Debian Bug report logs - #499015
fastjar: segfaults sporadically on m68k during unpack of jar with file argument list


Package: fastjar; Maintainer for fastjar is Matthias Klose <doko@debian.org>; Source for fastjar is src:fastjar.

Reported by: Xerxes Ranby <xerxes@zafena.se>

Date: Mon, 15 Sep 2008 14:12:16 UTC

Severity: important

Found in version fastjar/2:0.95-2

Fixed in version fastjar/2:0.95-4

Done: Matthias Klose <doko@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#499015; Package fastjar.

Acknowledgement sent to Xerxes Ranby <xerxes@zafena.se>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Xerxes Ranby <xerxes@zafena.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fastjar: segfaults sporadically on m68k during unpack of jar with file argument list
Date: Mon, 15 Sep 2008 15:41:34 +0200
Package: fastjar
Version: 2:0.95-2
Severity: important

Fastjar segfaults on m68k when unpacking a jar during Icedtea6 build: http://buildd.debian.org/fetch.cgi?&pkg=openjdk-6&ver=6b11-7&arch=m68k&stamp=1221384832&file=log

I have uploaded the jar file tools.jar for testing: http://labb.zafena.se/fastjar/tools.jar

When unpacking without a file argument list, unpacking of all files works:
jar xvf tools.jar

When unpacking with a file argument list, fastjar segfaults after unpacking about 1500 files. The segfault happens after a different number of files has been unpacked each time it is rerun:
jar xvf tools.jar com/sun/mirror com/sun/source com/sun/tools/apt com/sun/tools/javac com/sun/tools/javah com/sun/tools/javadoc com/sun/tools/doclets 
com/sun/javadoc sun/tools/javap com/sun/codemodel com/sun/istack/internal/tools com/sun/istack/internal/ws com/sun/xml/internal/rngom com/sun/xml/internal/xsom com/sun/xml/internal/dtdparser 
com/sun/tools/internal/xjc com/sun/tools/internal/ws com/sun/tools/internal/jxc META-INF/services/com.sun.mirror.apt.AnnotationProcessorFactory META-INF/services/com.sun.tools.internal.xjc.Plugin

When running it through gdb with the above file argument list, the crash happens in a call to strstr() in /lib/libc.so.6:
  inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator.class
  inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator$1.class
  inflated: com/sun/tools/internal/jxc/apt/AnnotationProcessorFactoryImpl.class
  inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator$1$1.class

Program received signal SIGSEGV, Segmentation fault.
0xc0095440 in strstr () from /lib/libc.so.6
(gdb) bt
#0  0xc0095440 in strstr () from /lib/libc.so.6
#1  0x80003d0c in ?? ()
#2  0x80013838 in ?? ()
#3  0x00000019 in ?? ()
#4  0xefe09720 in ?? ()
#5  0x00000014 in ?? ()
#6  0x00000002 in ?? ()
#7  0x00000000 in ?? ()
(gdb) disassemble
Dump of assembler code for function strstr:
0xc0095430 <strstr+0>:  linkw %fp,#0
0xc0095434 <strstr+4>:  moveml %d2-%d4/%a2-%a3,%sp@-
0xc0095438 <strstr+8>:  moveal %fp@(12),%a1
0xc009543c <strstr+12>: moveal %fp@(8),%a0
0xc0095440 <strstr+16>: moveb %a1@,%d0
0xc0095442 <strstr+18>: clrl %d2
0xc0095444 <strstr+20>: moveb %d0,%d2
0xc0095446 <strstr+22>: bnes 0xc009544e <strstr+30>
0xc0095448 <strstr+24>: movel %a0,%d0
0xc009544a <strstr+26>: braw 0xc0095506 <strstr+214>
0xc009544e <strstr+30>: subql #1,%a0
0xc0095450 <strstr+32>: addql #1,%a0
0xc0095452 <strstr+34>: moveb %a0@,%d0
0xc0095454 <strstr+36>: beqw 0xc0095504 <strstr+212>
0xc0095458 <strstr+40>: andil #255,%d0
0xc009545e <strstr+46>: cmpl %d2,%d0
0xc0095460 <strstr+48>: bnes 0xc0095450 <strstr+32>
0xc0095462 <strstr+50>: lea %a1@(1),%a3
0xc0095466 <strstr+54>: moveb %a3@,%d0
0xc0095468 <strstr+56>: beqs 0xc0095448 <strstr+24>
0xc009546a <strstr+58>: clrl %d3
0xc009546c <strstr+60>: moveb %d0,%d3
...

0xc0095440 <strstr+16>: moveb %a1@,%d0  <--- %d0 is 0x0

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: m68k

Kernel: Linux 2.6.24-1-atari
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fastjar depends on:
ii  libc6                  2.5-11            GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

fastjar recommends no packages.

fastjar suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#499015; Package fastjar.

Acknowledgement sent to Xerxes Rånby <xerxes@zafena.se>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.

Message #10 received at 499015@bugs.debian.org:

From: Xerxes Rånby <xerxes@zafena.se>
To: 499015@bugs.debian.org
Subject: Test with upstream version 0.96 of fastjar on m68k. The bug persists.
Date: Mon, 15 Sep 2008 16:54:43 +0200
Tested the upstream version 0.96 of fastjar and the bug persists.

Segfaults with file argument list:
fastjar-0.96/fastjar xvf tools.jar com/sun/mirror com/sun/source 
com/sun/tools/apt com/sun/tools/javac com/sun/tools/javah 
com/sun/tools/javadoc com/sun/tools/doclets com/sun/javadoc 
sun/tools/javap com/sun/codemodel com/sun/istack/internal/tools 
com/sun/istack/internal/ws com/sun/xml/internal/rngom 
com/sun/xml/internal/xsom com/sun/xml/internal/dtdparser 
com/sun/tools/internal/xjc com/sun/tools/internal/ws 
com/sun/tools/internal/jxc 
META-INF/services/com.sun.mirror.apt.AnnotationProcessorFactory 
META-INF/services/com.sun.tools.internal.xjc.Plugin
...
 inflated: com/sun/tools/internal/jxc/apt/Messages.class
 inflated: com/sun/tools/internal/jxc/apt/Const.class
 inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator.class
 inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator$1.class
 inflated: 
com/sun/tools/internal/jxc/apt/AnnotationProcessorFactoryImpl.class
 inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator$1$1.class
  created: com/sun/tools/javadoc/
Segmentation fault

Works without file argument list:
fastjar-0.96/fastjar xvf tools.jar

GDB output for fastjar-0.96 now with debug information!

 inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator$1.class
 inflated: 
com/sun/tools/internal/jxc/apt/AnnotationProcessorFactoryImpl.class
 inflated: com/sun/tools/internal/jxc/apt/SchemaGenerator$1$1.class

Program received signal SIGSEGV, Segmentation fault.
0xc0095440 in strstr () from /lib/libc.so.6
(gdb) bt
#0  0xc0095440 in strstr () from /lib/libc.so.6
#1  0x80003d70 in extract_jar (fd=5, files=0x80009050, file_num=20) at 
jartool.c:1647
#2  0x8000528c in main (argc=25, argv=0x800090b0) at jartool.c:441
(gdb)






Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#499015; Package fastjar.

Acknowledgement sent to Xerxes Rånby <xerxes@zafena.se>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.

Message #15 received at 499015@bugs.debian.org:

From: Xerxes Rånby <xerxes@zafena.se>
To: 499015@bugs.debian.org, Dalibor.Topic@Sun.COM
Subject: fastjar bug located! realloc() does not preserve the data as assumed in jartool.c
Date: Tue, 16 Sep 2008 12:49:10 +0200
[Message part 1 (text/plain, inline)]
I have included a testcase based on jartool.c to expose this bug on any 
platform.

jartool.c function extract_jar uses a list subdir_list[] to keep track 
of directories and subdirs specified for extraction from the argument list.
The list starts with 10 positions and if more are needed realloc is used 
to increase the memory for the list. The current fastjar code works on 
all platforms if only up to 10 list positions are used; if more, like 
11+, then the bug is exposed.
It is assumed that realloc preserves the current data in the list during 
expansion of the list. Unfortunately realloc seems to change some of the 
data, even worse it seems it does so on all Linux platforms I have 
access to! I have tested this on atmel/Debian(lenny), m68k/Debian(sid) and 
x86/Ubuntu.

I recommend that this bug should be filed to the glibc package as well 
to make realloc behave as expected.

Example: here subdir_list[5] and subdir_list[6] have been altered after 
realloc.

malloc  subdir_list[0]: 80003080 test
malloc  subdir_list[1]: 800030C8 test
malloc  subdir_list[2]: 80003110 test
malloc  subdir_list[3]: 80003158 test
malloc  subdir_list[4]: 800031A0 test
malloc  subdir_list[5]: 800031E8 test
malloc  subdir_list[6]: 80003230 test
malloc  subdir_list[7]: 80003278 test
malloc  subdir_list[8]: 800032C0 test
malloc  subdir_list[9]: 80003308 test

realloc
testing integrity after realloc
testing subdir_list[0]: 80003080 test
testing subdir_list[1]: 800030C8 test
testing subdir_list[2]: 80003110 test
testing subdir_list[3]: 80003158 test
testing subdir_list[4]: 800031A0 test
testing subdir_list[5]: 19 (Broken!!!)
testing subdir_list[6]: 0 (null)
testing subdir_list[7]: 80003278 test
testing subdir_list[8]: 800032C0 test
testing subdir_list[9]: 80003308 test

Cheers! And have a great day!
Xerxes
[allocrealloc.fastjar.test.c (text/plain, inline)]
/*
  allocrealloc.fastjar.test.c - Testcase to expose alloc realloc bugs found in fastjar
  based on the jartool.c sourcecode of fastjar-0.96
  Copyright (C) 2002, 2004, 2005, 2006  Free Software Foundation
  Copyright (C) 1999, 2000, 2001  Bryan Burns
  Copyright (C) 2007  Dalibor Topic
  testcase implemented by
  Copyright (C) 2008  Xerxes Rånby

  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

int main (int argc, char* argv[])
{
  int test_size = 0;
  if(argc>1){
    test_size  = (int)strtol ( argv[1], NULL, 10 );
  }
  if(test_size==0){
    printf("try run test with:\n%s 10\n%s 11\n%s 20\n%s 21\n%s 30\n",argv[0],argv[0],argv[0],argv[0],argv[0]);
    test_size = 1;
  }

  /*  Let's be able to hold 10 subdirs, initially. */
  int subdir_list_size = 10;
  /* If any file is contained within a directory in this list,
   * then it should be extracted. A file is considered to be contained
   * in a directory if the directory is a substring of the file path. */
  char **subdir_list = malloc(subdir_list_size * sizeof(char *));
  if (subdir_list == NULL) {
    fprintf(stderr, "error malloc-ing subdir_list\n");
    exit(EXIT_FAILURE);
  }
  /* Next available index to use. */
  int subdir_list_index = 0;
  int test_dir_len = 64;

  printf("running with test_size %d\n",test_size);
  int j;
  for(j=0;j<test_size;j++){
    if (subdir_list_index == subdir_list_size) {
      printf("\nrealloc\n");

      subdir_list_size = subdir_list_size + 10;
      /* Same realloc call as jartool.c in fastjar-0.96, kept unchanged
       * because this is the call the testcase exercises: note that it
       * sizes the block in units of sizeof(char), not sizeof(char *). */
      subdir_list = realloc(subdir_list, (subdir_list_size) * sizeof(char));
      if (subdir_list == NULL) {
        fprintf(stderr, "error realloc-ing subdir_list_size\n");
        exit(EXIT_FAILURE);
      }

      printf("testing integrity after realloc\n");
      int c;
      for(c=0;c<subdir_list_index;c++){
        /* Pointer values go through uintptr_t so the check also works on
         * 64-bit hosts; a "pointer" below 4096 cannot be a valid heap
         * address, so such an entry must have been overwritten. */
        uintptr_t p = (uintptr_t)subdir_list[c];
        if((p>0)&&(p<4096)){
          //Probably broken
          printf("testing subdir_list[%d]: %" PRIXPTR " (Broken!!!)  \n",c,p);
        } else {
          //Probably OK (a NULL entry is printed as "(null)" rather than dereferenced)
          printf("testing subdir_list[%d]: %" PRIXPTR " %s  \n",c,p,
                 subdir_list[c] ? subdir_list[c] : "(null)");
        }
      }
      printf("\n");
    } // if need to realloc

    //fill in more data
    subdir_list[subdir_list_index] = malloc((test_dir_len + 1)*sizeof(char));
    if (subdir_list[subdir_list_index] == NULL) {
      fprintf(stderr, "error malloc-ing subdir_list entry\n");
      exit(EXIT_FAILURE);
    }
    strcpy(subdir_list[subdir_list_index], "test");

    printf("malloc  subdir_list[%d]: %" PRIXPTR " %s  \n",subdir_list_index,
           (uintptr_t)subdir_list[subdir_list_index],subdir_list[subdir_list_index]);

    subdir_list_index++;
  } // for

  printf("\nReleasing allocated memory\n");
  for (j = 0; j < subdir_list_index; j++) {
    printf("free   subdir_list[%d]\n",j);
    free(subdir_list[j]);
  }
  free(subdir_list);
  return 0;
}

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#499015; Package fastjar.

Acknowledgement sent to Xerxes Rånby <xerxes@zafena.se>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.

Message #20 received at 499015@bugs.debian.org:

From: Xerxes Rånby <xerxes@zafena.se>
To: 499015@bugs.debian.org, Dalibor.Topic@Sun.COM
Subject: Real bug found! Wrong size specified to realloc; too little memory was allocated.
Date: Tue, 16 Sep 2008 16:53:29 +0200
[Message part 1 (text/plain, inline)]
Finally!
After several eyeballing runs it became clear that realloc got the wrong 
memory size specified.
No problems with glibc!

Patch included for fastjar 0.96 that makes the testcase work on m68k 
and other platforms!

Cheers!
Xerxes


[fastjar-0.96.patch (text/plain, inline)]
--- ../fastclean/fastjar-0.96/jartool.c	2008-08-14 17:33:06.000000000 +0200
+++ jartool.c	2008-09-16 16:40:52.000000000 +0200
@@ -1698,7 +1698,7 @@
             /* Add 10 more spots to subdir_list */
             if (subdir_list_index == subdir_list_size) {
               subdir_list_size = subdir_list_size + 10;
-              subdir_list = realloc(subdir_list, (subdir_list_size) * sizeof(char));
+              subdir_list = realloc(subdir_list, (subdir_list_size) * sizeof(char *));
 
               if (subdir_list == NULL) {
                 fprintf(stderr, "error realloc-ing subdir_list_size\n");
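Review bot: the one-word change is correct and sufficient: subdir_list is a char **, so the old call asked realloc for subdir_list_size bytes where subdir_list_size pointers were needed. On 32-bit m68k that actually shrinks the block from 40 bytes (10 pointers) to 20 when growing to 20 entries, so entries 5..9 fall outside the allocation and every later entry is written past its end; the 0x19 and 0 that replaced entries 5 and 6 in the earlier testcase output look like allocator bookkeeping rather than user data, which is the heap corruption behind the strstr() fault in extract_jar. To keep the element size tied to the declaration, prefer `subdir_list = realloc(subdir_list, subdir_list_size * sizeof(*subdir_list));`. Assigning the realloc result straight back to subdir_list would leak the old block on failure in general, but since the error path here exits immediately that is harmless.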

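The subdir_list growth that message #15 describes and the patch above corrects, reworked as an added example (not fastjar's code; the struct and function names are hypothetical): the reallocation is sized from the element type, checked for size_t overflow, and the old block is kept when realloc fails, while demo_check() pushes a constructed 21-entry list across two growth steps, verifies every entry survived, and runs jartool.c's substring containment rule over sample paths.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct subdir_list { char **items; size_t count; size_t cap; }; /* hypothetical */

/* Grow by 10 slots as jartool.c does, but size the block from the element type,
 * reject size_t overflow, and keep the old block if realloc fails (no leak). */
static int subdir_list_push(struct subdir_list *l, const char *dir)
{
    if (l->count == l->cap) {
        size_t new_cap = l->cap + 10;
        if (new_cap > SIZE_MAX / sizeof(*l->items)) return -1;
        char **grown = realloc(l->items, new_cap * sizeof(*l->items));
        if (grown == NULL) return -1;
        l->items = grown;
        l->cap = new_cap;
    }
    char *copy = malloc(strlen(dir) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, dir);
    l->items[l->count++] = copy;
    return 0;
}

/* jartool.c's rule: a file belongs to a listed directory if the directory string
 * is a substring of the path. Every items[i] is a valid string, so strstr() is safe. */
static int subdir_list_matches(const struct subdir_list *l, const char *path)
{
    for (size_t i = 0; i < l->count; i++)
        if (strstr(path, l->items[i]) != NULL) return 1;
    return 0;
}

/* Constructed check: 21 entries cross two growth points (10 -> 20 -> 30). */
static int demo_check(void)
{
    struct subdir_list l = { NULL, 0, 0 };
    char name[32];
    for (int i = 0; i < 21; i++) {
        snprintf(name, sizeof name, "com/sun/dir%d", i);
        if (subdir_list_push(&l, name) != 0) return 0;
    }
    int ok = (l.count == 21 && l.cap == 30);   /* list grew twice */
    for (size_t i = 0; ok && i < l.count; i++) {
        snprintf(name, sizeof name, "com/sun/dir%zu", i);
        ok = (strcmp(l.items[i], name) == 0); /* every entry survived */
    }
    ok = ok && subdir_list_matches(&l, "com/sun/dir7/Foo.class")
            && !subdir_list_matches(&l, "sun/tools/javap/Bar.class");
    for (size_t i = 0; i < l.count; i++) free(l.items[i]);
    free(l.items);
    return ok;   /* 1 when all checks pass */
}
```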
Reply sent to Matthias Klose <doko@ubuntu.com>:
You have taken responsibility. (Sun, 21 Sep 2008 21:37:34 GMT)

Notification sent to Xerxes Ranby <xerxes@zafena.se>:
Bug acknowledged by developer. (Sun, 21 Sep 2008 21:37:36 GMT)

Message #25 received at 499015-close@bugs.debian.org:

From: Matthias Klose <doko@ubuntu.com>
To: 499015-close@bugs.debian.org
Subject: Bug#499015: fixed in fastjar 2:0.95-4
Date: Sun, 21 Sep 2008 21:02:09 +0000
Source: fastjar
Source-Version: 2:0.95-4

We believe that the bug you reported is fixed in the latest version of
fastjar, which is due to be installed in the Debian FTP archive:

fastjar_0.95-4.diff.gz
  to pool/main/f/fastjar/fastjar_0.95-4.diff.gz
fastjar_0.95-4.dsc
  to pool/main/f/fastjar/fastjar_0.95-4.dsc
fastjar_0.95-4_i386.deb
  to pool/main/f/fastjar/fastjar_0.95-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 499015@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@ubuntu.com> (supplier of updated fastjar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 21 Sep 2008 20:20:48 +0000
Source: fastjar
Binary: fastjar
Architecture: source i386
Version: 2:0.95-4
Distribution: unstable
Urgency: high
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@ubuntu.com>
Description: 
 fastjar    - Jar creation utility
Closes: 499015
Changes: 
 fastjar (2:0.95-4) unstable; urgency=high
 .
   * Fix reallocation for command line expansion (Xerxes Ranby).
     Closes: #499015.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Nov 2008 07:39:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:43:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.