-----Original Message-----
> diff --git a/gdb-10.2.patch b/gdb-10.2.patch
> index 1332b6638028..16165839b360 100644
> --- a/gdb-10.2.patch
> +++ b/gdb-10.2.patch
> @@ -1591,3 +1591,32 @@
> max += 2;
> limit = cols / max;
> if (limit != 1 && (limit * max == cols))
> +--- gdb-10.2/gdb/ada-lang.c.orig
> ++++ gdb-10.2/gdb/ada-lang.c
> +@@ -997,7 +997,7 @@ ada_fold_name (gdb::string_view name)
> + int len = name.size ();
> + GROW_VECT (fold_buffer, fold_buffer_size, len + 1);
> +
> +- if (name[0] == '\'')
> ++ if (name.size () > 0 && name[0] == '\'')
> + {
> + strncpy (fold_buffer, name.data () + 1, len - 2);
> + fold_buffer[len - 2] = '\000';
> +@@ -1006,7 +1006,7 @@ ada_fold_name (gdb::string_view name)
> + {
> + int i;
> +
> +- for (i = 0; i <= len; i += 1)
> ++ for (i = 0; i < len; i++)
> + fold_buffer[i] = tolower (name[i]);
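Review bot: the rewritten loop `++ for (i = 0; i < len; i++)` drops the terminator write: the old `i <= len` iteration copied name[len], which served as the '\0' whenever the view was backed by a NUL-terminated string, so in the else branch fold_buffer[len] is now left with stale contents and anything that reads the result as a C string runs past it. Add `fold_buffer[i] = '\0';` after the loop, as 2ccee230f830 ("Fix off-by-one error in ada_fold_name") does; `GROW_VECT (fold_buffer, fold_buffer_size, len + 1)` already reserves that byte, so the write is in bounds even for len == 0. The new `name.size () > 0` guard also covers only the empty case on the quote branch: for a one-byte name consisting of a lone quote, `strncpy (fold_buffer, name.data () + 1, len - 2)` still receives a negative length converted to size_t.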
According to 2ccee230f830 ("Fix off-by-one error in ada_fold_name"),
please add this:
+ fold_buffer[i] = '\0';
No, the above change will definitely cause a core dump because it assigns the value '\0' to a null pointer when the name string is null.
Hmm, I'm not familiar with gdb source, could you explain a little more?
The following is the function with your patch.
static char *
ada_fold_name (gdb::string_view name)
{
  static char *fold_buffer = NULL;
  static size_t fold_buffer_size = 0;

  int len = name.size ();
  GROW_VECT (fold_buffer, fold_buffer_size, len + 1);

  if (name.size () > 0 && name[0] == '\'')
    {
      strncpy (fold_buffer, name.data () + 1, len - 2);
      fold_buffer[len - 2] = '\000';
    }
  else
    {
      int i;

      for (i = 0; i < len; i++)
        fold_buffer[i] = tolower (name[i]);
    }

  return fold_buffer;
}
The GROW_VECT() looks like it allocates 1 byte for fold_buffer if name.size() is zero.
Then len is zero, nothing is done in the for loop, and fold_buffer[i]
(== fold_buffer[0]) can be set to '\0', I thought.
+ fold_buffer[i] = '\0';
And as far as I've tried, no abort occurred.
Thanks,
Kazu
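As an added illustration of the point discussed in this thread (example code, not GDB's own): a stand-alone model of the folding loop, once as the patched loop without a terminator and once with the `fold_buffer[i] = '\0'` write, plus a sentinel-filled buffer that shows whether the byte at len was written. GROW_VECT, gdb::string_view and the static buffer are replaced by a caller-supplied buffer of at least len + 1 bytes, and the `len >= 2` guard on the quoted branch is this example's assumption.

```c
#include <ctype.h>
#include <string.h>

/* Mirrors only the patched loop: lower-cases len bytes but writes no
   terminator, so buf[len] keeps whatever it held before. */
static void fold_unterminated (const char *name, size_t len, char *buf)
{
  for (size_t i = 0; i < len; i++)
    buf[i] = (char) tolower ((unsigned char) name[i]);
}

/* Corrected form: same loop plus the terminator that the old `i <= len`
   iteration used to copy from name[len].  With len == 0 the only write is
   buf[0] = '\0', which fits the len + 1 bytes GROW_VECT reserves. */
static void fold_terminated (const char *name, size_t len, char *buf)
{
  size_t i;
  if (len >= 2 && name[0] == '\'')
    {
      /* Quoted name: strip the quotes, keep case.  The len >= 2 guard is
         this example's assumption; it keeps len - 2 from wrapping. */
      memcpy (buf, name + 1, len - 2);
      buf[len - 2] = '\0';
      return;
    }
  for (i = 0; i < len; i++)
    buf[i] = (char) tolower ((unsigned char) name[i]);
  buf[i] = '\0';
}

/* 1 if FOLD leaves a NUL within the len + 1 bytes a caller may read as a
   C string; the buffer is pre-filled with 0xFF so a missing write shows. */
static int terminated_after (void (*fold) (const char *, size_t, char *),
                             const char *name)
{
  char buf[64];
  size_t len = strlen (name);
  memset (buf, 0xFF, sizeof buf);
  fold (name, len, buf);
  return memchr (buf, '\0', len + 1) != NULL;
}

/* 1 if the corrected fold of NAME equals EXPECTED. */
static int folds_to (const char *name, const char *expected)
{
  char buf[64];
  fold_terminated (name, strlen (name), buf);
  return strcmp (buf, expected) == 0;
}
```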