
The 30 December 2018 build (11543) is out.


killerbot:
related to what has been mentioned in a previous comment above : http://forums.codeblocks.org/index.php/topic,22936.0.html
==> the assert was as such also already present before, so that is not due to stepping to gcc810

riban:
@oBFusCATed the crash happens with the simplest of project, e.g. new console project (hello world) when the source code editor is opened. The assertion only happens occasionally so I have not figured out how to trigger that.

BlueHazzard:

--- Quote from: oBFusCATed on January 01, 2019, 07:19:45 pm ---What is the value of j and next?

--- End quote ---

funny:


--- Code: ---> info locals
next = <error reading variable next (Cannot access memory at address 0x0)>
index = 0
i = 0
j = 0
--- End code ---

some heavy compiler optimizing going on here xD

compiled with -g3 and no optimization turned on...

oBFusCATed:

--- Quote from: BlueHazzard on January 03, 2019, 02:22:40 pm ---some heavy compiler optimizing going on here xD

--- End quote ---
I hope this is sarcasm, because the bug happens even with -O0...
And I'm sure it is some kind of buffer overflow, but I'll have to dig a bit more to know the details...

oBFusCATed:
Here is a patch which fixes one of the issues with this function....


--- Code: ---diff --git a/src/plugins/codecompletion/parser/tokenizer.cpp b/src/plugins/codecompletion/parser/tokenizer.cpp
index 34e85c0..9b72cef 100644
--- a/src/plugins/codecompletion/parser/tokenizer.cpp
+++ b/src/plugins/codecompletion/parser/tokenizer.cpp
@@ -1668,7 +1668,7 @@ bool Tokenizer::ReplaceMacroUsage(const Token* tk)
     return false;
 }

-void Tokenizer::KMP_GetNextVal(const wxChar* pattern, int next[])
+void Tokenizer::KMP_GetNextVal(const wxChar* pattern, int next[], const int patternLen)
 {
     int j = 0, k = -1;
     next[0] = -1;
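Review bot: the new `patternLen` parameter carries an implicit contract that the signature does not state: the body reads `pattern[j]` after `++j` has taken `j` to `patternLen` (the added check only aborts at `patternLen + 1`), so `patternLen` must be exactly the length of a NUL-terminated `pattern` or `pattern[j] != pattern[k]` reads past the end of it. Say so in a comment next to the parameter, and that `next[]` needs `patternLen + 1` entries.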
@@ -1677,6 +1677,8 @@ void Tokenizer::KMP_GetNextVal(const wxChar* pattern, int next[])
         if (k == -1 || pattern[j] == pattern[k])
         {
             ++j;
+            if (j >= patternLen + 1)
+                abort();
             ++k;
             if (pattern[j] != pattern[k])
                 next[j] = k;
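Review bot: `abort()` turns the out-of-bounds write into a deliberate crash of the whole IDE; for a code-completion parser it would be better to bail out (return `bool` from `KMP_GetNextVal` and have `KMP_Find` report no match) than to take the process down on a malformed pattern. Also note that `j >= patternLen + 1` intentionally lets `j == patternLen` through, so `next[j] = k` is still written one past the pattern length; that is what the caller's `patternLen + 1` sizing is for, and a comment here should say so rather than leave the pairing implicit.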
@@ -1704,8 +1706,8 @@ int Tokenizer::KMP_Find(const wxChar* text, const wxChar* pattern, const int pat
         }
     }

-    int next[patternLen];
-    KMP_GetNextVal(pattern, next);
+    int next[patternLen + 1];
+    KMP_GetNextVal(pattern, next, patternLen);

     int index = 0, i = 0, j = 0;
     while (text[i] != _T('\0') && pattern[j] != _T('\0'))
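Review bot: `int next[patternLen + 1]` is still a variable-length array, which standard C++ does not have (it is a GCC extension), and a long pattern grows the stack unchecked. Since the length is guarded above, a fixed `int next[MAX + 1]` bounded by that guard, or a `std::vector<int>`, would fix both portability and the stack risk. The `+ 1` exists only to make room for the `next[patternLen]` write in `KMP_GetNextVal`; a one-line comment tying the two together would save the next reader from "finding the offenders" by removing it.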
diff --git a/src/plugins/codecompletion/parser/tokenizer.h b/src/plugins/codecompletion/parser/tokenizer.h
index a5ea3bf..911835f 100644
--- a/src/plugins/codecompletion/parser/tokenizer.h
+++ b/src/plugins/codecompletion/parser/tokenizer.h
@@ -489,7 +489,7 @@ private:
     bool GetMacroExpandedText(const Token* tk, wxString& expandedText);

     /** used in the KMP find function */
-    void KMP_GetNextVal(const wxChar* pattern, int next[]);
+    void KMP_GetNextVal(const wxChar* pattern, int next[], const int patternLen);

     /** Tokenizer options specify the token reading option */
     TokenizerOptions     m_TokenizerOptions;

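Review bot: the doc comment `/** used in the KMP find function */` was not updated for the new parameter; it should state that `patternLen` is the length of `pattern` and that `next` must have room for `patternLen + 1` entries, since that contract is the whole point of the change.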
--- End code ---

To find the offenders remove the two +1...

There are at least three more:
1. access to next[k] is not guaranteed to be within bounds
2. the use of dynamic arrays is a GCC extension which I am not sure how well it works in C++ and also it is not really portable. It should be replaced with an alloca or static sized array. The size is guarded already, so I don't see a reason to use a dynamic size here. It should be possible to statically size the array.
3. These functions should probably be made global functions and not part of the class.

I won't make any changes, because I don't understand the code here. @ollydbg would you be able to fix the issue now that we know what is causing it?
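An added example, not from this thread or the Code::Blocks sources, of what the post argues for: the KMP next-table computed the way the patch's KMP_GetNextVal does, but with the patternLen + 1 requirement checked up front, a statically sized table instead of a VLA, and an error return instead of abort(). The names kmp_get_next, kmp_find and MAX_PATTERN are constructed for the example.

```c
#include <string.h>

/* Constructed example, not Code::Blocks code. Builds the KMP "next" table the way
 * Tokenizer::KMP_GetNextVal does. The loop writes next[j] for j up to patternLen,
 * so the table needs patternLen + 1 slots. Returns the number of entries written,
 * or -1 if next[] has fewer than patternLen + 1 slots (no write happens then). */
int kmp_get_next(const char *pattern, int next[], int nextCap)
{
    int patternLen = (int)strlen(pattern);
    if (nextCap < patternLen + 1) return -1;   /* refuse instead of overflowing */
    int j = 0, k = -1;
    next[0] = -1;
    while (j < patternLen)                     /* j reaches patternLen inside the body */
    {
        if (k == -1 || pattern[j] == pattern[k])
        {
            ++j;                               /* may now equal patternLen */
            ++k;
            if (pattern[j] != pattern[k])      /* pattern[patternLen] is the NUL */
                next[j] = k;                   /* writes next[patternLen] on the last pass */
            else
                next[j] = next[k];             /* k < j, so next[k] is already filled */
        }
        else
            k = next[k];
    }
    return patternLen + 1;
}

/* Searches text for pattern using a fixed-size table (MAX_PATTERN is a constructed
 * limit standing in for the caller's existing length guard). Returns the index of
 * the first match, or -1 for no match / empty or over-long pattern. */
int kmp_find(const char *text, const char *pattern)
{
    enum { MAX_PATTERN = 64 };
    int next[MAX_PATTERN + 1];                 /* +1 for the next[patternLen] slot */
    int patternLen = (int)strlen(pattern);
    int textLen = (int)strlen(text);
    if (patternLen == 0 || patternLen > MAX_PATTERN) return -1;
    if (kmp_get_next(pattern, next, MAX_PATTERN + 1) < 0) return -1;
    int i = 0, j = 0;
    while (i < textLen && j < patternLen)
    {
        if (j == -1 || text[i] == pattern[j]) { ++i; ++j; }
        else j = next[j];
    }
    return (j == patternLen) ? i - j : -1;
}
```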
