Subject: Re: Remaining patches
From: Ingo Schwarze @ 2010-12-11 17:02 UTC
To: tech

Hi Kristaps,

Kristaps Dzonsons wrote on Mon, Dec 06, 2010 at 05:10:11PM +0100:
> Ingo Schwarze wrote:

>> Regarding your recent commits, it is nice all this is going in.
>> I'll cross-check a bit more carefully when i'm out of office.
>> One thing looks dubious, though.
>>
>>   .de XX
>>   ..
>>
>> This should do the same as
>>
>>   .ds XX ""
>>
>> and *not* the same as
>>
>>   .rm XX
>>
>> Thus, i specifically changed that from NULL to "".
>> Otherwise, pages containing .IX throw lots of "unknown macro"
>> errors.
>>
>> In case this crashes on ALPHA, i suspect another bug somewhere...
>> Perhaps something related to integer sizes or alignment?

> Nope, valgrind pukes all over certain pages with this as well.
> Enclosed is an example offender and valgrind's output (in case it's
> useful).  The output, as you can see, stops at the first
> parenthesis.
>
> I'll look into it some more later.

Here is what happens.

When parsing ".IX xyzzy", roff.c, roff_userdef() sets

  *bufp = "";
  *szp = 1;
  return(ROFF_APPEND);

Then main.c, parsebuf() has

  ln.buf = "";
  ln.sz = 1;
  pos = 0;
  continue;

It appends the next line.  Hitting the \s at the beginning, it calls

  resize_buf(&ln, 256)

which does

  buf->sz = buf->sz ? 2 * buf->sz : initial;

i.e. buf->sz = 2*1 = 2;

  realloc(buf->buf, buf->sz);

and returning to parsebuf()

  ln.buf[pos++] = blk.buf[i++];
  ln.buf[pos++] = blk.buf[i++];

to copy the two characters of "\s".  That's one too much, boom.

So, let's fix resize_buf!

Can you verify with valgrind?
This analysis is purely from reading the code.
The OpenBSD build survives with the patch.

Yours,
  Ingo

> .TH FOO 1
> .ie \nF \{\
> . de IX
> ..
> .\}
> .el \{\
> . de IX
> ..
> .\}
> .IX Title "FOO 1"
> .SH "NAME"
> foo \- bar
> .SH DESCRIPTION
> .IX xyzzy
> (\s-1asdfasd\s0) fdsafdsa

> ==27147== Memcheck, a memory error detector
> ==27147== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
> ==27147== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
> ==27147== Command: ./mandoc -Owidth=68 foo.1
> ==27147== Parent PID: 11203
> ==27147==
> ==27147== Invalid write of size 1
> ==27147==    at 0x40253C: parsebuf (main.c:733)
> ==27147==    by 0x402257: pdesc (main.c:626)
> ==27147==    by 0x401DEC: fdesc (main.c:487)
> ==27147==    by 0x40198F: ffile (main.c:340)
> ==27147==    by 0x401819: main (main.c:276)
> ==27147==  Address 0x518b2a2 is 0 bytes after a block of size 2 alloc'd
> ==27147==    at 0x4C245E2: realloc (vg_replace_malloc.c:525)
> ==27147==    by 0x401ACB: resize_buf (main.c:381)
> ==27147==    by 0x4024F9: parsebuf (main.c:730)
> ==27147==    by 0x402257: pdesc (main.c:626)
> ==27147==    by 0x401DEC: fdesc (main.c:487)
> ==27147==    by 0x40198F: ffile (main.c:340)
> ==27147==    by 0x401819: main (main.c:276)

Index: main.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/main.c,v
retrieving revision 1.61
diff -u -p -r1.61 main.c
--- main.c	9 Dec 2010 23:01:18 -0000	1.61
+++ main.c	11 Dec 2010 17:01:40 -0000
@@ -375,7 +375,7 @@ static void
 resize_buf(struct buf *buf, size_t initial)
 {
 
-	buf->sz = buf->sz ? 2 * buf->sz : initial;
+	buf->sz = buf->sz >= initial ? 2 * buf->sz : initial;
 	buf->buf = realloc(buf->buf, buf->sz);
 	if (NULL == buf->buf) {
 		perror(NULL);

--
To unsubscribe send an email to tech+unsubscribe@mdocml.bsd.lv
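Review bot: the condition `buf->sz >= initial ? 2 * buf->sz : initial` still permits a one-byte growth: when `buf->sz` is just below `initial` (255 with `initial` 256) the comparison is false, the buffer becomes 256 bytes, and the two-character copy parsebuf() performs after a single resize can again run past the end, exactly the pattern valgrind reported for `sz == 1`. The growth of one resize should be bounded below, for example by doubling whenever `buf->sz > initial/2`, so that every call adds at least `initial/2` bytes; a comment on the function stating that minimum would make the contract with parsebuf() explicit.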
Subject: Re: Remaining patches
From: Ingo Schwarze @ 2010-12-11 17:07 UTC
To: tech

> Index: main.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mandoc/main.c,v
> retrieving revision 1.61
> diff -u -p -r1.61 main.c
> --- main.c	9 Dec 2010 23:01:18 -0000	1.61
> +++ main.c	11 Dec 2010 17:01:40 -0000
> @@ -375,7 +375,7 @@ static void
>  resize_buf(struct buf *buf, size_t initial)
>  {
>  
> -	buf->sz = buf->sz ? 2 * buf->sz : initial;
> +	buf->sz = buf->sz >= initial ? 2 * buf->sz : initial;
>  	buf->buf = realloc(buf->buf, buf->sz);
>  	if (NULL == buf->buf) {
>  		perror(NULL);

Gah, that's wrong as well.
It only moves the bug from sz = 1 to sz = initial-1.

It must be

  buf->sz = buf->sz > initial/2 ? 2 * buf->sz : initial;
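As an added example (not code from the mdocml project or from anyone in this thread), the C program below models the three growth conditions for resize_buf() that the thread discusses and checks what each one guarantees: the original `sz ? 2*sz : initial`, the first attempt with `>= initial`, and the final `> initial/2`. The names next_size, min_growth and append_fits and the enum labels are my own. The append simulation is an assumption about parsebuf(): that the line buffer is resized once when fewer than two bytes are free and then receives two characters plus a terminating NUL, which is consistent with valgrind reporting a write 0 bytes past a 2-byte block.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical labels for the three growth conditions seen in the thread. */
enum policy {
	POLICY_ORIG,	/* buf->sz ? 2 * buf->sz : initial              (original)  */
	POLICY_GE,	/* buf->sz >= initial ? 2 * buf->sz : initial   (first try) */
	POLICY_HALF	/* buf->sz > initial/2 ? 2 * buf->sz : initial  (final)     */
};

/* Size a resize_buf() using policy p would choose for a buffer of sz bytes. */
size_t
next_size(size_t sz, size_t initial, enum policy p)
{
	switch (p) {
	case POLICY_ORIG:
		return sz ? 2 * sz : initial;
	case POLICY_GE:
		return sz >= initial ? 2 * sz : initial;
	case POLICY_HALF:
		return sz > initial / 2 ? 2 * sz : initial;
	}
	return 0;
}

/*
 * Smallest number of bytes a single resize adds, over every starting
 * size from 0 up to limit.  This is the bound a caller may rely on
 * after one call to resize_buf(); a bound of 1 means "one byte at most".
 */
size_t
min_growth(size_t initial, enum policy p, size_t limit)
{
	size_t sz, n, g, best = (size_t)-1;

	for (sz = 0; sz <= limit; sz++) {
		n = next_size(sz, initial, p);
		g = n > sz ? n - sz : 0;
		if (g < best)
			best = g;
	}
	return best;
}

/*
 * Assumed model of parsebuf(): the line buffer holds pos bytes of sz,
 * is resized once when fewer than two bytes are free, then receives two
 * characters (the "\s" escape) at pos and pos+1 and a NUL at pos+2.
 * Returns 1 if every write stays inside the buffer, 0 if one would land
 * past its end (which is what valgrind reported for sz == 1).
 */
int
append_fits(size_t sz, size_t pos, size_t initial, enum policy p)
{
	if (pos + 2 > sz)
		sz = next_size(sz, initial, p);
	return pos + 2 < sz;	/* index pos + 2 must exist for the NUL */
}

int
main(void)
{
	static const char *name[] = { "original", ">= initial", "> initial/2" };
	int i;

	for (i = POLICY_ORIG; i <= POLICY_HALF; i++)
		printf("%-12s min growth %3zu  sz=1 fits: %d  sz=255 fits: %d\n",
		    name[i], min_growth(256, (enum policy)i, 1024),
		    append_fits(1, 0, 256, (enum policy)i),
		    append_fits(255, 254, 256, (enum policy)i));
	return 0;
}
```

The run shows why the second attempt only moves the bug: both the original and the `>= initial` condition have a worst case that grows the buffer by a single byte (at sz == 1 and at sz == initial-1 respectively), while `> initial/2` never adds fewer than initial/2 bytes, so one resize always leaves room for the two-character copy.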
Subject: Re: Remaining patches
From: Ingo Schwarze @ 2010-12-19 12:41 UTC
To: tech

Hi Kristaps,

Ingo Schwarze wrote on Sat, Dec 11, 2010 at 06:07:14PM +0100:

> Gah, that's wrong as well.
> It only moves the bug from sz = 1 to sz = initial-1.
>
> It must be
>
>   buf->sz = buf->sz > initial/2 ? 2 * buf->sz : initial;

To get this finally settled:

OK for this one, too?
Or does it still crash your Alpha?

Index: main.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/main.c,v
retrieving revision 1.61
diff -u -p -r1.61 main.c
--- main.c	9 Dec 2010 23:01:18 -0000	1.61
+++ main.c	19 Dec 2010 12:34:57 -0000
@@ -375,7 +375,7 @@ static void
 resize_buf(struct buf *buf, size_t initial)
 {
 
-	buf->sz = buf->sz ? 2 * buf->sz : initial;
+	buf->sz = buf->sz > initial/2 ? 2 * buf->sz : initial;
 	buf->buf = realloc(buf->buf, buf->sz);
 	if (NULL == buf->buf) {
 		perror(NULL);
Index: roff.c
===================================================================
RCS file: /cvs/src/usr.bin/mandoc/roff.c,v
retrieving revision 1.23
diff -u -p -r1.23 roff.c
--- roff.c	9 Dec 2010 20:56:30 -0000	1.23
+++ roff.c	19 Dec 2010 12:34:58 -0000
@@ -345,18 +345,11 @@ roff_res(struct roff *r, char **bufp, si
 	size_t		 nsz;
 	char		*n;
 
-	/* String escape sequences have at least three characters. */
+	/* Search for a leading backslash and save a pointer to it. */
 
-	for (cp = *bufp + pos; cp[0] && cp[1] && cp[2]; cp++) {
-
-		/*
-		 * The first character must be a backslash.
-		 * Save a pointer to it.
-		 */
-
-		if ('\\' != *cp)
-			continue;
-		stesc = cp;
+	cp = *bufp + pos;
+	while (NULL != (cp = strchr(cp, '\\'))) {
+		stesc = cp++;
 
 		/*
 		 * The second character must be an asterisk.
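Review bot: the main.c hunk fixes the growth bound but leaves it undocumented; with `initial` 256, `buf->sz > initial/2 ? 2 * buf->sz : initial` yields at least 256 bytes for any `buf->sz` up to 128 and at least 2*129 bytes above that, so every call adds no fewer than `initial/2` bytes. A one-line comment above the assignment stating that minimum would tell the next reader why `initial/2`, not `initial`, is the threshold, and why the callers in parsebuf() may copy two characters after one resize.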
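Review bot: in the first roff.c hunk, replacing the `cp[0] && cp[1] && cp[2]` loop guard with `strchr(cp, '\\')` drops the guarantee that two characters follow the backslash, so after `stesc = cp++` every subsequent dereference of `*cp` must test for the terminating NUL before advancing again, and the loop body now carries that obligation instead of the loop header. Since `cp++` inside the `continue` paths is what prevents `strchr` from finding the same backslash forever, a short comment next to the `while` ("cp always points past the backslash; the body checks for end of string") would protect both invariants against a future edit.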
@@ -364,7 +357,9 @@ roff_res(struct roff *r, char **bufp, si
 		 * so it can't start another escape sequence.
 		 */
 
-		if ('*' != *(++cp))
+		if ('\0' == *cp)
+			return(1);
+		if ('*' != *cp++)
 			continue;
 
 		/*
@@ -373,7 +368,9 @@ roff_res(struct roff *r, char **bufp, si
 		 * Save a pointer to the name.
 		 */
 
-		switch (*(++cp)) {
+		switch (*cp) {
+		case ('\0'):
+			return(1);
 		case ('('):
 			cp++;
 			maxl = 2;
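Review bot: the second roff.c hunk turns a backslash at the very end of the line into an immediate `return(1)`, where the old three-character guard simply fell out of the `for` loop; that is equivalent only if nothing after the loop needs to run for that line, which is not visible in the hunk, so the return value and any post-loop cleanup should be confirmed before commit. The same question applies to the `case ('\0'): return(1);` added in the third hunk for a line ending in `\*`; a comment on those two returns saying that an unterminated escape is left in place for the caller would also make the intent clear.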
Subject: Re: Remaining patches
From: Kristaps Dzonsons @ 2010-12-20 14:50 UTC
To: tech

>> Gah, that's wrong as well.
>> It only moves the bug from sz = 1 to sz = initial-1.
>>
>> It must be
>>
>>   buf->sz = buf->sz > initial/2 ? 2 * buf->sz : initial;
>
> To get this finally settled:
>
> OK for this one, too?
> Or does it still crash your Alpha?

Ingo, this does the trick for me!

Let me know when we're completely in sync and I'll put out a version
before getting to work on tbl.  I think I've finished the -T[x]html
updates.

Thanks!

Kristaps
Subject: Re: Remaining patches
From: Ingo Schwarze @ 2010-12-21 2:00 UTC
To: tech

Hi Kristaps,

>>>   buf->sz = buf->sz > initial/2 ? 2 * buf->sz : initial;

> Ingo, this does the trick for me!

Good, so i have committed this to both repos,
and main.c and roff.c are back in sync.

> Let me know when we're completely in sync

Well, i still need to merge about a dozen patches,
then check that we are back in sync.
Time is up for tonight, i'll go on tomorrow night.

You have done a lot of work on -Thtml...  :-)

Yours,
  Ingo