[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#8685) Invalid memory access
Hi Breno,
Thanks a lot for taking the time to look at this.
I reproduced the crash on a minicloud VM (thanks!) with gcc -O2 (but not
-O1 or -O0) and also with clang -O2 and -O1 (but not -O0).
On Fri, Jul 07, 2017 at 12:57:47AM +0000, leitao@debian.org wrote:
>So, that is what I suppose is happening. On the following loop,
>ldap_first_entry() is returning NULL, thus, i = 0;
>
> for ( i = 0, e = ldap_first_entxury( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) )
> {
> values[ i ] = ldap_get_dn( ld, e );
> }
> values[ i ] = NULL;
>
>Thus, value[0] = NULL;
I have not been able to reproduce that. I added an assert(i == nvalues)
here, but it never failed in the time I spent on this today.
On IRC, Howard pointed at the computation of 'r' (line 682), and indeed
some printf debugging suggests that may be going wrong. I occasionally
saw values of 'r' greater than 'nvalues', leading to reads past the end
of the array like you suggested.
for example:
nvalues = 19
[...]
i=20 r=11 values[r]=0x10014fba0f0
i=48 r=6 values[r]=0x3fff40000bd0
i=49 r=3 values[r]=0x3fff40000b50
i=51 r=7 values[r]=0x3fff6c001310
i=46 r=11 values[r]=0x3fff0c003530
i=56 r=27 values[r]=0x25
Segmentation fault (core dumped)
Unpacking the computation, it looks like the multiplication is the part
that sometimes returns the wrong result. For example:
nvalues = 19
[...]
rand() -> 745824322
((double)19)*745824322 -> 45495283642.000000
45495283642.000000 / 2147483648.000000 -> 21.185392
i=75 r=21 values[r]=0x35
Segmentation fault (core dumped)
but 19.0*745824322 should be 14170662118.
I'm not really sure where to look next. Compiler bug would be a nice
explanation, but wouldn't it be unusual for gcc and clang to have the
same bug?