bug-groff

[bug #47162] [PATCH] invalid memory access in small_temp_iterator::opera


From: Balint Reczey
Subject: [bug #47162] [PATCH] invalid memory access in small_temp_iterator::operator new
Date: Mon, 15 Feb 2016 22:03:15 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.6.0

URL:
  <http://savannah.gnu.org/bugs/?47162>

                 Summary: [PATCH] invalid memory access in
small_temp_iterator::operator new
                 Project: GNU troff
            Submitted by: rbalint
            Submitted on: Mon 15 Feb 2016 10:03:14 PM GMT
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None

    _______________________________________________________

Details:

...
No symbol table info available.
#3  0x00007fd6c6411653 in __ubsan_handle_dynamic_type_cache_miss () from
/usr/lib/x86_64-linux-gnu/libubsan.so.0
No symbol table info available.
#4  0x000000000045da43 in small_temp_iterator::operator new (address@hidden) at
/home/rbalint/projects/deb/gccs/groff-1.22.3/debian/build/../../src/roff/troff/input.cpp:3632
        i = <optimized out>
        p = <optimized out>
#5  0x000000000045dd9a in make_temp_iterator (s=0x8cb073 <buf+19> "0") at
/home/rbalint/projects/deb/gccs/groff-1.22.3/debian/build/../../src/roff/troff/input.cpp:3674
        n = <optimized out>
#6  0x000000000046290b in interpolate_number_reg (nm=..., inc=<optimized out>)
at
/home/rbalint/projects/deb/gccs/groff-1.22.3/debian/build/../../src/roff/troff/input.cpp:4975
        r = 0x25160d0
#7  0x0000000000472413 in token::next (this=0x8c76c0 <tok>) at
/home/rbalint/projects/deb/gccs/groff-1.22.3/debian/build/../../src/roff/troff/input.cpp:2133
        inc = 0
        s = {static table = 0x2537f60, static table_used = 908, static
table_size = 4001, static block = 0x2501d4a "", static block_size = 214, s =
0x25157d8 ".C"}
        n = 0x0
        cc = <optimized out>
        x = 2063780463
...

Many invalid memory accesses were caught by ASAN & UBSAN while bootstrapping
the hardened1-linux-amd64 Debian port.

In the current bug the free_list handling broke.
One problem with the free_list implementation is the inaccurate calculation of
memory needed for storing the free_list array because it does not consider the
padding _between_ array elements:
...
(small_temp_iterator *)new char[sizeof(small_temp_iterator)*BLOCK];
...
https://en.wikipedia.org/wiki/Data_structure_alignment
https://en.wikipedia.org/wiki/Stride_of_an_array

The proposed patch removes all free_list handling, because they probably do
not provide a significant speed gain with current C++ compilers anyway.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Mon 15 Feb 2016 10:03:14 PM GMT  Name: 0001-Get-rid-of-free_list-s.patch
 Size: 9kB   By: rbalint
patch fixing the issue
<http://savannah.gnu.org/bugs/download.php?file_id=36349>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?47162>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
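Two points in the report above are worth seeing in working code: how the byte count for a block of BLOCK slots relates to the array stride of the slot type, and how a block free list can be written so that a slot is never used as an object of the polymorphic class before it has been constructed (the `__ubsan_handle_dynamic_type_cache_miss` frame in the backtrace belongs to UBSan's vptr check, which fires when a polymorphic object is used before its vtable pointer has been set up). The following C++ program is an added example written for this page; it is not groff's code nor the attached patch, and `Widget`, `Padded`, `SlotPool`, `stride_of` and `pool_demo` are names chosen here, with `Widget` standing in for a small polymorphic class like `small_temp_iterator`.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <utility>
#include <vector>

// Hypothetical stand-in for a small polymorphic class such as troff's
// small_temp_iterator; written for this example, not taken from groff.
class Widget {
public:
  explicit Widget(int v) : value_(v) {}
  virtual ~Widget() {}
  virtual int value() const { return value_; }
private:
  int value_;
};

// A struct whose layout needs padding, to make the stride check non-trivial.
struct Padded {
  char tag;
  std::uint32_t id;
  char flag;
};

// Byte distance between adjacent elements of a real array of T.  Comparing it
// with sizeof(T) verifies the block-size arithmetic sizeof(T) * N.
template <class T, std::size_t N>
std::ptrdiff_t stride_of(T (&arr)[N]) {
  static_assert(N >= 2, "need two elements to measure a stride");
  return reinterpret_cast<const char *>(&arr[1]) -
         reinterpret_cast<const char *>(&arr[0]);
}

bool padded_stride_matches_sizeof() {
  Padded arr[2] = {};
  return stride_of(arr) == static_cast<std::ptrdiff_t>(sizeof(Padded));
}

// Fixed-size slot pool.  Every slot is raw, correctly aligned storage; a slot
// holds either a live T (constructed with placement new) or, while free, only
// the link to the next free slot.  No T member, and in particular no vtable
// pointer, is ever read from a slot that has not been constructed.
template <class T, std::size_t BLOCK>
class SlotPool {
  union Slot {
    alignas(T) unsigned char bytes[sizeof(T)];  // storage for one T
    Slot *next;                                 // free-list link while unused
  };

public:
  SlotPool() = default;
  SlotPool(const SlotPool &) = delete;
  SlotPool &operator=(const SlotPool &) = delete;
  ~SlotPool() {
    for (Slot *b : blocks_) delete[] b;
  }

  template <class... Args>
  T *create(Args &&...args) {
    if (free_ == nullptr) grow();
    Slot *s = free_;
    free_ = s->next;
    ++live_;
    return ::new (static_cast<void *>(s->bytes)) T(std::forward<Args>(args)...);
  }

  void destroy(T *p) {
    p->~T();
    // p addresses the first byte of the slot's storage, i.e. the slot itself.
    Slot *s = reinterpret_cast<Slot *>(p);
    s->next = free_;
    free_ = s;
    --live_;
  }

  std::size_t live() const { return live_; }
  std::size_t blocks() const { return blocks_.size(); }

private:
  void grow() {
    Slot *block = new Slot[BLOCK];  // sizeof(Slot) * BLOCK bytes, aligned for T
    for (std::size_t i = 0; i + 1 < BLOCK; ++i) block[i].next = &block[i + 1];
    block[BLOCK - 1].next = nullptr;
    free_ = block;
    blocks_.push_back(block);
  }

  std::vector<Slot *> blocks_;
  Slot *free_ = nullptr;
  std::size_t live_ = 0;
};

struct DemoResult {
  std::size_t blocks;  // blocks allocated by the pool
  std::size_t live;    // objects alive when the result was taken
  int sum;             // sum of value() over those objects
};

// Allocate past one block, release two objects, and reuse their slots.
DemoResult pool_demo() {
  SlotPool<Widget, 4> pool;
  std::vector<Widget *> ws;
  for (int i = 0; i < 6; ++i) ws.push_back(pool.create(i));  // second block needed
  pool.destroy(ws[1]);
  pool.destroy(ws[3]);
  ws[1] = pool.create(100);  // reuses a freed slot, no third block
  ws[3] = pool.create(200);
  int sum = 0;
  for (Widget *w : ws) sum += w->value();  // 0+100+2+200+4+5 = 311
  DemoResult r{pool.blocks(), pool.live(), sum};
  for (Widget *w : ws) pool.destroy(w);
  return r;
}
```

Building this with `-fsanitize=undefined` (and `-fsanitize=address`) is the check that matters: the pool links free slots through the union's `next` member rather than through a member of the unconstructed `T`, so the vptr check has nothing to report, and the block is allocated as an array of `Slot`, so its size and alignment follow from the slot type instead of from hand-written byte arithmetic.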