This is the mail archive of the
gdb-prs@sourceware.org
mailing list for the GDB project.
[Bug gdb/22404] New: read after free in dwarf2read.c
- From: "qiyao at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: gdb-prs at sourceware dot org
- Date: Mon, 06 Nov 2017 17:08:27 +0000
- Subject: [Bug gdb/22404] New: read after free in dwarf2read.c
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22404
Bug ID: 22404
Summary: read after free in dwarf2read.c
Product: gdb
Version: HEAD
Status: NEW
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: qiyao at gcc dot gnu.org
Target Milestone: ---
$ valgrind ./gdb ./testsuite/outputs/gdb.dwarf2/dw2-bad-parameter-type/dw2-bad-parameter-type
(gdb) ptype f
==5804== Invalid read of size 1
==5804== at 0x57696E: ~process_die_scope (dwarf2read.c:8537)
==5804== by 0x57696E: process_die(die_info*, dwarf2_cu*) (dwarf2read.c:8559)
==5804== by 0x575F48: read_file_scope (dwarf2read.c:9539)
==5804== by 0x575F48: process_die(die_info*, dwarf2_cu*) (dwarf2read.c:8567)
==5804== by 0x5784BF: process_full_comp_unit (dwarf2read.c:8337)
==5804== by 0x5784BF: process_queue (dwarf2read.c:7828)
==5804== by 0x5784BF: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2931)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804== by 0x647423: lookup_symbol_aux (symtab.c:2024)
==5804== by 0x647423: lookup_symbol_in_language(char const*, block const*,
domain_enum_tag, language, field_of_this_result*) (symtab.c:1819)
==5804== by 0x6474B5: lookup_symbol(char const*, block const*,
domain_enum_tag, field_of_this_result*) (symtab.c:1831)
==5804== by 0x4B12BC: classify_name(parser_state*, block const*, int)
(c-exp.y:2892)
==5804== by 0x4B3B39: c_yylex (c-exp.y:3092)
==5804== by 0x4B3B39: c_yyparse() (c-exp.c:1903)
==5804== Address 0x62a1233 is 291 bytes inside a block of size 4,064 free'd
==5804== at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x777B43: _obstack_free (obstack.c:280)
==5804== by 0x556BCA: free_heap_comp_unit(void*) (dwarf2read.c:22844)
==5804== by 0x556C66: free_one_cached_comp_unit(dwarf2_per_cu_data*)
(dwarf2read.c:22929)
==5804== by 0x556CBF: dwarf2_release_queue(void*) (dwarf2read.c:7865)
==5804== by 0x523445: do_my_cleanups(cleanup**, cleanup*) (cleanups.c:154)
==5804== by 0x528A6D: throw_exception_cxx(gdb_exception)
(common-exceptions.c:289)
==5804== by 0x528B54: throw_exception (common-exceptions.c:317)
==5804== by 0x528B54: throw_it(return_reason, errors, char const*,
__va_list_tag*) (common-exceptions.c:373)
==5804== by 0x528D95: throw_verror(errors, char const*, __va_list_tag*)
(common-exceptions.c:379)
==5804== by 0x673EC3: verror(char const*, __va_list_tag*) (utils.c:249)
==5804== by 0x57DAA8: error(char const*, ...) (errors.c:43)
==5804== by 0x567365: follow_die_ref(die_info*, attribute const*,
dwarf2_cu**) [clone .isra.251] (dwarf2read.c:20728)
==5804== Block was alloc'd at
==5804== at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x528FB7: xmalloc (common-utils.c:44)
==5804== by 0x777907: _obstack_begin_worker (obstack.c:141)
==5804== by 0x5669FF: init_cutu_and_read_dies(dwarf2_per_cu_data*,
abbrev_table*, int, int, void (*)(die_reader_specs const*, unsigned char
const*, die_info*, int, void*), void*) (dwarf2read.c:5733)
==5804== by 0x567119: load_full_comp_unit(dwarf2_per_cu_data*, language)
(dwarf2read.c:7991)
==5804== by 0x569761: load_cu(dwarf2_per_cu_data*) (dwarf2read.c:2889)
==5804== by 0x578383: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2916)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804==
==5804== Invalid read of size 8
==5804== at 0x576973: ~process_die_scope (dwarf2read.c:8541)
==5804== by 0x576973: process_die(die_info*, dwarf2_cu*) (dwarf2read.c:8559)
==5804== by 0x575F48: read_file_scope (dwarf2read.c:9539)
==5804== by 0x575F48: process_die(die_info*, dwarf2_cu*) (dwarf2read.c:8567)
==5804== by 0x5784BF: process_full_comp_unit (dwarf2read.c:8337)
==5804== by 0x5784BF: process_queue (dwarf2read.c:7828)
==5804== by 0x5784BF: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2931)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804== by 0x647423: lookup_symbol_aux (symtab.c:2024)
==5804== by 0x647423: lookup_symbol_in_language(char const*, block const*,
domain_enum_tag, language, field_of_this_result*) (symtab.c:1819)
==5804== by 0x6474B5: lookup_symbol(char const*, block const*,
domain_enum_tag, field_of_this_result*) (symtab.c:1831)
==5804== by 0x4B12BC: classify_name(parser_state*, block const*, int)
(c-exp.y:2892)
==5804== by 0x4B3B39: c_yylex (c-exp.y:3092)
==5804== by 0x4B3B39: c_yyparse() (c-exp.c:1903)
==5804== Address 0x62a1090 is 256 bytes inside a block of size 312 free'd
==5804== at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x556C66: free_one_cached_comp_unit(dwarf2_per_cu_data*)
(dwarf2read.c:22929)
==5804== by 0x556CBF: dwarf2_release_queue(void*) (dwarf2read.c:7865)
==5804== by 0x523445: do_my_cleanups(cleanup**, cleanup*) (cleanups.c:154)
==5804== by 0x528A6D: throw_exception_cxx(gdb_exception)
(common-exceptions.c:289)
==5804== by 0x528B54: throw_exception (common-exceptions.c:317)
==5804== by 0x528B54: throw_it(return_reason, errors, char const*,
__va_list_tag*) (common-exceptions.c:373)
==5804== by 0x528D95: throw_verror(errors, char const*, __va_list_tag*)
(common-exceptions.c:379)
==5804== by 0x673EC3: verror(char const*, __va_list_tag*) (utils.c:249)
==5804== by 0x57DAA8: error(char const*, ...) (errors.c:43)
==5804== by 0x567365: follow_die_ref(die_info*, attribute const*,
dwarf2_cu**) [clone .isra.251] (dwarf2read.c:20728)
==5804== by 0x56D738: lookup_die_type(die_info*, attribute const*,
dwarf2_cu*) (dwarf2read.c:19743)
==5804== by 0x56CF19: read_subroutine_type (dwarf2read.c:15083)
==5804== by 0x56CF19: read_type_die_1 (dwarf2read.c:19802)
==5804== by 0x56CF19: read_type_die(die_info*, dwarf2_cu*)
(dwarf2read.c:19777)
==5804== Block was alloc'd at
==5804== at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x528FB7: xmalloc (common-utils.c:44)
==5804== by 0x5669F1: init_cutu_and_read_dies(dwarf2_per_cu_data*,
abbrev_table*, int, int, void (*)(die_reader_specs const*, unsigned char
const*, die_info*, int, void*), void*) (dwarf2read.c:5732)
==5804== by 0x567119: load_full_comp_unit(dwarf2_per_cu_data*, language)
(dwarf2read.c:7991)
==5804== by 0x569761: load_cu(dwarf2_per_cu_data*) (dwarf2read.c:2889)
==5804== by 0x578383: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2916)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804== by 0x647423: lookup_symbol_aux (symtab.c:2024)
==5804== by 0x647423: lookup_symbol_in_language(char const*, block const*,
domain_enum_tag, language, field_of_this_result*) (symtab.c:1819)
==5804==
==5804== Invalid read of size 1
==5804== at 0x57696E: ~process_die_scope (dwarf2read.c:8537)
==5804== by 0x57696E: process_die(die_info*, dwarf2_cu*) (dwarf2read.c:8559)
==5804== by 0x5784BF: process_full_comp_unit (dwarf2read.c:8337)
==5804== by 0x5784BF: process_queue (dwarf2read.c:7828)
==5804== by 0x5784BF: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2931)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804== by 0x647423: lookup_symbol_aux (symtab.c:2024)
==5804== by 0x647423: lookup_symbol_in_language(char const*, block const*,
domain_enum_tag, language, field_of_this_result*) (symtab.c:1819)
==5804== by 0x6474B5: lookup_symbol(char const*, block const*,
domain_enum_tag, field_of_this_result*) (symtab.c:1831)
==5804== by 0x4B12BC: classify_name(parser_state*, block const*, int)
(c-exp.y:2892)
==5804== by 0x4B3B39: c_yylex (c-exp.y:3092)
==5804== by 0x4B3B39: c_yyparse() (c-exp.c:1903)
==5804== by 0x4B6A52: c_parse(parser_state*) (c-exp.y:3264)
==5804== Address 0x62a1123 is 19 bytes inside a block of size 4,064 free'd
==5804== at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x777B43: _obstack_free (obstack.c:280)
==5804== by 0x556BCA: free_heap_comp_unit(void*) (dwarf2read.c:22844)
==5804== by 0x556C66: free_one_cached_comp_unit(dwarf2_per_cu_data*)
(dwarf2read.c:22929)
==5804== by 0x556CBF: dwarf2_release_queue(void*) (dwarf2read.c:7865)
==5804== by 0x523445: do_my_cleanups(cleanup**, cleanup*) (cleanups.c:154)
==5804== by 0x528A6D: throw_exception_cxx(gdb_exception)
(common-exceptions.c:289)
==5804== by 0x528B54: throw_exception (common-exceptions.c:317)
==5804== by 0x528B54: throw_it(return_reason, errors, char const*,
__va_list_tag*) (common-exceptions.c:373)
==5804== by 0x528D95: throw_verror(errors, char const*, __va_list_tag*)
(common-exceptions.c:379)
==5804== by 0x673EC3: verror(char const*, __va_list_tag*) (utils.c:249)
==5804== by 0x57DAA8: error(char const*, ...) (errors.c:43)
==5804== by 0x567365: follow_die_ref(die_info*, attribute const*,
dwarf2_cu**) [clone .isra.251] (dwarf2read.c:20728)
==5804== Block was alloc'd at
==5804== at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x528FB7: xmalloc (common-utils.c:44)
==5804== by 0x777907: _obstack_begin_worker (obstack.c:141)
==5804== by 0x5669FF: init_cutu_and_read_dies(dwarf2_per_cu_data*,
abbrev_table*, int, int, void (*)(die_reader_specs const*, unsigned char
const*, die_info*, int, void*), void*) (dwarf2read.c:5733)
==5804== by 0x567119: load_full_comp_unit(dwarf2_per_cu_data*, language)
(dwarf2read.c:7991)
==5804== by 0x569761: load_cu(dwarf2_per_cu_data*) (dwarf2read.c:2889)
==5804== by 0x578383: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2916)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804==
==5804== Invalid read of size 8
==5804== at 0x576973: ~process_die_scope (dwarf2read.c:8541)
==5804== by 0x576973: process_die(die_info*, dwarf2_cu*) (dwarf2read.c:8559)
==5804== by 0x5784BF: process_full_comp_unit (dwarf2read.c:8337)
==5804== by 0x5784BF: process_queue (dwarf2read.c:7828)
==5804== by 0x5784BF: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2931)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804== by 0x647423: lookup_symbol_aux (symtab.c:2024)
==5804== by 0x647423: lookup_symbol_in_language(char const*, block const*,
domain_enum_tag, language, field_of_this_result*) (symtab.c:1819)
==5804== by 0x6474B5: lookup_symbol(char const*, block const*,
domain_enum_tag, field_of_this_result*) (symtab.c:1831)
==5804== by 0x4B12BC: classify_name(parser_state*, block const*, int)
(c-exp.y:2892)
==5804== by 0x4B3B39: c_yylex (c-exp.y:3092)
==5804== by 0x4B3B39: c_yyparse() (c-exp.c:1903)
==5804== by 0x4B6A52: c_parse(parser_state*) (c-exp.y:3264)
==5804== Address 0x62a1090 is 256 bytes inside a block of size 312 free'd
==5804== at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x556C66: free_one_cached_comp_unit(dwarf2_per_cu_data*)
(dwarf2read.c:22929)
==5804== by 0x556CBF: dwarf2_release_queue(void*) (dwarf2read.c:7865)
==5804== by 0x523445: do_my_cleanups(cleanup**, cleanup*) (cleanups.c:154)
==5804== by 0x528A6D: throw_exception_cxx(gdb_exception)
(common-exceptions.c:289)
==5804== by 0x528B54: throw_exception (common-exceptions.c:317)
==5804== by 0x528B54: throw_it(return_reason, errors, char const*,
__va_list_tag*) (common-exceptions.c:373)
==5804== by 0x528D95: throw_verror(errors, char const*, __va_list_tag*)
(common-exceptions.c:379)
==5804== by 0x673EC3: verror(char const*, __va_list_tag*) (utils.c:249)
==5804== by 0x57DAA8: error(char const*, ...) (errors.c:43)
==5804== by 0x567365: follow_die_ref(die_info*, attribute const*,
dwarf2_cu**) [clone .isra.251] (dwarf2read.c:20728)
==5804== by 0x56D738: lookup_die_type(die_info*, attribute const*,
dwarf2_cu*) (dwarf2read.c:19743)
==5804== by 0x56CF19: read_subroutine_type (dwarf2read.c:15083)
==5804== by 0x56CF19: read_type_die_1 (dwarf2read.c:19802)
==5804== by 0x56CF19: read_type_die(die_info*, dwarf2_cu*)
(dwarf2read.c:19777)
==5804== Block was alloc'd at
==5804== at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5804== by 0x528FB7: xmalloc (common-utils.c:44)
==5804== by 0x5669F1: init_cutu_and_read_dies(dwarf2_per_cu_data*,
abbrev_table*, int, int, void (*)(die_reader_specs const*, unsigned char
const*, die_info*, int, void*), void*) (dwarf2read.c:5732)
==5804== by 0x567119: load_full_comp_unit(dwarf2_per_cu_data*, language)
(dwarf2read.c:7991)
==5804== by 0x569761: load_cu(dwarf2_per_cu_data*) (dwarf2read.c:2889)
==5804== by 0x578383: dw2_do_instantiate_symtab(dwarf2_per_cu_data*)
(dwarf2read.c:2916)
==5804== by 0x579665: dwarf2_read_symtab(partial_symtab*, objfile*)
(dwarf2read.c:7694)
==5804== by 0x60A816: psymtab_to_symtab(objfile*, partial_symtab*)
(psymtab.c:768)
==5804== by 0x60CF20: psym_lookup_symbol(objfile*, int, char const*,
domain_enum_tag) (psymtab.c:519)
==5804== by 0x64670B: lookup_symbol_via_quick_fns (symtab.c:2299)
==5804== by 0x64670B: lookup_symbol_in_objfile(objfile*, int, char const*,
domain_enum_tag) (symtab.c:2471)
==5804== by 0x647049: lookup_static_symbol(char const*, domain_enum_tag)
(symtab.c:2508)
==5804== by 0x647423: lookup_symbol_aux (symtab.c:2024)
==5804== by 0x647423: lookup_symbol_in_language(char const*, block const*,
domain_enum_tag, language, field_of_this_result*) (symtab.c:1819)
==5804==
Dwarf Error: Cannot find DIE at 0x0 referenced from DIE at 0x29 [in module /home/yao.qi/SourceCode/gnu/build-without-python-guile/gdb/testsuite/outputs/gdb.dwarf2/dw2-bad-parameter-type/dw2-bad-parameter-type]