gdb/2129: data moved into char array corrupts DWARF expression


gdb/2129: data moved into char array corrupts DWARF expression

stephen.branch

>Number:         2129
>Category:       gdb
>Synopsis:       data moved into char array corrupts DWARF expression
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 25 17:08:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Steve Branch
>Release:        GNU gdb Red Hat Linux (6.3.0.0-1.96rh)
>Organization:
>Environment:
uname -a
Linux nggf460test2 2.6.9-34.ELlargesmp #1 SMP Fri Feb 24 17:06:55 EST 2006 x86_64 x86_64 x86_64 GNU/Linux

gcc -v
Reading specs from /usr/lib/gcc/x86_64-redhat-linux/3.4.5/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=x86_64-redhat-linux
Thread model: posix
gcc version 3.4.5 20051201 (Red Hat 3.4.5-2)

This GDB was configured as "x86_64-redhat-linux-gnu"
>Description:
On return from a function that returns a string address in a provided char ** on input, the code does a strncpy to move the result into an 8 byte character array.  Upon completion of the strncpy, the display of the destination variable is disabled.  Examination of code seems to indicate that the move was successful.

Trace data (notice that the move appears to have taken place)

653                     strncpy(Bcet,StringArea,sizeof(Bcet));
1: StringArea = 0xf8d3848 "00000000"
(gdb) display Bcet
3: Bcet = "4F1\000øfp\021"
(gdb) display &Bcet
4: &Bcet = (char (*)[8]) 0xfeef522c
(gdb) x/20c 0xf8d3848
0xf8d3848 <bcet_prologStringArea1>:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
0xf8d3850 <bcet_prologStringArea1+8>:   0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'
0xf8d3858 <bcet_prologStringArea1+16>:  0 '\0'  0 '\0'  0 '\0'  0 '\0'
(gdb) x/20c 0xfeef522c
0xfeef522c:     52 '4'  70 'F'  49 '1'  0 '\0'  -8 'ø'  102 'f' 112 'p' 17 '\021'
0xfeef5234:     12 '\f' 0 '\0'  0 '\0'  0 '\0'  1 '\001'        0 '\0'  -1 'ÿ'  -1 'ÿ'
0xfeef523c:     0 '\0'  0 '\0'  0 '\0'  0 '\0'
(gdb) next
654                     c_get_supplier_code(FarePtr,&StringArea);
4: &Bcet = dwarf2_read_address: Corrupted DWARF expression.
Disabling display 4 to avoid infinite recursion.
(gdb) x/20c 0xf8d3848
0xf8d3848 <bcet_prologStringArea1>:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
0xf8d3850 <bcet_prologStringArea1+8>:   0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'
0xf8d3858 <bcet_prologStringArea1+16>:  0 '\0'  0 '\0'  0 '\0'  0 '\0'
(gdb) x/20c 0xfeef522c
0xfeef522c:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
0xfeef5234:     12 '\f' 0 '\0'  0 '\0'  0 '\0'  1 '\001'        0 '\0'  -1 'ÿ'  -1 'ÿ'
0xfeef523c:     0 '\0'  0 '\0'  0 '\0'  0 '\0'


Code in table999.prolog.c: (code being traced)

    593 char Bcet[8];
    594 char R6Bcet[8];
    595 char Supplier[5];
    596 char RuleNum[4];
    597 char FareTariff[3];
    598 char const *StringArea;

    652                 c_get_record1_v02_bcet(R1Ptr,R1SegNbr,&StringArea);
    653                 strncpy(Bcet,StringArea,sizeof(Bcet));        <- causes corruption of DWARF
    654                 c_get_supplier_code(FarePtr,&StringArea);
    655                 strncpy(Supplier,StringArea,sizeof(Supplier));

Code in record1.v02.prolog.c:

     60 char bcet_prologStringArea1[20];
     61 static char prologStringArea1[20];
     62 static char prologStringArea2[20];
     63 static char prologStringArea3[20];
     64 static char prologStringArea4[20];
     65 static char prologStringArea5[20];


    296 void c_get_record1_v02_bcet(struct R1Table *r1tp,
    297                             long segnbr,
    298                             char const **bcetOut)
    299 {
    300 char *bcet = bcet_prologStringArea1; <-- originally the static copy (prologStringArea1),  this did not make a difference.
    301 struct record1_V02 *r1;
    302
    303         *bcetOut = bcet_prologStringArea1;
    304         memset(bcet_prologStringArea1,0,sizeof(bcet_prologStringArea1));
    305
    306         r1 = r1tp->R1;
    307         memcpy(bcet,r1->rec1.segment[segnbr].rbdtblno,sizeof(r1->rec1.segment[segnbr].rbdtblno));
    308         stripTrailingBlanks(bcet_prologStringArea1);
    309 }
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
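As an added example (not code from the PR or the project it describes), the copy at line 653 is reproduced with the page's sizes (char Bcet[8], a 20-byte string area) and the constructed 8-character source "00000000" the trace shows, beside a bounded copy that always writes a terminator. It only shows what the memory dump reflects, that strncpy with sizeof(dst) leaves no NUL when the source fills the buffer; whether that relates to the DWARF error is a separate question the thread leaves open.

```c
#include <stdio.h>
#include <string.h>

#define BCET_LEN 8   /* sizeof(Bcet) in table999.prolog.c */
#define AREA_LEN 20  /* sizeof(bcet_prologStringArea1) */

/* Returns 1 if buf[0..len) contains a NUL byte, i.e. can be read as a C string. */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The pattern at line 653: strncpy(Bcet, StringArea, sizeof(Bcet)).
 * Copies exactly dstsz bytes; when strlen(src) >= dstsz no terminator is
 * written, so a later "%s" read of dst runs past it into the next variable. */
void copy_like_line_653(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
}

/* Bounded copy that always terminates: at most dstsz-1 characters plus NUL.
 * Returns 1 when the source had to be truncated, 0 otherwise. */
int copy_terminated(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    size_t keep = n < dstsz - 1 ? n : dstsz - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return n > keep;
}

int main(void)
{
    /* Constructed stand-in for bcet_prologStringArea1 after memset + memcpy. */
    char area[AREA_LEN];
    memset(area, 0, sizeof area);
    memcpy(area, "00000000", 8);

    char bcet[BCET_LEN];
    copy_like_line_653(bcet, sizeof bcet, area);
    printf("line-653 copy terminated: %d\n", is_terminated(bcet, sizeof bcet));

    int truncated = copy_terminated(bcet, sizeof bcet, area);
    printf("bounded copy: \"%s\" truncated=%d\n", bcet, truncated);
    return 0;
}
```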

Re: gdb/2129: data moved into char array corrupts DWARF expression

Daniel Jacobowitz-2
The following reply was made to PR gdb/2129; it has been noted by GNATS.

From: Daniel Jacobowitz <[hidden email]>
To: [hidden email]
Cc: [hidden email]
Subject: Re: gdb/2129: data moved into char array corrupts DWARF expression
Date: Thu, 25 May 2006 13:13:18 -0400

 On Thu, May 25, 2006 at 05:01:55PM -0000, [hidden email] wrote:
 > 4: &Bcet = dwarf2_read_address: Corrupted DWARF expression.
 > Disabling display 4 to avoid infinite recursion.
 
 Can you supply the object file for table999.prolog.c, or even better, a
 fully linked executable that shows the problem?  Exactly
 reproducing this sort of problem can depend on everything from the
 compiler being used to the command line options; we need to work out if
 the debug info is bad or if gdb is confused.
 
 > (gdb) x/20c 0xf8d3848
 > 0xf8d3848 <bcet_prologStringArea1>:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
 > 0xf8d3850 <bcet_prologStringArea1+8>:   0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'
 > 0xf8d3858 <bcet_prologStringArea1+16>:  0 '\0'  0 '\0'  0 '\0'  0 '\0'
 > (gdb) x/20c 0xfeef522c
 > 0xfeef522c:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
 > 0xfeef5234:     12 '\f' 0 '\0'  0 '\0'  0 '\0'  1 '\001'        0 '\0'  -1 'ÿ'  -1 'ÿ'
 > 0xfeef523c:     0 '\0'  0 '\0'  0 '\0'  0 '\0'
 >
 >
 > Code in table999.prolog.c: (code being traced)
 >
 >     593 char Bcet[8];
 >     594 char R6Bcet[8];
 >     595 char Supplier[5];
 >     596 char RuleNum[4];
 >     597 char FareTariff[3];
 >     598 char const *StringArea;
 >
 >     652                 c_get_record1_v02_bcet(R1Ptr,R1SegNbr,&StringArea);
 >     653                 strncpy(Bcet,StringArea,sizeof(Bcet));        <- causes corruption of DWARF
 >     654                 c_get_supplier_code(FarePtr,&StringArea);
 >     655                 strncpy(Supplier,StringArea,sizeof(Supplier));
 >
 > Code in record1.v02.prolog.c:
 >
 >      60 char bcet_prologStringArea1[20];
 >      61 static char prologStringArea1[20];
 >      62 static char prologStringArea2[20];
 >      63 static char prologStringArea3[20];
 >      64 static char prologStringArea4[20];
 >      65 static char prologStringArea5[20];
 >
 >
 >     296 void c_get_record1_v02_bcet(struct R1Table *r1tp,
 >     297                             long segnbr,
 >     298                             char const **bcetOut)
 >     299 {
 >     300 char *bcet = bcet_prologStringArea1; <-- originally the static copy (prologStringArea1),  this did not make a difference.
 >     301 struct record1_V02 *r1;
 >     302
 >     303         *bcetOut = bcet_prologStringArea1;
 >     304         memset(bcet_prologStringArea1,0,sizeof(bcet_prologStringArea1));
 >     305
 >     306         r1 = r1tp->R1;
 >     307         memcpy(bcet,r1->rec1.segment[segnbr].rbdtblno,sizeof(r1->rec1.segment[segnbr].rbdtblno));
 >     308         stripTrailingBlanks(bcet_prologStringArea1);
 >     309 }
 > >How-To-Repeat:
 >
 > >Fix:
 >
 > >Release-Note:
 > >Audit-Trail:
 > >Unformatted:
 >
 
 --
 Daniel Jacobowitz
 CodeSourcery