#
282739 |
|
10-May-2015 |
markj |
ctf_add_type(): when looking up an integer or floating point type in the list of pending dynamic type definitions, a match on the type name is not sufficient - we need to compare the type encodings as well. For example, bitfields have their own distinct type definitions which share the name of the underlying integer type, and these types aren't generally interchangeable.
This bug was causing the following libdtrace error when attempting to trace the th_flags member of a struct tcphdr: cg: bad field: off 104 type <32877> bits 539620016
Reported by: rwatson MFC after: 3 weeks
|
#
279869 |
|
10-Mar-2015 |
markj |
When copying a type from a source CTF container to a destination container, ctf_add_type() first performs a by-name lookup of the type in the destination container. If this lookup returns a forward declaration for an enum, struct, or union, reset dst_type back to CTF_ERR, indicating that the source type is not in fact present in the destination container. This ensures that ctf_add_type() will also search the destination container's dynamic type list for the source type.
Without this change, a pair of mutually recursive struct definitions could cause infinite recursion in ctf_add_type() if the destination container only contained forward declarations for the struct types: ctf_add_type() recursively calls itself on each struct member's type, and the forward declarations meant that the dynamic type list search would be skipped.
MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
|
#
279864 |
|
10-Mar-2015 |
markj |
CTF containers use the ctf_dtoldid field as a threshold type index which indicates the range of type indices which have been committed to the container by ctf_update(). However, the top bit of the dtd_type field is not part of the type index; rather, it is a flag used to indicate that the corresponding CTF container is a parent. This is why the maximum CTF type index is 2^15 - 1 rather than 2^16 - 1. Therefore, this flag must be masked off (using the CTF_TYPE_TO_INDEX macro) when comparing a type index with the ctf_dtoldid field of a container.
This bug was causing libctf to erroneously free committed type definitions in ctf_discard(). libdtrace holds some references to such types, resulting in a use-after-free.
MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
|
#
279862 |
|
10-Mar-2015 |
markj |
ctf_discard(): fetch the next list element before restarting the loop. If we end up skipping a dynamic type because it has already been committed to the container, we would previously either set the loop variable to an uninitialized local variable, or set it to itself, resulting in an infinite loop.
MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
|