This is the mail archive of the mailing list for the GCC project.


preprocessor/8055: CPP0 segfault on FreeBSD + PATCH

>Number:         8055
>Category:       preprocessor
>Synopsis:       PATCH: CPPO dies with SIG11 when building FreeBSD kernel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          ice-on-legal-code
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 26 08:26:01 PDT 2002
>Originator:     Alexander N. Kabaev
>Release:        3.2.1 [FreeBSD] 20020916 (prerelease)

System: FreeBSD 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Sep 16 10:44:41EDT 2002  i386
GCC 3.2.1 configured as system compiler

As well as:
System: FreeBSD 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #0: Mon Sep 16 11:16:37 EDT 2002 i386

GCC 3.2.1 built from ports:
host: i386-portbld-freebsd4.7
build: i386-portbld-freebsd4.7
target: i386-portbld-freebsd4.7
configured with: ./..//gcc-20020902/configure --disable-nls --with-gnu-as --with-gnu-ld --with-gxx-include-dir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/g++-v3 --with-system-zlib --includedir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/Java --disable-libgcj --disable-shared --prefix=/usr/local i386-portbld-freebsd4.7
Preprocessor CPP0 dumps core when used to create the dependencies list
while building the FreeBSD kernel. The reason is a bug in gcc/cppmacro.c
in function stringify_arg. If the pfile->u_buff buffer is completely filled
when the function is called (i.e.
BUFF_FRONT (pfile->u_buff) == BUFF_LIMIT (pfile->u_buff)), and the
macro_arg passed to it as the second parameter has no tokens, that is
arg->count is 0, then stringify_buffer will happily advance the
BUFF_FRONT (pfile->u_buff) pointer past the BUFF_LIMIT (pfile->u_buff)
value, making comparisons like
  (size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < len
useless. CPP0 will dump core shortly afterwards trying to strchr/strcpy
a string which it thinks is about 4G in size.

The test case is not exactly trivial to produce. The stringify_arg
function should be called with an empty argument and a completely
filled buffer. The layout of system header files happened to
trigger exactly this condition.
The patch below takes care of the problem.
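
To make the failure mode concrete, here is an added toy model of the BUFF_FRONT/BUFF_LIMIT invariant (this is example code, not cpplib's own; the struct, buff_extend and commit_empty are this example's constructions): committing the NUL of an empty argument on a full buffer pushes the front one byte past the limit, after which the size_t room check wraps to a huge value, whereas the patch's guard extends the buffer first.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy model of cpplib's _cpp_buff (constructed for this example): cur is
   BUFF_FRONT, limit is BUFF_LIMIT; bytes in [cur, limit) are uncommitted.  */
struct buff { unsigned char *base, *cur, *limit; };

/* Stand-in for _cpp_extend_buff: guarantee MIN_EXTRA bytes of room while
   preserving the uncommitted bytes in [cur, limit).  */
static void buff_extend(struct buff *b, size_t min_extra)
{
  size_t used = (size_t) (b->cur - b->base);
  size_t size = (size_t) (b->limit - b->base) * 2 + min_extra;
  b->base = realloc(b->base, size + 1);
  b->cur = b->base + used;
  b->limit = b->base + size;
}

/* The room check stringify_arg relies on before each copy.  Once cur has
   overshot limit the difference is negative and the size_t cast wraps to
   SIZE_MAX (about 4G on a 32-bit host), so the check never fires again.  */
static size_t room_as_seen(const struct buff *b)
{
  return (size_t) (b->limit - b->cur);
}

/* Commit step for an empty argument (arg->count == 0) on a completely
   filled buffer of SIZE bytes: nothing is copied, but the NUL slot is still
   committed.  CHECKED == 0 is the shipped code; CHECKED != 0 adds the
   patch's guard.  Returns the room every later check would see.  */
static size_t commit_empty(size_t size, int checked)
{
  struct buff b;
  /* One slack byte past limit keeps forming limit + 1 defined in this toy;
     the real buffer has none, so the overshoot lands on whatever follows.  */
  b.base = malloc(size + 1);
  b.cur = b.limit = b.base + size;          /* BUFF_FRONT == BUFF_LIMIT */
  unsigned char *dest = b.cur;
  size_t len_so_far = (size_t) (dest - b.cur);   /* 0: no tokens to spell */
  if (checked && (size_t) (b.limit - dest) < 1)
    {
      buff_extend(&b, 1);
      dest = b.cur + len_so_far;
      *dest = '\0';                           /* now there is room for NUL */
    }
  b.cur = dest + 1;                           /* unchecked: cur == limit + 1 */
  size_t room = room_as_seen(&b);
  free(b.base);
  return room;
}
```

commit_empty(8, 0) reports SIZE_MAX bytes of room after the overshoot; commit_empty(8, 1) reports the small, correct remainder of the extended buffer.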

Index: contrib/gcc/cppmacro.c
RCS file: /usr/ncvs/src/contrib/gcc/cppmacro.c,v
retrieving revision
diff -u -r1.1.1.4 cppmacro.c
--- contrib/gcc/cppmacro.c	1 Sep 2002 20:37:29 -0000
+++ contrib/gcc/cppmacro.c	24 Sep 2002 15:40:54 -0000
@@ -349,6 +349,12 @@
   /* Commit the memory, including NUL, and return the token.  */
   len = dest - BUFF_FRONT (pfile->u_buff);
+  if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1)
+    {
+      size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff);
+      _cpp_extend_buff (pfile, &pfile->u_buff, 1);
+      dest = BUFF_FRONT (pfile->u_buff) + len_so_far;
+    }
   BUFF_FRONT (pfile->u_buff) = dest + 1;
   return new_string_token (pfile, dest - len, len);
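Review bot: the new `len_so_far` local duplicates `len`, which the unchanged line just above the hunk computes as exactly `dest - BUFF_FRONT (pfile->u_buff)` and which the guard does not alter; reuse `len` there and drop the extra variable. The guard also now sits under the `/* Commit the memory, including NUL, and return the token.  */` comment although it is a room check rather than part of the commit, so either move the block above that comment or extend the comment to say that a final byte for the NUL is reserved first. Since `dest` can never exceed `BUFF_LIMIT (pfile->u_buff)` on entry to this step, `dest == BUFF_LIMIT (pfile->u_buff)` states the empty-argument condition more directly than `(size_t) (... - dest) < 1`, though the existing form is consistent with the loop's earlier check.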
