This is the mail archive of the gdb-prs@sources.redhat.com mailing list for the GDB project.



varobj/1873: -var-create on invalid expression causes seg. fault


>Number:         1873
>Category:       varobj
>Synopsis:       -var-create on invalid expression causes seg. fault
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 19 00:58:00 UTC 2005
>Closed-Date:
>Last-Modified:
>Originator:     ross@tensilica.com
>Release:        5.2.1
>Organization:
>Environment:
Linux RH 7.3
>Description:
-var-create on an expression that's invalid (e.g. "(*1)")
creates a variable and retains a ptr in var->value. That
gets freed by free_all_values() next command. Later a 
-var-update or -var-evaluate-expression on that variable
dereferences the freed memory, causing a seg. fault.

Here's the relevant code snippet from varobj_create():

  /* We definitively need to catch errors here.
     If evaluate_expression succeeds we got the value we wanted.
     But if it fails, we still go on with a call to evaluate_type()  */
  if (gdb_evaluate_expression (var->root->exp, &var->value))
    {
      /* no error */
      release_value (var->value);
      if (VALUE_LAZY (var->value))
        gdb_value_fetch_lazy (var->value);
    }
  else
    var->value = evaluate_type (var->root->exp);

  var->type = VALUE_TYPE (var->value);

gdb_evaluate_expression() fails, and GDB goes on to 
evaluate_type(). I don't think simply clearing var->value
is correct. Maybe release_value()? I don't have the time 
to acquire enough knowledge of GDB varobj.

I looked at the GDB 6.3 source and it seems to be the same.

Now why would anyone try to evaluate *1? It's some tool that
uses MI, one of our customers reported. I'm not clear on why
GDB even creates the variable in this case, but it does.
GDB should report an error, not crash.
>How-To-Repeat:
gdb -i=mi foo

-break-insert main
-exec-run
-var-create - * (*1)
-var-evaluate-expression var1
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
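As an added example that is not part of the bug report or of GDB's source: a miniature C model of the value-ownership rule behind the report. In GDB, values allocated while a command runs sit on a chain (all_values); free_all_values() frees whatever is still on that chain when the command ends, and release_value() unlinks a value so the caller owns it beyond the command. The function names mirror GDB's, but the bodies are simplified stand-ins, the "(*1)" failure is simulated, the model marks values freed instead of calling free() so the stale pointer can be inspected safely, and the fixed variant assumes the release_value() approach the reporter suggests rather than whatever GDB eventually did.

```c
#include <stdlib.h>
#include <string.h>

/* A value on the chain.  The model marks values freed instead of calling
   free(), so a stale pointer can be inspected without undefined behaviour. */
struct value { struct value *next; long contents; int freed; };
struct varobj { const char *expr; struct value *value; };

static struct value *all_values;   /* values the current command still owns */

static struct value *allocate_value(long contents)
{
  struct value *v = calloc(1, sizeof *v);
  v->contents = contents;
  v->next = all_values;            /* every new value starts on the chain */
  all_values = v;
  return v;
}

/* Unlink VAL from the chain so free_all_values() leaves it alone;
   the caller now owns it. */
static void release_value(struct value *val)
{
  struct value **p;
  for (p = &all_values; *p != NULL; p = &(*p)->next)
    if (*p == val) {
      *p = val->next;
      val->next = NULL;
      return;
    }
}

/* End-of-command cleanup: "free" everything still on the chain. */
static void free_all_values(void)
{
  struct value *v;
  for (v = all_values; v != NULL; v = v->next)
    v->freed = 1;                  /* GDB's version frees the memory here */
  all_values = NULL;
}

/* Stand-in for gdb_evaluate_expression: "(*1)" fails without a value. */
static int gdb_evaluate_expression(const char *expr, struct value **out)
{
  if (strcmp(expr, "(*1)") == 0)
    return 0;
  *out = allocate_value(42);       /* constructed sample result */
  return 1;
}

/* Stand-in for evaluate_type: a chained value carrying only type info. */
static struct value *evaluate_type(const char *expr)
{
  (void) expr;
  return allocate_value(0);
}

/* Mirrors the snippet in the report: only the success path releases. */
static void varobj_create_buggy(struct varobj *var)
{
  if (gdb_evaluate_expression(var->expr, &var->value))
    release_value(var->value);
  else
    var->value = evaluate_type(var->expr);
}

/* Ownership rule applied on both paths, using the release_value() the
   report suggests (an assumption here, not GDB's actual fix). */
static void varobj_create_fixed(struct varobj *var)
{
  if (!gdb_evaluate_expression(var->expr, &var->value))
    var->value = evaluate_type(var->expr);
  release_value(var->value);
}

/* The How-To-Repeat sequence: -var-create, end of that command, then the
   -var-evaluate-expression access.  Returns 1 if var->value is still
   valid at that point, 0 if it dangles (the crash in the report). */
static int run_scenario(void (*create)(struct varobj *))
{
  struct varobj var = { "(*1)", NULL };
  create(&var);
  free_all_values();
  return var.value != NULL && !var.value->freed;
}
```

run_scenario(varobj_create_buggy) returns 0: the pointer stored by the failure path is stale once the next command's cleanup has run, which with a real free() is the segmentation fault in the report and is what AddressSanitizer would flag as a heap-use-after-free. run_scenario(varobj_create_fixed) returns 1, because the value was taken off the chain before the cleanup. The general rule the model shows is that any pointer a varobj keeps across commands must be released on every path that stores it, not only the success path.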

