View Issue Details

ID: 0038302
Project: FPC
Category: RTL
View Status: public
Last Update: 2021-01-31 18:55
Reporter: Martin Friebe
Assigned To: Florian
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Platform: Win / Linux
OS: any
Product Version: 3.2.0
Summary: 0038302: DynArray[-1] bad mem access in unit InfoDwrf
Description: Below valgrind is from Linux. // Code review from Windows

InfoDwrf line 964
      Abbrev_Attrs[nr]:=nil;

This is in

procedure ReadAbbrevTable;
  var
   nr,
...
   PrevHigh : Int64;

  begin
...
      nr:=ReadULEB128;
...
      Abbrev_Attrs[nr]:=nil;

ReadULEB128 returns QWord => so this could be cast to -1 or -2 ....
If nr is -2 or -3 (dyn-array header is part of alloc mem) then below valgrind traces could maybe be explained.

==105501== Address 0x1e8ebdf8 is 8 bytes before a block of size 152 alloc'd
points to a negative index

------------------------
Not checked if any other ReadULEB128 call is affected....
Steps To Reproduce:
==105501== Invalid read of size 8
==105501== at 0x43C994: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1123)
==105501== by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501== by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501== by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501== by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501== by 0x432AB6: fpc_dynarray_setlength (dynarr.inc:208)
==105501== by 0x449516: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:964)
==105501== by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501== by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501== by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501== by 0x50CBE8: SYSUTILS_$$_CATCHUNHANDLEDEXCEPTION$TOBJECT$POINTER$LONGINT$PCODEPOINTER (sysutils.inc:321)
==105501== by 0x436312: SYSTEM_$$_DOUNHANDLEDEXCEPTION (except.inc:144)
==105501== Address 0x1e8ebdf8 is 8 bytes before a block of size 152 alloc'd
==105501== at 0x483BCE8: realloc (vg_replace_malloc.c:834)
==105501== by 0x44BB3D: CMEM_$$_CREALLOCMEM$POINTER$QWORD$$POINTER (cmem.pp:123)
==105501== by 0x43B52E: SYSTEM_$$_REALLOCMEM$POINTER$QWORD$$POINTER (heap.inc:350)
==105501== by 0x432CBF: fpc_dynarray_setlength (dynarr.inc:270)
==105501== by 0x449560: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:970)
==105501== by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501== by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501== by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501== by 0x91EC37: FPCUNIT_$$_POINTERTOLOCATIONINFO$POINTER$$ANSISTRING (fpcunit.pp:399)
==105501== by 0x91F611: FPCUNIT$_$TTESTFAILURE_$__$$_GETLOCATIONINFO$$ANSISTRING (fpcunit.pp:501)
==105501== by 0x475D15: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_ADDFAILURE$TTEST$TTESTFAILURE (guitestrunner.pas:883)
==105501== by 0x926EFA: FPCUNIT$_$TTESTRESULT_$__$$_ADDFAILURE$TTEST$EASSERTIONFAILEDERROR$TFPLIST$POINTER (fpcunit.pp:1526)
==105501==
==105501== Invalid write of size 8
==105501== at 0x43C99C: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1123)
==105501== by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501== by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501== by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501== by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501== by 0x432AB6: fpc_dynarray_setlength (dynarr.inc:208)
==105501== by 0x449516: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:964)
==105501== by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501== by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501== by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501== by 0x50CBE8: SYSUTILS_$$_CATCHUNHANDLEDEXCEPTION$TOBJECT$POINTER$LONGINT$PCODEPOINTER (sysutils.inc:321)
==105501== by 0x436312: SYSTEM_$$_DOUNHANDLEDEXCEPTION (except.inc:144)
==105501== Address 0x257eddfb is 273,067 bytes inside a block of size 493,590 free'd
==105501== at 0x483A9F5: free (vg_replace_malloc.c:538)
==105501== by 0x44BA1F: CMEM_$$_CFREEMEM$POINTER$$QWORD (cmem.pp:75)
==105501== by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501== by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501== by 0x432AB6: fpc_dynarray_setlength (dynarr.inc:208)
==105501== by 0x4C3765: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$TENCODING (stringl.inc:1489)
==105501== by 0x4C33FA: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$BOOLEAN (stringl.inc:1427)
==105501== by 0x4C3381: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM (stringl.inc:1405)
==105501== by 0x4767C2: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNTEST$TTEST (guitestrunner.pas:1044)
==105501== by 0x473CD7: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNEXECUTE$TOBJECT (guitestrunner.pas:393)
==105501== by 0x4CBBDC: CLASSES$_$TBASICACTION_$__$$_EXECUTE$$BOOLEAN (action.inc:124)
==105501== by 0x81006A: ACTNLIST$_$TCONTAINEDACTION_$__$$_EXECUTE$$BOOLEAN (containedaction.inc:98)
==105501== Block was alloc'd at
==105501== at 0x483BCE8: realloc (vg_replace_malloc.c:834)
==105501== by 0x44BB3D: CMEM_$$_CREALLOCMEM$POINTER$QWORD$$POINTER (cmem.pp:123)
==105501== by 0x43B52E: SYSTEM_$$_REALLOCMEM$POINTER$QWORD$$POINTER (heap.inc:350)
==105501== by 0x432C94: fpc_dynarray_setlength (dynarr.inc:266)
==105501== by 0x4C36CF: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$TENCODING (stringl.inc:1483)
==105501== by 0x4C33FA: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM$BOOLEAN (stringl.inc:1427)
==105501== by 0x4C3381: CLASSES$_$TSTRINGS_$__$$_LOADFROMSTREAM$TSTREAM (stringl.inc:1405)
==105501== by 0x4767C2: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNTEST$TTEST (guitestrunner.pas:1044)
==105501== by 0x473CD7: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_RUNEXECUTE$TOBJECT (guitestrunner.pas:393)
==105501== by 0x4CBBDC: CLASSES$_$TBASICACTION_$__$$_EXECUTE$$BOOLEAN (action.inc:124)
==105501== by 0x81006A: ACTNLIST$_$TCONTAINEDACTION_$__$$_EXECUTE$$BOOLEAN (containedaction.inc:98)
==105501== by 0x812C7D: ACTNLIST$_$TCUSTOMACTION_$__$$_EXECUTE$$BOOLEAN (customaction.inc:246)
==105501==
==105501==

==105501== Thread 1:
==105501== Invalid read of size 8
==105501== at 0x43CAE1: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1180)
==105501== by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501== by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501== by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501== by 0x439004: fpc_finalize (rtti.inc:268)
==105501== by 0x44A30B: LNFODWRF_$$_finalize$ (lnfodwrf.pp:1417)
==105501== by 0x43A078: SYSTEM_$$_FINALIZEUNITS (system.inc:1009)
==105501== by 0x43A3E8: SYSTEM_$$_INTERNALEXIT (system.inc:1090)
==105501== by 0x43A438: fpc_do_exit (system.inc:1133)
==105501== by 0x41F208: main (LazDebFpTest.lpr:18)
==105501== Address 0x18c63d38 is 8 bytes before a block of size 8,224 alloc'd
==105501== at 0x4839809: malloc (vg_replace_malloc.c:307)
==105501== by 0x44B9D8: CMEM_$$_CGETMEM$QWORD$$POINTER (cmem.pp:62)
==105501== by 0x43B369: SYSTEM_$$_GETMEM$POINTER$QWORD (heap.inc:284)
==105501== by 0x432A55: fpc_dynarray_setlength (dynarr.inc:194)
==105501== by 0x449421: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:947)
==105501== by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501== by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501== by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501== by 0x91EC37: FPCUNIT_$$_POINTERTOLOCATIONINFO$POINTER$$ANSISTRING (fpcunit.pp:399)
==105501== by 0x91F611: FPCUNIT$_$TTESTFAILURE_$__$$_GETLOCATIONINFO$$ANSISTRING (fpcunit.pp:501)
==105501== by 0x475D15: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_ADDFAILURE$TTEST$TTESTFAILURE (guitestrunner.pas:883)
==105501== by 0x926EFA: FPCUNIT$_$TTESTRESULT_$__$$_ADDFAILURE$TTEST$EASSERTIONFAILEDERROR$TFPLIST$POINTER (fpcunit.pp:1526)
==105501==
==105501== Invalid read of size 8
==105501== at 0x43C97D: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1122)
==105501== by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501== by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501== by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501== by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501== by 0x439004: fpc_finalize (rtti.inc:268)
==105501== by 0x44A30B: LNFODWRF_$$_finalize$ (lnfodwrf.pp:1417)
==105501== by 0x43A078: SYSTEM_$$_FINALIZEUNITS (system.inc:1009)
==105501== by 0x43A3E8: SYSTEM_$$_INTERNALEXIT (system.inc:1090)
==105501== by 0x43A438: fpc_do_exit (system.inc:1133)
==105501== by 0x41F208: main (LazDebFpTest.lpr:18)
==105501== Address 0x18c63d38 is 8 bytes before a block of size 8,224 alloc'd
==105501== at 0x4839809: malloc (vg_replace_malloc.c:307)
==105501== by 0x44B9D8: CMEM_$$_CGETMEM$QWORD$$POINTER (cmem.pp:62)
==105501== by 0x43B369: SYSTEM_$$_GETMEM$POINTER$QWORD (heap.inc:284)
==105501== by 0x432A55: fpc_dynarray_setlength (dynarr.inc:194)
==105501== by 0x449421: LNFODWRF_$$_READABBREVTABLE (lnfodwrf.pp:947)
==105501== by 0x449845: LNFODWRF_$$_PARSECOMPILATIONUNITFORFUNCTIONNAME$QWORD$WORD$QWORD$SHORTSTRING$BOOLEAN$$QWORD (lnfodwrf.pp:1220)
==105501== by 0x44A046: LNFODWRF_$$_GETLINEINFO$QWORD$SHORTSTRING$SHORTSTRING$LONGINT$$BOOLEAN (lnfodwrf.pp:1346)
==105501== by 0x44A13A: LNFODWRF_$$_DWARFBACKTRACESTR$POINTER$$SHORTSTRING (lnfodwrf.pp:1386)
==105501== by 0x91EC37: FPCUNIT_$$_POINTERTOLOCATIONINFO$POINTER$$ANSISTRING (fpcunit.pp:399)
==105501== by 0x91F611: FPCUNIT$_$TTESTFAILURE_$__$$_GETLOCATIONINFO$$ANSISTRING (fpcunit.pp:501)
==105501== by 0x475D15: GUITESTRUNNER$_$TGUITESTRUNNER_$__$$_ADDFAILURE$TTEST$TTESTFAILURE (guitestrunner.pas:883)
==105501== by 0x926EFA: FPCUNIT$_$TTESTRESULT_$__$$_ADDFAILURE$TTEST$EASSERTIONFAILEDERROR$TFPLIST$POINTER (fpcunit.pp:1526)
==105501==
==105501== Invalid read of size 8
==105501== at 0x43C985: SYSTEM_$$_WAITFREE_VAR$PMEMCHUNK_VAR (heap.inc:1122)
==105501== by 0x43CAF3: SYSTEM_$$_SYSFREEMEM_VAR$PFREELISTS$PMEMCHUNK_VAR$$QWORD (heap.inc:1183)
==105501== by 0x43CC26: SYSTEM_$$_SYSFREEMEM$POINTER$$QWORD (heap.inc:1225)
==105501== by 0x43B482: SYSTEM_$$_FREEMEM$POINTER$$QWORD (heap.inc:324)
==105501== by 0x4328CD: fpc_dynarray_clear (dynarr.inc:100)
==105501== by 0x439004: fpc_finalize (rtti.inc:268)
==105501== by 0x44A30B: LNFODWRF_$$_finalize$ (lnfodwrf.pp:1417)
==105501== by 0x43A078: SYSTEM_$$_FINALIZEUNITS (system.inc:1009)
==105501== by 0x43A3E8: SYSTEM_$$_INTERNALEXIT (system.inc:1090)
==105501== by 0x43A438: fpc_do_exit (system.inc:1133)
==105501== by 0x41F208: main (LazDebFpTest.lpr:18)
==105501== Address 0x1fea1 is not stack'd, malloc'd or (recently) free'd
==105501==

Tags: No tags attached.
Fixed in Revision:
FPCOldBugId:
FPCTarget: -
Attached Files:

Activities

Florian (administrator) 2021-01-04 16:56 ~0128075

Can you please post the output when lnfdwarf is compiled with DEBUG_DWARF_PARSER set (just change lnfdwarf.pp:58 appropriately)?

Martin Friebe (manager) 2021-01-31 18:55 ~0128714

Using fixes rev 48466
Testing on Ubuntu Linux
64bit Intel
-----------------------

Ok, there are over 100Mb of output. I find 2 calls to ReadAbbrevTable logging "Reading .debug_info at section offset "
The 1st seems to pass, the 2nd seems to have the crash.

Those are the last lines.... (assuming that all output got flushed)

Next opcode:
Special opcode $0D address increment: 0 new line: 1
Current state : address = 000000000044A0D4 file_id = 1 line = 759 column = 10 is_stmt = TRUE basic_block = FALSE end_sequence = FALSE prolouge_end = FALSE epilouge_begin = FALSE isa = 0
Found "heaptrc.pp"
Skipping LEB128 : 0
Skipping LEB128 : 0
Unit length: 96
32 bit DWARF detected
debug_info_offset: 0
address_size: 8
segment_size: 0
Unit length: 48
32 bit DWARF detected
debug_info_offset: 9050
address_size: 8
segment_size: 0
Unit length: 20384
32 bit DWARF detected
debug_info_offset: 9221
address_size: 8
segment_size: 0
Unit length: 656
32 bit DWARF detected
debug_info_offset: 299551
address_size: 8
segment_size: 0
Matching aranges entry $0000000000449FF0, $0000000000000133
Found .debug_info offset $0004921F from .debug_aranges
Reading .debug_info at section offset $000000000004921F
Unit length: 7432
32 bit DWARF detected
debug_abbrev_offset: 846
address_size: 8
Starting to read abbrev. section at $00000000014917EF
Abbrev 1 at offset 2 has tag $0011

------------------------------
running
objdump --dwarf=aranges LazDebFpTest > arange.txt
objdump: Error: LEB value too large
objdump: Error: LEB value too large
objdump: Error: LEB value too large
objdump: Error: LEB value too large
objdump: Error: LEB value too large

The exe file itself is too big to attach too. (10 MB zipped)

It is in Lazarus components\lazdebuggers\lazdebuggerfp\test\LazDebFpTest.lpi
Compiled with -O1 -gw3 -gh -gl
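The two failure modes this report touches, a ULEB128 abbreviation code that wraps to a negative Int64 index (Description) and a LEB value that does not fit in 64 bits (the "LEB value too large" objdump prints in the last note), shown as an added C example that is not FPC's code: read_uleb128, unchecked_index and checked_index are constructed here, not RTL routines, and the byte sequences used with them are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decode one unsigned LEB128 value from buf[*pos .. len).  Fails on a
 * truncated encoding and on one that does not fit in 64 bits (the case
 * objdump reports as "LEB value too large") instead of silently wrapping. */
static bool read_uleb128(const uint8_t *buf, size_t len, size_t *pos,
                         uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    while (*pos < len) {
        uint8_t b = buf[(*pos)++];
        uint64_t low7 = b & 0x7f;
        /* Payload bits that would land above bit 63: not representable. */
        if (shift >= 64 || (shift > 57 && (low7 >> (64 - shift)) != 0))
            return false;
        result |= low7 << shift;
        shift += 7;
        if ((b & 0x80) == 0) {
            *out = result;
            return true;
        }
    }
    return false; /* ran off the end of the buffer: truncated value */
}

/* The unchecked pattern from the report: a QWord abbreviation code stored
 * in an Int64 index.  On two's complement targets codes >= 2^63 turn
 * negative, so the element "before" the array (the dynarray header, for
 * FPC) is what gets touched. */
static int64_t unchecked_index(uint64_t nr)
{
    return (int64_t)nr;
}

/* Hardened variant: the code is used as an index only if it lies below a
 * caller-supplied bound (the table length, or a sane cap where the table
 * grows on demand); anything else is malformed input, not a resize. */
static bool checked_index(uint64_t nr, size_t bound, size_t *idx)
{
    if (nr >= bound)
        return false;
    *idx = (size_t)nr;
    return true;
}
```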

Issue History

Date Modified Username Field Change
2021-01-03 20:54 Martin Friebe New Issue
2021-01-04 16:56 Florian Note Added: 0128075
2021-01-21 21:18 Florian Assigned To => Florian
2021-01-21 21:18 Florian Status new => feedback
2021-01-21 21:18 Florian FPCTarget => -
2021-01-31 18:55 Martin Friebe Note Added: 0128714
2021-01-31 18:55 Martin Friebe Status feedback => assigned