Date: Thu, 25 Sep 2008 11:29:41 -0800 (AKDT)
From: Mel <mel.xyzzy@rachie.is-a-geek.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: MAINTAINER <ahze@FreeBSD.org>
Subject: ports/127639: Segfault in x_realloc devel/ccache
Message-ID: <20080925192941.B65FAAFBC02@mail.rachie.is-a-geek.net>
Resent-Message-ID: <200809251950.m8PJo2Yf003234@freefall.freebsd.org>

>Number: 127639
>Category: ports
>Synopsis: Segfault in x_realloc devel/ccache
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 25 19:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Mel
>Release: FreeBSD 6.3-RELEASE-p4 amd64
>Organization:
>Environment:
System: FreeBSD smell.example.com 6.3-RELEASE-p4 FreeBSD 6.3-RELEASE-p4 #0: Tue Sep 23 13:02:08 AKDT 2008 root@smell.example.com:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
util.c:
184   this is like realloc() but dies if the malloc fails
185 */
186 void *x_realloc(void *ptr, size_t size)
187 {
188         void *p2;
189         if (!ptr) return x_malloc(size);
190         p2 = malloc(size);
191         if (!p2) {
192                 fatal("out of memory in x_realloc");
193         }
194         if (ptr) {
195                 memcpy(p2, ptr, size);
196                 free(ptr);
197         }
198         return p2;
199 }

args.c:
38 void args_add(ARGS *args, const char *s)
39 {
40         args->argv = (char**)x_realloc(args->argv, (args->argc + 2) * sizeof(char *));
41         args->argv[args->argc] = x_strdup(s);
42         args->argc++;
43         args->argv[args->argc] = NULL;
44 }

Line 195 copies newsize of oldpointer to new pointer which can produce the
following backtrace:
(gdb) bt
#0 0x0000000800816b86 in memcpy () from /lib/libc.so.6
#1 0x0000000000403fec in x_realloc (ptr=0x514800, size=2056) at util.c:195
#2 0x0000000000404512 in args_add (args=0x512040, s=0x7fffffffe2c3 "p12_key.So") at args.c:40
#3 0x00000000004045a1 in args_init (init_argc=455, init_args=0x7fffffffcf20) at args.c:32
#4 0x0000000000402a14 in main (argc=455, argv=0x7fffffffc720) at ccache.c:564

>How-To-Repeat:
I can't reproduce this using a test like this:
ln -s ccache cc
./cc -L/usr/lib -shared `jot -w 'file%04u.So' 452 1 452`

However, the following reproduces the bug reliably:
#!/bin/sh
SRCDIR=${SRCDIR:="/usr/src"}
cd ${SRCDIR}/secure/lib/libcrypto
rm -f `make -V .OBJDIR`/libcrypto.so.4
cd ${SRCDIR}
make
everything >Fix: The following works around the problem by using reallocf, instead of x_malloc, however, the root of the problem is likely elsewhere. --- patch-args.c begins here --- --- args.c.orig 2004-09-13 02:38:30.000000000 -0800 +++ args.c 2008-09-25 04:58:35.000000000 -0800 @@ -37,7 +37,13 @@ void args_add(ARGS *args, const char *s) { +#ifndef __FreeBSD__ args->argv = (char**)x_realloc(args->argv, (args->argc + 2) * sizeof(char *)); +#else + args->argv = reallocf((char *)args->argv, (args->argc + 2) * sizeof(char *)); + if( args->argv == NULL ) + fatal("out of memory in reallocf"); +#endif args->argv[args->argc] = x_strdup(s); args->argc++; args->argv[args->argc] = NULL; --- patch-args.c ends here --- >Release-Note: >Audit-Trail: >Unformatted:
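Review bot: the `#else` branch added to args_add() changes only this one call site, and only when `__FreeBSD__` is defined; x_realloc() itself is untouched, so every other caller, and args_add() on other platforms, still reaches the `memcpy(p2, ptr, size)` that the Description flags at util.c:195. Consider making the change inside x_realloc() instead (have it call realloc() and keep the fatal() check), which removes the need for the #ifndef. On the added reallocf line, the `(char *)` cast on args->argv is unnecessary, and the `if( ... )` spacing differs from the surrounding code.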