[PATCH 2/2] gdb/dwarf: fix UBsan crash in read_subrange_type
Andrew Burgess
aburgess@redhat.com
Fri Jan 20 13:03:09 GMT 2023
Simon Marchi via Gdb-patches <gdb-patches@sourceware.org> writes:
> When running gdb.ada/arrayptr.exp (and others) on Ubuntu 22.04, with the
> `gnat-11` package installed (not `gnat`), with UBSan activated, I get:
>
> (gdb) break foo.adb:40
> /home/smarchi/src/binutils-gdb/gdb/dwarf2/read.c:17689:20: runtime error: shift exponent 127 is too large for 64-bit type 'long unsigned int'
>
> The problematic DIEs are:
>
> 0x00001460: DW_TAG_subrange_type
> DW_AT_lower_bound [DW_FORM_data1] (0x00)
> DW_AT_upper_bound [DW_FORM_data16] (ffffffffffffffff3f00000000000000)
> DW_AT_name [DW_FORM_strp] ("foo__packed_array___XP7___XDLU_0__1180591620717411303423")
> DW_AT_type [DW_FORM_ref4] (0x0000153f "long_long_long_unsigned")
> DW_AT_GNAT_descriptive_type [DW_FORM_ref4] (0x0000147e)
> DW_AT_artificial [DW_FORM_flag_present] (true)
>
> 0x0000153f: DW_TAG_base_type
> DW_AT_byte_size [DW_FORM_data1] (0x10)
> DW_AT_encoding [DW_FORM_data1] (DW_ATE_unsigned)
> DW_AT_name [DW_FORM_strp] ("long_long_long_unsigned")
> DW_AT_artificial [DW_FORM_flag_present] (true)
>
> When processed by this code:
>
> negative_mask =
> -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
> if (low.kind () == PROP_CONST
> && !base_type->is_unsigned () && (low.const_val () & negative_mask))
> low.set_const_val (low.const_val () | negative_mask);
>
> When the base type's length (16 bytes in this case) is larger than a
> ULONGEST (typically 8 bytes), the bit shift is too large.
>
> My obvious fix is just to skip the fixup for base types larger than a
> ULONGEST (8 bytes). I don't think we really handle constant attribute
> values larger than 8 bytes anyway, so this is part of a much larger
> problem.
>
> Add a test that replicates this situation, but uses bounds that fit in a
> signed 64-bit, so we get a sensible result.
>
> Change-Id: I8d0a24f3edd83b44e0761a0ce38922d3e2e112fb
> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29386
> ---
> gdb/dwarf2/read.c | 29 ++++++++++++++++++---------
> gdb/testsuite/gdb.dwarf2/subrange.exp | 22 ++++++++++++++++++++
> 2 files changed, 41 insertions(+), 10 deletions(-)
>
> diff --git a/gdb/dwarf2/read.c b/gdb/dwarf2/read.c
> index 44b54f77de9..87846788604 100644
> --- a/gdb/dwarf2/read.c
> +++ b/gdb/dwarf2/read.c
> @@ -17588,7 +17588,6 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
> int low_default_is_valid;
> int high_bound_is_count = 0;
> const char *name;
> - ULONGEST negative_mask;
>
> orig_base_type = read_subrange_index_type (die, cu);
>
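Review bot: dropping the function-scope `ULONGEST negative_mask;` here only works together with the block-scoped declaration in the next hunk, so the two hunks must land as one commit; the diff shows a single use site, but please confirm nothing else in read_subrange_type still refers to `negative_mask`, since the narrowed scope would turn any such use into a compile error.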
> @@ -17684,15 +17683,25 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
> with GCC, for instance, where the ambiguous DW_FORM_dataN form
> is used instead. To work around that ambiguity, we treat
> the bounds as signed, and thus sign-extend their values, when
> - the base type is signed. */
> - negative_mask =
> - -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
> - if (low.kind () == PROP_CONST
> - && !base_type->is_unsigned () && (low.const_val () & negative_mask))
> - low.set_const_val (low.const_val () | negative_mask);
> - if (high.kind () == PROP_CONST
> - && !base_type->is_unsigned () && (high.const_val () & negative_mask))
> - high.set_const_val (high.const_val () | negative_mask);
> + the base type is signed.
> +
> + Skip it if the base type's length is largest than ULONGEST, to avoid
s/largest/larger/
> + the undefined behavior of a too large left shift. We don't really handle
> + constants larger than 8 bytes anyway, at the moment. */
> +
> + if (base_type->length () <= sizeof (ULONGEST))
> + {
> + ULONGEST negative_mask
> + = -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
> +
> + if (low.kind () == PROP_CONST
> + && !base_type->is_unsigned () && (low.const_val () & negative_mask))
> + low.set_const_val (low.const_val () | negative_mask);
> +
> + if (high.kind () == PROP_CONST
> + && !base_type->is_unsigned () && (high.const_val () & negative_mask))
> + high.set_const_val (high.const_val () | negative_mask);
> + }
>
> /* Check for bit and byte strides. */
> struct dynamic_prop byte_stride_prop;
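Review bot: the new guard `if (base_type->length () <= sizeof (ULONGEST))` still admits a zero-length base type, for which `base_type->length () * TARGET_CHAR_BIT - 1` underflows and the shift exponent is again out of range; if a DW_TAG_base_type with byte_size 0 can reach this point, tighten it to `base_type->length () > 0 && base_type->length () <= sizeof (ULONGEST)`. Since bounds of wider types are now silently left as read, a `complaint` (or a sentence in the comment saying the values are kept unextended) would help the next reader, and "largest" in the comment should read "larger".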
> diff --git a/gdb/testsuite/gdb.dwarf2/subrange.exp b/gdb/testsuite/gdb.dwarf2/subrange.exp
> index 8a8443f31a8..556422629a3 100644
> --- a/gdb/testsuite/gdb.dwarf2/subrange.exp
> +++ b/gdb/testsuite/gdb.dwarf2/subrange.exp
> @@ -77,6 +77,26 @@ Dwarf::assemble $asm_file {
> {name subrange_with_buggy_negative_bounds_variable}
> {type :$subrange_with_buggy_negative_bounds_label}
> }
> +
> + # This subrange's base type is 16-bytes long (although the bounds fit in
> + # signed 64-bit). This is to test the fix for PR 29386.
> + declare_labels a_16_byte_integer_label a_16_byte_subrange_label
> +
> + a_16_byte_integer_label: base_type {
> + {byte_size 16 udata}
> + {encoding @DW_ATE_signed}
> + }
> +
> + a_16_byte_subrange_label: subrange_type {
> + {lower_bound -9223372036854775808 DW_FORM_sdata}
> + {upper_bound 9223372036854775807 DW_FORM_sdata}
> + {type :$a_16_byte_integer_label}
> + }
> +
> + DW_TAG_variable {
> + {name a_16_byte_subrange_variable}
> + {type :$a_16_byte_subrange_label}
> + }
> }
> }
> }
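Review bot: the new test only covers the no-crash path: both bounds are DW_FORM_sdata constants that fit in 64 bits, so with the fix the sign-extension is skipped and the values are printed exactly as read, while the shape that triggered the report (an unsigned 16-byte base type with a DW_FORM_data16 upper bound) is not exercised. Worth stating in the comment above `declare_labels`, or adding a second subrange with a data16 bound if the DWARF assembler can emit that form, so the limitation the commit message mentions stays visible in the testsuite.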
> @@ -92,3 +112,5 @@ gdb_test "ptype TByteArray" \
> "type = array \\\[0\\.\\.191\\\] of byte"
> gdb_test "ptype subrange_with_buggy_negative_bounds_variable" \
> "type = -16..-12"
> +gdb_test "ptype a_16_byte_subrange_variable" \
> + "type = -9223372036854775808..9223372036854775807"
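Review bot: because an over-wide shift is undefined behaviour rather than a guaranteed wrong result, this gdb_test is only certain to fail on the unfixed code under UBSan; on a host where the shift count happens to wrap modulo 64 the mask becomes the top bit, and with these particular bounds (low already has bit 63 set, high has it clear) the printed range is unchanged. The comment in the previous hunk should say this is a UBSan regression test so nobody later reads it as a functional check.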
As before, I'd use "\\.\\." here.
Looks good with those nits fixed.
Thanks,
Andrew
> --
> 2.39.1
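Added example, not part of Simon's patch, the gdb sources or this thread: a stand-alone C model of the sign-extension step that read_subrange_type performs on DW_FORM_dataN bounds, with the guard the patch introduces (plus a length-0 check), so the shift exponents involved can be inspected directly. `ULONGEST`, `LONGEST` and `TARGET_CHAR_BIT` are local stand-ins for gdb's definitions (assumed 64-bit and 8, as in the report); `sign_extend_bound`, `extend_or_keep` and `shift_exponent_for` are names chosen here, and the sample bounds are constructed to match the "-16..-12" case from subrange.exp and the 16-byte type from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for gdb's types and macros (assumption: 64-bit ULONGEST,
   8-bit target chars, as in the report).  */
typedef uint64_t ULONGEST;
typedef int64_t LONGEST;
#define TARGET_CHAR_BIT 8

/* Sign-extend *VAL, a DW_FORM_dataN constant read as unsigned, when the
   bound's base type is signed and BASE_LEN bytes wide.  Mirrors the logic
   in read_subrange_type with the patch's guard: return false and leave
   *VAL untouched when no valid shift exponent exists, i.e. when the base
   type is wider than ULONGEST (16 bytes would give exponent 127) or empty
   (0 bytes would make BASE_LEN * TARGET_CHAR_BIT - 1 underflow).  */
static bool
sign_extend_bound (LONGEST *val, size_t base_len, bool is_unsigned)
{
  if (base_len == 0 || base_len > sizeof (ULONGEST))
    return false;

  /* All bits from the base type's sign bit upwards.  For BASE_LEN == 8
     this is just the top bit; unsigned negation wraps, so no UB here.  */
  ULONGEST negative_mask
    = -((ULONGEST) 1 << (base_len * TARGET_CHAR_BIT - 1));

  if (!is_unsigned && ((ULONGEST) *val & negative_mask) != 0)
    *val = (LONGEST) ((ULONGEST) *val | negative_mask);
  return true;
}

/* Convenience wrapper: returns the (possibly sign-extended) value.  */
static LONGEST
extend_or_keep (LONGEST val, size_t base_len, bool is_unsigned)
{
  sign_extend_bound (&val, base_len, is_unsigned);
  return val;
}

/* Shift exponent the unguarded code would have used: 63 for an 8-byte
   type, 127 for the 16-byte type from the report, which UBSan flagged.  */
static unsigned
shift_exponent_for (size_t base_len)
{
  return (unsigned) (base_len * TARGET_CHAR_BIT - 1);
}

int
main (void)
{
  /* Constructed inputs: a 1-byte signed base type with bounds 0xF0 and
     0xF4 read as unsigned, i.e. the "-16..-12" case from subrange.exp.  */
  LONGEST low = 0xF0, high = 0xF4;
  sign_extend_bound (&low, 1, false);
  sign_extend_bound (&high, 1, false);
  printf ("1-byte signed: %lld..%lld\n", (long long) low, (long long) high);

  /* 16-byte base type: the fixup is skipped instead of shifting by 127.  */
  LONGEST wide = 0x3F;
  bool done = sign_extend_bound (&wide, 16, false);
  printf ("16-byte: extended=%d value=%lld (unguarded shift would be %u)\n",
          done, (long long) wide, shift_exponent_for (16));
  return 0;
}
```

The guard keeps the original behaviour for every width gdb can actually represent in a ULONGEST (1 to 8 bytes) and refuses only the widths for which the shift expression has no defined meaning, which is the same trade-off the patch makes.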