vi segfaults (bb 1.8.2)

Cristian Ionescu-Idbohrn cristian.ionescu-idbohrn at axis.com
Tue Nov 27 16:47:54 UTC 2007


On Tue, 27 Nov 2007, Cristian Ionescu-Idbohrn wrote:

> On Tue, 27 Nov 2007, Denys Vlasenko wrote:
>
> > Failed to reproduce it here.
>
> Ok.  I'll dig deeper.

Looks like it's some sort of artifact of these 2 conf options.

CONFIG_FEATURE_VI_MAX_LEN=2048
CONFIG_FEATURE_VI_DOT_CMD=y

does not segfault with this:

CONFIG_FEATURE_VI_MAX_LEN=2048
# CONFIG_FEATURE_VI_DOT_CMD is not set

Ok.  Back to:

CONFIG_FEATURE_VI_MAX_LEN=2048
CONFIG_FEATURE_VI_DOT_CMD=y

and the 'HERE' debugging method ;)

The segfault occurs in the 'text_yank' function, which looks like this
(after my 'bb_error_msg("HERE...");' insertions):

#if ENABLE_FEATURE_VI_YANKMARK
/*
 * Copy the inclusive byte range between p and q into yank register `dest`.
 *
 * This is the reporter's instrumented copy: the bb_error_msg("HERE ...")
 * calls are trace markers added to locate the crash.
 *
 * p, q: the two ends of the range; swapped if given in reverse order.
 * dest: index into reg[]; used as-is, with no range check in this function.
 * Returns the lower end of the range (p after any swap).
 */
static char *text_yank(char * p, char * q, int dest)	// copy text into a register
{
	char *t;
	int cnt;

	bb_error_msg("HERE 300");
	if (q < p) {		// they are backwards- reverse them
		t = q;
		q = p;
		p = t;
	}
	bb_error_msg("HERE 301");
	// Inclusive length. The pointer difference is narrowed to int, and nothing
	// here checks that p and q are non-NULL or point into the same buffer.
	cnt = q - p + 1;
	t = reg[dest];
	bb_error_msg("HERE 302");
	// reg[dest] still holds the freed pointer until it is reassigned below.
	free(t);		//  if already a yank register, free it
	bb_error_msg("HERE 303");
	// Return value is not checked; presumably xmalloc never returns NULL
	// (confirm against libbb).
	t = xmalloc(cnt + 1);	// get a new register
	bb_error_msg("HERE 304");
	memset(t, '\0', cnt + 1);	// clear new text[]
	bb_error_msg("HERE 305: cnt=%d", cnt);
	// Disabled alternate trace line. Note that %08x with pointer arguments is
	// a conversion/type mismatch; %p is the matching conversion.
	//bb_error_msg("HERE 305: t=0x%08x, p=0x%08x, cnt=%d", t, p, cnt);
	// Copies at most cnt bytes and stops early at a NUL in the source; the
	// extra byte zeroed by the memset above keeps t NUL-terminated.
	// NOTE(review): t was just written by memset, so a fault in this call is
	// presumably the read through p (or a toolchain problem) - TODO confirm
	// that p lies inside the text buffer at this point.
	strncpy(t, p, cnt);	// copy text[] into buffer
	bb_error_msg("HERE 306");
	reg[dest] = t;
	bb_error_msg("HERE 307");
	return p;
}

It segfaults somewhere after 'HERE 305' in strncpy and never reaches
'HERE 306'.  If I use the alternate 'HERE 305' (commented out above)
instead, I will nicely reach 'HERE 306'.

vi.stderr and vi.strace attached.


Cheers,

-- 
Cristian
-------------- next part --------------
vi: HERE 300
vi: HERE 301
vi: HERE 302
vi: HERE 303
vi: HERE 304
vi: HERE 305: cnt=1
-------------- next part --------------
637   execve("/bin/vi", ["/bin/vi"], [/* 10 vars */]) = 0
637   old_mmap(NULL, 20, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3555c000
637   readlink("/lib/ld-uClibc.so.0", "ld-uClibc-0.9.27.so", 1024) = 19
637   stat("/etc/ld-uClibc.so.preload", {st_mode=S_IFREG|0644, st_size=19, ...}) = 0
637   open("/etc/ld-uClibc.so.preload", O_RDONLY) = 4
637   old_mmap(NULL, 20, PROT_READ|PROT_WRITE, MAP_PRIVATE, 4, 0) = 0x3555e000
637   close(4)                          = 0
637   munmap(0x3555e000, 20)            = 0
637   open("/lib/libcrypt.so.0", O_RDONLY) = 4
637   old_mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3555e000
637   read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0L\0\1\0\0\0L\5\0\0004\0\0\0X\37\0\0\0\0\0\0004\0 \0\5\0(\0\16\0\r\0\6\0\0\0004\0\0\0004\0\0\0004\0\0\0\240\0\0\0\240\0\0\0\5\0\0\0\4\0\0\0\3\0\0\0\24\36\0\0\24\36\0\0\24\36\0\0\24\0\0\0\24\0\0\0\4\0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\36\0\0(\36\0\0\5\0\0\0\0 \0\0\1\0\0\0@\36\0\0@>\0\0@>\0\0\274\0\0\0\240\25\1\0\6\0\0\0\0 \0\0\2\0\0\0D\36\0\0D>\0\0D>\0\0\210\0\0\0\210\0\0\0\6\0\0\0\4\0\0\0\21\0\0\0\36\0\0\0\0\0\0\0\33\0\0\0\27\0\0\0\0\0\0\0\35\0\0\0\23\0"..., 8192) = 8192
637   old_mmap(NULL, 90112, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35560000
637   old_mmap(0x35560000, 7720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x35560000
637   old_mmap(0x35562000, 7932, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x35562000
637   old_mmap(0x35564000, 70624, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x35564000
637   close(4)                          = 0
637   munmap(0x3555e000, 8192)          = 0
637   open("/lib/libm.so.0", O_RDONLY)  = 4
637   old_mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3555e000
637   read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0L\0\1\0\0\0\324\17\0\0004\0\0\0P|\0\0\0\0\0\0004\0 \0\5\0(\0\16\0\r\0\6\0\0\0004\0\0\0004\0\0\0004\0\0\0\240\0\0\0\240\0\0\0\5\0\0\0\4\0\0\0\3\0\0\0\220z\0\0\220z\0\0\220z\0\0\24\0\0\0\24\0\0\0\4\0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244z\0\0\244z\0\0\5\0\0\0\0 \0\0\1\0\0\0\300z\0\0\300\232\0\0\300\232\0\0004\1\0\0@\1\0\0\6\0\0\0\0 \0\0\2\0\0\0\300z\0\0\300\232\0\0\300\232\0\0\210\0\0\0\210\0\0\0\6\0\0\0\4\0\0\0C\0\0\0U\0\0\0<\0\0\0\0\0\0\0E\0\0\0,\0\0\0G"..., 8192) = 8192
637   old_mmap(NULL, 40960, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35576000
637   old_mmap(0x35576000, 31396, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x35576000
637   old_mmap(0x3557e000, 7156, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x6000) = 0x3557e000
637   close(4)                          = 0
637   munmap(0x3555e000, 8192)          = 0
637   open("/lib/libc.so.0", O_RDONLY)  = 4
637   old_mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3555e000
637   read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0L\0\1\0\0\0 \370\0\0004\0\0\0x\264\3\0\0\0\0\0004\0 \0\5\0(\0\22\0\21\0\6\0\0\0004\0\0\0004\0\0\0004\0\0\0\240\0\0\0\240\0\0\0\5\0\0\0\4\0\0\0\3\0\0\0\234\240\3\0\234\240\3\0\234\240\3\0\24\0\0\0\24\0\0\0\4\0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\240\3\0\260\240\3\0\5\0\0\0\0 \0\0\1\0\0\0\300\240\3\0\300\300\3\0\300\300\3\0,\23\0\0\300G\0\0\6\0\0\0\0 \0\0\2\0\0\0X\252\3\0X\312\3\0X\312\3\0\270\0\0\0\270\0\0\0\6\0\0\0\4\0\0\0\7\4\0\0\337\4\0\0\250\3\0\000"..., 8192) = 8192
637   old_mmap(NULL, 270336, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35580000
637   old_mmap(0x35580000, 237744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x35580000
637   old_mmap(0x355bc000, 5100, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x3a000) = 0x355bc000
637   old_mmap(0x355be000, 10368, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x355be000
637   close(4)                          = 0
637   munmap(0x3555e000, 8192)          = 0
637   ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
637   ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
637   getuid()                          = 0
637   getpid()                          = 637
637   brk(0)                            = 0xe0000
637   brk(0xe2000)                      = 0xe2000
637   brk(0xe2000)                      = 0xe2000
637   ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
637   ioctl(0, SNDCTL_TMR_START or TCSETS, {B38400 opost isig -icanon -echo ...}) = 0
637   ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
637   ioctl(0, TIOCGWINSZ, {ws_row=84, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0
637   brk(0xe6000)                      = 0xe6000
637   rt_sigaction(SIGINT, {0xb6f70, [INT], SA_RESTART}, {SIG_DFL}, 8) = 0
637   rt_sigaction(SIGWINCH, {0xb6e92, [WINCH], SA_RESTART}, {SIG_DFL}, 8) = 0
637   rt_sigaction(SIGTSTP, {0xb6f1e, [TSTP], SA_RESTART}, {SIG_DFL}, 8) = 0
637   ioctl(0, TIOCGWINSZ, {ws_row=84, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0
637   write(1, "\33[1;1H\33[0J\33[2;1H~\n\r", 19) = 19
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\n\r", 3)              = 3
637   write(1, "~\33[1;1H\33[84;1H- No file 1/1 100%\33[0K\33[1;1H", 42) = 42
637   alarm(0)                          = 0
637   read(0, "i", 2047)                = 1
637   alarm(3)                          = 0
637   write(2, "vi: HERE 300\n", 13)    = 13
637   write(2, "vi: HERE 301\n", 13)    = 13
637   write(2, "vi: HERE 302\n", 13)    = 13
637   write(2, "vi: HERE 303\n", 13)    = 13
637   write(2, "vi: HERE 304\n", 13)    = 13
637   write(2, "vi: HERE 305: cnt=1\n", 20) = 20
637   --- SIGSEGV (Segmentation fault) @ 0 (0) ---
637   +++ killed by SIGSEGV +++

