Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
From: Wiebe Cazemier
Subject: Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
Date: Mon, 22 Jun 2020 22:38:24 +0200 (CEST)
----- Original Message -----
> From: "Wiebe Cazemier" <wiebe@halfgaar.net>
> To: "Bruno Haible" <bruno@clisp.org>
> Cc: bug-gettext@gnu.org
> Sent: Tuesday, 16 June, 2020 17:41:10
> Subject: Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
>
> I'd like to revisit this. The dcigettext.c from glibc-2.27, Ubuntu 18.04,
> around line 925 (marked) is:
>
> /* Compare msgid with the original string at index nstr.
>    We compare the lengths with >=, not ==, because plural entries
>    are represented by strings with an embedded NUL.  */
> if (nstr < nstrings
>     ? W (domain->must_swap, domain->orig_tab[nstr].length) >= len
>       && (strcmp (msgid,
>                   domain->data + W (domain->must_swap,
>                                     domain->orig_tab[nstr].offset))
>           == 0)
>     : domain->orig_sysdep_tab[nstr - nstrings].length > len
>       && (strcmp (msgid, // <- Line 925
>                   domain->orig_sysdep_tab[nstr - nstrings].pointer)
>           == 0))
>   {
>     act = nstr;
>     goto found;
>   }
>
> gdb can't access nstr, probably because it's only stored in a register.
> However:
>
> (gdb) print domain->orig_sysdep_tab
> $5 = (const struct sysdep_string_desc *) 0x0
>
> I would have expected it to crash on the line above it (because it also
> references 'domain->orig_sysdep_tab'), but because gdb says 'len' is optimized
> out, perhaps line 924 isn't executed.
>
> I can't quite figure out how to trip that swapping code. Perhaps then I could
> reproduce it. But, it seems to me it shouldn't call this with
> 'domain->orig_sysdep_tab' being 0/NULL?
>
> Regards,
>
> Wiebe
I think I can reproduce it, sort of. When I let my small C program from earlier
loop forever, outputting several translations, and I generate a new mo file with
msgfmt, two things can happen:
1) it loses translations, even if I only remove one of the entries.
2) SIGBUS. This happens especially when the new .mo file is much shorter.
Apparently you can get SIGBUS when you're accessing outside of a mmap on a
file? The original fault was a SIGSEGV, but the rest of the crash is similar.
dcigettext.c line 907 this time:

    nls_uint32 nstr = W(domain->must_swap_hash_tab, domain->hash_tab[idx]);

I'm unsure at this point whether the client application should deal with this
better or not, but I thought I'd post it.
Regards,
Wiebe
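The SIGBUS described above, as an added C example that is not code from the thread or from gettext: it mmaps a constructed stand-in for a .mo file, regenerates it shorter either by rewriting the file in place (which is what faults) or by writing to a temp name and rename()ing it over the old path (the old inode stays alive under the mapping), and reports whether touching the mapping raised SIGBUS. `touch_after_regen`, `make_file` and the file name are my own; it assumes Linux mmap semantics and a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf bus_env;
static void on_sigbus(int sig) { (void)sig; siglongjmp(bus_env, 1); }

/* Create `path` with `size` bytes: a constructed stand-in for a .mo file. */
static int make_file(const char *path, off_t size)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    int rc = fd < 0 ? -1 : ftruncate(fd, size);
    if (fd >= 0) close(fd);
    return rc;
}

/* Map `path` the way a long-running process holds a .mo, regenerate it shorter,
   then read the mapping's second page. Returns 1 if that raised SIGBUS,
   0 if it read cleanly, -1 on setup failure. With atomic != 0 the new file
   is written to a temp name and rename()d over the old path instead. */
int touch_after_regen(const char *path, int atomic)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (make_file(path, (off_t)(2 * page)) != 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    volatile char *map = mmap(NULL, 2 * page, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED) return -1;
    /* The "new .mo" is half a page, so page 2 of the old size lies past EOF. */
    char tmp[4096]; snprintf(tmp, sizeof tmp, "%s.tmp", path);
    if (make_file(atomic ? tmp : path, (off_t)(page / 2)) != 0) return -1;
    if (atomic && rename(tmp, path) != 0) return -1;  /* old inode stays mapped */
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_sigbus;
    sigaction(SIGBUS, &sa, &old);
    volatile int faulted = 0;
    if (sigsetjmp(bus_env, 1) == 0)
        (void)map[page];               /* in-place rewrite: SIGBUS here */
    else
        faulted = 1;
    sigaction(SIGBUS, &old, NULL);
    munmap((void *)map, 2 * page);
    unlink(path);
    return faulted;
}
```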