Function linux x64:由于调用函数时参数值发生不合理更改而导致分段错误
由于分段错误,应用程序经常转储内核,其回溯如下所示Function linux x64:由于调用函数时参数值发生不合理更改而导致分段错误,function,arguments,64-bit,coredump,Function,Arguments,64 Bit,Coredump,由于分段错误,应用程序经常转储内核,其回溯如下所示 (gdb) bt #0 0x00000039c6c71874 in strncpy () from /lib64/libc.so.6 #1 0x00000000016fab83 in CcString::CcString (this=0x470008e0, str=...) at ../../base/src/ccString.cpp:163 #2 0x00000000016face9 in CcString::operator= (th
(gdb) bt
#0 0x00000039c6c71874 in strncpy () from /lib64/libc.so.6
#1 0x00000000016fab83 in CcString::CcString (this=0x470008e0, str=...) at ../../base/src/ccString.cpp:163
#2 0x00000000016face9 in CcString::operator= (this=0x47000bf0, str=...) at ../../base/src/ccString.cpp:250
#3 0x0000000000441193 in RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &) (this=0x2af86a4de008, apNumber=0xb90160, aFormatType=NUMBER_FORMAT_TYPE_LDAP, aFormatedNumber=...) at ../main/RmsDbMgr.cpp:4465
#4 0x0000000000b1cacf in SessionMt::sendLdapQueryReq (this=0x2cb8d580, apNumber=0x2cb90160, aRecipient=true) at ../session/SessionMt.cpp:1600
在第4帧中,apNumber=0x2cb90160,但在第3帧中,其值更改为0xb90160,该指针随后导致分段错误
什么会导致这种情况发生?为什么第3帧的回溯格式看起来和其他行不太相似
我试过一点组装
(gdb) disass sendLdapQueryReq
Dump of assembler code for function SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool):
0x0000000000b1ca40 <+0>: mov %rbp,-0x28(%rsp)
0x0000000000b1ca45 <+5>: mov %r15,-0x8(%rsp)
0x0000000000b1ca4a <+10>: mov %rdi,%rbp
0x0000000000b1ca4d <+13>: mov %rbx,-0x30(%rsp)
0x0000000000b1ca52 <+18>: mov %r12,-0x20(%rsp)
0x0000000000b1ca57 <+23>: mov %rsi,%r15
0x0000000000b1ca5a <+26>: mov %r13,-0x18(%rsp)
0x0000000000b1ca5f <+31>: mov %r14,-0x10(%rsp)
0x0000000000b1ca64 <+36>: sub $0x208,%rsp
0x0000000000b1ca6b <+43>: mov %fs:0x28,%rax
0x0000000000b1ca74 <+52>: mov %rax,0x1c8(%rsp)
0x0000000000b1ca7c <+60>: xor %eax,%eax
0x0000000000b1ca7e <+62>: mov %dl,0x93(%rsp)
0x0000000000b1ca85 <+69>: movl $0x2,0x1c4(%rsp)
0x0000000000b1ca90 <+80>: callq 0x1c2b406 <mxLog::GetInstance()>
0x0000000000b1ca95 <+85>: movzbl 0x8(%rax),%eax
0x0000000000b1ca99 <+89>: test %al,%al
0x0000000000b1ca9b <+91>: jne 0xb1cbb8 <SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool)+376>
0x0000000000b1caa1 <+97>: lea 0x140(%rsp),%rdi
0x0000000000b1caa9 <+105>: callq 0x16f7570 <CcString::CcString()>
0x0000000000b1caae <+110>: mov 0xc8(%rbp),%rax
0x0000000000b1cab5 <+117>: lea 0x140(%rsp),%rcx
0x0000000000b1cabd <+125>: xor %edx,%edx
0x0000000000b1cabf <+127>: mov %r15,%rsi
0x0000000000b1cac2 <+130>: mov 0x28(%rax),%rax
0x0000000000b1cac6 <+134>: mov 0x58(%rax),%rdi
0x0000000000b1caca <+138>: callq 0x441110 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)>
=> 0x0000000000b1cacf <+143>: cmpq $0x0,0x150(%rsp)
0x0000000000b1cad8 <+152>: je 0xb1cb88 <SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool)+328>
0x0000000000b1cade <+158>: movl $0x2,0x1c4(%rsp)
和RmsDbMgr::GetFormattedNumber()的程序集,如下所示
(gdb) disass getFormatedNumber
Dump of assembler code for function RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &):
0x0000000000441110 <+0>: mov %rbp,-0x28(%rsp)
0x0000000000441115 <+5>: mov %r13,-0x18(%rsp)
0x000000000044111a <+10>: mov %edx,%ebp
0x000000000044111c <+12>: mov %r14,-0x10(%rsp)
0x0000000000441121 <+17>: mov %r15,-0x8(%rsp)
0x0000000000441126 <+22>: mov %rdi,%r14
0x0000000000441129 <+25>: mov %rbx,-0x30(%rsp)
0x000000000044112e <+30>: mov %r12,-0x20(%rsp)
0x0000000000441133 <+35>: sub $0x178,%rsp
0x000000000044113a <+42>: mov %fs:0x28,%rax
0x0000000000441143 <+51>: mov %rax,0x138(%rsp)
0x000000000044114b <+59>: xor %eax,%eax
0x000000000044114d <+61>: test %rsi,%rsi
0x0000000000441150 <+64>: mov %rsi,%r13
0x0000000000441153 <+67>: mov %rcx,%r15
0x0000000000441156 <+70>: je 0x4411e0 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)+208>
0x000000000044115c <+76>: cmp $0x2,%edx
0x000000000044115f <+79>: jg 0x4411e0 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)+208>
0x0000000000441165 <+85>: lea 0x100(%rsp),%rdi
0x000000000044116d <+93>: callq 0x16f7570 <CcString::CcString()>
0x0000000000441172 <+98>: movzwl 0x53e74(%r14),%esi
0x000000000044117a <+106>: lea 0x100(%rsp),%rdi
0x0000000000441182 <+114>: callq 0x16f90e0 <CcString::operator+=(u16_t const)>
0x0000000000441187 <+119>: lea 0x8(%r13),%rsi
0x000000000044118b <+123>: mov %r15,%rdi
0x000000000044118e <+126>: callq 0x16facc0 <CcString::operator=(CcString const&)>
=> 0x0000000000441193 <+131>: movl $0x2,0x134(%rsp)
0x000000000044119e <+142>: callq 0x1c2b406 <mxLog::GetInstance()>
0x00000000004411a3 <+147>: movzbl 0x8(%rax),%eax
0x00000000004411a7 <+151>: test %al,%al
然后在做任何事情之前,%rsi被分配给%r13,但现在r13有一个不同的值,这是错误的
(gdb) p/x $r13
$9 = 0xb90160
任何人都可以帮助找出它有什么问题?这类问题的一个常见原因是
strncpy
覆盖一些程序数据。仔细检查传递给它的指针和长度参数。同时检查范围重叠(在[src,src+len)和[dst,dst+len”)。%r15和%r13是调用方寄存器,不在内存中。同样从第2帧开始,它访问了不正确的内存指针0xb90160,我认为这是导致分段错误的原因,而且在我使用-fstack-protector选项编译应用程序后,它没有崩溃。但据我所知-fstack-protector应该故意在如果我的代码中存在导致该问题的问题,则会发生堆栈溢出。
(gdb) x/a $rsp+0x178-0x8
0x47000aa0: 0x2cb90160
(gdb) p/x $r13
$9 = 0xb90160