This is an archive of the discontinued LLVM Phabricator instance.

Differential D109937

[lldb] Handle malformed qfThreadInfo reply
ClosedPublic

Authored by ted on Sep 16 2021, 4:41 PM.

Details

Reviewers
clayborg
jingham
labath
mgorny
Commits
rG953ddded1aa2: [lldb] Handle malformed qfThreadInfo reply
Summary

If the remote gdbserver's qfThreadInfo reply has a trailing comma,
GDBRemoteCommunicationClient::GetCurrentProcessAndThreadIDs will return
an empty vector of thread ids. This will cause lldb to recurse through
three functions trying to get the list of threads, until it blows its
stack and crashes.

A trailing comma is a malformed response, but it shouldn't cause lldb to
crash. This patch will return the tids received before the malformed
response.

Diff Detail

Event Timeline

ted requested review of this revision.Sep 16 2021, 4:41 PM
ted created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptSep 16 2021, 4:41 PM
ted added reviewers: jingham, labath.Sep 16 2021, 4:42 PM
Herald added a subscriber: JDevlieghere. · View Herald TranscriptSep 16 2021, 4:42 PM
Harbormaster completed remote builds in B124308: Diff 373104.Sep 16 2021, 5:14 PM
clayborg added a comment.Sep 16 2021, 5:18 PM

We should make a test for this.

lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationClient.cpp
2916–2918

Might be nice to make sure we got LLDB_INVALID_PROCESS_ID back, as it might not always be zero?

labath added a reviewer: mgorny.Sep 17 2021, 12:46 AM

+1 for the test. It should be fairly easy to rig up a "gdb-remote client" test that sends such a packet.

lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationClient.cpp
2916–2918

pid == LLDB_INVALID_PROCESS_ID is a valid response if the stub does not support the multiprocess syntax. pid == GetPID() is a valid response if it supports it. IIRC, further validation/interpretation of these values is done in the caller.

2918–2919

Isn't it still possible to get the infinite recursion you mentioned, if the response consists only of a single comma ?

ted added a comment.Sep 17 2021, 8:01 AM

I agree about the test. I'll work on one.

lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationClient.cpp
2918–2919

Yes. I was wondering if the correct response to this case is to drop down and go through the "pid=tid=1" case from line 2931. What do you think?

ted added a comment.Sep 17 2021, 12:35 PM

I've got a test written. It doesn't crash like the debugger in the wild does, but it does give a tid of 0 for each thread I ask about. So I can assert if the threads don't have the correct tid.

With the patch, the test passes (gets the tids correctly)
Without the patch and asserts enabled, the test causes an assert in llvm::Optional
WIthout the patch and asserts disabled, the test fails when it checks the tid.

Which leads me to 1 more question - what should I do when we have a malformed response, and there are no threads listed? I'm leaning towards just falling through to the if at line 2931, and returning a pid and tid of 1. That's what we do if there's and empty response.

labath added a comment.Sep 19 2021, 11:45 PM
In D109937#3007071, @ted wrote:

I've got a test written. It doesn't crash like the debugger in the wild does, but it does give a tid of 0 for each thread I ask about. So I can assert if the threads don't have the correct tid.

I guess you forgot to upload it (?)

Which leads me to 1 more question - what should I do when we have a malformed response, and there are no threads listed? I'm leaning towards just falling through to the if at line 2931, and returning a pid and tid of 1. That's what we do if there's and empty response.

Sounds reasonable to me. We'd be basically treating it as if the stub did not support the packet at all.

ted updated this revision to Diff 374049.Sep 21 2021, 3:20 PM

[lldb] Handle malformed qfThreadInfo reply

Add requested test.
Refine handling of malformed reply with no valid threads.

Harbormaster completed remote builds in B124998: Diff 374049.Sep 21 2021, 3:23 PM
labath accepted this revision.Sep 22 2021, 1:37 AM
labath added inline comments.
lldb/test/API/functionalities/gdb_remote_client/TestThreadInfoTrailingComma.py
25–26

s/print/self.trace/

This revision is now accepted and ready to land.Sep 22 2021, 1:37 AM
ted updated this revision to Diff 374233.Sep 22 2021, 7:43 AM

Remove unneeded prints from test

ted marked an inline comment as done.Sep 22 2021, 7:45 AM

Prints were there for my debugging. They don't serve a purpose, so I've removed them.

Harbormaster completed remote builds in B125128: Diff 374233.Sep 22 2021, 7:45 AM
clayborg accepted this revision.Sep 22 2021, 8:32 AM
Closed by commit rG953ddded1aa2: [lldb] Handle malformed qfThreadInfo reply (authored by ted). · Explain WhySep 23 2021, 3:04 PM
This revision was automatically updated to reflect the committed changes.
ted added a commit: rG953ddded1aa2: [lldb] Handle malformed qfThreadInfo reply.

Revision Contents

PathSize
lldb/
source/
Plugins/
Process/
gdb-remote/
6 lines
test/
API/
functionalities/
gdb_remote_client/
27 lines

Diff 374678

lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationClient.cpp

Show First 20 LinesShow All 2,902 Lines▼ Show 20 Lines for (packet_result =
packet_result = packet_result =
SendPacketAndWaitForResponseNoLock("qsThreadInfo", response)) { SendPacketAndWaitForResponseNoLock("qsThreadInfo", response)) {
char ch = response.GetChar(); char ch = response.GetChar();
if (ch == 'l') if (ch == 'l')
break; break;
if (ch == 'm') { if (ch == 'm') {
do { do {
auto pid_tid = response.GetPidTid(LLDB_INVALID_PROCESS_ID); auto pid_tid = response.GetPidTid(LLDB_INVALID_PROCESS_ID);
// If we get an invalid response, break out of the loop.
// If there are valid tids, they have been added to ids.
// If there are no valid tids, we'll fall through to the
// bare-iron target handling below.
if (!pid_tid) if (!pid_tid)
return {}; break;
ids.push_back(pid_tid.getValue()); ids.push_back(pid_tid.getValue());
clayborgUnsubmitted
Not Done
ReplyInline Actions
auto pid_tid = response.GetPidTid(LLDB_INVALID_PROCESS_ID);
- if (!pid_tid) {
- // if ids is empty, this is an error
- if (ids.size() == 0)
- return {};
- // if ids is not empty, bail out from here and process ids
+ if (pid_tid == LLDB_INVALID_PROCESS_ID)
break;
- }
-
ids.push_back(pid_tid.getValue());
ch = response.GetChar(); // Skip the command separator

Might be nice to make sure we got LLDB_INVALID_PROCESS_ID back, as it might not always be zero?

clayborg: Might be nice to make sure we got LLDB_INVALID_PROCESS_ID back, as it might not always be zero?
labathUnsubmitted
Not Done
ReplyInline Actions

pid == LLDB_INVALID_PROCESS_ID is a valid response if the stub does not support the multiprocess syntax. pid == GetPID() is a valid response if it supports it. IIRC, further validation/interpretation of these values is done in the caller.

labath: pid == LLDB_INVALID_PROCESS_ID is a valid response if the stub does not support the…
ch = response.GetChar(); // Skip the command separator ch = response.GetChar(); // Skip the command separator
labathUnsubmitted
Not Done
ReplyInline Actions

Isn't it still possible to get the infinite recursion you mentioned, if the response consists only of a single comma ?

labath: Isn't it still possible to get the infinite recursion you mentioned, if the response consists…
tedAuthorUnsubmitted
Done
ReplyInline Actions

Yes. I was wondering if the correct response to this case is to drop down and go through the "pid=tid=1" case from line 2931. What do you think?

ted: Yes. I was wondering if the correct response to this case is to drop down and go through the…
} while (ch == ','); // Make sure we got a comma separator } while (ch == ','); // Make sure we got a comma separator
} }
} }
/* /*
* Connected bare-iron target (like YAMON gdb-stub) may not have support for * Connected bare-iron target (like YAMON gdb-stub) may not have support for
* qProcessInfo, qC and qfThreadInfo packets. The reply from '?' packet * qProcessInfo, qC and qfThreadInfo packets. The reply from '?' packet
* could * could
▲ Show 20 LinesShow All 1,393 LinesShow Last 20 Lines

lldb/test/API/functionalities/gdb_remote_client/TestThreadInfoTrailingComma.py

  • This file was added.
import lldb
from lldbsuite.test.lldbtest import *
from lldbsuite.test.decorators import *
from gdbclientutils import *
class TestThreadInfoTrailingComma(GDBRemoteTestBase):
def test(self):
class MyResponder(MockGDBServerResponder):
def haltReason(self):
return "T02thread:1"
def qfThreadInfo(self):
return "m1,2,3,4,"
self.server.responder = MyResponder()
target = self.dbg.CreateTarget('')
if self.TraceOn():
self.runCmd("log enable gdb-remote packets")
self.addTearDownHook(
lambda: self.runCmd("log disable gdb-remote packets"))
process = self.connect(target)
self.assertEqual(process.GetThreadAtIndex(0).GetThreadID(), 1)
self.assertEqual(process.GetThreadAtIndex(1).GetThreadID(), 2)
self.assertEqual(process.GetThreadAtIndex(2).GetThreadID(), 3)
labathUnsubmitted
Done
ReplyInline Actions

s/print/self.trace/

labath: s/print/self.trace/
self.assertEqual(process.GetThreadAtIndex(3).GetThreadID(), 4)