Discussion:
[ast-developers] Populating indexed type array with compound variables triggers a crash...
Roland Mainz
2013-07-17 22:36:04 UTC
Hi!

----

The following testcase (which should populate a type array with data)
triggers a crash in ast-ksh.2013-06-28 on SuSE 12.3/AMD64/64bit. The crash is a
memcpy() in clone_type() (nvtype.c:474) whose source pointer is 0x1; every
member of the nr->nvalue union reads as 1 (see the gdb output below), which looks
like an inline scalar value (the `bool` field set to true) being treated as a
char* while cloning the type — i.e. a read through a non-pointer union member,
not a write. Worth confirming against the type/array code before assuming this
is only a NULL/near-NULL deref:
-- snip --
$ gdb --args ../build_i386_64bit_debug/arch/linux.i386-64/bin/ksh -c
'typeset -T p_t=( integer fd ; compound events=( bool pollin=false )
revents=() ) ; compound c ; p_t -a c.p=( [0]=( fd=0 ; events=( bool
pollin=true pollout=false ) ) ) ; print -v c '
Reading symbols from
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/arch/linux.i386-64/bin/ksh...done.
(gdb) run
Starting program:
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/arch/linux.i386-64/bin/ksh
-c typeset\ -T\ p_t=\(\ integer\ fd\ \;\ compound\ events=\(\ bool\
pollin=false\ \)\ revents=\(\)\ \)\ \;\ compound\ c\ \;\ p_t\ -a\
c.p=\(\ \[0\]=\(\ fd=0\ \;\ events=\(\ bool\ pollin=true\
pollout=false\ \)\ \)\ \)\ \;\ print\ -v\ c\

Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2794
2794 movzwl (%rsi), %edx
(gdb) where
#0 __memcpy_ssse3_back () at
../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2794
#1 0x0000000000498aa8 in clone_type (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512, fp=0x7ffff7f2f590)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvtype.c:474
#2 0x0000000000495ce9 in clone_all_disc (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvdisc.c:893
#3 0x0000000000495f28 in nv_clone (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvdisc.c:944
#4 0x00000000004a4622 in nv_arraysettype (np=0x7ffff7f2df20,
tp=0x7ffff7f2de60, sub=0x80444a <numbuff.7456+10> "0", flags=0)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/array.c:453
#5 0x000000000049ca45 in nv_settype (np=0x7ffff7f2df20,
tp=0x7ffff7f2de60, flags=0) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvtype.c:1407
#6 0x000000000048fe9a in setall (argv=0x7ffff7f1dc80, flag=512,
troot=0x7ffff7ee2340, tp=0x7fffffffd1f0)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/bltins/typeset.c:731
#7 0x000000000048ee8a in b_typeset (argc=3, argv=0x7ffff7f1dc78,
context=0x803758 <sh+1368>)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/bltins/typeset.c:458
#8 0x0000000000468caa in sh_exec (shp=0x803200 <sh>,
t=0x7ffff7f1d8a0, flags=4) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/xec.c:1357
#9 0x000000000046bd0e in sh_exec (shp=0x803200 <sh>,
t=0x7ffff7f1dd70, flags=5) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/xec.c:2218
#10 0x000000000040f532 in exfile (shp=0x803200 <sh>,
iop=0x7ffff7ee04d0, fno=-1) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/main.c:603
#11 0x000000000040e77d in sh_main (ac=3, av=0x7fffffffe118,
userinit=0x0) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/main.c:375
#12 0x000000000040d951 in main (argc=3, argv=0x7fffffffe118) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/pmain.c:45
(gdb) up
#1 0x0000000000498aa8 in clone_type (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512, fp=0x7ffff7f2f590)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvtype.c:474
474
memcpy((char*)nq->nvalue.cp,nr->nvalue.cp,size);
(gdb) print nq->nvalue.cp
$1 = 0x7ffff7f2af64 ""
(gdb) print nr->nvalue.cp
$2 = 0x1 <Address 0x1 out of bounds>
(gdb) print nr->nvalue
$3 = {cp = 0x1 <Address 0x1 out of bounds>, ip = 0x1, c = 1 '\001', i
= 1, u = 1, lp = 0x1, idp = 0x1, llp = 0x1, s = 1, sp = 0x1, dp = 0x1,
ldp = 0x1, array = 0x1, np = 0x1,
up = 0x1, rp = 0x1, funp = 0x1, nrp = 0x1, bfp = 0x1}
(gdb) print size
$4 = 2
-- snip --

----

Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
ольга крыжановская
2013-08-16 10:13:22 UTC
David, during work on another project I hit this bug, which is not
fixed yet. Can you take a look, please?

Olga
Post by Roland Mainz
Hi!
----
The following testcase (which should populate a type array with data)
-- snip --
$ gdb --args ../build_i386_64bit_debug/arch/linux.i386-64/bin/ksh -c
'typeset -T p_t=( integer fd ; compound events=( bool pollin=false )
revents=() ) ; compound c ; p_t -a c.p=( [0]=( fd=0 ; events=( bool
pollin=true pollout=false ) ) ) ; print -v c '
Reading symbols from
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/arch/linux.i386-64/bin/ksh...done.
(gdb) run
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/arch/linux.i386-64/bin/ksh
-c typeset\ -T\ p_t=\(\ integer\ fd\ \;\ compound\ events=\(\ bool\
pollin=false\ \)\ revents=\(\)\ \)\ \;\ compound\ c\ \;\ p_t\ -a\
c.p=\(\ \[0\]=\(\ fd=0\ \;\ events=\(\ bool\ pollin=true\
pollout=false\ \)\ \)\ \)\ \;\ print\ -v\ c\
Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2794
2794 movzwl (%rsi), %edx
(gdb) where
#0 __memcpy_ssse3_back () at
../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2794
#1 0x0000000000498aa8 in clone_type (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512, fp=0x7ffff7f2f590)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvtype.c:474
#2 0x0000000000495ce9 in clone_all_disc (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvdisc.c:893
#3 0x0000000000495f28 in nv_clone (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvdisc.c:944
#4 0x00000000004a4622 in nv_arraysettype (np=0x7ffff7f2df20,
tp=0x7ffff7f2de60, sub=0x80444a <numbuff.7456+10> "0", flags=0)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/array.c:453
#5 0x000000000049ca45 in nv_settype (np=0x7ffff7f2df20,
tp=0x7ffff7f2de60, flags=0) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvtype.c:1407
#6 0x000000000048fe9a in setall (argv=0x7ffff7f1dc80, flag=512,
troot=0x7ffff7ee2340, tp=0x7fffffffd1f0)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/bltins/typeset.c:731
#7 0x000000000048ee8a in b_typeset (argc=3, argv=0x7ffff7f1dc78,
context=0x803758 <sh+1368>)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/bltins/typeset.c:458
#8 0x0000000000468caa in sh_exec (shp=0x803200 <sh>,
t=0x7ffff7f1d8a0, flags=4) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/xec.c:1357
#9 0x000000000046bd0e in sh_exec (shp=0x803200 <sh>,
t=0x7ffff7f1dd70, flags=5) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/xec.c:2218
#10 0x000000000040f532 in exfile (shp=0x803200 <sh>,
iop=0x7ffff7ee04d0, fno=-1) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/main.c:603
#11 0x000000000040e77d in sh_main (ac=3, av=0x7fffffffe118,
userinit=0x0) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/main.c:375
#12 0x000000000040d951 in main (argc=3, argv=0x7fffffffe118) at
/home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/pmain.c:45
(gdb) up
#1 0x0000000000498aa8 in clone_type (np=0x7ffff7f2de60,
mp=0x7ffff7f2e040, flags=512, fp=0x7ffff7f2f590)
at /home/test001/work/ast_ksh_20130628/build_i386_64bit_debug/src/cmd/ksh93/sh/nvtype.c:474
474
memcpy((char*)nq->nvalue.cp,nr->nvalue.cp,size);
(gdb) print nq->nvalue.cp
$1 = 0x7ffff7f2af64 ""
(gdb) print nr->nvalue.cp
$2 = 0x1 <Address 0x1 out of bounds>
(gdb) print nr->nvalue
$3 = {cp = 0x1 <Address 0x1 out of bounds>, ip = 0x1, c = 1 '\001', i
= 1, u = 1, lp = 0x1, idp = 0x1, llp = 0x1, s = 1, sp = 0x1, dp = 0x1,
ldp = 0x1, array = 0x1, np = 0x1,
up = 0x1, rp = 0x1, funp = 0x1, nrp = 0x1, bfp = 0x1}
(gdb) print size
$4 = 2
-- snip --
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
_______________________________________________
ast-developers mailing list
ast-developers at lists.research.att.com
http://lists.research.att.com/mailman/listinfo/ast-developers
--
, _ _ ,
{ \/`o;====- Olga Kryzhanovska -====;o`\/ }
.----'-/`-/ olga.kryzhanovska at gmail.com \-`\-'----.
`'-..-| / http://twitter.com/fleyta \ |-..-'`
/\/\ Solaris/BSD//C/C++ programmer /\/\
`--` `--`