I've got a segfault in texinfo (texinfo-4.7-r1) while searching for information on gcc. Here is the coredump info:

Core was generated by `info gcc'.
Program terminated with signal 11, Segmentation fault.
warning: current_sos: Can't read pathname for load map: Input/output error
Reading symbols from /lib/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libncurses.so.5
Reading symbols from /lib/tls/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x0805c394 in ?? ()
(gdb) bt
#0  0x0805c394 in ?? ()
#1  0x08080428 in ?? ()
#2  0x08082330 in ?? ()
#3  0xbfffed38 in ?? ()
#4  0x08065778 in ?? ()
#5  0x080803e8 in ?? ()
#6  0x08082440 in ?? ()
(gdb) i r
eax            0x6e890f3f       1854476095
ecx            0x8081b48        134749000
edx            0x3              3
ebx            0x8081e00        134749696
esp            0xbfffecf0       0xbfffecf0
ebp            0xbfffed38       0xbfffed38
esi            0x0              0
edi            0x8080428        134743080
eip            0x805c394        0x805c394
eflags         0x10282          66178
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0
gs             0x33             51
(gdb)

Here is the strace info:
...
stat64("/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info/gcc.info.gz", {st_mode=S_IFREG|0644, st_size=290570, ...}) = 0
stat64("/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info/gcc.info.gz", {st_mode=S_IFREG|0644, st_size=290570, ...}) = 0
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[1;24HC Extensions, Next: C++ "..., 77) = 77
ioctl(0, FIONREAD, [0]) = 0
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[3;1H5 Extensions to the C Lang"..., 43) = 43
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[4;13H*************************", 32) = 32
ioctl(0, FIONREAD, [0]) = 0
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[6;1HGNU C provides several lan"..., 75) = 75
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[7;1H(The `-pedantic\' option di"..., 78) = 78
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[8;1Hof these features is used."..., 75) = 75
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[9;1Hfeatures in conditional co"..., 74) = 74
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[10;1H`__GNUC__\', which is alwa"..., 56) = 56
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[11;1H\33[K", 10) = 10
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[12;1H These extensions are a"..., 76) = 76
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[13;1Hare also available in C++"..., 76) = 76
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[14;1HExtensions, for extension"..., 59) = 59
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[15;1H\33[K", 10) = 10
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[16;1H Some features that are"..., 75) = 75
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[17;1Hextensions, accepted by G"..., 61) = 61
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[18;1H\33[K", 10) = 10
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[19;3HMenu:\33[K", 15) = 15
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[20;1H\33[K", 10) = 10
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[21;3HStatement Exprs:: Put"..., 84) = 84
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[22;3HLocal Labels:: Lab"..., 68) = 68
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[23;3HLabels as Values:: Get"..., 76) = 76
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[24;3HNested Functions:: As "..., 82) = 82
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[25;3HConstructing Calls:: Dis"..., 68) = 68
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[26;3HTypeof:: `ty"..., 78) = 78
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[27;3HLvalues:: Usi"..., 69) = 69
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[28;1H* Conditionals:: O"..., 80) = 80
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[29;3HLong Long:: Dou"..., 71) = 71
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[30;3HComplex:: Dat"..., 60) = 60
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[31;1H* Hex Floats:: H"..., 68) = 68
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[32;3HZero Length:: Zer"..., 51) = 51
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[33;1H* Variable Length:: A"..., 75) = 75
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[34;3HEmpty Structures:: Str"..., 59) = 59
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[35;3HVariadic Macros:: Mac"..., 72) = 72
ioctl(0, FIONREAD, [0]) = 0
write(1, "\33[36;1H* Escaped Newlines:: S"..., 74) = 74
write(1, "\33[37;1H\33[7m--zz-Info: (gcc.info."..., 119) = 119
write(1, "\33[1;1H", 6) = 6
ioctl(0, FIONREAD, [0]) = 0
read(0, "\177", 1) = 1
write(1, "\33[38;1HMoving Prev in this windo"..., 34) = 34
stat64("/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info/gcc.info.gz", {st_mode=S_IFREG|0644, st_size=290570, ...}) = 0
stat64("/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info/gcc.info.gz", {st_mode=S_IFREG|0644, st_size=290570, ...}) = 0
write(1, "\33[38;8Hto `Prev\'s last menu item"..., 33) = 33
stat64("/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info/gcc.info.gz", {st_mode=S_IFREG|0644, st_size=290570, ...}) = 0
stat64("/usr/share/gcc-data/i686-pc-linux-gnu/3.3/info/gcc.info.gz", {st_mode=S_IFREG|0644, st_size=290570, ...}) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Reproducible: Always

Steps to Reproduce:
1. 'info gcc'
2. Go to "* C Extensions:: GNU extensions to the C language family."
3. Press 'backspace' to move back up.
Sometimes it fails only after the second or third 'backspace' press.

Actual Results:
'info' segfaults
...
* Escaped Newlines:: Slightly looser rules for escaped newlines.
--zz-Info: (gcc.info.gz)C Extensions, 73 lines --Top----------------------------------------------------
Moving to `Prev's last menu item.Segmentation fault

Expected Results:
Normal texinfo operation

I asked another Gentoo user to check the steps to reproduce the problem, and he also got the segfault.

[ebuild   R   ] sys-apps/texinfo-4.7-r1  -build -debug +nls -static  0 kB

$ emerge info
System uname: 2.6.9-gentoo-r9 i686 Intel(R) Celeron(TM) CPU 1100MHz
Gentoo Base System version 1.4.16
Python: dev-lang/python-2.3.3-r1 [2.3.3 (#1, Jul 11 2004, 19:39:29)]
dev-lang/python: 2.3.3-r1
sys-devel/autoconf: 2.59-r5
sys-devel/automake: 1.8.5-r1
sys-devel/binutils: 2.14.90.0.8-r1
sys-devel/libtool: 1.5.2-r5
virtual/os-headers: 2.6.7-r4
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -pipe -mmmx -msse -mfpmath=sse,387 -fstack-protector-all"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -pipe -mmmx -msse -mfpmath=sse,387 -fstack-protector-all"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo ftp://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/ ftp://mirrors1.netvisao.pt/gentoo/ http://www.gigaload.org/gentoo.org/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="GAPING_SECURITY_HOLE X aalib acl activefilter alsa apache2 apm arts artswrappersuid audiofile avi berkdb bitmap-fonts bluetooth caps cdparanoia crypt cups curl dhcp directfb divx4linux divxforlinux doc encode esd f77 fam fbcon flac foomaticdb fortran gdbm gif gnokii gnome gphoto2 gpm gstreamer gtk gtk2 guile hardened imlib irda jack java jpeg jpeg2k junit kde kerberos ldap libclamav libg++ libwww lirc mad mbox mikmod milter mmap mmx mmx2 motif mozilla mpeg mppe-mppc multicall mysql ncurses nls nptl ntlm oggvorbis opengl oss pam pda pdflib perl pic png portaudio povray python qt quicktime quotas readline reiserfs ruby samba sasl scanner sdl sftplogging slang slp sms socks5 speex spell sse ssl svga tcltk tcpd threads tiff truetype usb v4l v4l2 wifi winbind wmf x86 xine xinerama xml2 xmms xscreensaver xv zlib"
Additional info:

(gdb) x/20i $eip
0x805c394:      mov    0x14(%esi),%eax
0x805c397:      test   %eax,%eax
0x805c399:      jle    0x805c353
0x805c39b:      movzbl 0xffffffd7(%ebp),%eax
0x805c39f:      mov    %eax,0x8(%esp,1)
0x805c3a3:      mov    0x14(%esi),%eax
0x805c3a6:      mov    %edi,(%esp,1)
0x805c3a9:      dec    %eax
0x805c3aa:      mov    %eax,0x4(%esp,1)
0x805c3ae:      call   0x8059c30
0x805c3b3:      jmp    0x805c353
0x805c3b5:      mov    (%ebx),%esi
0x805c3b7:      xor    %eax,%eax
0x805c3b9:      test   %esi,%esi
0x805c3bb:      je     0x805c3d5
0x805c3bd:      sub    $0x31,%edx
0x805c3c0:      cmp    %edx,%eax
0x805c3c2:      je     0x805c319
0x805c3c8:      inc    %eax
0x805c3c9:      mov    (%ebx,%eax,4),%esi
rebuild it with CFLAGS="-pipe" and see if it still segfaults
It still fails.

$ CFLAGS="-pipe" sudo emerge sys-apps/texinfo
...
>>> No outdated packages were found on your system.
 * Regenerating GNU info directory index...
 * Processed 322 info files.
$ cat /var/db/pkg/sys-apps/texinfo-4.7-r1/CFLAGS
-pipe
$ info gcc
...
Moving to `Prev's last menu item.Segmentation fault (core dumped)
$ gdb -c ./core /usr/bin/info
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
Core was generated by `info gcc'.
Program terminated with signal 11, Segmentation fault.
warning: current_sos: Can't read pathname for load map: Input/output error
Reading symbols from /lib/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libncurses.so.5
Reading symbols from /lib/tls/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x0805bbeb in ?? ()
(gdb) bt
#0  0x0805bbeb in ?? ()
#1  0x0807d428 in ?? ()
#2  0x0807f330 in ?? ()
#3  0xbfffee08 in ?? ()
#4  0x080647ee in ?? ()
#5  0x0807d3e8 in ?? ()
#6  0x0807ee00 in ?? ()
(gdb) i r
eax            0x0              0
ecx            0x807ea48        134736456
edx            0x10             16
ebx            0x43083a58       1124612696
esp            0xbfffede0       0xbfffede0
ebp            0xbfffee08       0xbfffee08
esi            0x0              0
edi            0x42f6e440       1123476544
eip            0x805bbeb        0x805bbeb
eflags         0x10246          66118
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0
gs             0x33             51
(gdb) x/20i $eip
0x805bbeb:      cmpl   $0x0,0x14(%eax)
0x805bbef:      jle    0x805bc34
0x805bbf1:      movzbl 0xffffffff(%ebp),%eax
0x805bbf5:      mov    %eax,0x8(%esp,1)
0x805bbf9:      mov    0xfffffff0(%ebp),%edx
0x805bbfc:      mov    0x14(%edx),%eax
0x805bbff:      dec    %eax
0x805bc00:      mov    %eax,0x4(%esp,1)
0x805bc04:      mov    0x8(%ebp),%eax
0x805bc07:      mov    %eax,(%esp,1)
0x805bc0a:      call   0x80598b2
0x805bc0f:      jmp    0x805bc34
0x805bc11:      movl   $0x80679dc,(%esp,1)
0x805bc18:      call   0x80496a8
0x805bc1d:      movl   $0x0,0x8(%esp,1)
0x805bc25:      mov    0xfffffff4(%ebp),%ecx
0x805bc28:      mov    %ecx,0x4(%esp,1)
0x805bc2c:      mov    %eax,(%esp,1)
0x805bc2f:      call   0x8051722
0x805bc34:      mov    0xffffffec(%ebp),%eax
(gdb)
you're not going to get anything useful out of a stripped/non-debugged info. Rebuild it with FEATURES=nostrip CFLAGS="-pipe -g3 -ggdb3" and see if you can get a useful backtrace out of gdb.
(gdb) bt
#0  0x0805bbeb in info_menu_digit (window=0x807d428, count=1, key=48 '0') at session.c:1973
#1  0x0805a693 in backward_move_node_structure (window=0x807d428, behaviour=0) at session.c:1085
#2  0x0805a8c3 in _scroll_backward (window=0x807d428, count=1, key=127 '\177', behaviour=0) at session.c:1190
#3  0x0805aa07 in info_scroll_backward (window=0x807d428, count=1, key=127 '\177') at session.c:1239
#4  0x0806029e in info_dispatch_on_key (key=127 '\177', map=0x80b21a8) at session.c:4646
#5  0x08058e98 in info_read_and_dispatch () at session.c:227
#6  0x08058d9a in info_session () at session.c:175
#7  0x08058d76 in display_startup_message_and_start () at session.c:166
#8  0x08058d2f in begin_info_session (initial_node=0x80b4ff0) at session.c:153
#9  0x080516be in main (argc=2, argv=0xbffff094) at info.c:507
(gdb) x/5i $eip
0x805bbeb <info_menu_digit+203>:        cmpl   $0x0,0x14(%eax)
0x805bbef <info_menu_digit+207>:        jle    0x805bc34 <info_menu_digit+276>
0x805bbf1 <info_menu_digit+209>:        movzbl 0xffffffff(%ebp),%eax
0x805bbf5 <info_menu_digit+213>:        mov    %eax,0x8(%esp,1)
0x805bbf9 <info_menu_digit+217>:        mov    0xfffffff0(%ebp),%edx
(gdb) i r eax
eax            0x0              0
---
session.c:
...
/* Use KEY (a digit) to select the Nth menu item in WINDOW->node. */
DECLARE_INFO_COMMAND (info_menu_digit, _("Select this menu item"))
{
  register int i, item;
  register REFERENCE *entry = NULL, **menu;

  menu = info_menu_of_node (window->node);

  if (!menu)
    {
      info_error ((char *) msg_no_menu_node, NULL, NULL);
      return;
    }

  /* We have the menu.  See if there are this many items in it. */
  item = key - '0';

  /* Special case.  Item "0" is the last item in this menu. */
  if (item == 0)
    for (i = 0; menu[i + 1]; i++);
  else
    {
      for (i = 0; (entry = menu[i]); i++)
        if (i == item - 1)
          break;
    }

  if (menu[i])
    {
      info_select_reference (window, menu[i]);
      if (entry->line_number > 0)   // got segfault here
...

The last line is the place where it fails, on data access via the pointer entry=NULL.
after applying following patch 'info' works as expected: --- texinfo-4.7-old/info/session.c 2004-04-07 04:58:25.000000000 +0600 +++ texinfo-4.7/info/session.c 2004-12-20 01:14:13.084715752 +0500 @@ -1959,7 +1959,7 @@ /* Special case. Item "0" is the last item in this menu. */ if (item == 0) - for (i = 0; menu[i + 1]; i++); + for (i = 0; (entry=menu[i + 1]); i++); else { for (i = 0; (entry = menu[i]); i++) @@ -1967,7 +1967,7 @@ break; } - if (menu[i]) + if (entry) { info_select_reference (window, menu[i]); if (entry->line_number > 0)
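Review bot: in the first hunk (@@ -1959), the replacement loop `for (i = 0; (entry=menu[i + 1]); i++);` runs until `menu[i + 1]` is NULL, so on exit `entry` always holds that terminating NULL rather than the last item; the loop positions `i` correctly but never leaves `entry` pointing at `menu[i]`. If `entry` is meant to be the selected item, assign `entry = menu[i]` after the loop, or drop `entry` for this path and use `menu[i]` directly, which is the pointer the loop is actually positioning.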
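Review bot: in the second hunk (@@ -1967), guarding with `if (entry)` makes the item-0 path unreachable, because the first hunk leaves `entry` NULL on that path; pressing '0' would then silently stop selecting the last menu item instead of crashing, which swaps a segfault for a behaviour regression. The test and the dereference should use the same pointer: keep `if (menu[i])`, keep `info_select_reference (window, menu[i]);`, and read `menu[i]->line_number` in place of `entry->line_number`, so the guarded pointer is the one that is dereferenced.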
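To make the failure mode concrete, here is an added example that is not code from this bug report or from texinfo. It reduces the index arithmetic of info_menu_digit to three stand-alone functions over a constructed, NULL-terminated menu: the texinfo-4.7 logic as quoted above (reporting whether the `entry->line_number` line would be reached with `entry == NULL`), the reporter's patch (showing that its item-0 loop always leaves `entry` NULL, so '0' no longer selects anything), and a hardened variant that indexes through `menu[i]` only and dereferences the pointer it tested. The hardened variant is my own code, not upstream's; the REFERENCE struct, the sample menu and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for texinfo's REFERENCE: only the field the
   crashing line reads.  Not the real struct. */
typedef struct {
    const char *label;
    int line_number;
} REFERENCE;

/* Constructed sample menu, shaped like a node's menu: three items and a
   terminating NULL.  Line numbers are made up. */
static REFERENCE sample_items[3] = {
    {"Statement Exprs", 10}, {"Local Labels", 20}, {"Escaped Newlines", 30}
};
static REFERENCE *sample_menu[4] = {
    &sample_items[0], &sample_items[1], &sample_items[2], NULL
};
static REFERENCE *empty_menu[1] = { NULL };

/* texinfo-4.7 selection logic, reduced to its index arithmetic.
   Returns 1 when the original code would reach `entry->line_number`
   with entry == NULL (the reported segfault), 0 otherwise.
   MENU must have at least one item, as the original assumes. */
int original_would_deref_null(REFERENCE **menu, int key)
{
    int i;
    REFERENCE *entry = NULL;
    int item = key - '0';

    if (item == 0)
        for (i = 0; menu[i + 1]; i++)
            ;                           /* entry is never assigned here */
    else
        for (i = 0; (entry = menu[i]); i++)
            if (i == item - 1)
                break;

    /* menu[i] is non-NULL but entry is still NULL: the crash condition. */
    return menu[i] != NULL && entry == NULL;
}

/* The reporter's patch: entry is assigned inside the item-0 loop and the
   guard tests entry instead of menu[i].  Returns the index that would be
   selected, or -1 when the guard fails. */
int reporter_patch_index(REFERENCE **menu, int key)
{
    int i;
    REFERENCE *entry = NULL;
    int item = key - '0';

    if (item == 0)
        for (i = 0; (entry = menu[i + 1]); i++)
            ;                           /* exits only once entry == NULL */
    else
        for (i = 0; (entry = menu[i]); i++)
            if (i == item - 1)
                break;

    return entry ? i : -1;              /* always -1 for key '0' */
}

/* Hardened variant (my own, not upstream's code): no separate entry
   variable, so the guarded pointer and the dereferenced pointer are the
   same.  Returns the selected item, or NULL when KEY names none. */
REFERENCE *select_menu_digit(REFERENCE **menu, int key)
{
    int i;
    int item = key - '0';

    if (!menu || !menu[0])              /* no menu or an empty menu */
        return NULL;
    if (item < 0 || item > 9)           /* only digit keys are meaningful */
        return NULL;

    if (item == 0) {
        for (i = 0; menu[i + 1]; i++) { }   /* walk to the last item */
    } else {
        for (i = 0; menu[i]; i++)
            if (i == item - 1)
                break;
    }
    return menu[i];                     /* NULL when item is past the end */
}

/* The line that crashed, written against the pointer that was checked:
   the item's line_number, or -1 when there is no such item. */
int selected_line_number(REFERENCE **menu, int key)
{
    REFERENCE *ref = select_menu_digit(menu, key);
    return ref ? ref->line_number : -1;
}

int main(void)
{
    const char *k;
    for (k = "0123459"; *k; k++)
        printf("key '%c': original-would-crash=%d reporter-patch-index=%d hardened-line=%d\n",
               *k, original_would_deref_null(sample_menu, *k),
               reporter_patch_index(sample_menu, *k),
               selected_line_number(sample_menu, *k));
    return 0;
}
```

Running it shows the three behaviours side by side: key '0' is the only input that makes the original logic dereference NULL, the same key is the only one the patched guard never lets through, and the hardened variant returns the last item for '0' and NULL for digits past the end of the menu.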
did you find that patch somewhere or did you create it yourself ?
also, can you attach the info file to this bug that is causing the segfault ?
Created attachment 46454 [details, diff]
Patch for texinfo-4.7-r1 fixes dereference of the NULL pointer

I created this patch myself.
Created attachment 46459 [details] Bug description
Created attachment 46461 [details] Bug description
Created attachment 46462 [details] Bug description
sorry for my terrible engrish ;)
Although the bug is investigated, my fix should be checked, because I'm unsure it is correct, although it seems so. The loop "for (i = 0; (entry=menu[i + 1]); i++);" always produces entry=NULL at the last iteration.
Created attachment 46471 [details, diff]
Fixes NULL-pointer dereference segfault in info
Created attachment 46472 [details, diff]
Patch for NULL-pointer dereference segfault
Created attachment 46473 [details]
NULL-pointer dereference segfault patch description
Final patch and patch description.
Any news about the bugfix? And what about adding my patch to Portage ;)
upstream has this fixed by not even using the 'entry' variable :)
http://savannah.gnu.org/cgi-bin/viewcvs/texinfo/texinfo/info/session.c.diff?r1=1.12&r2=1.13

texinfo-4.8 has these fixes, thanks for the report!