View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000045 | LDMud 3.2-dev | Runtime | public | 2004-03-22 18:47 | 2004-05-17 09:27 |
| Reporter | menaures | Assigned To | |||
| Priority | normal | Severity | crash | Reproducibility | unable to reproduce |
| Status | closed | Resolution | fixed | ||
| Summary | 0000045: segfault driver-ed | ||||
| Description | LDMud 3.2.10.dev-607 crashed. Program terminated with signal 11, Segmentation fault. Backtrace: #0 prntln (str=0x73726550 <Address 0x73726550 out of bounds>, vflg=32, lin=2) at ed.c:734 str = 0x73726550 <Address 0x73726550 out of bounds> vflg = 32 lin = 0 0000001 0x0806198e in doprnt (from=1, to=42) at ed.c:711 from = 2 to = 42 0000002 0x08064b12 in docmd (glob=0) at ed.c:2967 dfln = 0 glob = 0 rhs = ".\\\\n\0\0_FRUEHLING\0EX_STEP1\0 \0. Durch den Kamin \0lie bewohn", '\0' <repeats 197 times> subpat = (regexp *) 0x0 c = 60 err = 0 line3 = 0 lastcmd = -2 apflg = 135223296 pflag = 0 gflag = 163126276 nchng = -2 fptr = 0x0 0000003 0x080653fa in ed_cmd (str=0xbfffe008 "Z\n") at ed.c:3329 str = 0x0 status = 0 old_ed_buffer = (ed_buffer_t *) 0x17a045e0 0000004 0x08051832 in backend () at backend.c:617 ip = (interactive_t *) 0x1dcd700c buff = "Z\n\0dwesten\0h\0he ich erstmal schlafen\0 aus getreidesack, schliesse getreidesack\0h reinladen musste\0s lieber so macht..\0glichkeiten immer weiter aus...\0ab\0l\0as wirst du momentan ohne Unterstuetzung ncht"... 0000005 0x080a304c in main (argc=58, argv=0xbffff994) at main.c:502 i = 5 set = {__val = {8192, 0 <repeats 31 times>}} | ||||
| Steps To Reproduce | Unable to reproduce so far. | ||||
| Tags | No tags attached. | ||||
|
|
The following commands crash the ed. You need a file 'a' with 4 or more lines and a file 'b' with at least one line (meaning one carriage return). Then if you have MALLOC_TRACE enabled the following frees a block (a line in the file) twice: ed a Z Z d d 1 r b Q I think the following happens: The first 'Z' goes to the end of the file, so CurLn==LastLn and CurPtr->l_next==Line0. The next 'Z' goes one line further (because the last command was a 'Z', the next commands increments CurLn unseen). So CurLn==LastLn+1 and CurPtr==Line0. 'd' then deletes CurPtr, that means, Line0 doesn't belong to the ring anymore. The next 'd' deletes the last line. At this point the ring itself is consistent, but Line0 doesn't belong to the ring and thus its pointers were never updated. So the Line0->l_prev points to deleted line. '1', 'r b', 'Q' are just there to exploit this (1 changes CurPtr, so that 'r b' starts searching for the last line with Line0 and not CurPtr. 'r b' inserts between the deleted last line and the deleted Line0. 'Q' then frees this...) I changed the doprnt, that It doesn't update CurPtr without checking that it is greater than LastLn and since then it works. Greetings, Gnomi |
|
2004-03-24 04:52
|
ed.diff (325 bytes)
--- src.old/ed.c 2003-04-30 14:00:00.000000000 +0200
+++ src/ed.c 2004-03-24 10:22:06.000000000 +0100
@@ -703,7 +703,7 @@
from = (from < 1) ? 1 : from;
to = (to > P_LASTLN) ? P_LASTLN : to;
- if (to != 0)
+ if (to != 0 && from <= P_LASTLN)
{
_setCurLn( from );
while( P_CURLN <= to )
|
|
|
Thanks for the analysis - especially since the crash was not deterministic. 3.3.504 3.2-dev.618 |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2004-03-22 18:47 | menaures | New Issue | |
| 2004-03-24 04:52 | Gnomi | Note Added: 0000030 | |
| 2004-03-24 04:52 | Gnomi | File Added: ed.diff | |
| 2004-03-28 03:28 |
|
Status | new => resolved |
| 2004-03-28 03:28 |
|
Resolution | open => fixed |
| 2004-03-28 03:28 |
|
Assigned To | => lars |
| 2004-03-28 03:28 |
|
Note Added: 0000032 | |
| 2004-05-17 09:27 |
|
Status | resolved => closed |
