


libobjc/10742: objc_lookup_class() called with illegal argument


>Number:         10742
>Category:       libobjc
>Synopsis:       objc_lookup_class() called with illegal argument
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 12 08:46:01 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     richard@brainstorm.co.uk
>Release:        gcc (GCC) 3.4 20030510  and earlier
>Organization:
>Environment:
gnu/linux intel, but will apply to other systems too.
>Description:
When a class is loaded into the runtime, the fields in the class structure that normally link to other classes initially hold pointers to strings containing the names of those classes; these pointers are replaced by links to the actual class structures during the load process.
In various places in the runtime file init.c, the code calls objc_lookup_class() with the value of class->super_class on the assumption that it is still the name of the class's superclass.  However, this is not always the case: once the links have been resolved, the field holds a pointer to a Class structure, and that pointer is then passed as if it were a string.  objc_lookup_class() treats the Class structure as a C string and reads past it looking for a NUL terminator, which can cause a segmentation violation.
>How-To-Repeat:

>Fix:
The attached patch fixes this problem by introducing a new static function which checks whether the class links have already been resolved, and only treats the super_class field as a string if it has not yet been replaced by a class pointer.
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: text/plain; name="init.c.diff"
Content-Disposition: inline; filename="init.c.diff"

*** init.c.old	Sun May 11 07:14:11 2003
--- init.c	Sun May 11 07:13:52 2003
***************
*** 99,104 ****
--- 99,115 ----
     should not be destroyed during the execution of the program.  */
  static cache_ptr __objc_load_methods = NULL;
  
+ /* Return the super class by resorting to objc_lookup_class()
+    if links are not yet resolved. */
+ static Class lookup_super(Class class)
+ {
+   if (class->super_class == Nil)
+     return Nil;
+   if (CLS_ISRESOLV(class))
+     return class->super_class;
+   return objc_lookup_class((char*)class->super_class);
+ }
+ 
  /* Creates a tree of classes whose topmost class is directly inherited
     from `upper' and the bottom class in this tree is
     `bottom_class'. The classes in this tree are super classes of
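Review bot: lookup_super uses CLS_ISRESOLV to decide whether super_class is a Class or a name, but its comment states neither that precondition nor that a Nil return is ambiguous (a root class and a superclass that is not loaded yet both yield Nil), which every caller that reads Nil as "unresolved" must then disambiguate itself. If the resolver sets the RESOLV flag before it rewrites super_class (not visible in this patch), there would be a window in which the raw name pointer is returned as a Class; worth confirming against __objc_resolve_class_links. The helper also dereferences class unconditionally, as the code it replaces did, so callers must never pass Nil. Suggested header comment: `/* Superclass of CLASS: super_class holds the superclass NAME until CLS_ISRESOLV is set, and a Class pointer afterwards.  Returns Nil for a root class and also when the named superclass is not loaded yet; CLASS must be non-Nil.  */`.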
***************
*** 108,117 ****
  static objc_class_tree *
  create_tree_of_subclasses_inherited_from (Class bottom_class, Class upper)
  {
!   Class superclass = bottom_class->super_class ?
! 			objc_lookup_class ((char *) bottom_class->super_class)
! 		      : Nil;
! 					
    objc_class_tree *tree, *prev;
  
    DEBUG_PRINTF ("create_tree_of_subclasses_inherited_from:");
--- 119,126 ----
  static objc_class_tree *
  create_tree_of_subclasses_inherited_from (Class bottom_class, Class upper)
  {
!   Class superclass = lookup_super(bottom_class);
! 
    objc_class_tree *tree, *prev;
  
    DEBUG_PRINTF ("create_tree_of_subclasses_inherited_from:");
***************
*** 122,135 ****
    tree = prev = objc_calloc (1, sizeof (objc_class_tree));
    prev->class = bottom_class;
  
!   while (superclass != upper)
      {
        tree = objc_calloc (1, sizeof (objc_class_tree));
        tree->class = superclass;
        tree->subclasses = list_cons (prev, tree->subclasses);
!       superclass = (superclass->super_class ?
! 			objc_lookup_class ((char *) superclass->super_class)
! 		      : Nil);
        prev = tree;
      }
  
--- 131,142 ----
    tree = prev = objc_calloc (1, sizeof (objc_class_tree));
    prev->class = bottom_class;
  
!   while (superclass != Nil && superclass != upper)
      {
        tree = objc_calloc (1, sizeof (objc_class_tree));
        tree->class = superclass;
        tree->subclasses = list_cons (prev, tree->subclasses);
!       superclass = lookup_super(superclass);
        prev = tree;
      }
  
***************
*** 157,166 ****
        DEBUG_PRINTF ("1. class %s was previously inserted\n", class->name);
        return tree;
      }
!   else if ((class->super_class ?
! 		    objc_lookup_class ((char *) class->super_class)
! 		  : Nil)
! 	    == tree->class)
      {
        /* If class is a direct subclass of tree->class then add class to the
  	 list of subclasses. First check to see if it wasn't already
--- 164,170 ----
        DEBUG_PRINTF ("1. class %s was previously inserted\n", class->name);
        return tree;
      }
!   else if (lookup_super(class) == tree->class)
      {
        /* If class is a direct subclass of tree->class then add class to the
  	 list of subclasses. First check to see if it wasn't already
***************
*** 370,378 ****
      {
        if (class == superclass)
  	return YES;
!       class = (class->super_class ?
! 		  objc_lookup_class ((char *) class->super_class)
! 		: Nil);
      }
  
    return NO;
--- 374,380 ----
      {
        if (class == superclass)
  	return YES;
!       class = lookup_super(class);
      }
  
    return NO;
***************
*** 562,568 ****
  
        /* Check to see if the superclass is known in this point. If it's not
  	 add the class to the unresolved_classes list.  */
!       if (superclass && ! objc_lookup_class (superclass))
  	unresolved_classes = list_cons (class, unresolved_classes);
     }
  
--- 564,570 ----
  
        /* Check to see if the superclass is known in this point. If it's not
  	 add the class to the unresolved_classes list.  */
!       if (superclass && ! lookup_super (class))
  	unresolved_classes = list_cons (class, unresolved_classes);
     }
  
***************
*** 674,680 ****
      {
        Class class = unresolved_classes->head;
  
!       while (objc_lookup_class ((char *) class->super_class))
  	{
  	  list_remove_head (&unresolved_classes);
  	  if (unresolved_classes)
--- 676,682 ----
      {
        Class class = unresolved_classes->head;
  
!       while (lookup_super (class))
  	{
  	  list_remove_head (&unresolved_classes);
  	  if (unresolved_classes)
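Review bot: `while (lookup_super (class))` only terminates correctly because every class on unresolved_classes is assumed to have a non-Nil super_class; if a root class ever reached the list, lookup_super would return Nil, the loop would not run, and the entry would stay on the list without being popped. That invariant is enforced elsewhere (the `superclass &&` check when the list is built) rather than here, so a one-line comment would help: `/* Only classes with a not-yet-loaded superclass are on this list, so Nil here means "still unresolved", never "root class".  */`. The loop body and the surrounding function continue outside the hunk.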

