The call is from:
OpenSP::NCVector<OpenSP::Owner<OpenJade_DSSSL::Expression> >::resize 
(this=0xffffffffe0c8, n=1)

That means resize it to size "1".
And it would be ok to delete all later elements.


  void resize(size_t n) {
    if (n < size_)
      erase(ptr_ + n, ptr_ + size_);
    else if (n > size_)
      append(n - size_);
  }

p ptr_
$14 = (OpenSP::Owner<OpenJade_DSSSL::Expression> *) 0xaaaaab46eae0


And therefore ptr_ + size_ => 0xaaaaab46eb00
But there is no valid OpenSP::Owner<OpenJade_DSSSL::Expression> at this address.


999             for (;;) {
1000              args.resize(args.size() + 1);
1001              if (!parseExpression(allowCloseParen, args.back(), key, tok))
1002                return 0;
1003              if (!args.back()) {
1004                args.resize(args.size() - 1);   <===
1005                break;
1006              }
1007            }

Here:
(gdb) p args
$16 = {_vptr.NCVector = 0xfffff7f8a020 <vtable for 
OpenSP::NCVector<OpenSP::Owner<OpenJade_DSSSL::Expression> >+16>, size_ = 2, 
ptr_ = 0xaaaaab46eae0, alloc_ = 2}


But the size is only "2" elements, not three.
(gdb) p *(args.ptr_+0)
$21 = {_vptr.Owner = 0xfffff7f8a040 <vtable for 
OpenSP::Owner<OpenJade_DSSSL::Expression>+16>, p_ = 0xaaaaab46f9f0}
(gdb) p *(args.ptr_+1)
$22 = {_vptr.Owner = 0xfffff7f8a040 <vtable for 
OpenSP::Owner<OpenJade_DSSSL::Expression>+16>, p_ = 0x0}
(gdb) p *(args.ptr_+2)
$23 = {_vptr.Owner = 0x6c00000063, p_ = 0x1d1}


b OpenJade_DSSSL::SchemeParser::parseExpression
b OpenSP::NCVector<OpenSP::Owner<OpenJade_DSSSL::Expression> >::resize


(gdb) p tok
$30 = (OpenJade_DSSSL::SchemeParser::Token &) @0xffffffffe1c8: 
OpenJade_DSSSL::SchemeParser::tokenCloseParen

And I see it taking the route I'd expect then:
(gdb) 
977       switch (tok) {
(gdb) 
1090        break;
(gdb) 
1092      return 1;

That is the default: in the switch, a tokenCloseParen doesn't have an
entry.

But then it re-enters the switch without obvious reason.

1003              if (!args.back()) {
(gdb) l
998             NCVector<Owner<Expression> > args;
999             for (;;) {
1000              args.resize(args.size() + 1);
1001              if (!parseExpression(allowCloseParen, args.back(), key, tok))
1002                return 0;
1003              if (!args.back()) {
1004                args.resize(args.size() - 1);
1005                break;
1006              }
1007            }

It didn't pass lines 998-1002 at all, nor do I see why it would jump up
here.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1869734

Title:
  openjade segfaults on arm (due to gcc optimization)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjade/+bug/1869734/+subscriptions

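To make the resize()/back() reasoning in the report easier to follow, here is a small model of the data structure involved. It is an added example written for this note, not OpenSP's or OpenJade's own code: `Owner` and `NCVector` are re-implemented with the same shape as the quoted resize() (tail erase, append of default-constructed slots), `FakeParser`, `collectArgs`, `demo` and the doubling growth policy are assumptions made here, and the token stream is constructed. It shows that after the loop at lines 998-1007 exactly size() slots are live objects, and that on the error path (`return 0`) the extra empty slot is left in place.

```cpp
// Model of OpenSP's NCVector<Owner<T>> used by SchemeParser (written for this
// note, not the library's code). Growth policy and parser stub are assumptions.
#include <cassert>
#include <cstddef>
#include <cstdlib>
#include <new>
#include <utility>
#include <vector>

// Owner<T>: owns one heap T, deletes it on destruction, tests true when non-null.
template <class T>
class Owner {
public:
  Owner() : p_(nullptr) {}
  ~Owner() { delete p_; }
  Owner(const Owner&) = delete;
  Owner& operator=(const Owner&) = delete;
  Owner& operator=(T* p) { delete p_; p_ = p; return *this; }
  T* operator->() const { return p_; }
  explicit operator bool() const { return p_ != nullptr; }
  void swap(Owner& o) { T* t = p_; p_ = o.p_; o.p_ = t; }
private:
  T* p_;
};

// NCVector<T>: non-copyable vector; T must provide swap() so it can be relocated.
template <class T>
class NCVector {
public:
  NCVector() : size_(0), ptr_(nullptr), alloc_(0) {}
  ~NCVector() { erase(ptr_, ptr_ + size_); std::free(ptr_); }
  NCVector(const NCVector&) = delete;
  NCVector& operator=(const NCVector&) = delete;
  size_t size() const { return size_; }
  size_t alloc() const { return alloc_; }
  T* begin() { return ptr_; }
  T& back() { assert(size_ > 0); return ptr_[size_ - 1]; }
  // Same shape as the resize() quoted in the report.
  void resize(size_t n) {
    if (n < size_) erase(ptr_ + n, ptr_ + size_);
    else if (n > size_) append(n - size_);
  }
private:
  // Tail erase only: destroys [start, end) and shrinks size_ accordingly.
  void erase(T* start, T* end) {
    assert(end == ptr_ + size_);
    for (T* p = start; p != end; ++p) p->~T();
    size_ -= static_cast<size_t>(end - start);
  }
  // Appends n default-constructed (null) slots, growing the buffer if needed.
  void append(size_t n) {
    reserve(size_ + n);
    for (size_t i = 0; i < n; i++) new (ptr_ + size_ + i) T();
    size_ += n;
  }
  // Doubling growth (assumption); relocates by swapping ownership, not memcpy.
  void reserve(size_t n) {
    if (n <= alloc_) return;
    size_t newAlloc = alloc_ ? alloc_ * 2 : 1;
    if (newAlloc < n) newAlloc = n;
    T* np = static_cast<T*>(std::malloc(newAlloc * sizeof(T)));
    for (size_t i = 0; i < size_; i++) {
      new (np + i) T();
      np[i].swap(ptr_[i]);
      ptr_[i].~T();
    }
    std::free(ptr_);
    ptr_ = np;
    alloc_ = newAlloc;
  }
  size_t size_;
  T* ptr_;
  size_t alloc_;
};

struct Expression { int id; };

// Stand-in for parseExpression(): consumes a constructed token stream where a
// positive value is an expression and 0 is tokenCloseParen. On ')' it leaves
// 'out' null and reports success, which is what terminates the loop below.
struct FakeParser {
  std::vector<int> tokens;
  size_t pos = 0;
  explicit FakeParser(std::vector<int> t) : tokens(std::move(t)) {}
  bool parseExpression(Owner<Expression>& out) {
    if (pos >= tokens.size()) return false;   // truncated input: error
    int t = tokens[pos++];
    if (t == 0) return true;                   // close paren: out stays null
    out = new Expression{t};
    return true;
  }
};

// Mirrors lines 998-1007 quoted above. Returns the number of argument
// expressions collected, or -1 when parseExpression() fails.
int collectArgs(FakeParser& parser, NCVector<Owner<Expression>>& args) {
  for (;;) {
    args.resize(args.size() + 1);            // push one fresh, null slot
    if (!parser.parseExpression(args.back()))
      return -1;                             // note: empty slot is NOT removed
    if (!args.back()) {                      // ')' seen: drop the empty slot
      args.resize(args.size() - 1);
      break;
    }
  }
  return static_cast<int>(args.size());
}

int demo() {
  FakeParser p({7, 9, 0});                   // constructed: two exprs, then ')'
  NCVector<Owner<Expression>> args;
  return collectArgs(p, args);               // 2 live slots, alloc() may be larger
}

int main() { return demo() == 2 ? 0 : 1; }
```

The point for reading the gdb output: after the loop only `size()` slots hold constructed `Owner` objects, and `alloc()` can be larger, so `*(args.ptr_ + size_)` is never an object the code is entitled to inspect, whether it lies in spare capacity or past the allocation.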