gdb crash: double free with free_objfile

Mathieu Lacage mathieu.lacage@gmail.com
Fri Feb 5 12:23:00 GMT 2010


Hi,

I have been trying to find a fix to avoid a gdb crash but I am not
sure which direction to follow, so hints would be welcome.

1) the problem

My inferior reports to gdb a linkmap which contains two entries with
the same name (they have different start and end addresses). gdb sees
both entries, creates corresponding duplicate entries in its copy of
the inferior's linkmap and then initializes the objfile field of the two
so_list entries to point to the same struct objfile. Later on, when
these entries disappear from the inferior's linkmap, gdb attempts to
call free_objfile twice on this shared struct objfile from
update_solib_list (solib.c).

2) what could be done

I assume that gdb should be able to deal with this case without
crashing, so I looked at 2 options:
  a. make the duplicate entries point to private duplicates of struct objfile *
  b. make the duplicate entries point to a shared struct objfile and
add refcounting or some means to detect when the struct objfile is
shared.

I could implement a. by removing the for loop at the top of
symbol_add_stub but I suspect that there is a good reason for its
presence and that removing it would create some waste of memory in
other cases, so it's probably not a good idea to do this.

I am not totally sure that b. is correct to do, i.e., I _think_ (but I
am not sure) that the content of struct objfile is not dependent upon
the base address of the corresponding binary, so I _think_ that it
should be safe to reuse the same one between two so_list entries
loaded at different base addresses. Am I wrong? If so, my only option
is a., but the proposed 'fix' described above is probably not good. Is
there anyone with a better suggestion?

Mathieu

--
Mathieu Lacage <mathieu.lacage@gmail.com>
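As an added illustration (not code from this message or from gdb itself), a simplified C model of option b: a reference count on the shared struct objfile so that two so_list entries carrying the same name release it safely instead of freeing it twice. The struct layouts, objfile_ref/objfile_unref, find_or_create_objfile and simulate_duplicate_linkmap are hypothetical stand-ins for gdb's own code, and the link-map scenario is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for gdb's objfile/so_list; refcount is option b's addition. */
struct objfile {
    char name[64];
    int refcount;   /* number of so_list entries sharing this objfile */
};
struct so_list {
    char so_name[64];
    unsigned long addr_low, addr_high;   /* differ between the duplicates */
    struct objfile *objfile;
    struct so_list *next;
};
static int frees_done;   /* real free() calls on objfiles, for checking */
static struct objfile *objfile_ref(struct objfile *o) { o->refcount++; return o; }

/* Option b: drop one owner; free only when the last so_list entry lets go. */
static void objfile_unref(struct objfile *o)
{
    if (o != NULL && --o->refcount == 0) {
        frees_done++;
        free(o);
    }
}
/* Mimics the reuse loop in symbol_add_stub: share the objfile already built
   for a library of the same name instead of building a second one. */
static struct objfile *find_or_create_objfile(struct so_list *head, const char *name)
{
    for (struct so_list *p = head; p != NULL; p = p->next)
        if (p->objfile != NULL && strcmp(p->objfile->name, name) == 0)
            return objfile_ref(p->objfile);
    struct objfile *o = calloc(1, sizeof *o);
    if (o == NULL) abort();
    strncpy(o->name, name, sizeof o->name - 1);
    o->refcount = 1;
    return o;
}
/* Constructed scenario: two same-name entries at different addresses appear, then vanish. */
int simulate_duplicate_linkmap(void)
{
    frees_done = 0;
    struct so_list b = { "libdup.so", 0x20000, 0x2ffff, NULL, NULL };
    struct so_list a = { "libdup.so", 0x10000, 0x1ffff, NULL, &b };
    a.objfile = find_or_create_objfile(&a, a.so_name);
    b.objfile = find_or_create_objfile(&a, b.so_name);   /* shares a's objfile */
    objfile_unref(a.objfile);   /* as update_solib_list would, once per entry */
    objfile_unref(b.objfile);   /* second release: the only real free */
    return frees_done;          /* returns 1 */
}
```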
