This is the mail archive of the gdb-testers@sourceware.org mailing list for the GDB project.
[binutils-gdb] Remove dwarf2_per_objfile_free and use after free of dwarf2_per_objfile
- From: sergiodj+buildbot at sergiodj dot net
- To: gdb-testers at sourceware dot org
- Date: Sun, 28 Jan 2018 12:24:23 -0500
- Subject: [binutils-gdb] Remove dwarf2_per_objfile_free and use after free of dwarf2_per_objfile
- Authentication-results: sourceware.org; auth=none
*** TEST RESULTS FOR COMMIT fc8e7e75c2be02237a7961688b06869814f36a18 ***
Author: Simon Marchi <simon.marchi@ericsson.com>
Branch: master
Commit: fc8e7e75c2be02237a7961688b06869814f36a18
Remove dwarf2_per_objfile_free and use after free of dwarf2_per_objfile
I got some crashes while doing some work with dwarf2_per_objfile. It
turns out that dwarf2_per_objfile_free is using the dwarf2_per_objfile
objects after their destructor has run.
The easiest way to reproduce this is to run the inferior twice (do
"start" twice). Currently, it goes unnoticed, but when I tried to
change all_comp_units and all_type_units to std::vectors, things started
crashing.
The dwarf2_per_objfile objects get destroyed here:
#0 dwarf2_per_objfile::~dwarf2_per_objfile (this=0x35afe70, __in_chrg=<optimized out>) at /home/emaisin/src/binutils-gdb/gdb/dwarf2read.c:2422
#1 0x0000000000833282 in dwarf2_free_objfile (objfile=0x356cff0) at /home/emaisin/src/binutils-gdb/gdb/dwarf2read.c:25363
#2 0x0000000000699255 in elf_symfile_finish (objfile=0x356cff0) at /home/emaisin/src/binutils-gdb/gdb/elfread.c:1309
#3 0x0000000000911ed3 in objfile::~objfile (this=0x356cff0, __in_chrg=<optimized out>) at /home/emaisin/src/binutils-gdb/gdb/objfiles.c:674
and just after that the dwarf2read per-objfile registry cleanup function
gets called:
#0 dwarf2_per_objfile_free (objfile=0x356cff0, d=0x35afe70) at /home/emaisin/src/binutils-gdb/gdb/dwarf2read.c:25667
... registry boilerplate ...
#4 0x00000000009103ea in objfile_free_data (container=0x356cff0) at /home/emaisin/src/binutils-gdb/gdb/objfiles.c:61
#5 0x0000000000911ee2 in objfile::~objfile (this=0x356cff0, __in_chrg=<optimized out>) at /home/emaisin/src/binutils-gdb/gdb/objfiles.c:678
In dwarf2_per_objfile_free, we access fields of the dwarf2_per_objfile
object, which is invalid since its destructor has been executed.
This patch moves the content of dwarf2_per_objfile_free to the
destructor of dwarf2_per_objfile. The call to
register_objfile_data_with_cleanup in _initialize_dwarf2_read can be
changed to the simpler register_objfile_data.
gdb/ChangeLog:
* dwarf2read.c (free_dwo_files): Add forward-declaration.
(dwarf2_per_objfile::~dwarf2_per_objfile): Move content from
dwarf2_per_objfile_free here.
(dwarf2_per_objfile_free): Remove.
(_initialize_dwarf2_read): Don't register
dwarf2_per_objfile_free as a registry cleanup.
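The ordering problem in the backtraces above, reduced to a stand-alone model. This is an added example and not GDB code: the registry slot, the objfile and the callback signatures are simplified assumptions that only mirror the names in the commit. objfile's destructor runs the symfile "finish" hook first (which destroys the per-objfile object) and the registry cleanups afterwards, so a cleanup registered for the same slot is handed a pointer to a dead object. A set of live addresses stands in for a sanitizer so the model never dereferences freed memory; `teardown(true)` reproduces the bug, `teardown(false)` models the fix of doing the work in the destructor and registering the slot without a cleanup.

```cpp
// Added example (not GDB code): reduced model of objfile teardown ordering.
// The registry, objfile and callback shapes here are assumptions.
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <vector>

static std::set<const void*> g_live;    // lifetime tracker, standing in for ASan
static std::vector<std::string> g_log;  // teardown events, in order

struct dwarf2_per_objfile {
  std::vector<int> dwo_files{7, 8};     // stand-in for the DWO file list
  dwarf2_per_objfile() { g_live.insert(this); }
  // After the fix, the old cleanup body lives here, owned by the destructor.
  ~dwarf2_per_objfile() {
    free_dwo_files();
    g_live.erase(this);
    g_log.push_back("~dwarf2_per_objfile");
  }
  void free_dwo_files() {
    dwo_files.clear();
    g_log.push_back("free_dwo_files");
  }
};

// Minimal objfile with one registry slot: data plus an optional cleanup
// (register_objfile_data_with_cleanup vs. plain register_objfile_data).
struct objfile {
  void* dwarf_data = nullptr;
  std::function<void(objfile*, void*)> dwarf_cleanup;   // empty after the fix
  std::function<void(objfile*)> symfile_finish;         // elf_symfile_finish
  ~objfile() {
    if (symfile_finish) symfile_finish(this);           // objfiles.c:674 in the trace
    if (dwarf_cleanup) dwarf_cleanup(this, dwarf_data); // objfiles.c:678 in the trace
  }
};

// dwarf2_free_objfile: runs from the finish hook and destroys the object.
static void dwarf2_free_objfile(objfile* o) {
  delete static_cast<dwarf2_per_objfile*>(o->dwarf_data);
}

// The removed registry cleanup. It only compares the pointer value against
// the tracker, so the model stays well defined even on the buggy path.
static void dwarf2_per_objfile_free(objfile*, void* d) {
  auto* per = static_cast<dwarf2_per_objfile*>(d);
  if (g_live.count(per) == 0) {
    g_log.push_back("dwarf2_per_objfile_free: use after free");
    return;
  }
  per->free_dwo_files();
}

// One objfile lifetime; returns the events observed during teardown.
// with_registry_cleanup = true reproduces the bug, false models the fix.
std::vector<std::string> teardown(bool with_registry_cleanup) {
  g_log.clear();
  {
    objfile o;
    o.dwarf_data = new dwarf2_per_objfile;
    o.symfile_finish = dwarf2_free_objfile;
    if (with_registry_cleanup)
      o.dwarf_cleanup = dwarf2_per_objfile_free;
  }
  return g_log;
}

int main() {
  for (bool buggy : {true, false}) {
    std::printf("%s:\n", buggy ? "with registry cleanup" : "destructor only");
    for (const auto& e : teardown(buggy)) std::printf("  %s\n", e.c_str());
  }
  return 0;
}
```

With the cleanup registered, the last event is the cleanup running on an address that is no longer live; without it, the destructor is the final step and nothing touches the object afterwards, which is the shape the patch moves the code into.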
- Follow-Ups:
- Failures on Debian-s390x-m64, branch master
- Failures on Fedora-x86_64-native-gdbserver-m32, branch master
- Failures on Ubuntu-AArch32-native-extended-gdbserver-m32, branch master
- Failures on Ubuntu-AArch64-native-gdbserver-m64, branch master
- Failures on Fedora-x86_64-native-extended-gdbserver-m32, branch master
- Failures on Ubuntu-AArch32-native-gdbserver-m32, branch master
- Failures on Fedora-x86_64-native-extended-gdbserver-m64, branch master
- Failures on Fedora-x86_64-native-gdbserver-m64, branch master
- Failures on Fedora-x86_64-m64, branch master
- Failures on Ubuntu-AArch64-m64, branch master
- Failures on Debian-s390x-native-gdbserver-m64, branch master
- Failures on Ubuntu-AArch32-m32, branch master