Fix use-after-free when destroying objfile

The recent patch to heap-allocate compunit_symtabs introduced a
use-after-free that can occur when destroying an objfile.  The bug
here is that the objfile obstack is destroyed before compunit_symtabs;
but the compunit_symtabs destructor refers to the symtabs, which are
allocated on the obstack.

This patch fixes the problem.  This was reported using ASAN, but I
reproduced it with valgrind and verified that this fixes the problem.

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33435

diff --git a/gdb/objfiles.h b/gdb/objfiles.h
index 9566acfe33b005392e91e46baffc7579813f0b38..3c4e568b98c07e05bbbedd06f00667bd5d57e989 100644 (file)
--- a/gdb/objfiles.h
+++ b/gdb/objfiles.h
@@ -719,11 +719,6 @@ private:
   program_space *m_pspace;
 
 public:
-  /* List of compunits.
-     These are used to do symbol lookups and file/line-number lookups.  */
-
-  owning_intrusive_list<compunit_symtab> compunit_symtabs;
-
   /* The object file's BFD.  Can be null if the objfile contains only
      minimal symbols (e.g. the run time common symbols for SunOS4) or
      if the objfile is a dynamic objfile (e.g. created by JIT reader
@@ -751,6 +746,11 @@ public:
 
   auto_obstack objfile_obstack;
 
+  /* List of compunits.
+     These are used to do symbol lookups and file/line-number lookups.  */
+
+  owning_intrusive_list<compunit_symtab> compunit_symtabs;
+
   /* Structure which keeps track of functions that manipulate objfile's
      of the same type as this objfile.  I.e. the function to read partial
      symbols for example.  Note that this structure is in statically

diff --git a/gdb/symfile.c b/gdb/symfile.c
index eb969249f3fe9bfdfda12fb2225c58b78a3b777f..2406c569c2614535770f73ff9ed2a33f7902a8d0 100644 (file)
--- a/gdb/symfile.c
+++ b/gdb/symfile.c
@@ -2581,6 +2581,8 @@ reread_symbols (int from_tty)
            error (_("Can't read symbols from %s: %s."), objfile_name (&objfile),
                   bfd_errmsg (bfd_get_error ()));
 
+         objfile.compunit_symtabs.clear ();
+
          /* NB: after this call to obstack_free, objfiles_changed
             will need to be called (see discussion below).  */
          obstack_free (&objfile.objfile_obstack, 0);
@@ -2590,7 +2592,6 @@ reread_symbols (int from_tty)
          objfile.sect_index_data = -1;
          objfile.sect_index_rodata = -1;
          objfile.sect_index_text = -1;
-         objfile.compunit_symtabs.clear ();
          objfile.template_symbols = NULL;
          objfile.static_links.clear ();