This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.



gdb/2129: data moved into char array corrupts DWARF expression


>Number:         2129
>Category:       gdb
>Synopsis:       data moved into char array corrupts DWARF expression
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 25 17:08:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Steve Branch
>Release:        GNU gdb Red Hat Linux (6.3.0.0-1.96rh)
>Organization:
>Environment:
uname -a
Linux nggf460test2 2.6.9-34.ELlargesmp #1 SMP Fri Feb 24 17:06:55 EST 2006 x86_64 x86_64 x86_64 GNU/Linux

gcc -v
Reading specs from /usr/lib/gcc/x86_64-redhat-linux/3.4.5/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=x86_64-redhat-linux
Thread model: posix
gcc version 3.4.5 20051201 (Red Hat 3.4.5-2)

This GDB was configured as "x86_64-redhat-linux-gnu"
>Description:
On return from a function that returns a string address in a provided char ** on input, the code does a strncpy to move the result into an 8-byte character array. Upon completion of the strncpy, the display of the destination variable is disabled. Examination of the code seems to indicate that the move was successful.

Trace data (notice that the move appears to have taken place):

653                     strncpy(Bcet,StringArea,sizeof(Bcet));
1: StringArea = 0xf8d3848 "00000000"
(gdb) display Bcet
3: Bcet = "4F1\000øfp\021"
(gdb) display &Bcet
4: &Bcet = (char (*)[8]) 0xfeef522c
(gdb) x/20c 0xf8d3848
0xf8d3848 <bcet_prologStringArea1>:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
0xf8d3850 <bcet_prologStringArea1+8>:   0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'
0xf8d3858 <bcet_prologStringArea1+16>:  0 '\0'  0 '\0'  0 '\0'  0 '\0'
(gdb) x/20c 0xfeef522c
0xfeef522c:     52 '4'  70 'F'  49 '1'  0 '\0'  -8 'ø'  102 'f' 112 'p' 17 '\021'
0xfeef5234:     12 '\f' 0 '\0'  0 '\0'  0 '\0'  1 '\001'        0 '\0'  -1 'ÿ'  -1 'ÿ'
0xfeef523c:     0 '\0'  0 '\0'  0 '\0'  0 '\0'
(gdb) next
654                     c_get_supplier_code(FarePtr,&StringArea);
4: &Bcet = dwarf2_read_address: Corrupted DWARF expression.
Disabling display 4 to avoid infinite recursion.
(gdb) x/20c 0xf8d3848
0xf8d3848 <bcet_prologStringArea1>:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
0xf8d3850 <bcet_prologStringArea1+8>:   0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'
0xf8d3858 <bcet_prologStringArea1+16>:  0 '\0'  0 '\0'  0 '\0'  0 '\0'
(gdb) x/20c 0xfeef522c
0xfeef522c:     48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'  48 '0'
0xfeef5234:     12 '\f' 0 '\0'  0 '\0'  0 '\0'  1 '\001'        0 '\0'  -1 'ÿ'  -1 'ÿ'
0xfeef523c:     0 '\0'  0 '\0'  0 '\0'  0 '\0'


Code in table999.prolog.c: (code being traced)

    593 char Bcet[8];
    594 char R6Bcet[8];
    595 char Supplier[5];
    596 char RuleNum[4];
    597 char FareTariff[3];
    598 char const *StringArea;

    652                 c_get_record1_v02_bcet(R1Ptr,R1SegNbr,&StringArea);
    653                 strncpy(Bcet,StringArea,sizeof(Bcet));        <- causes corruption of DWARF
    654                 c_get_supplier_code(FarePtr,&StringArea);
    655                 strncpy(Supplier,StringArea,sizeof(Supplier));

Code in record1.v02.prolog.c:

     60 char bcet_prologStringArea1[20];
     61 static char prologStringArea1[20];
     62 static char prologStringArea2[20];
     63 static char prologStringArea3[20];
     64 static char prologStringArea4[20];
     65 static char prologStringArea5[20];


    296 void c_get_record1_v02_bcet(struct R1Table *r1tp,
    297                             long segnbr,
    298                             char const **bcetOut)
    299 {
    300 char *bcet = bcet_prologStringArea1;        <-- originally the static copy (prologStringArea1); this did not make a difference.
    301 struct record1_V02 *r1;
    302 
    303         *bcetOut = bcet_prologStringArea1;
    304         memset(bcet_prologStringArea1,0,sizeof(bcet_prologStringArea1));
    305 
    306         r1 = r1tp->R1;
    307         memcpy(bcet,r1->rec1.segment[segnbr].rbdtblno,sizeof(r1->rec1.segment[segnbr].rbdtblno));
    308         stripTrailingBlanks(bcet_prologStringArea1);
    309 }
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
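Added example in C, not code from the bug report and not a GDB fix: it re-creates the copy path shown above (static 20-byte area filled from a fixed-width record field, trailing blanks stripped, then strncpy(Bcet, StringArea, sizeof(Bcet))) and checks whether the 8-byte Bcet is NUL-terminated afterwards, which the second x/20c dump (eight '0' bytes followed by the old '\f') shows it is not. struct segment, the rbdtblno field width and stripTrailingBlanks() are assumed stand-ins for the report's real definitions.

```c
/* Added example (not from the bug report): re-creates the copy path shown
   there and checks whether the 8-byte Bcet is NUL-terminated afterwards.
   struct segment, rbdtblno and stripTrailingBlanks() are assumed stand-ins. */
#include <stdbool.h>
#include <string.h>
#define BCET_LEN 8
static char bcet_prologStringArea1[20];
char scratch_bcet[BCET_LEN];   /* destination used by the checks below */
struct segment { char rbdtblno[8]; };   /* blank-padded, not NUL-terminated */

static void stripTrailingBlanks(char *s) {
    size_t n = strlen(s);
    while (n > 0 && s[n - 1] == ' ')
        s[--n] = '\0';
}

/* Mirrors c_get_record1_v02_bcet(): hands back a pointer into the static area. */
static void get_bcet(const struct segment *seg, const char **bcetOut) {
    char *bcet = bcet_prologStringArea1;
    *bcetOut = bcet_prologStringArea1;
    memset(bcet_prologStringArea1, 0, sizeof(bcet_prologStringArea1));
    memcpy(bcet, seg->rbdtblno, sizeof(seg->rbdtblno));
    stripTrailingBlanks(bcet_prologStringArea1);
}

/* Builds a record field from an 8-byte constructed value and fetches it. */
static const char *fetch_bcet(const char *field8) {
    struct segment seg;
    const char *StringArea;
    memcpy(seg.rbdtblno, field8, sizeof(seg.rbdtblno));
    get_bcet(&seg, &StringArea);
    return StringArea;
}

/* The report's line-653 copy. strncpy() writes a terminator only when
   strlen(src) < n, so an 8-character value such as "00000000" fills all of
   Bcet and leaves no NUL, matching the second x/20c dump in the report. */
bool bcet_terminated_after_copy(const char *field8) {
    strncpy(scratch_bcet, fetch_bcet(field8), sizeof(scratch_bcet));
    return memchr(scratch_bcet, '\0', sizeof(scratch_bcet)) != NULL;
}

/* Defensive variant: reserve the last byte for the terminator and return how
   many source bytes had to be dropped (0 when the value fit). */
size_t copy_bcet_safely(const char *field8) {
    const char *src = fetch_bcet(field8);
    size_t len = strlen(src);
    strncpy(scratch_bcet, src, BCET_LEN - 1);
    scratch_bcet[BCET_LEN - 1] = '\0';
    return len > BCET_LEN - 1 ? len - (BCET_LEN - 1) : 0;
}
```

A non-zero return from copy_bcet_safely signals that an 8-character value cannot be held as a C string in char[8]; the report's Bcet would need a ninth byte for that.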