[bug, bisected, -chrisl] Segfault at evaluate.c:341

[bug, bisected, -chrisl] Segfault at evaluate.c:341

[Hannes Eder]

running sparse (from Christopher's tree) on linux-2.6/kernel/cred.c
(as of next-20090318, problem may appeared earlier, I have not tried
yet) causes a segfault at evaluate.c:341:

        if (type->type == SYM_NODE)
                type = type->ctype.base_type;
        if (type->type == SYM_TYPEOF) {        <======== SEGFAULT (type == NULL)
                type = evaluate_expression(type->initializer);
                if (type->type == SYM_NODE)
                        type = type->ctype.base_type;
        }

the complete command line:

sparse -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ -Wbitwise
-Wno-return-void -D__x86_64__ -m64 -nostdinc -isystem
/usr/lib/gcc/x86_64-redhat-linux/4.3.2/include
-Wp,-MD,kernel/.cred.o.d -nostdinc -isystem
/usr/lib/gcc/x86_64-redhat-linux/4.3.2/include -Iinclude
-I/home/hannes/linux-2.6/arch/x86/include -include
include/linux/autoconf.h -D__KERNEL__ -Wall -Wundef
-Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common
-Werror-implicit-function-declaration -Os -m64 -mtune=generic
-mno-red-zone -mcmodel=kernel -funit-at-a-time
-maccumulate-outgoing-args -fstack-protector -fstack-protector-all
-DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -pipe
-Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx
-mno-sse2 -mno-3dnow -fno-omit-frame-pointer
-fno-optimize-sibling-calls -g -pg -Wdeclaration-after-statement
-Wno-pointer-sign -D"KBUILD_STR(s)=#s"
-D"KBUILD_BASENAME=KBUILD_STR(cred)"
-D"KBUILD_MODNAME=KBUILD_STR(cred)" -D"DEBUG_HASH=36"
-D"DEBUG_HASH2=28" kernel/cred.c


using "git bisect" i narrowed to problem down to:

[db31fd91f8231110ce8d8d48ce402f8cad068e44] Fix handling of ident-less
declarations

Does that help? Should I provide any further information?

Best,
-Hannes

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Al Viro]

On Thu, Mar 19, 2009 at 02:49:21PM +0100, Hannes Eder wrote:
> running sparse (from Christopher's tree) on linux-2.6/kernel/cred.c
> (as of next-20090318, problem may appeared earlier, I have not tried
> yet) causes a segfault at evaluate.c:341:
> 
>         if (type->type == SYM_NODE)
>                 type = type->ctype.base_type;
>         if (type->type == SYM_TYPEOF) {        <======== SEGFAULT (type == NULL)
>                 type = evaluate_expression(type->initializer);
>                 if (type->type == SYM_NODE)
>                         type = type->ctype.base_type;
>         }
> 
> the complete command line:
> 
> sparse -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ -Wbitwise
> -Wno-return-void -D__x86_64__ -m64 -nostdinc -isystem
> /usr/lib/gcc/x86_64-redhat-linux/4.3.2/include
> -Wp,-MD,kernel/.cred.o.d -nostdinc -isystem
> /usr/lib/gcc/x86_64-redhat-linux/4.3.2/include -Iinclude
> -I/home/hannes/linux-2.6/arch/x86/include -include
> include/linux/autoconf.h -D__KERNEL__ -Wall -Wundef
> -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common
> -Werror-implicit-function-declaration -Os -m64 -mtune=generic
> -mno-red-zone -mcmodel=kernel -funit-at-a-time
> -maccumulate-outgoing-args -fstack-protector -fstack-protector-all
> -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -pipe
> -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx
> -mno-sse2 -mno-3dnow -fno-omit-frame-pointer
> -fno-optimize-sibling-calls -g -pg -Wdeclaration-after-statement
> -Wno-pointer-sign -D"KBUILD_STR(s)=#s"
> -D"KBUILD_BASENAME=KBUILD_STR(cred)"
> -D"KBUILD_MODNAME=KBUILD_STR(cred)" -D"DEBUG_HASH=36"
> -D"DEBUG_HASH2=28" kernel/cred.c
> 
> 
> using "git bisect" i narrowed to problem down to:
> 
> [db31fd91f8231110ce8d8d48ce402f8cad068e44] Fix handling of ident-less
> declarations
> 
> Does that help? Should I provide any further information?

Preprocessed input would help (note that knowing the kernel tree in
question is not enough - .config affects what comes out of preprocessing,
after all).

Just slap -E in command line above and dump the output someplace public...

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Nicholas Mc Guire]

On Thu, 19 Mar 2009, Al Viro wrote:

> On Thu, Mar 19, 2009 at 02:49:21PM +0100, Hannes Eder wrote:
> > running sparse (from Christopher's tree) on linux-2.6/kernel/cred.c
> > (as of next-20090318, problem may appeared earlier, I have not tried
> > yet) causes a segfault at evaluate.c:341:
> > 
> >         if (type->type == SYM_NODE)
> >                 type = type->ctype.base_type;
> >         if (type->type == SYM_TYPEOF) {        <======== SEGFAULT (type == NULL)
> >                 type = evaluate_expression(type->initializer);
> >                 if (type->type == SYM_NODE)
> >                         type = type->ctype.base_type;
> >         }
> > 
> > the complete command line:
> > 
> > sparse -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ -Wbitwise
> > -Wno-return-void -D__x86_64__ -m64 -nostdinc -isystem
> > /usr/lib/gcc/x86_64-redhat-linux/4.3.2/include
> > -Wp,-MD,kernel/.cred.o.d -nostdinc -isystem
> > /usr/lib/gcc/x86_64-redhat-linux/4.3.2/include -Iinclude
> > -I/home/hannes/linux-2.6/arch/x86/include -include
> > include/linux/autoconf.h -D__KERNEL__ -Wall -Wundef
> > -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common
> > -Werror-implicit-function-declaration -Os -m64 -mtune=generic
> > -mno-red-zone -mcmodel=kernel -funit-at-a-time
> > -maccumulate-outgoing-args -fstack-protector -fstack-protector-all
> > -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -pipe
> > -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx
> > -mno-sse2 -mno-3dnow -fno-omit-frame-pointer
> > -fno-optimize-sibling-calls -g -pg -Wdeclaration-after-statement
> > -Wno-pointer-sign -D"KBUILD_STR(s)=#s"
> > -D"KBUILD_BASENAME=KBUILD_STR(cred)"
> > -D"KBUILD_MODNAME=KBUILD_STR(cred)" -D"DEBUG_HASH=36"
> > -D"DEBUG_HASH2=28" kernel/cred.c
> > 
> > 
> > using "git bisect" i narrowed to problem down to:
> > 
> > [db31fd91f8231110ce8d8d48ce402f8cad068e44] Fix handling of ident-less
> > declarations
> > 
> > Does that help? Should I provide any further information?
> 
> Preprocessed input would help (note that knowing the kernel tree in
> question is not enough - .config affects what comes out of preprocessing,
> after all).
>
> Just slap -E in command line above and dump the output someplace public...

just to (hopfully) simplify things a bit - a simple:

make i386_defconfig
make V=1 C=1 kernel/kred.i 

should actually do it 

hofrat

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Hannes Eder]

On Thu, Mar 19, 2009 at 3:46 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, Mar 19, 2009 at 02:49:21PM +0100, Hannes Eder wrote:
>> running sparse (from Christopher's tree) on linux-2.6/kernel/cred.c
>> (as of next-20090318, problem may appeared earlier, I have not tried
>> yet) causes a segfault at evaluate.c:341:
>>
>>         if (type->type == SYM_NODE)
>>                 type = type->ctype.base_type;
>>         if (type->type == SYM_TYPEOF) {        <======== SEGFAULT (type == NULL)
>>                 type = evaluate_expression(type->initializer);
>>                 if (type->type == SYM_NODE)
>>                         type = type->ctype.base_type;
>>         }
>>
>> the complete command line:
>>
>> sparse -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ -Wbitwise
>> -Wno-return-void -D__x86_64__ -m64 -nostdinc -isystem
>> /usr/lib/gcc/x86_64-redhat-linux/4.3.2/include
>> -Wp,-MD,kernel/.cred.o.d -nostdinc -isystem
>> /usr/lib/gcc/x86_64-redhat-linux/4.3.2/include -Iinclude
>> -I/home/hannes/linux-2.6/arch/x86/include -include
>> include/linux/autoconf.h -D__KERNEL__ -Wall -Wundef
>> -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common
>> -Werror-implicit-function-declaration -Os -m64 -mtune=generic
>> -mno-red-zone -mcmodel=kernel -funit-at-a-time
>> -maccumulate-outgoing-args -fstack-protector -fstack-protector-all
>> -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -pipe
>> -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx
>> -mno-sse2 -mno-3dnow -fno-omit-frame-pointer
>> -fno-optimize-sibling-calls -g -pg -Wdeclaration-after-statement
>> -Wno-pointer-sign -D"KBUILD_STR(s)=#s"
>> -D"KBUILD_BASENAME=KBUILD_STR(cred)"
>> -D"KBUILD_MODNAME=KBUILD_STR(cred)" -D"DEBUG_HASH=36"
>> -D"DEBUG_HASH2=28" kernel/cred.c
>>
>>
>> using "git bisect" i narrowed to problem down to:
>>
>> [db31fd91f8231110ce8d8d48ce402f8cad068e44] Fix handling of ident-less
>> declarations
>>
>> Does that help? Should I provide any further information?
>
> Preprocessed input would help (note that knowing the kernel tree in
> question is not enough - .config affects what comes out of preprocessing,
> after all).
>
> Just slap -E in command line above and dump the output someplace public...

I use sparse with -E <rest of the options> and gcc -E -P <rest of the
options> to produce the files
kernel-cred-c.prep.sparse and kernel-cred-c.prep.gcc, which can be found at

http://hanneseder.net/sparse/kernel-cred-c.prep.tar.gz

$ sparse kernel-cred-c.prep.gcc

produces some warnings as usual.

$ sparse kernel-cred-c.prep.sparse

produces some warnings, a boatload of errors, and then segfaults.

hth,
-Hannes
--
To unsubscribe from this list: send the line "unsubscribe linux-sparse" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Al Viro]

On Thu, Mar 19, 2009 at 07:38:51PM +0100, Hannes Eder wrote:

> http://hanneseder.net/sparse/kernel-cred-c.prep.tar.gz
> 
> $ sparse kernel-cred-c.prep.gcc
> 
> produces some warnings as usual.
> 
> $ sparse kernel-cred-c.prep.sparse
> 
> produces some warnings, a boatload of errors, and then segfaults.

Oh, joy.

a) some <expletives> has #define if(x) ....... (check it out, I'm not kidding)
b) ifdef that turd's conditional upon is present in your .config
c) ... and now,
	if (
#ifdef .....
		barf &&
#endif
		vomit)

steps into undefined behaviour.

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Christopher Li]

On Thu, Mar 19, 2009 at 12:14 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> a) some <expletives> has #define if(x) ....... (check it out, I'm not kidding)
> b) ifdef that turd's conditional upon is present in your .config
> c) ... and now,
>        if (
> #ifdef .....
>                barf &&
> #endif
>                vomit)
>
> steps into undefined behaviour.

We can complain about the bad C code.

We should stop the segfault though. I take a look at it. It seems that
there is a SYM_NODE with base_type is NULL. I guess in some of
the error path we result in an invalid AST three.

Maybe we should abort sparse after "too many error" ?

Chris
--
To unsubscribe from this list: send the line "unsubscribe linux-sparse" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Al Viro]

On Thu, Mar 19, 2009 at 01:04:20PM -0700, Christopher Li wrote:

> We should stop the segfault though. I take a look at it. It seems that
> there is a SYM_NODE with base_type is NULL. I guess in some of
> the error path we result in an invalid AST three.

We are getting some mess with K&R declarations.  Which is bloody likely
to be my fault; will check.

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Al Viro]

On Thu, Mar 19, 2009 at 09:52:50PM +0000, Al Viro wrote:
> On Thu, Mar 19, 2009 at 01:04:20PM -0700, Christopher Li wrote:
> 
> > We should stop the segfault though. I take a look at it. It seems that
> > there is a SYM_NODE with base_type is NULL. I guess in some of
> > the error path we result in an invalid AST three.
> 
> We are getting some mess with K&R declarations.  Which is bloody likely
> to be my fault; will check.

Yeah...  It's an old b0rken handling of calls for K&R + changes that exposed
that even worse.

Status quo is restored by the patch below, but it's a stopgap - e.g.
void f();
void g(void)
{
	f(0, 0);
}
will warn about extra arguments as if we had void f(void); as sparse had
been doing all along.  B0rken.

Testcase for the segfault is
void f(x, y);
void g(void)
{
	f(0, 0);
}

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/parse.c b/parse.c
index b9b96ba..87f6264 100644
--- a/parse.c
+++ b/parse.c
@@ -2323,6 +2323,7 @@ static struct token *identifier_list(struct token *token, struct symbol *fn)
 		sym->ident = token->ident;
 		token = token->next;
 		sym->endpos = token->pos;
+		sym->ctype.base_type = &incomplete_ctype;
 		add_symbol(list, sym);
 		if (!match_op(token, ',') ||
 		    token_type(token->next) != TOKEN_IDENT ||

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Christopher Li]

Thanks Al,

I will apply it later tonight.

If no one beats to me, I will try to add the warning for using preprocessor
directive inside macro expansion. It should be a better error message
than the current one.

Chris

On Thu, Mar 19, 2009 at 3:09 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, Mar 19, 2009 at 09:52:50PM +0000, Al Viro wrote:
>> On Thu, Mar 19, 2009 at 01:04:20PM -0700, Christopher Li wrote:
>>
>> > We should stop the segfault though. I take a look at it. It seems that
>> > there is a SYM_NODE with base_type is NULL. I guess in some of
>> > the error path we result in an invalid AST three.
>>
>> We are getting some mess with K&R declarations.  Which is bloody likely
>> to be my fault; will check.
>
> Yeah...  It's an old b0rken handling of calls for K&R + changes that exposed
> that even worse.
>
> Status quo is restored by the patch below, but it's a stopgap - e.g.
> void f();
> void g(void)
> {
>        f(0, 0);
> }
> will warn about extra arguments as if we had void f(void); as sparse had
> been doing all along.  B0rken.
>
> Testcase for the segfault is
> void f(x, y);
> void g(void)
> {
>        f(0, 0);
> }
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
> diff --git a/parse.c b/parse.c
> index b9b96ba..87f6264 100644
> --- a/parse.c
> +++ b/parse.c
> @@ -2323,6 +2323,7 @@ static struct token *identifier_list(struct token *token, struct symbol *fn)
>                sym->ident = token->ident;
>                token = token->next;
>                sym->endpos = token->pos;
> +               sym->ctype.base_type = &incomplete_ctype;
>                add_symbol(list, sym);
>                if (!match_op(token, ',') ||
>                    token_type(token->next) != TOKEN_IDENT ||
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sparse" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-sparse" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Al Viro]

On Thu, Mar 19, 2009 at 04:11:41PM -0700, Christopher Li wrote:
> Thanks Al,
> 
> I will apply it later tonight.
> 
> If no one beats to me, I will try to add the warning for using preprocessor
> directive inside macro expansion. It should be a better error message
> than the current one.

Well...  patch below would give more or less close approximation to the
current set of nasal demons produced by gcc in these situations + error
when that crap happens.
Warning: it might make things slower, and it needs testing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/pre-process.c b/pre-process.c
index cf53893..df6cca4 100644
--- a/pre-process.c
+++ b/pre-process.c
@@ -193,13 +193,36 @@ static void expand_list(struct token **list)
 	}
 }
 
+static void preprocessor_line(struct stream *stream, struct token **line);
+
 static struct token *collect_arg(struct token *prev, int vararg, struct position *pos)
 {
+	struct stream *stream = input_streams + prev->pos.stream;
 	struct token **p = &prev->next;
 	struct token *next;
 	int nesting = 0;
 
 	while (!eof_token(next = scan_next(p))) {
+		if (next->pos.newline && match_op(next, '#')) {
+			if (!next->pos.noexpand) {
+				sparse_error(next->pos,
+					     "directive in argument list");
+				preprocessor_line(stream, p);
+				__free_token(next);	/* Free the '#' token */
+				continue;
+			}
+		}
+		switch (token_type(next)) {
+		case TOKEN_STREAMEND:
+		case TOKEN_STREAMBEGIN:
+			*p = &eof_token_entry;
+			return next;
+		}
+		if (false_nesting) {
+			*p = next->next;
+			__free_token(next);
+			continue;
+		}
 		if (match_op(next, '(')) {
 			nesting++;
 		} else if (match_op(next, ')')) {

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Al Viro]

On Sat, Mar 21, 2009 at 04:40:20AM +0000, Al Viro wrote:
> On Thu, Mar 19, 2009 at 04:11:41PM -0700, Christopher Li wrote:
> > Thanks Al,
> > 
> > I will apply it later tonight.
> > 
> > If no one beats to me, I will try to add the warning for using preprocessor
> > directive inside macro expansion. It should be a better error message
> > than the current one.
> 
> Well...  patch below would give more or less close approximation to the
> current set of nasal demons produced by gcc in these situations + error
> when that crap happens.
> Warning: it might make things slower, and it needs testing.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---

It needed testing, all right - #elif handling got broken by the initial
variant...  Hopefully fixed version follows:

diff --git a/pre-process.c b/pre-process.c
index cf53893..34b21ff 100644
--- a/pre-process.c
+++ b/pre-process.c
@@ -193,13 +193,36 @@ static void expand_list(struct token **list)
 	}
 }
 
+static void preprocessor_line(struct stream *stream, struct token **line);
+
 static struct token *collect_arg(struct token *prev, int vararg, struct position *pos)
 {
+	struct stream *stream = input_streams + prev->pos.stream;
 	struct token **p = &prev->next;
 	struct token *next;
 	int nesting = 0;
 
 	while (!eof_token(next = scan_next(p))) {
+		if (next->pos.newline && match_op(next, '#')) {
+			if (!next->pos.noexpand) {
+				sparse_error(next->pos,
+					     "directive in argument list");
+				preprocessor_line(stream, p);
+				__free_token(next);	/* Free the '#' token */
+				continue;
+			}
+		}
+		switch (token_type(next)) {
+		case TOKEN_STREAMEND:
+		case TOKEN_STREAMBEGIN:
+			*p = &eof_token_entry;
+			return next;
+		}
+		if (false_nesting) {
+			*p = next->next;
+			__free_token(next);
+			continue;
+		}
 		if (match_op(next, '(')) {
 			nesting++;
 		} else if (match_op(next, ')')) {
@@ -1357,8 +1380,9 @@ static int handle_elif(struct stream * stream, struct token **line, struct token
 	if (token_type(top_if) != TOKEN_IF)
 		return 1;
 	if (false_nesting) {
-		if (expression_value(&token->next))
-			false_nesting = 0;
+		false_nesting = 0;
+		if (!expression_value(&token->next))
+			false_nesting = 1;
 	} else {
 		false_nesting = 1;
 		token_type(top_if) = TOKEN_SKIP_GROUPS;

Re: [bug, bisected, -chrisl] Segfault at evaluate.c:341

[Christopher Li]

>
> It needed testing, all right - #elif handling got broken by the initial
> variant...  Hopefully fixed version follows:

Looks good. BTW, it is simpler than my version which try to do
the processor in argument list.

Applied, thanks.

Chris