From: Rich C. <rc...@wi...> - 2010-10-31 14:05:25
Hi Julian,
I was recently helping someone with a SIGSEGV and no stack trace, and they
were running vg/memcheck to help solve their problem without getting anywhere.
They had read about vg/exp-ptrcheck and were trying that to solve the problem.
After I helped them find the coding error, I coded up a simple test case
that caused the crash to see what vg/exp-ptrcheck would catch.
It doesn't actually catch the stack array overwrite, but it does catch
the subsequent access by strlen().
Is this something vg/exp-ptrcheck should catch?
Thanks,
Rich
==3237== exp-ptrcheck, a heap, stack and global array overrun detector
==3237== NOTE: This is an Experimental-Class Valgrind Tool
==3237== Copyright (C) 2003-2010, and GNU GPL'd, by OpenWorks Ltd et al.
==3237== Using Valgrind-3.7.0.SVN and LibVEX; rerun with -h for copyright info
==3237== Command: stack-ptr
==3237==
==3237== Invalid read of size 1
==3237== at 0x4C28F54: strlen (h_intercepts.c:127)
==3237== by 0x4006CA: xf_f1 (stack-ptr.c:25)
==3237== by 0x400772: main (stack-ptr.c:45)
==3237== Address 0x7fefff810 expected vs actual:
==3237== Expected: stack array "temp" in frame 1 back from here
==3237== Actual: unknown
==3237==
==3237== Warning: client switching stacks? SP change: 0x7fefff830 --> 0x700303030
==3237== to suppress, use: --max-stackframe=4275030016 or greater
==3237==
==3237== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3237== Access not within mapped region at address 0x700303030
==3237== at 0x400778: main (stack-ptr.c:48)
==3237== If you believe this happened as a result of a stack
==3237== overflow in your program's main thread (unlikely but
==3237== possible), you can try to increase the size of the
==3237== main thread stack using the --main-stacksize= flag.
==3237== The main thread stack size used in this run was 8388608.
==3237==
==3237== For counts of detected and suppressed errors, rerun with: -v
==3237== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
/* stack-ptr.c -- overwrite stack with sprintf()
 * compile with: gcc -g -o stack-ptr stack-ptr.c
 */
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

struct valdesc {
    char  valtyp;
    char  valsts;
    int   curlen;
    int   elmlen;
    void *valptr;
};

short
xf_f1(struct valdesc *ptr)
{
    short len;
    char  temp[16];
    float value;

    memset(temp, 0, sizeof(temp));
    value = -43.561e25;
    /* "%f" of -4.3561e26 is 35 characters (sign, 27 integer digits,
     * point, six decimals) plus the NUL; sprintf() writes all of them
     * into the 16-byte temp[], overrunning the stack frame. */
    sprintf(temp, "%f", value);
    /* strlen() walks past the end of temp[]: this is the read that
     * exp-ptrcheck reports. The length check below comes too late. */
    len = strlen(temp);
    if (len > ptr->curlen)
        return -1;
    ptr->valtyp = 5;
    ptr->curlen = len;
    ptr->elmlen = len;
    memcpy(ptr->valptr, temp, len);
    ptr->valsts = 100;
    return 0;
}

int
main(int argc, char **argv)
{
    struct valdesc vd;

    memset(&vd, 0, sizeof(vd));
    vd.curlen = 100;
    vd.valptr = malloc(100 * sizeof(char));
    xf_f1(&vd);
    return 0;
}
--
Rich Coe rc...@wi...
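An added example, not part of Rich's message and not Valgrind code: the same xf_f1() written so that the formatting step cannot overrun temp[]. snprintf() reports the length the text would have had, so the oversize result is rejected before anything is written past the buffer and before memcpy() trusts the length. value is made a parameter so the overflowing constant from stack-ptr.c and a value that fits can both be run; fmt_len() and run_case() are helper names chosen here for illustration.

```c
/* Added example (not from the original post or from Valgrind): the
 * xf_f1() of stack-ptr.c with the sprintf() overrun removed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct valdesc {          /* same layout as in stack-ptr.c */
    char  valtyp;
    char  valsts;
    int   curlen;
    int   elmlen;
    void *valptr;
};

/* Bytes "%f" needs for value, not counting the NUL: the amount the
 * original sprintf() writes into a 16-byte array. */
int fmt_len(float value)
{
    return snprintf(NULL, 0, "%f", (double)value);
}

/* Hardened xf_f1(): value is a parameter instead of the hard-coded
 * constant so both the overflowing and the fitting case can be tried. */
short xf_f1_safe(struct valdesc *ptr, float value)
{
    char temp[16];
    int  n = snprintf(temp, sizeof temp, "%f", (double)value);

    /* n >= sizeof temp means the output was truncated: the original
     * sprintf() would have written n + 1 bytes over the stack frame. */
    if (n < 0 || (size_t)n >= sizeof temp)
        return -1;
    if (n > ptr->curlen)          /* destination too small */
        return -1;

    ptr->valtyp = 5;
    ptr->curlen = n;
    ptr->elmlen = n;
    memcpy(ptr->valptr, temp, (size_t)n);
    ptr->valsts = 100;
    return 0;
}

/* Run xf_f1_safe() against a fresh 100-byte descriptor, as main() in
 * stack-ptr.c does. Returns the resulting curlen, or -1 if rejected. */
int run_case(float value)
{
    struct valdesc vd;
    int rc;

    memset(&vd, 0, sizeof vd);
    vd.curlen = 100;
    vd.valptr = malloc(100);
    if (vd.valptr == NULL)
        return -1;
    rc = (xf_f1_safe(&vd, value) == 0) ? vd.curlen : -1;
    free(vd.valptr);
    return rc;
}

int main(void)
{
    float big   = -43.561e25f;   /* the value from stack-ptr.c */
    float small = 1.5f;          /* constructed value that fits */

    printf("%%f of %g needs %d bytes, temp[] holds 15: rc=%d\n",
           (double)big, fmt_len(big), run_case(big));
    printf("%%f of %g needs %d bytes: curlen=%d\n",
           (double)small, fmt_len(small), run_case(small));
    return 0;
}
```

The check on n is the whole fix: sprintf() gives the caller no way to learn that the text did not fit, whereas snprintf() never writes more than sizeof temp bytes and returns the full length, so the caller can refuse instead of continuing with a clobbered frame. Formatting with "%g" would also shrink -4.3561e26 to "-4.3561e+26", but it changes the output format, so the length check is the fix that keeps the original behaviour for values that do fit.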