vi segfaults (bb 1.8.2)
Loïc Grenié
loic.grenie at gmail.com
Tue Nov 27 16:55:29 UTC 2007
2007/11/27, Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn at axis.com>:
> On Tue, 27 Nov 2007, Cristian Ionescu-Idbohrn wrote:
>
> > On Tue, 27 Nov 2007, Denys Vlasenko wrote:
> >
> > > Failed to reproduce it here.
> >
> > Ok. I'll dig deeper.
>
> Looks like it's some sort of artifact of these 2 conf options.
>
> CONFIG_FEATURE_VI_MAX_LEN=2048
> CONFIG_FEATURE_VI_DOT_CMD=y
>
> does not segfault with this:
>
> CONFIG_FEATURE_VI_MAX_LEN=2048
> # CONFIG_FEATURE_VI_DOT_CMD is not set
>
> Ok. Back to:
>
> CONFIG_FEATURE_VI_MAX_LEN=2048
> CONFIG_FEATURE_VI_DOT_CMD=y
>
> and the 'HERE' debugging method ;)
>
> The segfault occurs in the 'text_yank' function, which looks like this
> (after my 'bb_error_msg("HERE...");' insertions):
>
> #if ENABLE_FEATURE_VI_YANKMARK
> static char *text_yank(char * p, char * q, int dest) // copy text into a register
> {
> 	char *t;
> 	int cnt;
>
> 	bb_error_msg("HERE 300");
> 	if (q < p) { // they are backwards- reverse them
> 		t = q;
> 		q = p;
> 		p = t;
> 	}
> 	bb_error_msg("HERE 301");
> 	cnt = q - p + 1;
> 	t = reg[dest];
> 	bb_error_msg("HERE 302");
> 	free(t); // if already a yank register, free it
> 	bb_error_msg("HERE 303");
> 	t = xmalloc(cnt + 1); // get a new register
> 	bb_error_msg("HERE 304");
> 	memset(t, '\0', cnt + 1); // clear new text[]
Side remark:
Wouldn't t[cnt] = '\0'; be sufficient (after the strncpy I'd say) ?
> 	bb_error_msg("HERE 305: cnt=%d", cnt);
> 	//bb_error_msg("HERE 305: t=0x%08x, p=0x%08x, cnt=%d", t, p, cnt);
> 	strncpy(t, p, cnt); // copy text[] into buffer
> 	bb_error_msg("HERE 306");
> 	reg[dest] = t;
> 	bb_error_msg("HERE 307");
> 	return p;
> }
>
> It segfaults somewhere after 'HERE 305' in strncpy and never reaches
> 'HERE 306'. If I use the alternate 'HERE 305' (commented out above)
> instead, I will nicely reach 'HERE 306'.
Regards,
Loïc Grenié
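
Added example, not part of the original message or of the BusyBox source: the side remark above checked in C, comparing the quoted memset-then-strncpy register copy with strncpy followed by a single t[cnt] = '\0'. The names yank_memset, yank_terminate, same_register and sample_text are hypothetical, plain malloc stands in for xmalloc, and the sample text is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample text with an embedded NUL at index 7. */
static const char sample_text[] = "one\ntwo\0three";

/* Variant quoted in the thread: clear all cnt + 1 bytes, then copy. */
static char *yank_memset(const char *p, const char *q)
{
	size_t cnt = (size_t)(q - p) + 1;
	char *t = malloc(cnt + 1);	/* plain malloc stands in for xmalloc */
	if (!t)
		return NULL;
	memset(t, '\0', cnt + 1);
	strncpy(t, p, cnt);
	return t;
}

/* Variant from the side remark: copy, then write only the terminator. */
static char *yank_terminate(const char *p, const char *q)
{
	size_t cnt = (size_t)(q - p) + 1;
	char *t = malloc(cnt + 1);
	if (!t)
		return NULL;
	memset(t, 0xAA, cnt + 1);	/* poison so an unwritten byte would show */
	strncpy(t, p, cnt);		/* writes exactly cnt bytes, NUL-padding a short source */
	t[cnt] = '\0';			/* the one byte strncpy never touches */
	return t;
}

/* Returns 1 when both variants produce identical cnt + 1 byte registers. */
static int same_register(const char *p, const char *q)
{
	size_t cnt = (size_t)(q - p) + 1;
	char *a = yank_memset(p, q);
	char *b = yank_terminate(p, q);
	int same = a && b && memcmp(a, b, cnt + 1) == 0;
	free(a);
	free(b);
	return same;
}

int main(void)
{
	printf("no NUL in range:  %d\n", same_register(sample_text, sample_text + 6));
	printf("NUL inside range: %d\n", same_register(sample_text, sample_text + 12));
	return 0;
}
```

The terminator write is the part that cannot be dropped: strncpy leaves the destination unterminated whenever the source holds cnt or more non-NUL characters.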