Bug Report: decode command causes GDB segmentation fault

[Lv-viv]

Problem Description
When using the decode command in core_analyzer, GDB experiences a segmentation fault and crashes. This issue can be consistently reproduced when debugging multi-threaded programs.

Environment Information
Operating System: Linux (x86_64-pc-linux-gnu)
GDB Version: 16.3 (core_analyzer custom build)
Core Analyzer Version: 2.24 (latest)
Test Program: mallocTest (built-in test program)
Architecture: x86_64

Steps to Reproduce
Start GDB and load the test program:

gdb ./mallocTest

Run the program:

(gdb) r

After the program starts multiple threads, interrupt it using Ctrl+C:

^C

Execute the decode command:

(gdb) decode

Actual Behavior
GDB crashes immediately, showing a segmentation fault and a stack trace.

Stack Trace
Fatal signal: Segmentation fault
----- Backtrace -----
0x4f145b gdb_internal_backtrace_1
/opt/core_analyzer/build/gdb-16.3/build/../gdb/bt-utils.c:121
0x4f145b _Z22gdb_internal_backtracev
/opt/core_analyzer/build/gdb-16.3/build/../gdb/bt-utils.c:182
0x60553e handle_fatal_signal
/opt/core_analyzer/build/gdb-16.3/build/../gdb/event-top.c:1018
0x6056b4 handle_sigsegv
/opt/core_analyzer/build/gdb-16.3/build/../gdb/event-top.c:1089
0x7f5b304a032f ???
./signal/../sysdeps/unix/sysv/linux/x86_64/libc_sigaction.c:0
0x956ac8 bfd_get_flavour
./bfd.h:7958
0x956ac8 is32bit
/opt/core_analyzer/build/gdb-16.3/build/../bfd/bfd.

[yanqi27]

@Lv-viv
Thank you for the report. The function had crashes before. I haven't got a chance to debug it.

[Lv-viv]

Thank you for your reply. I tried to debug the stack trace, and here's what I found:

(gdb) frame
#0 bfd_sprintf_vma (abfd=0x0, buf=0x7fffffffce60 "\240\323\377\377\377\177", value=56) at /opt/core_analyzer/build/gdb-16.3/build/../bfd/bfd.c:2826
2826 if (!is32bit (abfd))
(gdb) bt
#0 bfd_sprintf_vma (abfd=0x0, buf=0x7fffffffce60 "\240\323\377\377\377\177", value=56) at /opt/core_analyzer/build/gdb-16.3/build/../bfd/bfd.c:2826
#1 0x000000000057e3cf in print_displacement (buf=buf@entry=0x7fffffffcf90 "-0x", disp=) at /opt/core_analyzer/build/gdb-16.3/build/../gdb/decode.c:1766
#2 0x0000000000580ae6 in print_one_operand (op_size=8, uiout=, op=) at /opt/core_analyzer/build/gdb-16.3/build/../gdb/decode.c:1805
According to the stack trace, the abfd parameter passed to bfd_sprintf_vma is NULL.

Based on the implementation of bfd_sprintf_vma, here's the relevant code:

static bool
is32bit (bfd *abfd)
{
if (bfd_get_flavour (abfd) == bfd_target_elf_flavour)
{
const struct elf_backend_data *bed = get_elf_backend_data (abfd);
return bed->s->elfclass == ELFCLASS32;
}

/* For non-ELF targets, use architecture information. */
return bfd_arch_bits_per_address (abfd) <= 32;
}

static inline enum bfd_flavour
bfd_get_flavour (const bfd *abfd)
{
return abfd->xvec->flavour;
}
The is32bit function calls bfd_get_flavour without checking the validity of the pointer parameter, which I believe is the cause of the crash.

[yanqi27]

Is the parameter, bfd_get_flavour (const bfd *abfd), null or invalid?

[Lv-viv]

through the stack and source code is a null pointer

`print_displacement(char *buf, bfd_vma disp)
{
bfd_signed_vma val = disp;
char tmp[30];
int i, j = 0;

if (val < 0)
{
	buf[j++] = '-';
	val = -disp;
}

buf[j++] = '0';
buf[j++] = 'x';

**bfd_sprintf_vma(NULL, tmp, (bfd_vma) val);**
for (i = 0; tmp[i] == '0'; i++)
	continue;
if (tmp[i] == '\0')
	i--;
strcpy(buf + j, tmp + i);

}`