From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (Windows NT 5.0; U)

Description of problem:
Xwindow application compiled with gcc-2.95-85 and gcc-2.95-95 segfaults on a call to vfprintf() after a call that mallocs space for a structure and a new pixel buffer. I've stepped through the function right before the LOG() that includes the vfprintf() that segfaults and can insert LOG() calls anywhere in that function that work just fine. Same Xwindow application compiled with kgcc runs without errors.

Here's the gdb backtrace for the core file generated:

GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `wxv -type GIF -v -log /u/opscntl/Logs/wxv_gif.log us10.gif'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /opt/bxpro-5.0/lib/libEPak.so.4...done.
Loaded symbols for /opt/bxpro-5.0/lib/libEPak.so.4
Reading symbols from /usr/X11R6/lib/libXm.so.2...done.
Loaded symbols for /usr/X11R6/lib/libXm.so.2
Reading symbols from /usr/X11R6/lib/libXt.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXt.so.6
Reading symbols from /usr/X11R6/lib/libSM.so.6...done.
Loaded symbols for /usr/X11R6/lib/libSM.so.6
Reading symbols from /usr/X11R6/lib/libICE.so.6...done.
Loaded symbols for /usr/X11R6/lib/libICE.so.6
Reading symbols from /usr/X11R6/lib/libXp.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXp.so.6
Reading symbols from /usr/X11R6/lib/libXext.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.6
Reading symbols from /usr/X11R6/lib/libX11.so.6...done.
Loaded symbols for /usr/X11R6/lib/libX11.so.6
Reading symbols from /lib/i686/libm.so.6...done.
Loaded symbols for /lib/i686/libm.so.6
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
#0  __wcslen (s=0x2) at wcslen.c:30
30      wcslen.c: No such file or directory.
---Type <return> to continue, or q <return> to quit---
        in wcslen.c
(gdb) bt
#0  __wcslen (s=0x2) at wcslen.c:30
#1  0x404b5c74 in __wcsrtombs (dst=0x0, src=0xbfffd17c, len=0, ps=0xbfffd180) at wcsrtombs.c:67
#2  0x4047ff98 in _IO_vfprintf (s=0x834d550, format=0x80e5900 "wxv_LoadXImage: ZOOM_IN Expand thePIC 200% SUCCESS\n", ap=0xbfffd7f8) at vfprintf.c:1524
#3  0x080c8361 in LOG ()
#4  0x080600ee in wxv_LoadXImage (pimage=0x8355dd0) at wxv_display.c:1336
#5  0x0805e2f4 in wxv_Zoom_in () at wxv_display.c:540
#6  0x08057231 in zoom_in (w=0x83855f8, client_data=0x0, call_data=0xbfffda20) at callbacks-c.c:466
#7  0x402d3611 in XtCallCallbackList () from /usr/X11R6/lib/libXt.so.6
#8  0x401d9287 in Select () from /usr/X11R6/lib/libXm.so.2
#9  0x40307127 in HandleSimpleState () from /usr/X11R6/lib/libXt.so.6
#10 0x40307984 in _XtTranslateEvent () from /usr/X11R6/lib/libXt.so.6
#11 0x402dfac7 in XtDispatchEventToWidget () from /usr/X11R6/lib/libXt.so.6
#12 0x402e02a0 in _XtDefaultDispatcher () from /usr/X11R6/lib/libXt.so.6
#13 0x402e0529 in XtDispatchEvent () from /usr/X11R6/lib/libXt.so.6
#14 0x402e12f5 in XtAppMainLoop () from /usr/X11R6/lib/libXt.so.6
#15 0x08064905 in main (argc=7, argv=0xbfffe58c) at main-c.c:301
#16 0x40445177 in __libc_start_main (main=0x8063f8c <main>, argc=7, ubp_av=0xbfffe58c, init=0x804b6bc <_init>, fini=0x80e0290 <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbfffe57c)

Here's the LOG() that the vfprintf() occurs in:

#include <varargs.h>

static time_t reopen_log_time = (time_t)-1;
char WxvLogFilename[MAX_TEXT_LINE+1] = { NUL };
FILE *WxvLogFp = NULL;

void LOG(va_alist)
va_dcl
{
    va_list args;
    char *tplate;
    char log_time[MAX_TEXT_LINE+1];
    time_t t_time;
    struct tm *tm_time;
    struct stat status;

    if (WxvLogFp != NULL) {
        time(&t_time);
        tm_time = gmtime(&t_time);
        sprintf(log_time, "%4.4d%2.2d%2.2d %2.2d:%2.2d:%2.2d",
                tm_time->tm_year + 1900, tm_time->tm_mon + 1,
                tm_time->tm_mday, tm_time->tm_hour,
                tm_time->tm_min, tm_time->tm_sec);
        va_start(args);
        fprintf(WxvLogFp, "%s ", log_time);
        tplate = va_arg(args, char *);
        vfprintf(WxvLogFp, tplate, args);
        va_end(args);
        fflush(WxvLogFp);
    }
} /* LOG */

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. call contrast_shrink(const byte*, int )
   Calls to LOG() anywhere in this function work fine.
2. Call "if (Verbose) LOG()"
3.

Actual Results: Program segfaults in vfprintf().

Expected Results: Program should not segfault

Additional info:
Created attachment 27813
Backtrace generated by gdb on core file.
If the backtrace is correct, then I don't wonder why it segfaults. Calling vfprintf with the format string "... 200% SUCCESS" looks like something that was not intended (I strongly doubt you want to insert a space-padded wide character string between 200 and UCCESS). It is quite possible that when you compile the thing with another compiler, a different value will be on the stack after the last given argument, so wcslen will e.g. return 0 and not segfault.
Jakub,

Thanks! I was completely overlooking the '%' symbol in the format string.

Kathy Bieltz
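
The parsing behaviour described in the comment above, as an added example (not code from the bug report or from glibc): a simplified scanner that counts how many arguments a printf-style format string consumes. It shows that "200% SUCCESS" contains a "% S" conversion (space flag, wide-string conversion) that reads one argument, while "200%% SUCCESS" reads none. The function name count_format_args and the reduced grammar it accepts are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not glibc's parser: count the arguments a printf-style
 * format consumes. "%%" is a literal percent and consumes nothing. *first
 * (if non-NULL) gets the first consuming conversion character, or '\0'.
 * Returns -1 if the format ends inside a spec or uses an unknown conversion. */
int count_format_args(const char *fmt, char *first)
{
    int n = 0;
    if (first) *first = '\0';
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        while (*p && strchr("-+ #0'", *p)) p++;      /* flags; space is one */
        if (*p == '*') { n++; p++; }                 /* width taken from an int arg */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                             /* precision */
            p++;
            if (*p == '*') { n++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifiers */
        if (*p == '\0') return -1;                   /* e.g. "100%" */
        if (*p == '%' || *p == 'm') continue;        /* no argument consumed */
        if (!strchr("diouxXeEfFgGaAcsCSpn", *p)) return -1;
        if (first && *first == '\0') *first = *p;
        n++;
    }
    return n;
}

int main(void)
{
    /* Format string from frame #2 of the backtrace, and the escaped form. */
    const char *bad  = "wxv_LoadXImage: ZOOM_IN Expand thePIC 200% SUCCESS\n";
    const char *good = "wxv_LoadXImage: ZOOM_IN Expand thePIC 200%% SUCCESS\n";
    char conv;
    int n = count_format_args(bad, &conv);
    printf("unescaped: %d argument(s), first conversion %%%c\n", n, conv);
    n = count_format_args(good, &conv);
    printf("escaped:   %d argument(s)\n", n);
    return 0;
}
```

Declaring a stdarg-based logger with GCC's format(printf, ...) function attribute lets -Wformat report this kind of mismatch at compile time when the format is a string literal.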