[sac-dev] Bugs found

Kuang He icrazy at gmail.com
Sun Sep 7 23:17:41 PDT 2008 

On Sat, Sep 6, 2008 at 2:06 AM, Kuang He <icrazy at gmail.com> wrote:
> I'm using SAC v101.1 on a linux box (Ubuntu 8.04), and the glibc
> version is 2.7 (2.7-10ubuntu3, to be exact).
>
> $ uname -a
> Linux ....... 2.6.24-19-generic #1 SMP Fri Jul 11 23:41:49 UTC 2008
> i686 GNU/Linux
> .....
> Bug 2: Putting a space after the comma in something like "&1,DIST"
> will _sometimes_ cause SAC to suddenly abort, with a message from
> glibc indicating possible double free. Below is an example of a case
> where this problem does not show up and another case where the problem
> does show up.
>
> $ sac
> SAC> r vel.sac
> SAC> evaluate to dist1 &1,dist
> SAC> message %dist1
>  2.84897$
> SAC> evaluate to dist1 &1, dist
> *** glibc detected *** /usr/local/sac/bin/sac: double free or
> corruption (!prev): 0x0843f020 ***
> ======= Backtrace: =========
> /lib/tls/i686/cmov/libc.so.6[0xb7c9ba85]
> /lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7c9f4f0]
> ....

With Brian's help, I was able to locate the place in the source code
that caused this problem (his OSX machines don't have this problem):
line 93 of src/cpf/cfmt.c . The code there does not have double
free()'s, but code snippets shown below just do not make any sense to
me: temporal variable strtemp1 gets created and destroyed, without
doing anything useful at all. Commenting out these does solve the
problem.

$ diff -u src/cpf/cfmt.c.old src/cpf/cfmt.c
--- src/cpf/cfmt.c.old  2008-09-08 00:07:33.000000000 -0400
+++ src/cpf/cfmt.c      2008-09-08 01:48:27.000000000 -0400
@@ -86,11 +86,14 @@
                        iend_ = ibeg + nchar + 2;
                        if( iend_ <= MCMSG ){
                                kmsg[ibeg - 1] = kmcom.kcom[j - 1][0];
+                               /*
                                 strtemp1 = malloc(MCMSG+1-(ibeg+1));
                                 strncpy(strtemp1,kmsg+ibeg,MCMSG+1-(ibeg+1));
                                 strtemp1[MCMSG+1-(ibeg+1)] = '\0';
                                copykc( (char*)kmcom.kcom[j + 1],9,
nchar, strtemp1);
                                 free(strtemp1);
+                               */
                                kmsg[iend_ - 2] = kmcom.kcom[j - 1][0];
                                kmsg[iend_ - 1] = ' ';
                                if( j == cmcom.jcom )
@@ -103,11 +106,13 @@
                        nchar = (long)( Flnum[j + 1] + 0.1 );
                        iend_ = ibeg + nchar;
                        if( iend_ <= MCMSG ){
+                               /*
                                 strtemp1 = malloc(MCMSG+1-ibeg);
                                 strncpy(strtemp1,kmsg+ibeg-1,MCMSG+1-ibeg);
                                 strtemp1[MCMSG+1-ibeg] = '\0';
                                copykc( (char*)kmcom.kcom[j + 1],9,
nchar, strtemp1);
                                 free(strtemp1);
+                               */
                                kmsg[iend_ - 1] = ' ';
                                if( j == cmcom.jcom )
                                        iarrow = ibeg - ndiff;


By the way, I think wrapping all the uses of free() to FREE() shown
below would be a good idea. The catch is just that since the code base
is too big, it'll take quite some time to change all of them.

#define FREE(ptr)   do { if (ptr) free(ptr); } while (0)


Best regards,

-- 
Kuang He
Department of Physics
University of Connecticut
Storrs, CT 06269-3046

Tel: +1.860.486.4919
Web: http://www.phys.uconn.edu/~he/

More information about the sac-dev mailing list