[PATCH] gdb/linux-nat: Fix mem access ptrace fallback (PR threads/31579)

Pedro Alves pedro@palves.net
Thu Apr 11 11:39:41 GMT 2024


Old RHEL systems have a kernel that does not support writing memory
via /proc/pid/mem.  On such systems, we fallback to accessing memory
via ptrace.  That has a few downsides described in the "Accessing
inferior memory" section at the top of linux-nat.c.

The target_xfer interface for memory access uses inferior_ptid as
sideband argument to indicate which process to access.  Memory access
is process-wide, it is not thread-specific, so inferior_ptid is
sometimes pointed at a process-wide ptid_t for the memory access
(i.e., a ptid that looks like {pid, 0, 0}).  That is the case for any
code that uses scoped_restore_current_inferior_for_memory, for
example.

That is what causes the issue described in PR 31579, where thread_db
calls into the debugger to read memory, which reaches our
ps_xfer_memory function, which does:

  static ps_err_e
  ps_xfer_memory (const struct ps_prochandle *ph, psaddr_t addr,
		  gdb_byte *buf, size_t len, int write)
  {
    scoped_restore_current_inferior_for_memory save_inferior (ph->thread->inf);

    ...
      ret = target_read_memory (core_addr, buf, len);
    ...
  }

If linux_nat_target::xfer_partial falls back to inf_ptrace_target with
a pid-ptid, then the ptrace code will do the ptrace call targeting
pid, the leader LWP.  That may fail with ESRCH if the leader is
currently running, or zombie.  That is the case in the scenario in
question, because thread_db is consulted for an event of a non-leader
thread, before we've stopped the whole process.

Fix this by having the ptrace fallback code try to find a stopped LWP
to use with ptrace.

I chose to handle this in the linux-nat target instead of in common
code because (global) memory is a process-wide property, and this
avoids having to teach all the code paths that use
scoped_restore_current_inferior_for_memory to find some stopped thread
to access memory through, which is a ptrace quirk.  That is
effectively what we used to do before we started relying on writable
/proc/pid/mem.  I'd rather not go back there.

To trigger this on modern kernels you have to hack linux-nat.c to
force the ptrace fallback code, like so:

 --- a/gdb/linux-nat.c
 +++ b/gdb/linux-nat.c
 @@ -3921,7 +3921,7 @@ linux_nat_target::xfer_partial (enum target_object object,
	  poke would incorrectly write memory to the post-exec address
	  space, while the core was trying to write to the pre-exec
	  address space.  */
 -      if (proc_mem_file_is_writable ())
 +      if (0 && proc_mem_file_is_writable ())

With that hack, I was able to confirm that the fix fixes hundreds of
testsuite failures.  Compared to a test run with pristine master, the
hack above + this commit's fix shows that some non-stop-related tests
fail, but that is expected, because those are tests that need to write
memory while the program is running.  (I made no effort to temporarily
pause an lwp if no ptrace-stopped lwp is found.)

Change-Id: I24a4f558e248aff7bc7c514a88c698f379f23180
---
 gdb/linux-nat.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 58 insertions(+), 3 deletions(-)

diff --git a/gdb/linux-nat.c b/gdb/linux-nat.c
index 2602e1f240d..d2b9aea724d 100644
--- a/gdb/linux-nat.c
+++ b/gdb/linux-nat.c
@@ -296,6 +296,8 @@ static struct lwp_info *find_lwp_pid (ptid_t ptid);
 
 static int lwp_status_pending_p (struct lwp_info *lp);
 
+static bool is_lwp_marked_dead (lwp_info *lp);
+
 static void save_stop_reason (struct lwp_info *lp);
 
 static bool proc_mem_file_is_writable ();
@@ -1467,9 +1469,7 @@ detach_one_lwp (struct lwp_info *lp, int *signo_p)
 
   /* If the lwp has exited or was terminated due to a signal, there's
      nothing left to do.  */
-  if (lp->waitstatus.kind () == TARGET_WAITKIND_EXITED
-      || lp->waitstatus.kind () == TARGET_WAITKIND_THREAD_EXITED
-      || lp->waitstatus.kind () == TARGET_WAITKIND_SIGNALLED)
+  if (is_lwp_marked_dead (lp))
     {
       linux_nat_debug_printf
 	("Can't detach %s - it has exited or was terminated: %s.",
@@ -2199,6 +2199,21 @@ mark_lwp_dead (lwp_info *lp, int status)
   lp->stopped = 1;
 }
 
+/* Return true if LP is dead, with a pending exit/signalled event.  */
+
+static bool
+is_lwp_marked_dead (lwp_info *lp)
+{
+  switch (lp->waitstatus.kind ())
+    {
+    case TARGET_WAITKIND_EXITED:
+    case TARGET_WAITKIND_THREAD_EXITED:
+    case TARGET_WAITKIND_SIGNALLED:
+      return true;
+    }
+  return false;
+}
+
 /* Wait for LP to stop.  Returns the wait status, or 0 if the LWP has
    exited.  */
 
@@ -3879,6 +3894,20 @@ linux_proc_xfer_memory_partial (int pid, gdb_byte *readbuf,
 				const gdb_byte *writebuf, ULONGEST offset,
 				LONGEST len, ULONGEST *xfered_len);
 
+/* Look for an LWP of PID that we know is ptrace-stopped.  Returns
+   NULL if none is found.  */
+
+static lwp_info *
+find_stopped_lwp (int pid)
+{
+  for (lwp_info *lp : all_lwps ())
+    if (lp->ptid.pid () == pid
+	&& lp->stopped
+	&& !is_lwp_marked_dead (lp))
+      return lp;
+  return nullptr;
+}
+
 enum target_xfer_status
 linux_nat_target::xfer_partial (enum target_object object,
 				const char *annex, gdb_byte *readbuf,
@@ -3925,6 +3954,32 @@ linux_nat_target::xfer_partial (enum target_object object,
 	return linux_proc_xfer_memory_partial (inferior_ptid.pid (), readbuf,
 					       writebuf, offset, len,
 					       xfered_len);
+
+      /* Fallback to ptrace.  This should only really trigger on old
+	 systems.  See "Accessing inferior memory" at the top.
+
+	 The target_xfer interface for memory access uses
+	 inferior_ptid as sideband argument to indicate which process
+	 to access.  Memory access is process-wide, it is not
+	 thread-specific, so inferior_ptid sometimes points at a
+	 process ptid_t.  If we fallback to inf_ptrace_target with
+	 that inferior_ptid, then the ptrace code will do the ptrace
+	 call targeting inferior_ptid.pid(), the leader LWP.  That
+	 may fail with ESRCH if the leader is currently running, or
+	 zombie.  So if we get a pid-ptid, we try to find a stopped
+	 LWP to use with ptrace.
+
+	 Note that inferior_ptid may not exist in the lwp / thread /
+	 inferior lists.  This can happen when we're removing
+	 breakpoints from a fork child that we're not going to stay
+	 attached to.  So if we don't find a stopped LWP, still do the
+	 ptrace call, targeting the inferior_ptid we had on entry.  */
+      scoped_restore save_inferior_ptid = make_scoped_restore (&inferior_ptid);
+      lwp_info *stopped = find_stopped_lwp (inferior_ptid.pid ());
+      if (stopped != nullptr)
+	inferior_ptid = stopped->ptid;
+      return inf_ptrace_target::xfer_partial (object, annex, readbuf, writebuf,
+					      offset, len, xfered_len);
     }
 
   return inf_ptrace_target::xfer_partial (object, annex, readbuf, writebuf,

base-commit: cafca5eaa068eaaa3e3a2ffab356efb4714c2968
-- 
2.43.2



More information about the Gdb-patches mailing list