judy64nb.c crashes with some sequences of judy_cell (works fine when the same
(string) keys are entered in a different sequence)
Crashes with
```
Program received signal SIGSEGV, Segmentation fault.
__memmove_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:2814
(gdb) bt
#0 __memmove_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:2814
#1 0x00000000004058c5 in memmove (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:57
#2 judy_cell (judy=0x61a180, buff=0x62aff8 "", buff@entry=0x7fffffffd960 "andr0id", max=4294897880) at src/judy64nb.c:1298
#3 0x0000000000402389 in main (argc=<optimized out>, argv=<optimized out>) at src/shallot.c:276
```
With some additional printf debugging:
```
printf ("%p %d %d\n", base, keysize, slot);
0x61a150 8 -1
```
slot is -1 which never happens on successful runs.
```
1297 memmove(base, base + keysize, slot * keysize);
```
I'm not sure if the loop at 1297 is supposed to make slot negative in case it
doesn't reach "break".
```
1268 while( slot-- ) {
...
1277 }
```
This small testcase already exhibits the behavior on my system:
```c
#include <stdio.h>
#include "judy64nb.h"

int main (int argc, char *argv[]) {
    void * judy;
    JudySlot *res;
    JudySlot i = 0;

    judy = judy_open (2, 0);
    res = judy_cell (judy, "android", 7);
    *res = i++;
    res = judy_cell (judy, "andr0id", 7); /* crashes here */
    *res = i++;
    judy_close (judy);
    return 0;
}
```
Changing the insertion order of the strings (first "andr0id", then "android")
does NOT crash.
Running on x86_64, ubuntu 14.10
Original issue reported on code.google.com by [email protected] on 1 Dec 2014 at 3:56
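
Added example, not part of the original report and not code from judy64nb.c: a simplified C model of how a `while( slot-- )` loop that never reaches `break` leaves `slot` at -1, and what byte count `memmove` then receives for `slot * keysize`. The functions `scan_down`, `memmove_len` and `shift_down_checked` and the comparison rule are assumptions for illustration; the key size of 8 is the value the printf output above shows, and the guard is a generic defensive check, not the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption), NOT the judy64nb.c source: walk `cnt`
 * fixed-size keys from the top and stop at the first one <= `key`. */
int scan_down(const unsigned char *base, int cnt, int keysize,
              const unsigned char *key)
{
    int slot = cnt;
    while (slot--) {
        if (memcmp(base + slot * keysize, key, (size_t)keysize) <= 0)
            break;
    }
    return slot; /* -1 if the loop ran out without reaching break */
}

/* The byte count memmove() receives when handed `slot * keysize`. */
size_t memmove_len(int slot, int keysize)
{
    return (size_t)(slot * keysize); /* negative int wraps to a huge size_t */
}

/* Guarded form of the shift: refuse a negative slot instead of copying. */
int shift_down_checked(unsigned char *base, int slot, int keysize)
{
    if (slot < 0)
        return -1;
    memmove(base, base + keysize, (size_t)slot * (size_t)keysize);
    return 0;
}

int main(void)
{
    /* Constructed sample: one stored 8-byte key, then the second insert. */
    unsigned char node[8] = "android";
    int slot = scan_down(node, 1, 8, (const unsigned char *)"andr0id");

    printf("slot=%d len=0x%zx guarded=%d\n", slot, memmove_len(slot, 8),
           shift_down_checked(node, slot, 8));
    return 0;
}
```

In this model the order dependence comes from the comparison: a new key that sorts below every stored key exhausts the loop, while the reverse insertion order breaks out at slot 0.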