[Gcl-devel] Number_minus problem

gcl-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gcl-devel] Number_minus problem

From:	Mike Thomas
Subject:	[Gcl-devel] Number_minus problem
Date:	Fri, 30 Dec 2005 08:57:35 +1000

Hi Camm.

I'm having trouble with number_minus on fixnums which calls mpz_set_si
apparently with a bad pointer in the dest->_mp_d[0] field (line 32
gmp3/mpz/set_si.c) corrupting memory it shouldn't be accessing
(according to gdb).

See **NOTE** below.

Hoping to catch you before you go off-line for the evening.

Mike Thomas

----------------------------------------------------------------


$ gdb-5.2.1 --args ../unixport/saved_pre_gcl.exe ../unixport -system-p
-c-file
-data-file -o-file nil -h-file -compile gcl_arraylib
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i686-pc-mingw32"...
(gdb) b number_minus
Breakpoint 1 at 0x4612de: file num_arith.c, line 387.
(gdb) r
Starting program: c:\cvs\head\gcl\lsp/../unixport/saved_pre_gcl.exe
../unixport
-system-p -c-file -data-file -o-file nil -h-file -compile gcl_arraylib

Breakpoint 1, number_minus (x=0xa000000a, y=0xa0000001) at
num_arith.c:387
387       if ( ARGC == 10 ) {
(gdb) n
388           fprintf ( stdout, "number_minus ARGV[9] %s\n", ARGV[9] );
(gdb) n
390             switch (type_of(x)) {
(gdb) n
393                     switch(type_of(y)) {
(gdb) n
395                       MPOP(return,subss,fix(x),fix(y));
(gdb) s
m__gmpz_set_si (_b=0x3211fe4, _c=10) at ../h/../h/gmp_wrappers.h:142
142     MEM_GMP_CALL(2,void,mpz_set_si,1,mpz_t,long int)
(gdb) n
number_minus (x=0xa000000a, y=0xa0000001) at num_arith.c:524
524     }
(gdb) n
Lminus () at num_arith.c:1000
1000            for (i = 1;  i < j;  i++)
(gdb) c
Continuing.

Breakpoint 1, number_minus (x=0xa0000009, y=0xa0000001) at
num_arith.c:387
387       if ( ARGC == 10 ) {
(gdb) delete 1
(gdb) c
Continuing.
warning: HEAP[saved_pre_gcl.exe]:
warning: HEAP: Free Heap block 812648 modified at 812df8 after it was
freed


Program received signal SIGTRAP, Trace/breakpoint trap.
0x7c901231 in _libwsock32_a_iname ()

---------------------------------------------------------------------


So I restart with a breakpoint at number_minus and check the location at
0x812df8:



---------------------------------------------------------------------
(gdb) b number_minus
Breakpoint 2 at 0x4612de: file num_arith.c, line 387.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: c:\cvs\head\gcl\lsp/../unixport/saved_pre_gcl.exe
../unixport
-system-p -c-file -data-file -o-file nil -h-file -compile gcl_arraylib

Breakpoint 2, number_minus (x=0xa000000a, y=0xa0000001) at
num_arith.c:387
387       if ( ARGC == 10 ) {
(gdb) p *(0x812df8)
$1 = -17891602
(gdb) p /x *(0x812df8)
$2 = 0xfeeefeee
(gdb) n
388           fprintf ( stdout, "number_minus ARGV[9] %s\n", ARGV[9] );
(gdb) n
390             switch (type_of(x)) {
(gdb) n
393                     switch(type_of(y)) {
(gdb) n
395                       MPOP(return,subss,fix(x),fix(y));
(gdb) p /x *(0x812df8)
$3 = 0xfeeefeee
(gdb) s
m__gmpz_set_si (_b=0x3211fe4, _c=10) at ../h/../h/gmp_wrappers.h:142
142     MEM_GMP_CALL(2,void,mpz_set_si,1,mpz_t,long int)
(gdb) p /x *(0x812df8)
$4 = 0xfeeefeee
(gdb) s
__gmpz_set_si (dest=0x461482, val=52502500) at set_si.c:27
27      {
(gdb) p /x *(0x812df8)
$5 = 0xfeeefeee
(gdb) p /x 52502500
$6 = 0x3211fe4


**NOTE**
   0x3211fe4 (aka 52502500) is in the GCL heap.  
   0x812df8 is not, and is dangerously close to where the MSVC
   malloced memory is being placed.  This leads to overwrites of
   the argv (hence ARGV) data.

   You may wonder why the MSVC malloc is being used (a bad thing).

   That is because if I use GCL's malloc, it fails before main
   even starts while allocating things like the argv data.



(gdb) s
30        if (val > 0)
(gdb) s
27      {
(gdb) s
30        if (val > 0)
(gdb) s
32            dest->_mp_d[0] = val;
(gdb) p *dest
$7 = {_mp_alloc = 1, _mp_size = 1, _mp_d = 0x812df8}
(gdb) p /x 52502500
$8 = 0x3211fe4
(gdb) p /x *(0x812df8)
$9 = 0xfeeefeee
(gdb) s
33            dest->_mp_size = 1;
(gdb) p /x *(0x812df8)
$10 = 0xa
(gdb) p /x *((unsigned long *)0x812df8)
$11 = 0xa
(gdb) p /x *(0x812df7)
$12 = 0xafe
(gdb) p /x *(0x812df6)
$13 = 0xafeee
(gdb) p /x *(0x812df5)
$14 = 0xafeeefe
(gdb) p /x *(0x812df4)
$15 = 0xfeeefeee
(gdb) p /x *(0x812df9)
$16 = 0xee000000
(gdb) p /x *(0x812dfa)
$17 = 0xfeee0000
(gdb)

[Prev in Thread]

Current Thread

[Next in Thread]

[Gcl-devel] Number_minus problem, Mike Thomas <=
- Re: [Gcl-devel] Number_minus problem, Camm Maguire, 2005/12/29
- [Gcl-devel] Re: Number_minus problem, Camm Maguire, 2005/12/30
- RE: [Gcl-devel] Number_minus problem, Mike Thomas, 2005/12/29
- RE: [Gcl-devel] Number_minus problem, Mike Thomas, 2005/12/29
  - Re: [Gcl-devel] Number_minus problem, Camm Maguire, 2005/12/30

Prev by Date: [Gcl-devel] Re: [Axiom-developer] xgcl-2
Next by Date: Re: [Gcl-devel] Number_minus problem
Previous by thread: [Gcl-devel] Re: [Axiom-developer] xgcl-2
Next by thread: Re: [Gcl-devel] Number_minus problem
Index(es):
- Date
- Thread