From patchwork Mon Apr 8 12:57:16 2024
X-Patchwork-Submitter: Tom de Vries
X-Patchwork-Id: 88173
From: Tom de Vries
To: gdb-patches@sourceware.org
Subject: [PATCH v4] [gdb/symtab] Fix an out of bounds array access in find_epilogue_using_linetable
Date: Mon, 8 Apr 2024 14:57:16 +0200
Message-Id: <20240408125716.14399-1-tdevries@suse.de>
X-Mailer: git-send-email 2.35.3
From: Bernd Edlinger

An out of bounds array access in find_epilogue_using_linetable causes random test failures like these:

FAIL: gdb.base/unwind-on-each-insn-amd64.exp: foo: instruction 6: $fba_value == $fn_fba
FAIL: gdb.base/unwind-on-each-insn-amd64.exp: foo: instruction 6: check frame-id matches
FAIL: gdb.base/unwind-on-each-insn-amd64.exp: foo: instruction 6: bt 2
FAIL: gdb.base/unwind-on-each-insn-amd64.exp: foo: instruction 6: up
FAIL: gdb.base/unwind-on-each-insn-amd64.exp: foo: instruction 6: $sp_value == $::main_sp
FAIL: gdb.base/unwind-on-each-insn-amd64.exp: foo: instruction 6: $fba_value == $::main_fba
FAIL: gdb.base/unwind-on-each-insn-amd64.exp: foo: instruction 6: [string equal $fid $::main_fid]

Here the read happens below the first element of the line table, and the test failure depends on the value that is read from there.

It also happens that std::lower_bound returns a pointer exactly at the upper bound of the line table; also here the read value is undefined. That happens in this test:

FAIL: gdb.dwarf2/dw2-epilogue-begin.exp: confirm watchpoint doesn't trigger

Fixes: 528b729be1a2 ("gdb/dwarf2: Add support for DW_LNS_set_epilogue_begin in line-table")
Co-Authored-By: Tom de Vries
PR symtab/31268
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=31268
---
 gdb/symtab.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 77 insertions(+), 10 deletions(-)

base-commit: 94a94c904da29bb733c19b5a0a168557c1819720

diff --git a/gdb/symtab.c b/gdb/symtab.c
index 86603dfebc3..427d7b9f8b2 100644
--- a/gdb/symtab.c
+++ b/gdb/symtab.c
@@ -4166,10 +4166,14 @@ find_epilogue_using_linetable (CORE_ADDR func_addr) = unrelocated_addr (end_pc - objfile->text_section_offset ()); const linetable *linetable = sal.symtab->linetable (); - /* This should find the last linetable entry of the current function. - It is probably where the epilogue begins, but since the DWARF 5 - spec doesn't guarantee it, we iterate backwards through the function - until we either find it or are sure that it doesn't exist. */ + if (linetable == nullptr || linetable->nitems == 0) + { + /* Empty line table. */ + return {}; + } + + /* Find the first linetable entry after the current function. Note that + this also may be an end_sequence entry. */ auto it = std::lower_bound (linetable->item, linetable->item + linetable->nitems, unrel_end, [] (const linetable_entry <e, unrelocated_addr pc) 
@@ -4177,13 +4181,76 @@ find_epilogue_using_linetable (CORE_ADDR func_addr) return lte.unrelocated_pc () < pc; }); - while (it->unrelocated_pc () >= unrel_start) - { - if (it->epilogue_begin) - return {it->pc (objfile)}; - it --; - } + if (it == linetable->item + linetable->nitems) + { + /* We couldn't find either: + - a linetable entry starting the function after the current + function, or + - an end_sequence entry that terminates the current function + at unrel_end. + This can happen when the linetable doesn't describe the full + extent of the function, which shouldn't happen with + compiler-generated debug info. Handle the corner case + conservatively. */ + return {}; + } + else + { + if (unrel_end < it->unrelocated_pc ()) + { + /* We found a line entry that starts past the end of the + function. This can happen if the previous entry straddles + two functions, which shouldn't happen with compiler-generated + debug info. Handle the corner case conservatively. */ + return {}; + } + gdb_assert (unrel_end == it->unrelocated_pc ()); + } + + /* Move to the last linetable entry of the current function. */ + if (it == &linetable->item[0]) + { + /* Doing it-- would introduce undefined behaviour, avoid it by + explicitly handling this case. */ + return {}; + } + it--; + if (it->unrelocated_pc () < unrel_start) + { + /* Not in the current function. */ + return {}; + } + gdb_assert (it->unrelocated_pc () < unrel_end); + + /* We're at the the last linetable entry of the current function. This + is probably where the epilogue begins, but since the DWARF 5 spec + doesn't guarantee it, we iterate backwards through the current + function until we either find the epilogue beginning, or are sure + that it doesn't exist. */ + for (; it >= &linetable->item[0]; it--) + { + if (it->unrelocated_pc () < unrel_start) + { + /* No longer in the current function. */ + break; + } + + if (it->epilogue_begin) + { + /* Found the beginning of the epilogue. 
*/ + return {it->pc (objfile)}; + } + + if (it == &linetable->item[0]) + { + /* No more entries in the current function. + Doing it-- would introduce undefined behaviour, avoid it by + explicitly handling this case. */ + break; + } + } } + return {}; }
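Review bot: in the first hunk (@@ -4166), the new `linetable == nullptr || linetable->nitems == 0` guard is what keeps the later `it--` and `it->unrelocated_pc ()` reads off a zero-length table (with `nitems == 0`, `std::lower_bound` returns `linetable->item`, which is already one past the end), and the order of the two tests matters because the `nitems` read dereferences `linetable`; the comment `/* Empty line table. */` could say that it also covers a missing table so the next reader does not "simplify" it to a single condition. The replacement comment "Find the first linetable entry after the current function" is accurate given the `lte.unrelocated_pc () < pc` predicate (first entry with pc >= unrel_end), but saying "at or after unrel_end" would make the later `unrel_end == it->unrelocated_pc ()` assertion easier to follow.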
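Review bot: in the backward walk at the end of the second hunk (@@ -4177), the `for` condition `it >= &linetable->item[0]` never does the work of preventing the out-of-bounds decrement; the `if (it == &linetable->item[0]) break;` at the bottom of the body does, and the condition is therefore always true whenever it is evaluated. A reader may take the condition for the guard, so consider `for (;; it--)` or `while (true)` with the explicit `break`, or a comment on the `for` line saying the lower bound is enforced inside the body. Two smaller points: the comment "We're at the the last linetable entry" doubles "the", and the `else` after `return {};` in the `it == linetable->item + linetable->nitems` branch is unnecessary since that branch returns, so its body can be un-nested; the `gdb_assert (unrel_end == it->unrelocated_pc ())` is still worth keeping, as it documents the only value `std::lower_bound` can return once the `unrel_end < it->unrelocated_pc ()` case has been excluded.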
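The two out-of-bounds reads the commit message describes (walking below the first line-table entry, and dereferencing the `std::lower_bound` result when it is the end pointer) are easier to see on a small stand-alone model than on the gdb sources. The following is an added example, not part of this patch or of gdb's code: a C++ reimplementation of the search the patched `find_epilogue_using_linetable` performs, over a constructed line table. The type and function names (`LineEntry`, `find_epilogue`, `sample_table`) and the sample addresses are assumptions made for the example; the backward walk is written as `while (it != begin) { --it; ... }`, which is a different shape from the patch's `for` loop but enforces the same lower bound.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Constructed model of one line-table entry: only the fields the
// epilogue search needs (this is not gdb's linetable_entry).
struct LineEntry
{
  uint64_t pc;           // address the entry starts at
  bool epilogue_begin;   // DW_LNS_set_epilogue_begin was seen here
  bool end_sequence;     // terminates a sequence; carries no line
};

// Model of the patched search.  The table must be sorted by pc.  Returns
// the pc of the epilogue_begin entry inside [func_start, func_end), or
// nullopt when the table cannot say (empty table, table does not cover
// the function's end, or an entry straddles the function boundary).
std::optional<uint64_t>
find_epilogue (const std::vector<LineEntry> &table,
               uint64_t func_start, uint64_t func_end)
{
  if (table.empty ())
    return std::nullopt;

  // First entry whose pc is >= func_end: either the entry that starts the
  // next function or the end_sequence entry that closes this one.
  auto it = std::lower_bound (table.begin (), table.end (), func_end,
                              [] (const LineEntry &e, uint64_t pc)
                              { return e.pc < pc; });

  // Reading *it here would be the upper-bound out-of-bounds read.
  if (it == table.end ())
    return std::nullopt;

  // The previous entry straddles two functions; be conservative.
  if (func_end < it->pc)
    return std::nullopt;

  // Walk backwards through the function.  Decrement only after checking
  // that we are not at begin(), which removes the lower-bound read.
  while (it != table.begin ())
    {
      --it;
      if (it->pc < func_start)
        break;            // left the function without finding the epilogue
      if (it->epilogue_begin)
        return it->pc;
    }
  return std::nullopt;
}

// Constructed sample table: 'main' at 0x1000-0x1030 with an epilogue mark,
// 'foo' at 0x1030-0x1050 without one, closed by an end_sequence entry.
std::vector<LineEntry>
sample_table ()
{
  return {
    { 0x1000, false, false },
    { 0x1010, false, false },
    { 0x1020, true,  false },   // epilogue of 'main'
    { 0x1030, false, false },   // 'foo' starts
    { 0x1040, false, false },
    { 0x1050, false, true  },   // end of sequence == end of 'foo'
  };
}

int
main ()
{
  const auto table = sample_table ();
  struct { const char *name; uint64_t start, end; } cases[] = {
    { "main, epilogue marked",          0x1000, 0x1030 },
    { "foo, no epilogue mark",          0x1030, 0x1050 },
    { "first entries, no mark",         0x1000, 0x1020 },  // old code: it-- below item[0]
    { "function end not in table",      0x1030, 0x2000 },  // old code: read at end pointer
    { "entry straddles boundary",       0x1030, 0x1045 },
  };
  for (const auto &c : cases)
    {
      auto r = find_epilogue (table, c.start, c.end);
      if (r)
        std::printf ("%-28s -> epilogue at 0x%llx\n", c.name,
                     (unsigned long long) *r);
      else
        std::printf ("%-28s -> no epilogue found\n", c.name);
    }
  return 0;
}
```

The "first entries, no mark" and "function end not in table" cases are the two shapes of table the commit message attributes the random failures to; on the model they simply yield "no epilogue found", whereas the pre-patch loop would have read one element before the table or at its end pointer.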