NetBSD-Bugs archive


toolchain/59549: gdb is not ctype(3) safe



>Number:         59549
>Category:       toolchain
>Synopsis:       gdb is not ctype(3) safe
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    toolchain-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 24 14:00:01 +0000 2025
>Originator:     Thomas Klausner
>Release:        NetBSD 10.99.14
>Organization:

>Environment:
Architecture: x86_64
Machine: amd64
>Description:
While debugging a program that was not using the ctype(3) interface correctly,
gdb dumped core as well.

This is the program failing:
(gdb) r
Starting program: /usr/pkg/bin/Guitar
[New process 28508]
ctype(3) isupper: invalid input: -61

And this is gdb failing:

Thread 10 "gdb worker" received signal SIGABRT, Aborted.
[Switching to LWP 16996 of process 28508]
0x000075433d78b4da in _lwp_kill () from /usr/lib/libc.so.12
(gdb) bt
#0  0x000075433d78b4da in _lwp_kill () from /usr/lib/libc.so.12
#1  0x000075433d796914 in abort () at /usr/src/lib/libc/stdlib/abort.c:74
#2  0x000075433d786c13 in ctype_nasaldemon (func=func@entry=0x75433d7b4098 <__func__.7> "isupper", c=<optimized out>) at /usr/src/lib/libc/gen/isctype.c:65
#3  0x000075433d787035 in ctype_check (c=<optimized out>, func=0x75433d7b4098 <__func__.7> "isupper") at /usr/src/lib/libc/gen/isctype.c:73
#4  isupper (c=<optimized out>) at /usr/src/lib/libc/gen/isctype.c:102
#5  0x000000000088bd82 in ada_decode[abi:cxx11](char const*, bool, bool, bool) () at /usr/src/external/gpl3/gdb/lib/libgdb/../../dist/gdb/ada-lang.c:1563
#6  0x0000000000bdb235 in ada_language::sniff_from_mangled_name () at /usr/src/external/gpl3/gdb/lib/libgdb/../../dist/gdb/ada-lang.c:13531
#7  0x00000000006d15f9 in symbol_find_demangled_name () at /usr/src/external/gpl3/gdb/lib/libgdb/../../dist/gdb/symtab.c:961
#8  0x000000000072a0f0 in operator() () at /usr/src/external/gpl3/gdb/lib/libgdb/../../dist/gdb/minsyms.c:1494
#9  0x0000000000ba76b1 in std::function<void()>::operator() () at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/std_function.h:591
#10 std::__invoke_impl<void, std::function<void()>&> () at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/invoke.h:61
#11 std::__invoke_r<void, std::function<void()>&> () at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/invoke.h:111
#12 std::__future_base::_Task_state<std::function<void ()>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}::operator()() const () at /usr/obj/amd64.gcc.20250624/usr/include/g++/future:1489
#13 std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::function<void ()>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}, void>::operator()() const () at /usr/obj/amd64.gcc.20250624/usr/include/g++/future:1430
#14 std::__invoke_impl<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::function<void ()>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}, void>&>(std::__invoke_other, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::function<void ()>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}, void>&) ()
    at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/invoke.h:61
#15 std::__invoke_r<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::function<void ()>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}, void>&>(std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::function<void ()>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}, void>&) ()
    at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/invoke.h:116
#16 std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_state<std::function<void ()>, std::allocator<int>, void ()>::_M_run()::{lambda()#1}, void> >::_M_invoke(std::_Any_data const&) ()
    at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/std_function.h:291
#17 0x0000000000ba762f in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>()>::operator() ()
    at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/std_function.h:591
#18 std::__future_base::_State_baseV2::_M_do_set () at /usr/obj/amd64.gcc.20250624/usr/include/g++/future:587
#19 0x000075433dcae711 in pthread_once (once_control=0x7542fffd0388, routine=0x75433db44bca <std::__once_proxy()>) at /usr/src/lib/libpthread/pthread_once.c:66
#20 0x0000000000ba7b1f in __gthread_once () at /usr/obj/amd64.gcc.20250624/usr/include/g++/bits/gthr-default.h:703
#21 std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>()>*, bool*> () at /usr/obj/amd64.gcc.20250624/usr/include/g++/mutex:891
#22 0x0000000000a8bd99 in std::__future_base::_State_baseV2::_M_set_result () at /usr/obj/amd64.gcc.20250624/usr/include/g++/future:426
#23 std::__future_base::_Task_state<std::function<void()>, std::allocator<int>, void()>::_M_run () at /usr/obj/amd64.gcc.20250624/usr/include/g++/future:1492
#24 std::packaged_task<void()>::operator() () at /usr/obj/amd64.gcc.20250624/usr/include/g++/future:1626
#25 gdb::thread_pool::thread_function () at /usr/src/external/gpl3/gdb/lib/libgdbsupport/../../dist/gdbsupport/thread-pool.cc:245
#26 0x000075433db43d3b in std::execute_native_thread_routine (__p=0x75433d3c6d80) at /usr/src/external/gpl3/gcc/dist/libstdc++-v3/src/c++11/thread.cc:82
#27 0x000075433dcb32e1 in pthread__create_tramp (cookie=0x75433d3a9800) at /usr/src/lib/libpthread/pthread.c:605
#28 0x000075433d6706e0 in ?? () from /usr/lib/libc.so.12
#29 0x0000000000200000 in ?? ()
#30 0x0000000000000000 in ?? ()
(gdb)

I'm still confused why
/usr/src/external/gpl3/gdb/lib/libgdb/../../dist/gdb/ada-lang.c:1563
is in the backtrace, but when you read that file, you can see that it
calls isupper(), isalpha() and isdigit() on both 'const char' and
'std::string' in many many places, without checking the range or
casting to 'unsigned char' first.
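
The ctype(3) argument contract that the report is about, shown as an added example (this is not gdb's or NetBSD libc's code): every ctype function takes an int that must be EOF or a value representable as unsigned char. Passing a plain char that holds a byte >= 0x80 on a signed-char platform such as amd64 sign-extends it to a negative int (-61 for byte 0xC3), which NetBSD's ctype_check rejects with the abort seen above; on other libcs the same call is silent undefined behaviour. The helper names ctype_arg_ok, ctype_arg_unsafe, ctype_arg_safe, count_upper and count_unsafe_bytes are hypothetical, chosen for illustration, and the sample string is constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical checker mirroring the ctype(3) contract: the argument must be
 * EOF or a value in 0..UCHAR_MAX. NetBSD's libc enforces this at run time
 * (the "invalid input: -61" abort in the report); elsewhere a violation is
 * undefined behaviour that usually goes unnoticed. */
bool ctype_arg_ok(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* What an uncast 'char' turns into when handed to isupper(): on a platform
 * where char is signed, bytes >= 0x80 become negative (0xC3 -> -61). */
int ctype_arg_unsafe(char ch)
{
    return (int)ch;
}

/* The correct conversion: go through unsigned char first, giving 0..255,
 * which is always a valid ctype(3) argument. */
int ctype_arg_safe(char ch)
{
    return (unsigned char)ch;
}

/* Count upper-case ASCII letters in a NUL-terminated string that may contain
 * non-ASCII bytes (UTF-8 sequences, for instance), using the safe cast. The
 * same cast applies when iterating a std::string in C++. */
size_t count_upper(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (isupper((unsigned char)*s))
            n++;
    }
    return n;
}

/* Count the bytes in 's' that an uncast call would pass to ctype(3) as an
 * out-of-range value; zero on platforms where char is unsigned. */
size_t count_unsafe_bytes(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (!ctype_arg_ok(ctype_arg_unsafe(*s)))
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: an identifier containing UTF-8 'Ã' (bytes 0xC3 0x83),
     * the byte value from the report. */
    const char sample[] = "Ada_\xC3\x83Guitar";
    printf("upper-case ASCII letters: %zu\n", count_upper(sample));
    printf("bytes an uncast isupper() would pass out of range: %zu\n",
           count_unsafe_bytes(sample));
    return 0;
}
```

The result is locale-dependent only in the sense that isupper() is: the program never calls setlocale(), so it runs in the "C" locale where only ASCII letters are classified, and count_upper() returns 2 for the sample. The point of the example is the cast, not the count: the NetBSD abort is what turns an otherwise invisible undefined-behaviour bug into something a debugger session surfaces.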

>How-To-Repeat:
cd /usr/pkgsrc/wip/Guitar
make install
gdb --args gdb Guitar
r

>Fix:

Please.

>Unformatted: