SIGSEGV somewhere it should not be, there's no NULL pointer - C

I ran gdb test core and got this:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000557ce64b63f8 in _create (str=str@entry=0x557ce80a8820 "SEND")
at system.c:708
708 data->res = command->data->res;
(gdb) bt
#0 0x0000557ce64b63f8 in _create (str=str@entry=0x557ce80a8820 "SEND")
at system.c:708
#1 0x0000557ce64b2ef1 in make_command (s=<optimized out>, cmd=0x557ce809cb70) at command.c:121
#2 0x0000557ce63aefdf in main (argc=<optimized out>, argv=0x7fff19053278) at main.c:394
(gdb) p *command
$1 = {status = 1, data = 0x7f21027e9a80, sum = 1543465568, time = 0, msg = { str = 0x7f20fd19f080 "GOOD", len = 4}, id = 2}
(gdb) p *command->data
$2 = {status = 1, item = 0x7f21027eb780, res = 0x7f2100990b00, sum = 1133793665}
(gdb) p *command->data->res
$3 = {msg = { str = 0x7f21010a5500 "Hi, test, test"..., len = 14}, status = 1}
(gdb) p *data
$4 = {status = 1, type = 5, res = 0x0, id = 2}
As you can see, the pointers command, command->data and data are all valid, so why did this SIGSEGV happen?

why did this SIGSEGV happen?
We can't tell.
One possible reason: some other code is actually executing and crashing.
This could happen if system.c has been edited or updated, but the program has not been rebuilt with the new source. Or if the compiler mapping of program counter to file/line is inaccurate (this often happens with optimized code).
If you edit your question to show the output from list _create, disas $pc and info registers, we may be able to tell you more.
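One way all three pointers can look valid in gdb and the assignment still fault: gdb reads the core, and a read succeeds on a page that is mapped read-only, while the store on line 708 needs write permission. The example below is added here and is not the question's or the answer's code; the struct layouts are constructed to resemble the gdb output above. It places such a struct in a page made read-only with mprotect and catches the resulting SIGSEGV to report the faulting address, the same value gdb shows as $_siginfo._sifields._sigfault.si_addr, which you can compare against the process's memory mappings to see whether the faulting page was writable.

```c
/* Added example (not from the question): a struct pointer that reads fine
 * but lives in a read-only page, so a store through it raises SIGSEGV. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed layouts, loosely modelled on the gdb output in the question. */
struct res  { const char *str; int status; };
struct data { int status; int type; struct res *res; int id; };

static sigjmp_buf recover;
static volatile sig_atomic_t fault_seen;
static void *volatile fault_addr;

static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    fault_addr = si->si_addr;   /* what gdb shows as $_siginfo._sifields._sigfault.si_addr */
    fault_seen = 1;
    siglongjmp(recover, 1);     /* skip the faulting store instead of re-executing it */
}

/* Performs d->res = r under a SIGSEGV handler.
 * Returns 1 if the store faulted, 0 if it succeeded. */
int store_res(struct data *d, struct res *r)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    fault_seen = 0;
    if (sigsetjmp(recover, 1) == 0)
        d->res = r;             /* the store under test */
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

/* Returns a struct data in a page that was written once and then made read-only. */
struct data *readonly_data(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    struct data *d = p;
    d->status = 1; d->type = 5; d->res = NULL; d->id = 2;   /* mirrors "p *data" above */
    if (mprotect(p, pg, PROT_READ) != 0) return NULL;
    return d;
}

int store_to_writable(void)
{
    struct res r = { "GOOD", 1 };
    struct data d = { 1, 5, NULL, 2 };
    return store_res(&d, &r);   /* 0: ordinary stack memory accepts the store */
}

int store_to_readonly(void)
{
    struct res r = { "GOOD", 1 };
    struct data *d = readonly_data();
    return d ? store_res(d, &r) : -1;   /* 1: every field reads, the store faults */
}

int main(void)
{
    struct res r = { "GOOD", 1 };
    struct data *d = readonly_data();
    if (!d) return 1;
    printf("fields read fine: status=%d type=%d res=%p id=%d\n",
           d->status, d->type, (void *)d->res, d->id);
    printf("store to writable struct faulted: %d\n", store_to_writable());
    printf("store to read-only page faulted: %d\n", store_res(d, &r));
    printf("si_addr=%p, &d->res=%p\n", fault_addr, (void *)&d->res);
    return 0;
}
```

Compile and run on Linux: the first store succeeds, the second faults even though every field of the same struct was just read, and the reported si_addr is the address of the res field being written.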

Related

frame_dummy() causing seg fault

I experienced a segmentation fault and with gdb I found out:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xb771ca28 in frame_dummy () from /home/Dev/.libs/coap-1.so.0
and:
(gdb) i r
eax 0x0 0
ecx 0x81477bc 135559100
edx 0x378845d4 931677652
ebx 0xb772a000 -1217224704
esp 0xbfddbcd0 0xbfddbcd0
ebp 0x81477bc 0x81477bc
esi 0x0 0
edi 0xbfddbd88 -1075987064
eip 0xb771ca28 0xb771ca28 <frame_dummy+8>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
I am not getting what exactly is causing this seg fault.
EDIT:
Compiler optimization is set to -O0
and got:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xb7792a90 in coap_address_equals (a=0xac6745d4, b=0x922b814) at src/address.c:20
20 if (a->size != b->size || a->addr.sa.sa_family != b->addr.sa.sa_family)
and with bt I got:
(gdb) bt
#0 0xb7792a90 in coap_address_equals (a=0xac6745d4, b=0x922b814) at src/address.c:20
#1 0xb779bd8c in coap_find_observer (resource=0x922b530, peer=0x922b814, token=0xbfd8d7a8) at src/resource.c:530
#2 0x0804c55b in hnd_get_cpufreq (ctx=0x92260c0, resource=0x922b530, local_interface=0x922b784, peer=0x922b814, request=0x0, token=0xbfd8d7a8,
response=0x9227ea0) at leshan_test.c:1413
#3 0xb779c2c1 in coap_notify_observers (context=0x92260c0, r=0x922b530) at src/resource.c:656
#4 0xb779c439 in coap_check_notify (context=0x92260c0) at src/resource.c:690
#5 0x08051cba in main (argc=1, argv=0xbfd8e304) at leshan_test.c:3571
With (gdb) r i I found:
/home/libcoap/examples/.libs/leshan_test: relocation error: /home/libcoap/examples/.libs/leshan_test: symbol coap_set_send_handler, version VER_1 not defined in file libcoap-1.so.0 with link time reference
[Inferior 1 (process 16434) exited with code 0177]
EDIT:
disassemble dump : http://pastebin.com/6r3CuELd
EDIT:
(gdb) p *a
Cannot access memory at address 0xac6745d4
(gdb) p *b
$4 = {size = 0, addr = {sa = {sa_family = 0, sa_data = '\000' <repeats 13 times>}, st = {ss_family = 0, __ss_align = 0,
__ss_padding = '\000' <repeats 119 times>}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}}
(gdb)

gdb: "Left operand of assignment is not an lvalue."

I am debugging an ARM microcontroller remotely and trying to modify a variable with gdb in the following block of code:
for (int i = 0; i < 100; i++) {
__asm__("nop");
}
When I execute print i I can see the value of the variable
(gdb) print i
$1 = 0
Executing whatis i returns this
whatis i
~"type = int\n"
But when I try to change the variable I get the following error
(gdb) set variable i=99
Left operand of assignment is not an lvalue.
What am I doing wrong here?
UPDATE: here is the assembler code
! for (int i = 0; i < 100; i++) {
main+38: subs r3, #1
main+40: bne.n 0x80001d0 <main+36>
main+42: b.n 0x80001c4 <main+24>
main+44: lsrs r0, r0, #16
main+46: ands r2, r0
! __asm__("nop");
main+36: nop
I had the same problem and making the variable volatile helped.
The command would be just set i = 99
Try it this way:
(gdb) print i
$1 = 3
(gdb) set var i=6
(gdb) print i
$2 = 6
There are two issues here. First, change the variable name from i to var_i: there are some set subcommands starting with i, so set i=6 gives the ambiguous command set error.
The "Left operand of assignment is not an lvalue." can be fixed with the code changes as shown below.
volatile int var_i = 1;
TRACE((2255, 0, NORMAL, "Ravi I am sleeping here........."));
do
{
sleep(5);
var_i = 1;
}while(var_i);
(gdb) bt
#1 0x00007f67fd7b9404 in sleep () from /lib64/libc.so.6
#2 0x00000000004cd410 in pgWSNVBUHandleGetUser (warning: Source file is more recent than executable.
ptRequest=<optimized out>, oRequest=<optimized out>,
(gdb) finish
Run till exit from #0 0x00007f67fd7b9550 in __nanosleep_nocancel () from /lib64/libc.so.6
0x00007f67fd7b9404 in sleep () from /lib64/libc.so.6
(gdb) finish
Run till exit from #0 0x00007f67fd7b9404 in sleep () from /lib64/libc.so.6
0x00000000004cd410 in pgWSNVBUHandleGetUser (ptRequest=<optimized out>, oRequest=<optimized out>,
pptResponse=0x7fff839e8760) at /root/Checkouts/trunk/source/base/webservice/provnvbuuser.c:376
(gdb)
372 volatile int var_i = 1;
373 TRACE((2255, 0, NORMAL, "Ravi I am sleeping here........."));
374 do
375 {
>376 sleep(5);
377 var_i = 1;
378 }while(var_i);
(gdb) set var_i=0
(gdb) n
(gdb) p var_i
$1 = 1
(gdb) set var_i=0
(gdb) p var_i
$2 = 0
(gdb) n
(gdb) n

exp() function returns nan when it should not

I have the following piece of code in a while loop where I calculate some probability with the exp() function. No matter what the input to the program, on the 7th iteration of the loop exp returns nan.
if(new<=old){
coloring[random_node]=random_color;
}else{
proba=exp((-(new-old))/temperature);
/*assert(!isnan(proba));*/
printf("proba == %.50f\n",proba);
if(random_percent(proba)){
coloring[random_node]=random_color;
}
}
The following is the debugging information of the 6th and 7th iteration inside the loop.
Breakpoint 1, graph_coloring_local_search (objectiveValue=50, N=50, E=350, edge_list=0x804d170, node_list=0x804dc68, maxIterations=100,
initial_temperature=7) at coloring.c:391
391 proba=exp((-(new-old))/temperature);
(gdb) p new
$21 = 1
(gdb) p old
$22 = 0
(gdb) p temperature
$23 = 6.9992999999999999
(gdb) p -(new-old)/temperature
$24 = -0.14287143000014288
(gdb) p ((double(*)())exp)(-(new-old)/temperature)
$25 = 0.8668655146301385
(gdb) c
Continuing.
proba == 0.86686551463013850060690401733154430985450744628906
Breakpoint 1, graph_coloring_local_search (objectiveValue=50, N=50, E=350, edge_list=0x804d170, node_list=0x804dc68, maxIterations=100,
initial_temperature=7) at coloring.c:391
391 proba=exp((-(new-old))/temperature);
(gdb) p new
$26 = 1
(gdb) p old
$27 = 0
(gdb) p temperature
$28 = 6.9992999999999999
(gdb) p -(new-old)/temperature
$29 = -0.14287143000014288
(gdb) p ((double(*)())exp)(-(new-old)/temperature)
$30 = -nan(0x8000000000000)
(gdb) c
Continuing.
proba == -nan
In both cases the variables used have exactly the same value.
Zack's intuition was right. My random_percent function looks as follows and the round() macro wasn't declared.
int random_percent(double probability){
int edge=round(100*probability);
return ((rand () % 100) < edge) ? 1 : 0;
}

mudflap error while using socket()

When compiling like this I get the following mudflap violation and I have no clue what it means:
(I am using Debian squeeze, gcc 4.4.5 and eglibc 2.11.2)
mudflap:
myuser#linux:~/Desktop$ export MUDFLAP_OPTIONS="-mode-check -viol-abort -internal-checking -print-leaks -check-initialization -verbose-violations -crumple-zone=32"
myuser#linux:~/Desktop$ gcc -std=c99 -D_POSIX_C_SOURCE=200112L -ggdb3 -O0 -fmudflap -funwind-tables -lmudflap -rdynamic myprogram.c
myuser#linux:~/Desktop$ ./a.out
*******
mudflap violation 1 (check/read): time=1303221485.951128 ptr=0x70cf10 size=16
pc=0x7fc51c9b1cc1 location=`myprogram.c:22:18 (main)'
/usr/lib/libmudflap.so.0(__mf_check+0x41) [0x7fc51c9b1cc1]
./a.out(main+0x113) [0x400b97]
/lib/libc.so.6(__libc_start_main+0xfd) [0x7fc51c665c4d]
Nearby object 1: checked region begins 0B into and ends 15B into
mudflap object 0x70cf90: name=`malloc region'
bounds=[0x70cf10,0x70cf5b] size=76 area=heap check=1r/0w liveness=1
alloc time=1303221485.949881 pc=0x7fc51c9b1431
/usr/lib/libmudflap.so.0(__mf_register+0x41) [0x7fc51c9b1431]
/usr/lib/libmudflap.so.0(__wrap_malloc+0xd2) [0x7fc51c9b2a12]
/lib/libc.so.6(+0xaada5) [0x7fc51c6f1da5]
/lib/libc.so.6(getaddrinfo+0x162) [0x7fc51c6f4782]
Nearby object 2: checked region begins 640B before and ends 625B before
mudflap dead object 0x70d3f0: name=`malloc region'
bounds=[0x70d190,0x70d3c7] size=568 area=heap check=0r/0w liveness=0
alloc time=1303221485.950059 pc=0x7fc51c9b1431
/usr/lib/libmudflap.so.0(__mf_register+0x41) [0x7fc51c9b1431]
/usr/lib/libmudflap.so.0(__wrap_malloc+0xd2) [0x7fc51c9b2a12]
/lib/libc.so.6(+0x6335b) [0x7fc51c6aa35b]
/lib/libc.so.6(+0xac964) [0x7fc51c6f3964]
dealloc time=1303221485.950696 pc=0x7fc51c9b0fe6
/usr/lib/libmudflap.so.0(__mf_unregister+0x36) [0x7fc51c9b0fe6]
/usr/lib/libmudflap.so.0(__real_free+0xa0) [0x7fc51c9b2f40]
/lib/libc.so.6(fclose+0x14d) [0x7fc51c6a9a1d]
/lib/libc.so.6(+0xacc1a) [0x7fc51c6f3c1a]
number of nearby objects: 2
Aborted (core dumped)
myuser#linux:~/Desktop$
gdb:
(gdb) bt
#0 0x00007fd30f18136e in __libc_waitpid (pid=, stat_loc=0x7fff3689d75c, options=) at ../sysdeps/unix/sysv/linux/waitpid.c:32
#1 0x00007fd30f11f299 in do_system (line=) at ../sysdeps/posix/system.c:149
#2 0x00007fd30f44a9c3 in __mf_violation (ptr=, sz=, pc=0, location=0x7fff3689d880 "\360\323p", type=)
at ../../../src/libmudflap/mf-runtime.c:2174
#3 0x00007fd30f44ba5d in __mfu_check (ptr=0x70cf10, sz=, type=, location=)
at ../../../src/libmudflap/mf-runtime.c:1037
#4 0x00007fd30f44bcc1 in __mf_check (ptr=0x70cf10, sz=16, type=0, location=0x400e5a "myprogram.c:22:18 (main)") at ../../../src/libmudflap/mf-runtime.c:816
#5 0x0000000000400b97 in main () at myprogram.c:5
(gdb) bt full
#0 0x00007fd30f18136e in __libc_waitpid (pid=, stat_loc=0x7fff3689d75c, options=) at ../sysdeps/unix/sysv/linux/waitpid.c:32
oldtype =
result =
#1 0x00007fd30f11f299 in do_system (line=) at ../sysdeps/posix/system.c:149
__result = -512
_buffer = {__routine = 0x7fd30f11f5f0 , __arg = 0x7fff3689d758, __canceltype = 915003406, __prev = 0x7fd30f459348}
_avail = 0
status =
save =
pid = 5385
sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {65536, 0 }}, sa_flags = 0, sa_restorer = 0x7fd30f0ec578}
omask = {__val = {0, 4294967295, 206158430240, 1, 2212816, 0, 140734108391560, 3, 140544470949888, 140544474854386, 140544214827009, 0, 7394247, 140544467453304,
140544471045644, 140734108391424}}
#2 0x00007fd30f44a9c3 in __mf_violation (ptr=, sz=, pc=0, location=0x7fff3689d880 "\360\323p", type=)
at ../../../src/libmudflap/mf-runtime.c:2174
buf = "gdb --pid=5384\000\000\037\317p\000\000\000\000\000\377\377\377\377\000\000\000\000(\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000`\306!", '\000' , "\037\317p\000\000\000\000\000\020\317p\000\000\000\000\000\000 D\017\323\177\000\000\362\263\177\017\323\177\000\000\001\000\000\000\377\177\000\000\000\000\000\000\000\000\000\000\340Pp\000\000\000\000\000hHD\017\323\177\000"
violation_number = 1
#3 0x00007fd30f44ba5d in __mfu_check (ptr=0x70cf10, sz=, type=, location=)
at ../../../src/libmudflap/mf-runtime.c:1037
entry_idx = 1
entry = 0x604ec0
judgement = -512
ptr_high = 140734108391840
__PRETTY_FUNCTION__ = "__mfu_check"
#4 0x00007fd30f44bcc1 in __mf_check (ptr=0x70cf10, sz=16, type=0, location=0x400e5a "myprogram.c:22:18 (main)") at ../../../src/libmudflap/mf-runtime.c:816
__PRETTY_FUNCTION__ = "__mf_check"
#5 0x0000000000400b97 in main () at myprogram.c:5
hints = {ai_flags = 0, ai_family = 0, ai_socktype = 1, ai_protocol = 6, ai_addrlen = 0, ai_addr = 0x0, ai_canonname = 0x0, ai_next = 0x0}
result = 0x70cf10
newsocket = 0
(gdb) quit
source code:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
int main(void)
{
    struct addrinfo hints, *result;
    memset(&hints, 0, sizeof hints); /* zero every byte, including padding and fields not set below */
    hints.ai_flags = 0;
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    hints.ai_addrlen = 0;
    hints.ai_canonname = NULL;
    hints.ai_addr = NULL;
    hints.ai_next = NULL;
    if(getaddrinfo("localhost", "25", &hints, &result) != 0)
    {
        return -1;
    }
    int newsocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol); // line 22
    if(newsocket == -1)
    {
        freeaddrinfo(result);
        return -2;
    }
    freeaddrinfo(result); /* release the list on the success path too */
    close(newsocket);
    return 0;
}
It appears to be complaining about a read of uninitialized data ("mudflap violation 1 (check/read)"). It looks like there are a couple of known regions near the bad address. One a bit further on ("checked region begins 640B before and ends 625B before") has already been freed ("mudflap dead object"). The other actually begins in the same place as the bad read ("checked region begins 0B into and ends 15B into mudflap object 0x70cf90: name=`malloc region'").
Why don't you set -viol-gdb in MUDFLAP_OPTIONS and use GDB to examine the erroneous code?
ETA: The violation occurs because the access history for this region is "check=1r/0w". This indicates that you are reading from it, but, as far as libmudflap knows, the region has never been written to. The read thus represents a "use before initialization" error. This is exactly what the -check-initialization flag you supplied to libmudflap is intended to catch.
Of course, the problem is just that your libc is not instrumented by libmudflap, so while libmudflap can intercept the malloc call, it cannot intercept the pointer accesses that are used to initialize the memory. When your program tries to work with the pointer, it thus looks like all its memory has been allocated but never written to (indeed, never accessed at all).
You can ignore this error, drop -check-initialization so it stops being flagged as an error, or build a libc instrumented for libmudflap and link your executable against that version of libc.

segmentation fault on g_string_truncate ()?

When trying the following in C:
g_string_printf(qbuf,"INSERT INTO inbox (number, smsdate, text) VALUES ('%s','%04d-%02d-%02d %02d:%02d:%02d', '%s')",
xmx.remote.number,
xmx.smsc_time.year,
xmx.smsc_time.month,
xmx.smsc_time.day,
xmx.smsc_time.hour,
xmx.smsc_time.minute,
xmx.smsc_time.second,
xmx.user_data[0].u.text);
I see the following crash:
Program received signal SIGSEGV, Segmentation fault.
0x00984809 in g_string_truncate () from /lib/libglib-2.0.so.0
(gdb)
Why would this happen? Is there any initialization needed before calling g_string_printf()?
From frame 2:
(gdb) frame 2
#2 0x08049ba8 in fetching_phone (unit=0x807cd80) at main.c:152
152 g_string_printf(qbuf,"INSERT INTO inbox (number, smsdate, text) VALUES ('%s','%04d-%02d-%02d %02d:%02d:%02d', '%s')",
(gdb) ptype xmx.remote.number
type = char [40]
(gdb) ptype xmx.smsc_time.year
type = int
(gdb) ptype xmx.smsc_time.month
type = int
(gdb) ptype xmx.smsc_time.day
type = int
(gdb) ptype xmx.smsc_time.hour
type = int
(gdb) ptype xmx.smsc_time.minute
type = int
(gdb) ptype xmx.smsc_time.second
type = int
(gdb) ptype xmx.user_data[0].u.text
type = unsigned char [1601]
(gdb)
But, I still can't find where the problem is.
You probably have a bad pointer for the '%s' fields.
As you are running gdb, here is what you can do:
(gdb) bt
...trace...
# see the frame # of your call to g_string_printf()
(gdb) frame 5 # considering it was 5
(gdb) print xmx.remote.number
(gdb) print xmx.user_data[0].u.text
(gdb) print *xmx.remote.number
(gdb) print *xmx.user_data[0].u.text
or you can also check types (is xmx.remote.number a pointer ?)
(gdb) ptype xmx.remote.number
Did you initialize qbuf?
GString *qbuf = g_string_new("");
