SBValues referencing deallocated memory

Hi,

We’re running into a problem where a Python SBValue references stale memory. It can be reproduced by evaluating an expression with a constant string:

var1 = frame.EvaluateExpression("“ABCDEFGEH”")

var2 = frame.EvaluateExpression("“123456789"”)
print(var1.GetSummary())

print(var2.GetSummary())

This will print

“123456789”
“123456789”

and not as you would expect

“ABCDEFGEH”

“123456789”

If you print the addresses,

print(var1.AddressOf())

print(var2.AddressOf())

they’re the same, e.g.

(const char ()[10]) &$0 = 0x0000012d787c0010
(const char (
)[10]) &$1 = 0x0000012d787c0010

Walking through the code, it seems like the SBValues (var1 and var2) point to deallocated memory. The memory is allocated and owned by ClangUserExpression and deallocated by its destructor, but the SBValues are clinging to the address (see callstacks below).

What’s the best approach to deal with this? Could the ownership somehow be transferred to the SBValue? Any pointers?

Thanks,

  • Lutz

********* CALLSTACK FOR ALLOCATION OF THE CONSTANT STRING *********

_lldb.pyd!lldb_private::AllocatedMemoryCache::AllocateMemory(unsigned __int64 byte_size, unsigned int permissions, lldb_private::Status & error) Line 373 C++
_lldb.pyd!lldb_private::Process::AllocateMemory(unsigned __int64 size, unsigned int permissions, lldb_private::Status & error) Line 2560 C++
_lldb.pyd!lldb_private::IRMemoryMap::Malloc(unsigned __int64 size, unsigned char alignment, unsigned int permissions, lldb_private::IRMemoryMap::AllocationPolicy policy, bool zero_memory, lldb_private::Status & error) Line 389 C++
_lldb.pyd!lldb_private::IRExecutionUnit::CommitOneAllocation(std::shared_ptr<lldb_private::Process> & process_sp, lldb_private::Status & error, lldb_private::IRExecutionUnit::AllocationRecord & record) Line 1116 C++
_lldb.pyd!lldb_private::IRExecutionUnit::CommitAllocations(std::shared_ptr<lldb_private::Process> & process_sp) Line 1125 C++
_lldb.pyd!lldb_private::IRExecutionUnit::GetRunnableInfo(lldb_private::Status & error, unsigned __int64 & func_addr, unsigned __int64 & func_end) Line 363 C++
_lldb.pyd!lldb_private::ClangExpressionParser::PrepareForExecution(unsigned __int64 & func_addr, unsigned __int64 & func_end, std::shared_ptr<lldb_private::IRExecutionUnit> & execution_unit_sp, lldb_private::ExecutionContext & exe_ctx, bool & can_interpret, lldb_private::ExecutionPolicy execution_policy) Line 1221 C++
_lldb.pyd!lldb_private::ClangUserExpression::Parse(lldb_private::DiagnosticManager & diagnostic_manager, lldb_private::ExecutionContext & exe_ctx, lldb_private::ExecutionPolicy execution_policy, bool keep_result_in_memory, bool generate_debug_info) Line 554 C++
_lldb.pyd!lldb_private::UserExpression::Evaluate(lldb_private::ExecutionContext & exe_ctx, const lldb_private::EvaluateExpressionOptions & options, llvm::StringRef expr, llvm::StringRef prefix, lldb_private::SharingPtr<lldb_private::ValueObject> & result_valobj_sp, lldb_private::Status & error, unsigned int line_offset, std::basic_string<char,std::char_traits,std::allocator > * fixed_expression, std::shared_ptr<lldb_private::Module> * jit_module_sp_ptr, lldb_private::ValueObject * ctx_obj) Line 258 C++
_lldb.pyd!lldb_private::Target::EvaluateExpression(llvm::StringRef expr, lldb_private::ExecutionContextScope * exe_scope, lldb_private::SharingPtr<lldb_private::ValueObject> & result_valobj_sp, const lldb_private::EvaluateExpressionOptions & options, std::basic_string<char,std::char_traits,std::allocator > * fixed_expression, lldb_private::ValueObject * ctx_obj) Line 2406 C++
_lldb.pyd!lldb_private::ValueObject::CreateValueObjectFromExpression(llvm::StringRef name, llvm::StringRef expression, const lldb_private::ExecutionContext & exe_ctx, const lldb_private::EvaluateExpressionOptions & options) Line 3136 C++
_lldb.pyd!lldb::SBValue::CreateValueFromExpression(const char * name, const char * expression, lldb::SBExpressionOptions & options) Line 725 C++
_lldb.pyd!lldb::SBValue::CreateValueFromExpression(const char * name, const char * expression) Line 712 C++
_lldb.pyd!_wrap_SBValue_CreateValueFromExpression__SWIG_0(_object * __formal, _object * args) Line 71739 C++
_lldb.pyd!_wrap_SBValue_CreateValueFromExpression(_object * self, _object * args) Line 71839 C++

********* CALLSTACK FOR DEALLOCATION OF THE CONSTANT STRING *********

_lldb.pyd!lldb_private::AllocatedBlock::FreeBlock(unsigned __int64 addr) Line 318 C++
_lldb.pyd!lldb_private::AllocatedMemoryCache::DeallocateMemory(unsigned __int64 addr) Line 407 C++
_lldb.pyd!lldb_private::Process::DeallocateMemory(unsigned __int64 ptr) Line 2613 C++
_lldb.pyd!lldb_private::IRMemoryMap::Free(unsigned __int64 process_address, lldb_private::Status & error) Line 475 C++
_lldb.pyd!lldb_private::IRMemoryMap::~IRMemoryMap() Line 36 C++
_lldb.pyd!lldb_private::IRExecutionUnit::~IRExecutionUnit() Line 495 C++
_lldb.pyd!lldb_private::IRExecutionUnit::scalar deleting destructor'(unsigned int) C++ _lldb.pyd!lldb_private::LLVMUserExpression::~LLVMUserExpression() Line 65 C++ _lldb.pyd!lldb_private::ClangUserExpression::scalar deleting destructor’(unsigned int) C++
_lldb.pyd!std::_Ref_count_base::_Decref() Line 848 C++
_lldb.pyd!lldb_private::UserExpression::Evaluate(lldb_private::ExecutionContext & exe_ctx, const lldb_private::EvaluateExpressionOptions & options, llvm::StringRef expr, llvm::StringRef prefix, lldb_private::SharingPtr<lldb_private::ValueObject> & result_valobj_sp, lldb_private::Status & error, unsigned int line_offset, std::basic_string<char,std::char_traits,std::allocator > * fixed_expression, std::shared_ptr<lldb_private::Module> * jit_module_sp_ptr, lldb_private::ValueObject * ctx_obj) Line 384 C++
_lldb.pyd!lldb_private::Target::EvaluateExpression(llvm::StringRef expr, lldb_private::ExecutionContextScope * exe_scope, lldb_private::SharingPtr<lldb_private::ValueObject> & result_valobj_sp, const lldb_private::EvaluateExpressionOptions & options, std::basic_string<char,std::char_traits,std::allocator > * fixed_expression, lldb_private::ValueObject * ctx_obj) Line 2406 C++
_lldb.pyd!lldb_private::ValueObject::CreateValueObjectFromExpression(llvm::StringRef name, llvm::StringRef expression, const lldb_private::ExecutionContext & exe_ctx, const lldb_private::EvaluateExpressionOptions & options) Line 3136 C++
_lldb.pyd!lldb::SBValue::CreateValueFromExpression(const char * name, const char * expression, lldb::SBExpressionOptions & options) Line 725 C++
_lldb.pyd!lldb::SBValue::CreateValueFromExpression(const char * name, const char * expression) Line 712 C++
_lldb.pyd!_wrap_SBValue_CreateValueFromExpression__SWIG_0(_object * __formal, _object * args) Line 71739 C++
_lldb.pyd!_wrap_SBValue_CreateValueFromExpression(_object * self, _object * args) Line 71839 C++

This can also be reproduced in the command line like this:

(lldb) expr “foo”
(const char [4]) $0 = “foo”
(lldb) expr “bar”
(const char [4]) $1 = “bar”
(lldb) expr $0
(const char [4]) $0 = “bar”

This however works just fine:

(lldb) expr char c[] = “foo”; c
(char [4]) $0 = “foo”
(lldb) expr char c[] = “bar”; c
(char [4]) $1 = “bar”
(lldb) expr $0
(char [4]) $0 = “foo”

I don’t know the related code so well, but from what I remember we have a storage mechanism for persistent variables that we fill up (in the ‘Materializer’ IIRC). We probably just copy the pointer itself to this storage but not the memory it points to. I guess we could tweak that logic to detect pointers that point into memory LLDB allocated and then either extract the necessary memory into our storage or keep the related sections around.

Anyway, I filed https://bugs.llvm.org/show_bug.cgi?id=44155 and I will ask around what solution people would prefer once thanksgiving is over.

You can find a kind of a description of how this is meant to work in <http://lists.llvm.org/pipermail/lldb-dev/2019-October/015703.html>.

Persisting string literals that were typed into the expression seems reasonable and hopefully not too difficult, and it would kind of match what happens during "normal" compilation. Doing that for random "const char *"s that you happen to stumble upon in the result variable seems more problematic, and I'm not sure we should even try...

pl