Re: [PATCH] Remove MAX_REGISTER_SIZE from py-unwind.c
- From: Pedro Alves <palves at redhat dot com>
- To: Alan Hayward <Alan dot Hayward at arm dot com>, Yao Qi <qiyaoltc at gmail dot com>
- Cc: "gdb-patches at sourceware dot org" <gdb-patches at sourceware dot org>, nd <nd at arm dot com>
- Date: Thu, 22 Jun 2017 14:22:07 +0100
- Subject: Re: [PATCH] Remove MAX_REGISTER_SIZE from py-unwind.c
- References: <E4218BDE-2A92-490F-9443-27E25F4237C4@arm.com> <86bmpgjso6.fsf@gmail.com> <82556349-1E8C-44C3-9FC9-68F15E36D4D4@arm.com>
On 06/22/2017 02:13 PM, Alan Hayward wrote:
> Ok, pushed with changes as suggested.
>
> Patch below.
Sorry, but this looks broken to me.
cached_frame_info is using the trailing array idiom ...
> @@ -93,7 +84,7 @@ typedef struct
> /* Length of the `reg' array below. */
> int reg_count;
>
> - struct reg_info reg[];
> + cached_reg_t reg[];
> } cached_frame_info;
>
>
> - cached_frame
> - = ((cached_frame_info *)
> - xmalloc (sizeof (*cached_frame)
> - + reg_count * sizeof (cached_frame->reg[0])));
> + cached_frame = XNEW (cached_frame_info);
but now you're not allocating enough space for the array elements...
> cached_frame->gdbarch = gdbarch;
> cached_frame->frame_id = unwind_info->frame_id;
> cached_frame->reg_count = reg_count;
> @@ -580,13 +568,14 @@ pyuw_sniffer (const struct frame_unwind *self, struct frame_info *this_frame,
> struct value *value = value_object_to_value (reg->value);
> size_t data_size = register_size (gdbarch, reg->number);
>
> - cached_frame->reg[i].number = reg->number;
> + cached_frame->reg[i].num = reg->number;
... that you're accessing here and below.
Valgrind probably shows the now-out-of-bounds accesses.
>
> /* `value' validation was done before, just assert. */
> gdb_assert (value != NULL);
> gdb_assert (data_size == TYPE_LENGTH (value_type (value)));
> gdb_assert (data_size <= MAX_REGISTER_SIZE);
>
> + cached_frame->reg[i].data = (gdb_byte *) xmalloc (data_size);
> memcpy (cached_frame->reg[i].data, value_contents (value), data_size);
> }
> }
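Review bot: The context line `gdb_assert (data_size <= MAX_REGISTER_SIZE);` still appears in this hunk with no `-` marker, although the patch's stated purpose is to remove MAX_REGISTER_SIZE from the file; if that marker was not simply lost in quoting, the symbol is still referenced here and the removal is incomplete. Since data_size now sizes a per-register xmalloc rather than a fixed-size buffer, the assert no longer protects any bound and can be dropped together with the macro reference. pyuw_sniffer begins and ends outside this hunk.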
> @@ -601,6 +590,11 @@ static void
> pyuw_dealloc_cache (struct frame_info *this_frame, void *cache)
> {
> TRACE_PY_UNWIND (3, "%s: enter", __FUNCTION__);
> + cached_frame_info *cached_frame = (cached_frame_info *) cache;
> +
> + for (int i = 0; cached_frame->reg_count; i++)
> + xfree (cached_frame->reg[i].data);
> +
> xfree (cache);
> }
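Review bot: The loop condition in pyuw_dealloc_cache tests `cached_frame->reg_count` itself instead of comparing the index against it, so whenever reg_count is non-zero the loop never terminates and xfree is applied to reg[i].data beyond the end of the array, while for reg_count == 0 nothing is freed, which is right only by accident. It should read `for (int i = 0; i < cached_frame->reg_count; i++)`. These per-register buffers are allocated in the pyuw_sniffer hunk above, and this loop is the only place visible here that releases them.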
>