#13720 closed bug (fixed)
kernel debugger demangler add-ons fail to properly handle some symbols
| Reported by: | anevilyak | Owned by: | korli |
|---|---|---|---|
| Priority: | normal | Milestone: | R1/beta3 |
| Component: | System/Kernel | Version: | R1/Development |
| Keywords: | Cc: | bonefish, axeld | |
| Blocked By: | Blocking: | #11249 | |
| Platform: | All |
Description
The symbol _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE12_M_constructIPcEEvT_S7_St20forward_iterator_tag.isra.25 causes issues for both the gcc3+ demangler, and the gcc2 demangler, though it should theoretically be valid for the former.
c++filt decodes this symbol as void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) [clone .isra.25], but our Itanium demangler [1] appears to fail to parse one of the function parameter types based on some preliminary investigation.
In both the kernel and the userland debugger's Demangler helper [2], it then attempts to fall back to the gcc2 demangler [3]. However, this exposes a second issue: the latter, rather than failing to parse the symbol, appears to determine it to be valid, and then performs an out of bounds memory access while attempting to decode it. As this code is also used kernel-side, this potentially presents several (possibly crashing) issues.
[1] http://cgit.haiku-os.org/haiku/tree/src/add-ons/kernel/debugger/demangle/gcc3+.cpp
[2] http://cgit.haiku-os.org/haiku/tree/src/kits/debugger/demangler/Demangler.cpp
[3] http://cgit.haiku-os.org/haiku/tree/src/add-ons/kernel/debugger/demangle/gcc2.cpp
Change History (11)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
| Blocking: | 13537 added |
|---|
follow-up: 4 comment:3 by , 7 years ago
A good idea would be to extend http://cgit.haiku-os.org/haiku/tree/src/tests/add-ons/kernel/debugger/gcc2_demangle_test.cpp with gcc3+_demangle_test.cpp.
comment:4 by , 7 years ago
Replying to korli:
A good idea would be to extend http://cgit.haiku-os.org/haiku/tree/src/tests/add-ons/kernel/debugger/gcc2_demangle_test.cpp with gcc3+_demangle_test.cpp.
Will look into that. In any case, it appears this might be a GNU ABI extension, relevant info can be found at https://gcc.gnu.org/bugzilla/show_bug.cgi?id=40831
comment:5 by , 6 years ago
| Blocking: | 13537 removed |
|---|
comment:6 by , 6 years ago
| Blocking: | 11249 added |
|---|
comment:7 by , 3 years ago
| Owner: | changed from to |
|---|
Proposed change: https://review.haiku-os.org/c/haiku/+/4084
comment:8 by , 3 years ago
| Milestone: | Unscheduled → R1/beta3 |
|---|
comment:10 by , 3 years ago
Does this mean the GCC2 demangler would still crash on this one if someone would feed it this symbol?
Enabling tracing in the gcc3+ add-on appears to isolate the issue to being the trailing suffix:
_ParseType(): "St20forward_iterator_tag.isra.25" _ParseTypeInternal(): "St20forward_iterator_tag.isra.25" _TryParseBuiltinType(): "St20forward_iterator_tag.isra.25" _TryParseBuiltinType() done _ParseName(): "St20forward_iterator_tag.isra.25" _ParseUnqualifiedName(): "20forward_iterator_tag.isra.25" _ParseSourceName(): "20forward_iterator_tag.isra.25" _ParseNumber(): "20forward_iterator_tag.isra.25" _ParseNumber() done _ParseSourceName() done _ParseUnqualifiedName() done _ParseName() done _ParseTypeInternal() done _ParseType() done _ParseType(): ".isra.25" _ParseTypeInternal(): ".isra.25" _TryParseBuiltinType(): ".isra.25" _TryParseBuiltinType() done _ParseName(): ".isra.25" _ParseUnqualifiedName(): ".isra.25" _ParseOperatorName(): ".isra.25" _SetError(): 3, remaining input: ".isra.25" _ParseOperatorName() done _ParseUnqualifiedName() done _ParseName() done _ParseTypeInternal() done _ParseType() done _ParseBareFunctionType() done _ParseEncoding() done Demangle() done