This is the mail archive of the gcc-prs@gcc.gnu.org mailing list for the GCC project.
preprocessor/8055: CPP0 segfault on FreeBSD + PATCH
- From: ak03 at gte dot com
- To: gcc-gnats at gcc dot gnu dot org
- Date: Thu, 26 Sep 2002 11:23:14 -0400 (EDT)
- Subject: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH
>Number: 8055
>Category: preprocessor
>Synopsis: PATCH: CPP0 dies with SIG11 when building FreeBSD kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: unassigned
>State: open
>Class: ice-on-legal-code
>Submitter-Id: net
>Arrival-Date: Thu Sep 26 08:26:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Alexander N. Kabaev
>Release: 3.2.1 [FreeBSD] 20020916 (prerelease)
>Organization:
>Environment:
System: FreeBSD kanpc.gte.com 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Sep 16 10:44:41EDT 2002 root@kanpc.gte.com:/usr/obj/usr/src/sys/KANPC i386
GCC 3.2.1 configured as system compiler
As well as:
System: FreeBSD ork.gte.com 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #0: Mon Sep 16 11:16:37 EDT 2002 root@ork.gte.com:/usr/src/sys/compile/KAN i386
GCC 3.2.1 built from ports:
host: i386-portbld-freebsd4.7
build: i386-portbld-freebsd4.7
target: i386-portbld-freebsd4.7
configured with: ./..//gcc-20020902/configure --disable-nls --with-gnu-as --with-gnu-ld --with-gxx-include-dir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/g++-v3 --with-system-zlib --includedir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/Java --disable-libgcj --disable-shared --prefix=/usr/local i386-portbld-freebsd4.7
>Description:
Preprocessor CPP0 dumps core when used to create dependencies list
while building the FreeBSD kernel. The reason is a bug in gcc/cppmacro.cpp
in function stringify_arg. If pfile->u_buff buffer is completely filled
when the function is called (i.e.
BUFF_FRONT (pfile->u_buff) == BUFF_LIMIT (pfile->u_buff) ), and the
macro_arg passed to it as a second parameter has no tokens, that is
arg->count is 0, then stringify_buffer will happily advance the
BUFF_FRONT(pfile->u_buff) pointer past the BUFF_LIMIT (pfile->u_buff)
values, making comparisons like
(size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < len
useless. CPP0 will dump core shortly afterwards trying to strchr/strcpy
a string which it thinks is about 4G in size.
>How-To-Repeat:
The test case is not exactly trivial to produce. The stringify_arg
function should be called with an empty argument and completely
filled buffer. The layout of system header files happened to
trigger exactly this condition.
>Fix:
The patch below takes care of the problem.
Index: contrib/gcc/cppmacro.c
===================================================================
RCS file: /usr/ncvs/src/contrib/gcc/cppmacro.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 cppmacro.c
--- contrib/gcc/cppmacro.c 1 Sep 2002 20:37:29 -0000 1.1.1.4
+++ contrib/gcc/cppmacro.c 24 Sep 2002 15:40:54 -0000
@@ -349,6 +349,12 @@
/* Commit the memory, including NUL, and return the token. */
len = dest - BUFF_FRONT (pfile->u_buff);
+ if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1)
+ {
+ size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff);
+ _cpp_extend_buff (pfile, &pfile->u_buff, 1);
+ dest = BUFF_FRONT (pfile->u_buff) + len_so_far;
+ }
BUFF_FRONT (pfile->u_buff) = dest + 1;
return new_string_token (pfile, dest - len, len);
}
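Review bot: the new guard `(size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1` keeps the size_t cast that the description says wraps once dest has moved past the limit; since the only intent is to reserve one byte for the NUL, `dest >= BUFF_LIMIT (pfile->u_buff)` states that directly and cannot be defeated by a pointer that is already past the limit. The rebase of dest after `_cpp_extend_buff` is right: `len` on the line above is a byte count rather than a pointer, so `dest - len` in the return still names the start of the string in the moved buffer. A one-line comment above the block saying that the per-token room check does not cover the trailing NUL (the full-buffer, zero-token case the report describes) would save the next reader from wondering why the check sits after the loop rather than inside it.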
>Release-Note:
>Audit-Trail:
>Unformatted:
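A constructed model of the failure the Description field walks through, added here as an illustration; it is not part of the report, of FreeBSD, or of GCC. The struct, the offsets and the helper names are stand-ins for cpplib's _cpp_buff, BUFF_FRONT, BUFF_LIMIT and _cpp_extend_buff (the real ones are pointers and a copying allocator; offsets and in-place growth are assumed here so the model itself never does out-of-bounds arithmetic), and the 8-byte capacity is chosen only to make front == limit easy to reach. It shows the room check going permanently false once the front offset passes the limit, and the commit step rewritten along the lines of the report's diff keeping the buffer consistent.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of cpplib's _cpp_buff, constructed for this example.  The real
   BUFF_FRONT/BUFF_LIMIT are pointers; here they are byte offsets into base,
   so an overrun shows up as an ordinary number rather than as out-of-bounds
   pointer arithmetic inside the model. */
struct buff {
    unsigned char *base;
    size_t front;   /* next free byte, like BUFF_FRONT (pfile->u_buff) */
    size_t limit;   /* one past the last usable byte, like BUFF_LIMIT */
};

static void buff_init(struct buff *b, size_t cap)
{
    b->base = calloc(cap, 1);
    b->front = 0;
    b->limit = cap;
}

/* Stand-in for _cpp_extend_buff: guarantee at least min_extra free bytes
   past front.  Growing in place is enough for this model. */
static void buff_extend(struct buff *b, size_t min_extra)
{
    size_t newcap = b->limit * 2 + min_extra;
    b->base = realloc(b->base, newcap);
    b->limit = newcap;
}

/* The room test quoted in the report, (size_t) (BUFF_LIMIT - dest) < len.
   The ptrdiff_t subtraction and size_t cast mirror the pointer version:
   once dest is past limit the difference is negative and wraps to a value
   near SIZE_MAX, so the test is false for every len and nothing extends. */
static int room_check_wants_extend(size_t limit, size_t dest, size_t len)
{
    return (size_t)((ptrdiff_t)limit - (ptrdiff_t)dest) < len;
}

/* Per-token part of stringify_arg, which does check room before writing.
   token_bytes placeholder bytes stand in for the spelled tokens. */
static size_t write_tokens(struct buff *b, size_t dest, size_t token_bytes)
{
    if (token_bytes == 0)
        return dest;
    if (room_check_wants_extend(b->limit, dest, token_bytes)) {
        size_t len_so_far = dest - b->front;
        buff_extend(b, token_bytes);
        dest = b->front + len_so_far;
    }
    memset(b->base + dest, 'x', token_bytes);
    return dest + token_bytes;
}

/* Unpatched commit step: the trailing NUL is never checked, so a full
   buffer (front == limit) plus a zero-token argument moves front to
   limit + 1.  The NUL store is guarded here only so the model stays
   memory-safe; the code the report describes stores unconditionally. */
static size_t commit_unpatched(struct buff *b, size_t token_bytes)
{
    size_t dest = write_tokens(b, b->front, token_bytes);
    if (dest < b->limit)
        b->base[dest] = '\0';
    b->front = dest + 1;
    return b->front;
}

/* Commit step in the shape of the report's diff: reserve the NUL byte
   explicitly and rebase dest after the buffer has been extended. */
static size_t commit_patched(struct buff *b, size_t token_bytes)
{
    size_t dest = write_tokens(b, b->front, token_bytes);
    if ((size_t)((ptrdiff_t)b->limit - (ptrdiff_t)dest) < 1) {
        size_t len_so_far = dest - b->front;
        buff_extend(b, 1);
        dest = b->front + len_so_far;
    }
    b->base[dest] = '\0';
    b->front = dest + 1;
    return b->front;
}

/* Reproduce the report's condition on an 8-byte buffer: a 7-byte argument
   plus its NUL fills it exactly (front == limit), then an empty argument
   is stringified.  Returns how far past limit front ended up; 0 means the
   buffer stayed consistent. */
static size_t overrun_after_empty_arg(int patched)
{
    struct buff b;
    buff_init(&b, 8);
    size_t (*commit)(struct buff *, size_t) =
        patched ? commit_patched : commit_unpatched;
    commit(&b, 7);
    size_t front = commit(&b, 0);
    size_t over = front > b.limit ? front - b.limit : 0;
    free(b.base);
    return over;
}
```

After the unpatched run leaves front one byte past limit, room_check_wants_extend(8, 9, 100) returns 0: the wrapped difference is larger than any request, which is the "about 4G" string the report mentions. With the NUL reserved first, the same sequence ends with front inside the (now larger) buffer.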