0x6140000021d8)
> freed by thread T0 here:
>     #0 0x7fd75ccf8ea5 in operator delete(void*, unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:177
>     #1 0x9462e5 in cooked_index::index_for_writing() ../../gdb/dwarf2/cooked-index.h:689
>     #2 0x9462e5 in operator() ../../gdb/dwarf2/cooked-index.c:657
>     #3 0x9462e5 in _M_invoke /lisec/gcc/9/include/c++/9.2.0/bits/std_function.h:300
> 
> previously allocated by thread T0 here:
>     #0 0x7fd75ccf7a1f in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:104
>     #1 0xa36cf9 in start_debug_info_reader ../../gdb/dwarf2/read.c:16749
>     #2 0xa36cf9 in dwarf2_initialize_objfile(objfile*, dwarf2_debug_sections const*, bool) ../../gdb/dwarf2/read.c:3262
> 
> SUMMARY: AddressSanitizer: heap-use-after-free ../../gdb/dwarf2/index-cache.c:163 in index_cache_store_context::store() const
> Shadow bytes around the buggy address:
>   0x0c287fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c287fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
>   0x0c287fff8400: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c287fff8410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c287fff8420: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>   0x0c287fff8430: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c287fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c287fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==7310==ABORTING
Comment 1 Hannes Domani 2024-05-03 11:48:42 UTC
Created attachment 15488 [details]
heob output as html
Comment 2 Bernd Edlinger 2024-05-04 07:29:34 UTC
ed29a346be439466ff2a5ce33e715e02c49fbdac is the first bad commit
commit ed29a346be439466ff2a5ce33e715e02c49fbdac
Author: Tom Tromey <tom@tromey.com>
Date:   Sun Jan 28 09:14:04 2024 -0700

    Avoid race when writing to index cache
    
    The background DWARF reader changes introduced a race when writing to
    the index cache.  The problem here is that constructing the
    index_cache_store_context object should only happen on the main
    thread, to ensure that the various value captures do not race.
    
    This patch adds an assert to the construct to that effect, and then
    arranges for this object to be constructed by the cooked_index_worker
    constructor -- which is only invoked on the main thread.
    
    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31262

 gdb/dwarf2/cooked-index.c | 27 ++++++++++++---------------
 gdb/dwarf2/cooked-index.h | 15 ++++++++++-----
 gdb/dwarf2/index-cache.c  |  4 ++++
 3 files changed, 26 insertions(+), 20 deletions(-)
Comment 4 Sourceware Commits 2024-05-04 16:55:57 UTC
The master branch has been updated by Hannes Domani <ssbssa@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5140d8e013b0d8ab560b1bb8c72e0a8b2e96ac4b

commit 5140d8e013b0d8ab560b1bb8c72e0a8b2e96ac4b
Author: Hannes Domani <ssbssa@yahoo.de>
Date:   Sat May 4 18:55:20 2024 +0200

    Fix heap-use-after-free in index-cache with --disable-threading
    
    If threads are disabled, either by --disable-threading explicitly, or by
    missing std::thread support, you get the following ASAN error when
    loading symbols:
    
    ==7310==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000002128 at pc 0x00000098794a bp 0x7ffe37e6af70 sp 0x7ffe37e6af68
    READ of size 1 at 0x614000002128 thread T0
        #0 0x987949 in index_cache_store_context::store() const ../../gdb/dwarf2/index-cache.c:163
        #1 0x943467 in cooked_index_worker::write_to_cache(cooked_index const*, deferred_warnings*) const ../../gdb/dwarf2/cooked-index.c:601
        #2 0x1705e39 in std::function<void ()>::operator()() const /gcc/9/include/c++/9.2.0/bits/std_function.h:690
        #3 0x1705e39 in gdb::task_group::impl::~impl() ../../gdbsupport/task-group.cc:38
    
    0x614000002128 is located 232 bytes inside of 408-byte region [0x614000002040,0x6140000021d8)
    freed by thread T0 here:
        #0 0x7fd75ccf8ea5 in operator delete(void*, unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:177
        #1 0x9462e5 in cooked_index::index_for_writing() ../../gdb/dwarf2/cooked-index.h:689
        #2 0x9462e5 in operator() ../../gdb/dwarf2/cooked-index.c:657
        #3 0x9462e5 in _M_invoke /gcc/9/include/c++/9.2.0/bits/std_function.h:300
    
    It's happening because cooked_index_worker::wait always returns true in
    this case, which tells cooked_index::wait it can delete the m_state
    cooked_index_worker member, but cooked_index_worker::write_to_cache tries
    to access it immediately afterwards.
    
    Fixed by making cooked_index_worker::wait only return true if desired_state
    is CACHE_DONE, same as if threading was enabled, so m_state will not be
    prematurely deleted.
    
    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31694
    Approved-By: Tom Tromey <tom@tromey.com>
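The ownership mistake the commit message describes, as an added C++ model that is not gdb's code: the owner (here `index_owner`, standing in for `cooked_index`) frees its worker (`worker`, standing in for `cooked_index_worker`) whenever the worker's wait predicate says "done", and the single-threaded predicate said "done" for every state instead of only for `CACHE_DONE`. The state names, class names and the `store_context` field are simplified stand-ins; instead of dereferencing the dangling pointer (undefined behaviour), the model checks whether the worker it was about to read still exists and counts that as the use-after-free ASAN reported.

```cpp
#include <cstddef>
#include <memory>
#include <string>

// Worker stages in order; CACHE_DONE is the final one.  Constructed to
// mirror the states named on this page; gdb's real enum has more detail.
enum class cooked_state { INITIAL, MAIN_AVAILABLE, FINALIZED, CACHE_DONE };

// The predicate the fix changes: after waiting for DESIRED, may the owner
// delete the worker?  With threads enabled the answer is "yes" only for
// CACHE_DONE.  The --disable-threading branch answered "yes" unconditionally
// because there was never anything to wait for; the fix makes it use the
// same rule as the threaded build.
bool
worker_wait_may_delete (cooked_state desired, bool threads_enabled, bool fixed)
{
  if (threads_enabled)
    return desired == cooked_state::CACHE_DONE;
  if (!fixed)
    return true;                                /* the bug */
  return desired == cooked_state::CACHE_DONE;   /* the fix */
}

// Stand-in for cooked_index_worker: holds what the cache writer reads.
struct worker
{
  std::string store_context = "index-cache store context";
};

// Stand-in for cooked_index, which owns the worker through m_state.
struct index_owner
{
  std::unique_ptr<worker> m_state = std::make_unique<worker> ();
  bool threads_enabled;
  bool fixed;
  std::size_t uses_after_free = 0;

  index_owner (bool threads, bool fixed_predicate)
    : threads_enabled (threads), fixed (fixed_predicate) {}

  // Mirrors cooked_index::wait: "true" from the worker means the owner may
  // free it, so the worker must only say so once its last stage is done.
  void wait (cooked_state desired)
  {
    if (m_state == nullptr)
      return;
    if (worker_wait_may_delete (desired, threads_enabled, fixed))
      m_state.reset ();
  }

  // Mirrors the cache-writing step: the worker is looked up, the index is
  // waited on until FINALIZED, and then the worker's context is read.
  bool write_to_cache ()
  {
    worker *w = m_state.get ();
    wait (cooked_state::FINALIZED);
    if (m_state.get () != w)
      {
        ++uses_after_free;   /* the read ASAN flagged at index-cache.c:163 */
        return false;
      }
    return !w->store_context.empty ();
  }
};

// Runs the sequence once; returns true if the cache write completed without
// touching a freed worker and the worker was released at CACHE_DONE.
bool
cache_write_is_safe (bool threads_enabled, bool fixed)
{
  index_owner idx (threads_enabled, fixed);
  bool ok = idx.write_to_cache ();
  idx.wait (cooked_state::CACHE_DONE);   /* final wait: worker released here */
  return ok && idx.uses_after_free == 0 && idx.m_state == nullptr;
}
```

`cache_write_is_safe (false, false)` reproduces the report: the wait for `FINALIZED` frees the worker, and the next read would hit freed memory. With the fixed predicate, or with threads enabled, the worker survives until the `CACHE_DONE` wait, which is the only point the owner is allowed to release it.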
Comment 5 Hannes Domani 2024-05-04 16:58:01 UTC
Fixed.