In non-stop mode, or rather, breakpoints always-inserted mode, the
code cache can easily end up with stale breakpoint instructions:
All it takes is filling a cache line when breakpoints already exist in
that memory region, and then delete the breakpoint.
Vis. (from the new test):
(gdb) set breakpoint always-inserted on
(gdb) b 23
Breakpoint 2 at 0x400540: file ../../../src/gdb/testsuite/gdb.base/breakpoint-shadow.c, line 23.
(gdb) b 24
Breakpoint 3 at 0x400547: file ../../../src/gdb/testsuite/gdb.base/breakpoint-shadow.c, line 24.
disass main
Dump of assembler code for function main:
0x000000000040053c <+0>: push %rbp
0x000000000040053d <+1>: mov %rsp,%rbp
=> 0x0000000000400540 <+4>: movl $0x1,-0x4(%rbp)
0x0000000000400547 <+11>: movl $0x2,-0x4(%rbp)
0x000000000040054e <+18>: mov $0x0,%eax
0x0000000000400553 <+23>: pop %rbp
0x0000000000400554 <+24>: retq
End of assembler dump.
So far so good. Now flush the code cache:
(gdb) set code-cache off
(gdb) set code-cache on
Requesting a disassembly works as expected, breakpoint shadowing is
applied:
(gdb) disass main
Dump of assembler code for function main:
0x000000000040053c <+0>: push %rbp
0x000000000040053d <+1>: mov %rsp,%rbp
=> 0x0000000000400540 <+4>: movl $0x1,-0x4(%rbp)
0x0000000000400547 <+11>: movl $0x2,-0x4(%rbp)
0x000000000040054e <+18>: mov $0x0,%eax
0x0000000000400553 <+23>: pop %rbp
0x0000000000400554 <+24>: retq
End of assembler dump.
However, now delete the breakpoints:
(gdb) delete
Delete all breakpoints? (y or n) y
And disassembly shows the old breakpoint instructions:
(gdb) disass main
Dump of assembler code for function main:
0x000000000040053c <+0>: push %rbp
0x000000000040053d <+1>: mov %rsp,%rbp
=> 0x0000000000400540 <+4>: int3
0x0000000000400541 <+5>: rex.RB cld
0x0000000000400543 <+7>: add %eax,(%rax)
0x0000000000400545 <+9>: add %al,(%rax)
0x0000000000400547 <+11>: int3
0x0000000000400548 <+12>: rex.RB cld
0x000000000040054a <+14>: add (%rax),%al
0x000000000040054c <+16>: add %al,(%rax)
0x000000000040054e <+18>: mov $0x0,%eax
0x0000000000400553 <+23>: pop %rbp
0x0000000000400554 <+24>: retq
End of assembler dump.
Those breakpoint instructions are no longer installed in target memory
they're stale in the code cache. Easily confirmed by just disabling
the code cache:
(gdb) set code-cache off
(gdb) disass main
Dump of assembler code for function main:
0x000000000040053c <+0>: push %rbp
0x000000000040053d <+1>: mov %rsp,%rbp
=> 0x0000000000400540 <+4>: movl $0x1,-0x4(%rbp)
0x0000000000400547 <+11>: movl $0x2,-0x4(%rbp)
0x000000000040054e <+18>: mov $0x0,%eax
0x0000000000400553 <+23>: pop %rbp
0x0000000000400554 <+24>: retq
End of assembler dump.
I stumbled upon this when writing a patch to infrun.c, that made
handle_inferior_event & co fill in the cache before breakpoints were
removed from the target. Recall that wait_for_inferior flushes the
dcache for every event. So in that case, always-inserted mode was not
necessary to trigger this. It's just a convenient way to expose the
issue.
The dcache works at the raw memory level. We need to update it
whenever memory is written, no matter what kind of target memory
object was originally passed down by the caller. The issue is that
the dcache update code isn't reached when a caller explicitly writes
raw memory. Breakpoint insertion/removal is one such case --
mem-break.c uses target_write_read_memory/target_write_raw_memory.
The fix is to move the dcache update code from memory_xfer_partial_1
to raw_memory_xfer_partial so that it's always reachable.
When we do that, we can actually simplify a series of things.
memory_xfer_partial_1 no longer needs to handle writes for any kind of
memory object, and therefore dcache_xfer_memory no longer needs to
handle writes either. So the latter (dcache_xfer_memory) and its
callees can be simplified to only care about reads. While we're
touching dcache_xfer_memory's prototype, might as well rename it to
reflect that fact that it only handles reads, and make it follow the
new target_xfer_status/xfered_len style. This made me notice that
dcache_xfer_memory loses the real error status if a memory read fails:
we could have failed to read due to TARGET_XFER_E_UNAVAILABLE, for
instance, but we always return TARGET_XFER_E_IO, hence the FIXME note.
I felt that fixing that fell out of the scope of this patch.
Currently dcache_xfer_memory handles the case of a write failing. The
whole cache line is invalidated when that happens. However,
dcache_update, the sole mechanism for handling writes that will remain
after the patch, does not presently handle that scenario. That's a
bug. The patch makes it handle that, by passing down the
target_xfer_status status from the caller, so that it can better
decide what to do itself. While I was changing the function's
prototype, I constified the myaddr parameter, getting rid of the need
for the cast as seen in its existing caller.
Tested on x86_64 Fedora 17, native and gdbserver.
gdb/
2014-03-05 Pedro Alves <palves@redhat.com>
PR gdb/16575
* dcache.c (dcache_poke_byte): Constify ptr parameter. Return
void. Update comment.
(dcache_xfer_memory): Delete.
(dcache_read_memory_partial): New, based on the read bits of
dcache_xfer_memory.
(dcache_update): Add status parameter. Use ULONGEST for len, and
adjust. Discard cache lines if the reason for the update was
error.
* dcache.h (dcache_xfer_memory): Delete declaration.
(dcache_read_memory_partial): New declaration.
(dcache_update): Update prototype.
* target.c (raw_memory_xfer_partial): Update the dcache here.
(memory_xfer_partial_1): Don't handle dcache writes here.
gdb/testsuite/
2014-03-05 Pedro Alves <palves@redhat.com>
PR gdb/16575
* gdb.base/breakpoint-shadow.exp (compare_disassembly): New
procedure.
(top level): Adjust to use it. Add tests that exercise breakpoint
interaction with the code-cache.
This adds support for "func@localentry", an expression that returns the
ELFv2 local entry point address of function "func". I've excluded
dynamic relocation support because that obviously would require glibc
changes.
include/elf/
* ppc64.h (R_PPC64_REL24_NOTOC, R_PPC64_ADDR64_LOCAL): Define.
bfd/
* elf64-ppc.c (ppc64_elf_howto_raw): Add R_PPC64_ADDR64_LOCAL entry.
(ppc64_elf_reloc_type_lookup): Support R_PPC64_ADDR64_LOCAL.
(ppc64_elf_check_relocs): Likewise.
(ppc64_elf_relocate_section): Likewise.
* Add BFD_RELOC_PPC64_ADDR64_LOCAL.
* bfd-in2.h: Regenerate.
* libbfd.h: Regenerate.
gas/
* config/tc-ppc.c (ppc_elf_suffix): Support @localentry.
(md_apply_fix): Support R_PPC64_ADDR64_LOCAL.
ld/testsuite/
* ld-powerpc/elfv2-2a.s, ld-powerpc/elfv2-2b.s: New files.
* ld-powerpc/elfv2-2exe.d, ld-powerpc/elfv2-2so.d: New files.
* ld-powerpc/powerpc.exp: Run new test.
elfcpp/
* powerpc.h (R_PPC64_REL24_NOTOC, R_PPC64_ADDR64_LOCAL): Define.
gold/
* powerpc.cc (Target_powerpc::Scan::local, global): Support
R_PPC64_ADDR64_LOCAL.
(Target_powerpc::Relocate::relocate): Likewise.
This patch allows gas to assemble a testcase like
li 3,ext_sym
which oddly was not accepted while the following is OK:
li 3,ext_sym@l
* config/tc-ppc.c (md_assemble): Move code adjusting reloc types
later. Merge absolute and relative branch reloc selection.
Generate 16-bit relocs for most 16-bit insn fields given a
non-constant expression.
The XCOFF assembler does some wierd things with instructions like
`lwz 9,sym(30'. See the comment in md_apply_fix. From an ELF
perspective, it's weird even to magically select a TOC16 reloc
when a symbol is in the TOC/GOT. ELF assemblers generally use
modifiers like @toc to select relocs, so remove this "feature"
for ELF. I believe this was to support gcc -m32 -mcall-aixdesc
but that combination of gcc options has been broken for a long
time.
* config/tc-ppc.c (ppc_is_toc_sym): Remove OBJ_ELF support.
(md_assemble): Don't call ppc_is_toc_sym for ELF.
2014-02-04 Heiher <r@hev.cc>
* elfxx-mips.c (mips_set_isa_flags): Use E_MIPS_ARCH_64R2 for
Loongson-3A.
(mips_mach_extensions): Make bfd_mach_mips_loongson_3a an
extension of bfd_mach_mipsisa64r2.
opcodes/
2014-02-04 Heiher <r@hev.cc>
* mips-dis.c (mips_arch_choices): Usee ISA_MIPS64R2 for Loongson-3A.
gas/
2014-02-04 Heiher <r@hev.cc>
* config/tc-mips.c (mips_cpu_info_table): Use ISA_MIPS64R2 for
Loongson-3A.
built when constructing a toolchain configued from all targets.
* Makefile.am (ALL_EMUL_EXTRA_BINARIES): Remove default-manifest.
* Makefile.in: Regenerate.
using Thumb2 instructions for those cores which do not support the ARM ISA.
* elf32-arm.c (elf32_thumb2_plt0_entry): New array.
(elf32_thumb2_plt_entry): New array.
(elf32_arm_create_dynamic_sections): Set PLT entry sizes when
using thumb2 based PLT.
(elf32_arm_populate_plt_entry): Handle generating Thumb2 based PLT
entries.
(elf32_arm_final_link_relocate): Do not bias jumps to Thumb based
PLT entries.
(elf32_arm_finish_dynamic_sections): Handle creation of Thumb2
based PLT 0-entry.
(elf32_arm_output_plt_map_1): Handle creation of local symbols for
Thumb2 based PLT 0-entry.
(elf32_arm_output_arch_local_syms): Handle creation of local
symbols for Thumb2 based PLT entries.
This patch moves the probe data from the objfile to the per-BFD
object. This lets the probes be shared between different inferiors
(and different objfiles when dlmopen is in use, should gdb ever handle
that).
2014-03-03 Tom Tromey <tromey@redhat.com>
* elfread.c (probe_key): Change to bfd_data.
(elf_get_probes, probe_key_free, _initialize_elfread): Probes are
now per-BFD, not per-objfile.
* stap-probe.c (stap_probe_destroy): Update comment.
(handle_stap_probe): Allocate on the per-BFD obstack.
This changes the probes to be independent of the program space.
After this, when a probe's address is needed, it is determined by
applying offsets at the point of use.
This introduces a bound_probe object, similar to bound minimal
symbols. Objects of this type are used when it's necessary to pass a
probe and its corresponding objfile.
This removes the backlink from probe to objfile, which was primarily
used to fetch the architecture to use.
This adds a get_probe_address function which calls a probe method to
compute the probe's relocated address. Similarly, it adds an objfile
parameter to the semaphore methods so they can do the relocation
properly as well.
2014-03-03 Tom Tromey <tromey@redhat.com>
* break-catch-throw.c (fetch_probe_arguments): Use bound probes.
* breakpoint.c (create_longjmp_master_breakpoint): Use
get_probe_address.
(add_location_to_breakpoint, bkpt_probe_insert_location)
(bkpt_probe_remove_location): Update.
* breakpoint.h (struct bp_location) <probe>: Now a bound_probe.
* elfread.c (elf_symfile_relocate_probe): Remove.
(elf_probe_fns): Update.
(insert_exception_resume_breakpoint): Change type of "probe"
parameter to bound_probe.
(check_exception_resume): Update.
* objfiles.c (objfile_relocate1): Don't relocate probes.
* probe.c (bound_probe_s): New typedef.
(parse_probes): Use get_probe_address. Set sal's objfile.
(find_probe_by_pc): Return a bound_probe.
(collect_probes): Return a VEC(bound_probe_s).
(compare_probes): Update.
(gen_ui_out_table_header_info): Change type of "probes"
parameter. Update.
(info_probes_for_ops): Update.
(get_probe_address): New function.
(probe_safe_evaluate_at_pc): Update.
* probe.h (struct probe_ops) <get_probe_address>: New field.
<set_semaphore, clear_semaphore>: Add objfile parameter.
(struct probe) <objfile>: Remove field.
<arch>: New field.
<address>: Update comment.
(struct bound_probe): New.
(find_probe_by_pc): Return a bound_probe.
(get_probe_address): Declare.
* solib-svr4.c (struct probe_and_action) <address>: New field.
(hash_probe_and_action, equal_probe_and_action): Update.
(register_solib_event_probe): Add address parameter.
(solib_event_probe_at): Update.
(svr4_create_probe_breakpoints): Add objfile parameter. Use
get_probe_address.
* stap-probe.c (struct stap_probe) <sem_addr>: Update comment.
(stap_get_probe_address): New function.
(stap_can_evaluate_probe_arguments, compute_probe_arg)
(compile_probe_arg): Update.
(stap_set_semaphore, stap_clear_semaphore): Compute semaphore's
address.
(handle_stap_probe): Don't relocate the probe.
(stap_relocate): Remove.
(stap_gen_info_probes_table_values): Update.
(stap_probe_ops): Remove stap_relocate.
* symfile-debug.c (debug_sym_relocate_probe): Remove.
(debug_sym_probe_fns): Update.
* symfile.h (struct sym_probe_fns) <sym_relocate_probe>: Remove.
* symtab.c (init_sal): Use memset.
* symtab.h (struct symtab_and_line) <objfile>: New field.
* tracepoint.c (start_tracing, stop_tracing): Update.
This fixes up a few mildly erroneous comments in probe.h.
2014-03-03 Tom Tromey <tromey@redhat.com>
* probe.h (parse_probes, find_probe_by_pc)
(find_probes_in_objfile): Fix comments.
generate warning messages about an instruction that changes the interrupt
state not being followed by a NOP instruction.
* config/msp430/msp430.c: Replace known mcu array with known
msp430 ISA mcu name array.
Accept any name for -mmcu option.
Add -mz option to warn about missing NOP following an interrupt
status change.
(check_for_nop): New.
(msp430_operands): Emit a warning, if requested, when an interrupt
changing instruction is not followed by a NOP.
* doc/c-msp430.c: Document -mz option.
* gas/msp430/bad.d: Add -mz option.
* gas/msp430/bad.s: Add more cases where warnings should be
generated.
* gas/msp430/bad.l: Add expected warning messages.
OpenBSD 5.2 and later have a proper threads implementation based on
kernel threads. Debugging support is provided through additional
ptrace(2) requests, so this diff extends the generic code in
inf-ptrace.c with OpenBSD-specific code to discover additional threads.
gdb/ChangeLog:
* obsd-nat.h: New file.
* obsd-nat.c: New file.
* Makefile.in (HFILES_NO_SRCDIR): Add obsd-nat.h.
(ALLDEPFILES): Add obsd-nat.c.
This patch constifies ui_out_impl in struct ui_out, and various
instances of ui_out_impl.
This removes a couple of FIXME comments (near cli_ui_out_impl and
mi_ui_out_impl) that did not make sense to me.
Tested by rebuilding.
2014-02-28 Tom Tromey <tromey@redhat.com>
* cli-out.c (cli_ui_out_impl): Now const. Remove comment.
* cli-out.h (cli_ui_out_impl): Now const.
* mi/mi-out.c (mi_ui_out_impl): Now const. Remove comment.
* ui-out.c (struct ui_out) <impl>: Now const.
(default_ui_out_impl): Now const.
(ui_out_new): Make 'impl' parameter const.
* ui-out.h (ui_out_new): Update.
Don't be clever, calculate the length directly as the difference of
two symbols.
* dwarf2dbg.c (out_debug_line): Correct .debug_line header_length
field for 64-bit dwarf.
GCC 4.2.1 complains about first_l_name may be used uninitialized, and my brain
agrees.
gdb/ChangeLog:
* solib-svr4.c (svr4_read_so_list): Initialize first_l_name to 0.
runtest gdb.base/corefile.exp
==23174== ERROR: AddressSanitizer: heap-use-after-free on address 0x604400008c88 at pc 0x68f0be bp 0x7fffae9d7490 sp
0x7fffae9d7480
READ of size 8 at 0x604400008c88 thread T0
#0 0x68f0bd in svr4_read_so_list (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x68f0bd)
#1 0x68f64e in svr4_current_sos_direct (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x68f64e)
#2 0x68f757 in svr4_current_sos (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x68f757)
#3 0xcebbff in update_solib_list (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xcebbff)
0x604400008c88 is located 8 bytes inside of 1104-byte region [0x604400008c80,0x6044000090d0)
freed by thread T0 here:
#0 0x7f52677500f9 (/lib64/libasan.so.0+0x160f9)
#1 0xd2c68a in xfree (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xd2c68a)
#2 0xceb364 in free_so (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xceb364)
#3 0xca59f8 in do_free_so (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0xca59f8)
#4 0x93432a in do_my_cleanups (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x93432a)
#5 0x934406 in do_cleanups (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x934406)
#6 0x68efa9 in svr4_read_so_list (/home/jkratoch/redhat/gdb-clean/gdb/gdb+0x68efa9)
I did not notice it during my review in:
Re: [PATCH v2] Skip vDSO when reading SO list (PR 8882)
https://sourceware.org/ml/gdb-patches/2013-09/msg00888.html
gdb/
2014-02-27 Jan Kratochvil <jan.kratochvil@redhat.com>
Additional PR 8882 fix.
* solib-svr4.c (svr4_read_so_list): Change first to first_l_name.
Message-ID: <20140226220918.GA10431@host2.jankratochvil.net>
