[Bug default/26514] New: Seg fault when mapping array of struct for file
From: m.nabipoor at yahoo dot com
Subject: [Bug default/26514] New: Seg fault when mapping array of struct for files bigger than a threshold size
Date: Fri, 21 Aug 2020 07:26:04 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=26514
Bug ID: 26514
Summary: Seg fault when mapping array of struct for files bigger than a threshold size
Product: poke
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: default
Assignee: unassigned at sourceware dot org
Reporter: m.nabipoor at yahoo dot com
CC: poke-devel at gnu dot org
Target Milestone: ---
Hi,
A file-size-dependent bug + a double-free bug.
Pay attention to the file sizes (these are thresholds).
Below the threshold everything seems fine.
I found, empirically(!), that `1360 * #Packet` is a good starting point to find
the threshold :D
=== Observation 1
$ dd if=/dev/zero of=/tmp/x bs=1 count=$((1360*12)) # count=16320
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { int i; long j; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)
=== Observation 2
$ dd if=/dev/zero of=/tmp/x bs=1 count=$((1360*16)) # count=21760
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; long j; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)
=== Observation 3
$ dd if=/dev/zero of=/tmp/x bs=1 count=$(((1360 - 1)*24)) # count=32616
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; long j; long k; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)
=== Observation 4
$ dd if=/dev/zero of=/tmp/x bs=1 count=$(((1360 + 2)*8)) # count=10896
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)
=== Observation 5
New bug: double-free
$ dd if=/dev/zero of=/tmp/x bs=1 count=$(((1360 - 1)*24 - 1)) # count=32615
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; long j; long k; };
(poke) defvar p = Packet[] @ 0#B;
free(): invalid pointer
Aborted (core dumped)
Here's the backtrace:
#0  0x00007fcb3d047355 in raise () from /usr/lib/libc.so.6
#1  0x00007fcb3d030853 in abort () from /usr/lib/libc.so.6
#2  0x00007fcb3d08a878 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007fcb3d091d3a in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007fcb3d093f92 in free_check () from /usr/lib/libc.so.6
#5  0x00007fcb3d433a4d in jitter_stack_finalize_backing (backing=0x558d18da6ff0) at ../../jitter/jitter/jitter-stack.c:73
#6  0x00007fcb3d4238e8 in pvm_state_finalize (jitter_state=0x558d18da6fd0) at ../../libpoke/pvm.jitter:689
#7  0x00007fcb3d417b44 in pvm_shutdown (apvm=0x558d18da6fd0) at ../../libpoke/pvm.c:150
#8  0x00007fcb3d3d38da in pk_compiler_free (pkc=0x558d18dab9f0) at ../../libpoke/libpoke.c:75
#9  0x0000558d183d369a in finalize () at ../../poke/poke.c:289
#10 0x0000558d183d313d in main (argc=<optimized out>, argv=<optimized out>) at ../../poke/poke.c:686
Thanks