Hans-Bernhard Bröker wrote:

> On 01.05.2022 at 13:38, Dominique Pellé wrote:
> > Hi
> >
> > cscope-15.9 (installed from homebrew) crashes on macOS (Monterey).
>
> That's somewhat surprising insofar as it's the first such report in 4
> years since we released 15.9, except for a build failure that was
> apparently due to some breakage in Apple's latest version of their
> development tool chain.
>
> > ==50182==ERROR: AddressSanitizer: global-buffer-overflow on address
> > 0x00010474cc81 at pc 0x00010d195718 bp 0x00030d14ae90 sp
> [...]
> > 0x00010474cc81 is located 0 bytes to the right of global variable
> > 'found_caller' defined in 'find.c:1047:14' (0x10474cc80) of size 1
> [...]
> > I can reproduce the crash at least with vim sources:
>
> Which version of the vim source, in particular?
>
> > The proposed patch fixes that issue in `find.c` by making sure
> > the returned `char*` is '\0' terminated.
>
> The patch would be much easier to digest if it did just that, instead of
> conflating it with other, unrelated changes. Changes for 3 separate
> issues really should come as 3 patch files.
>
> That said, it might be even better if you could use the "Patches"
> tracker at SourceForge for them.
>
> > However, cscope still did not work on macOS for another
> > reason whereas it worked on Linux.
>
> "Did not work" begs for a better explanation.
>
> I do see test failures here in vim's "make test_cscope" of the GIT head
> version. But those look like they're more likely to have been caused by
> bit-rot in the tests' expected results. The results themselves appear
> correct.
>
> > Debugging the difference,
> > I saw that BUFSIZ is 1024 on macOS and 8192 on Linux and
> > somehow this causes cscope to not work on macOS.
>
> That is an extremely surprising finding, given that cscope reportedly
> has worked on MacOS just fine, for a very long time.
>
> Also, other platforms that use a BUFSIZ of 1024 have worked just fine,
> too. Including Cygwin, which is my primary cscope platform these days.
> That makes me doubt this analysis heavily.
>
> > I wanted to try with the latest code in CVS but
> > I was not able to download it from sourceforge.
>
> CVS has been discontinued by SourceForge. The source is now in git there.
Hi

I just created 3 separate git pull requests:

* https://sourceforge.net/p/cscope/cscope/merge-requests/3/
  This pull request fixes an access beyond the end of a string, reproducible on macOS or Linux. On Linux it crashes only when cscope is built with the address sanitizer (asan), but on macOS Monterey M1 it crashed even in a regular build, and crashed with the official homebrew binary package. See reproducible steps [1] below.

* https://sourceforge.net/p/cscope/cscope/merge-requests/4/
  This pull request merely fixes typos in the man page and in source code comments.

* https://sourceforge.net/p/cscope/cscope/merge-requests/5/
  This pull request fixes the Vim cscope test. See reproducible steps [2] below on macOS. It should be applied on top of https://sourceforge.net/p/cscope/cscope/merge-requests/3/. The bug in this last PR is not so clear and deserves more investigation, but my PR makes the Vim test work at least.

[1] Steps to reproduce the asan error on Linux or macOS, happening with the latest cscope in git without my PRs (https://sourceforge.net/p/cscope/cscope/merge-requests/3/):

```
# git SHA1 of latest cscope: eaea31cb93ecddda69a373f83f632e1a450c3c90
$ git clone https://git.code.sf.net/p/cscope/cscope cscope-cscope
$ cd cscope-cscope
$ autoreconf -i -s
# Configure to build with asan (address sanitizer) to find invalid memory accesses
$ CFLAGS="-O0 -fsanitize=address" LDFLAGS="-O0 -fsanitize=address" ./configure
$ make
$ cd src
$ rm -f cscope.out ; ./cscope -bk -fcscope.out main.c
$ ./cscope -d 2> asan.log
# Then in the cscope UI, search for xxx (a non-existing function) with:
Find functions called by this function: xxx
```

Observe that cscope crashes and the asan.log file contains:

```
=================================================================
==6590==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000074b121 at pc 0x7f269ef5f653 bp 0x7ffc9ca95630 sp 0x7ffc9ca94de0
READ of size 2 at 0x00000074b121 thread T0
    #0 0x7f269ef5f652 (/usr/local/pkg/gcc5/lib/../lib64/libasan.so.2+0x5f652)
    #1 0x7f269ef603b6 in __interceptor_vsnprintf (/usr/local/pkg/gcc5/lib/../lib64/libasan.so.2+0x603b6)
    #2 0x7f269ef60605 in __interceptor_snprintf (/usr/local/pkg/gcc5/lib/../lib64/libasan.so.2+0x60605)
    #3 0x422f51 in search (/home/dope/sb/cscope-cscope/src/cscope+0x422f51)
    #4 0x417763 in command (/home/dope/sb/cscope-cscope/src/cscope+0x417763)
    #5 0x43610f in main (/home/dope/sb/cscope-cscope/src/cscope+0x43610f)
    #6 0x7f269e4e1c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #7 0x4037d9 in _start (/home/dope/sb/cscope-cscope/src/cscope+0x4037d9)

0x00000074b121 is located 0 bytes to the right of global variable 'found_caller' defined in 'find.c:1047:14' (0x74b120) of size 1
0x00000074b121 is located 63 bytes to the left of global variable 'function' defined in 'find.c:1204:14' (0x74b160) of size 251
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0000800e15d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e15e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e15f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1610: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9
=>0x0000800e1620: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800e1630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1640: 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  0x0000800e1650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==6590==ABORTING
```

[2] Steps to reproduce the Vim cscope test failing on macOS only (on Linux the test passed) without my PR https://sourceforge.net/p/cscope/cscope/merge-requests/5/

Make sure cscope is in PATH, then:

```
# git SHA1 of latest vim: d899e51120798d3fb5420abb1f19dddf3f014d05
$ git clone https://github.com/vim/vim.git
$ cd vim
$ ./configure --with-features=huge --enable-gui=none --enable-cscope --enable-fail-if-missing
$ make -j8
$ cd src/testdir
$ make test_cscope
...snip...
From test_cscope.vim:
Executed Test_cscopeWithCscopeConnections() in 0.558636 seconds
Executed Test_cscope_add_dir() in 0.175729 seconds
Executed Test_cscopequickfix() in 0.000320 seconds
Executed Test_withoutCscopeConnection() in 0.000226 seconds
Executed 4 tests in 0.759186 seconds
2 FAILED:
Found errors in Test_cscopeWithCscopeConnections():
Caught exception in Test_cscopeWithCscopeConnections(): Vim(cscope):E262: Error reading cscope connection 0 @ command line..script /private/tmp/vim/src/testdir/runtest.vim[459]..function RunTheTest[44]..Test_cscopeWithCscopeConnections, line 36
Found errors in Test_cscope_add_dir():
command line..script /private/tmp/vim/src/testdir/runtest.vim[459]..function RunTheTest[44]..Test_cscope_add_dir line 11: Expected 3 but got 4
command line..script /private/tmp/vim/src/testdir/runtest.vim[459]..function RunTheTest[44]..Test_cscope_add_dir line 14: Pattern '^ 0 \\d\\+.*Xcscopedir/cscope.out\\s\\+<none>$' does not match ' 0 25431 /private/tmp/vim/src/testdir/Xcscope.out <none>'
make: *** [Makefile:66: test_cscope] Error 1
```

Regards
Dominique

_______________________________________________
Cscope-devel mailing list
Cscope-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cscope-devel
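The ASan report above describes a bug class worth modelling on its own: a 1-byte global (`found_caller`, "of size 1") is reached through `snprintf` from `search()`, which means a pointer to a flag byte was formatted as if it were a '\0'-terminated string. The C below is an added illustration written for this thread, not cscope's code and not from either message; `found_flag`, `lookup_buggy`, `lookup_fixed`, `bounded_len`, `is_terminated_within`, `format_message`, `unterminated` and the sample inputs are all constructed assumptions. It shows the unsafe shape beside the terminated-buffer fix the merge request describes, and a bounded length check that a caller can use to refuse to format a pointer whose object contains no terminator.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a one-byte global status flag, the same shape as
   the 1-byte 'found_caller' global named in the ASan report. This is a model
   of the bug class, not cscope's own code. */
static char found_flag = 'N';

/* Buggy pattern: the lookup hands back a pointer to the one-byte flag.
   Nothing in the flag's storage guarantees a terminating '\0', so a caller
   that formats the pointer with "%s" reads past the object; that is exactly
   the global-buffer-overflow ASan reports from inside vsnprintf. */
const char *lookup_buggy(const char *name)
{
    found_flag = (strcmp(name, "main") == 0) ? 'Y' : 'N';
    return &found_flag;              /* pointer to a flag, not to a string */
}

/* Fixed pattern: any result a caller may format with "%s" is written into a
   buffer that snprintf always '\0'-terminates; "found" is signalled by NULL
   rather than by a pointer to a non-string object. */
static char result_buf[128];
const char *lookup_fixed(const char *name)
{
    if (strcmp(name, "main") == 0)
        return NULL;                 /* found: nothing to report */
    snprintf(result_buf, sizeof result_buf, "no function named %s", name);
    return result_buf;
}

/* Bounded string length: scans at most 'max' bytes and never reads further,
   unlike strlen(). Returns 'max' when no '\0' lies within those bytes. */
size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 when a '\0' terminator lies within the first 'objsz' bytes of
   the object 's' points at, i.e. when it is safe to hand 's' to "%s". */
int is_terminated_within(const char *s, size_t objsz)
{
    return bounded_len(s, objsz) < objsz;
}

/* Defensive formatting: "%.*s" caps how many bytes printf may read, so a
   message without a terminator in its first 'msg_max' bytes still cannot
   run off the end of its object. Returns the snprintf result. */
int format_message(char *out, size_t outsz, const char *msg, size_t msg_max)
{
    int n = (int) bounded_len(msg, msg_max);
    return snprintf(out, outsz, "Error: %.*s", n, msg);
}

/* Constructed input with deliberately no '\0' inside the object. */
static const char unterminated[3] = { 'a', 'b', 'c' };

int main(void)
{
    char out[64];
    const char *msg;

    /* The one-byte flag has no terminator inside its own storage, so a
       "%s" of it would be an out-of-bounds read (not performed here). */
    printf("buggy result terminated within its object: %d\n",
           is_terminated_within(lookup_buggy("xxx"), sizeof found_flag));

    /* The fixed lookup returns NULL or a terminated string. */
    msg = lookup_fixed("xxx");
    printf("fixed result terminated within its buffer:  %d\n",
           is_terminated_within(msg, sizeof result_buf));

    /* Bounded formatting stays inside the object even without a '\0'. */
    format_message(out, sizeof out, unterminated, sizeof unterminated);
    printf("%s\n", out);
    return 0;
}
```

Building this with `-fsanitize=address` and adding a `printf("%s", lookup_buggy("xxx"))` call reproduces the same "global-buffer-overflow ... of size 1" diagnostic as the report; the sanitizer is the cheapest way to catch this class in CI before a platform whose allocator or layout happens to make it crash in a regular build, as macOS did here.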