From debbugs-submit-bounces@debbugs.gnu.org Tue Aug 20 17:24:08 2013 Received: (at submit) by debbugs.gnu.org; 20 Aug 2013 21:24:08 +0000 Received: from localhost ([127.0.0.1]:43328 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VBtPK-0006YA-CZ for submit@debbugs.gnu.org; Tue, 20 Aug 2013 17:24:07 -0400 Received: from eggs.gnu.org ([208.118.235.92]:58845) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VBtPH-0006Xv-Kk for submit@debbugs.gnu.org; Tue, 20 Aug 2013 17:24:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VBtP8-0005cB-SS for submit@debbugs.gnu.org; Tue, 20 Aug 2013 17:24:03 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-99.2 required=5.0 tests=BAYES_50,USER_IN_WHITELIST autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:49993) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VBtP8-0005c7-Q8 for submit@debbugs.gnu.org; Tue, 20 Aug 2013 17:23:54 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60485) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VBtP1-0004Mz-Gl for bug-coreutils@gnu.org; Tue, 20 Aug 2013 17:23:54 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VBtOv-0005YM-G3 for bug-coreutils@gnu.org; Tue, 20 Aug 2013 17:23:47 -0400 Received: from joseki.proulx.com ([216.17.153.58]:52944) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VBtOv-0005YC-5a for bug-coreutils@gnu.org; Tue, 20 Aug 2013 17:23:41 -0400 Received: from hysteria.proulx.com (hysteria.proulx.com [192.168.230.119]) by joseki.proulx.com (Postfix) with ESMTP id 37DE6211DA; Tue, 20 Aug 2013 15:23:40 -0600 (MDT) Received: by hysteria.proulx.com (Postfix, from userid 1000) id 360522DC87; Tue, 20 Aug 2013 15:23:40 -0600 (MDT) Date: Tue, 20 Aug 2013 15:23:40 -0600 From: Bob Proulx To: bug-coreutils@gnu.org Subject: tr: crash upon failed write(2) Message-ID: <20130820212340.GA20676@hysteria.proulx.com> Mail-Followup-To: bug-coreutils@gnu.org, 720352@bugs.debian.org, 720352-submitter@bugs.debian.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -2.4 (--) X-Debbugs-Envelope-To: submit Cc: 720352-submitter@bugs.debian.org, 720352@bugs.debian.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) Stephane Chazelas opened a bug in the Debian bug tracker concerning a core dump crash from tr and I forward it here. I reproduced this on my Debian amd64 system with 8.21. I have CC'd the bug on this message. Because we have two BTS instances I won't know the GNU bug number and can't set up the reply headers ahead of time. Please ensure when replying to CC the interested parties. It will probably take some fiddling. http://bugs.debian.org/720352 Bob Stephane Chazelas wrote: Easiest way to reproduce: ~$ tr a b < /dev/zero > /dev/full zsh: segmentation fault (core dumped) tr a b < /dev/zero > /dev/full I first reproduced it on: ~$ tr a b < file 1<> file where "file" was a sparse file and the filesystem was full. In that other instance, I also observed "tr" outputting random data to stdout actually corrupting the file. /mnt# df -h . Filesystem Size Used Avail Use% Mounted on /dev/loop1 9.7M 92K 9.1M 1% /mnt /mnt# truncate -s20M a /mnt# tr a b < a 1<> a zsh: segmentation fault tr a b < a 1<> a (139)/mnt# hd a 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 0098c400 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 0098c410 00 00 00 00 00 00 00 00 49 79 f2 5d ff 7f 00 00 |........Iy.]....| 0098c420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 01400000 Valgrind shows: ==1521== Memcheck, a memory error detector ==1521== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al. ==1521== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info ==1521== Command: tr a b ==1521== ==1521== Invalid read of size 8 ==1521== at 0x3FFC28789B: __GI_mempcpy (memcpy.S:272) ==1521== by 0x3FFC278225: _IO_default_xsputn (genops.c:464) ==1521== by 0x3FFC2768D2: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1356) ==1521== by 0x3FFC270F24: fwrite_unlocked (iofwrite_u.c:46) ==1521== by 0x40229B: ??? (in /usr/bin/tr) ==1521== by 0x3FFC221994: (below main) (libc-start.c:260) ==1521== Address 0x60d000 is not stack'd, malloc'd or (recently) free'd ==1521== ==1521== ==1521== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==1521== Access not within mapped region at address 0x60D000 ==1521== at 0x3FFC28789B: __GI_mempcpy (memcpy.S:272) ==1521== by 0x3FFC278225: _IO_default_xsputn (genops.c:464) ==1521== by 0x3FFC2768D2: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1356) ==1521== by 0x3FFC270F24: fwrite_unlocked (iofwrite_u.c:46) ==1521== by 0x40229B: ??? (in /usr/bin/tr) ==1521== by 0x3FFC221994: (below main) (libc-start.c:260) And gdb from a "tr" compiled with -g -O0: #0 __mempcpy_sse2 () at ../sysdeps/x86_64/memcpy.S:272 #1 0x0000003ffc278226 in __GI__IO_default_xsputn (f=f@entry=0x3ffc5a7160 <_IO_2_1_stdout_>, data=data@entry=0x60e300 , n=n@entry=8193) at genops.c:464 #2 0x0000003ffc2768d3 in _IO_new_file_xsputn (n=8192, data=, f=0x3ffc5a7160 <_IO_2_1_stdout_>) at fileops.c:1356 #3 _IO_new_file_xsputn (f=0x3ffc5a7160 <_IO_2_1_stdout_>, data=, n=8192) at fileops.c:1278 #4 0x0000003ffc270f25 in __GI_fwrite_unlocked (buf=, size=1, count=8192, fp=) at iofwrite_u.c:46 #5 0x0000000000404a37 in main (argc=3, argv=0x7ffff50c6d08) at src/tr.c:1938 ltrace: read(0, "y\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\n"..., 8192) = 8192 fwrite_unlocked("y\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\n"..., 1, 8192, 0x3ffc5a7160 It could very will be a bug in eglibc as I can't really see anything wrong with the tr code. It also occurs with LC_ALL=C It also occurs on Ubuntu 13.10 amd64, not on 12.04 amd64, possibly pointing to eglibc 2.17. I couldn't reproduce it with any other utility only "tr", but then again, none of the other utilities I tried to run under ltrace showed any call to fwrite_unlocked with more than a few bytes.. I can't reproduce it with stdbuf -o3605 tr a b > /dev/full < /dev/zero or any value below 3605, but I do with any value above that. From debbugs-submit-bounces@debbugs.gnu.org Tue Aug 20 18:26:59 2013 Received: (at 15147) by debbugs.gnu.org; 20 Aug 2013 22:26:59 +0000 Received: from localhost ([127.0.0.1]:43461 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VBuOA-00007v-1s for submit@debbugs.gnu.org; Tue, 20 Aug 2013 18:26:58 -0400 Received: from smtp.cs.ucla.edu ([131.179.128.62]:36992) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VBuO6-00007k-Ln for 15147@debbugs.gnu.org; Tue, 20 Aug 2013 18:26:55 -0400 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp.cs.ucla.edu (Postfix) with ESMTP id A93D339E80FF; Tue, 20 Aug 2013 15:26:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at smtp.cs.ucla.edu Received: from smtp.cs.ucla.edu ([127.0.0.1]) by localhost (smtp.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2FetuHIe4oW; Tue, 20 Aug 2013 15:26:53 -0700 (PDT) Received: from [192.168.1.9] (pool-71-108-49-126.lsanca.fios.verizon.net [71.108.49.126]) by smtp.cs.ucla.edu (Postfix) with ESMTPSA id 2C9C439E8008; Tue, 20 Aug 2013 15:26:53 -0700 (PDT) Message-ID: <5213ED2C.5000502@cs.ucla.edu> Date: Tue, 20 Aug 2013 15:26:52 -0700 From: Paul Eggert Organization: UCLA Computer Science Department User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8 MIME-Version: 1.0 To: 15147@debbugs.gnu.org, 720352@bugs.debian.org, 720352-submitter@bugs.debian.org Subject: Re: bug#15147: tr: crash upon failed write(2) References: <20130820212340.GA20676@hysteria.proulx.com> In-Reply-To: <20130820212340.GA20676@hysteria.proulx.com> X-Enigmail-Version: 1.5.2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Score: -5.1 (-----) X-Debbugs-Envelope-To: 15147 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.1 (-----) I can reproduce the problem without coreutils on Ubuntu 13.04 x86-64. Compile the following program with plain "gcc foo.c" and then run "./a.out >/dev/full"; it'll dump core the same way. So it appears that this is a bug in the C library, not in coreutils. It's a fairly serious bug, I'd say. #include int main (void) { static char io_buf[BUFSIZ]; if (fwrite (io_buf, 1, sizeof io_buf, stdout) != sizeof io_buf) { perror ("write error"); return 1; } return 0; } From debbugs-submit-bounces@debbugs.gnu.org Tue Aug 20 18:51:53 2013 Received: (at 15147-done) by debbugs.gnu.org; 20 Aug 2013 22:51:53 +0000 Received: from localhost ([127.0.0.1]:43478 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VBumG-0001vU-VU for submit@debbugs.gnu.org; Tue, 20 Aug 2013 18:51:53 -0400 Received: from joseki.proulx.com ([216.17.153.58]:39343) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1VBumD-0001vI-Bg for 15147-done@debbugs.gnu.org; Tue, 20 Aug 2013 18:51:50 -0400 Received: from hysteria.proulx.com (hysteria.proulx.com [192.168.230.119]) by joseki.proulx.com (Postfix) with ESMTP id 6C399211DA; Tue, 20 Aug 2013 16:51:48 -0600 (MDT) Received: by hysteria.proulx.com (Postfix, from userid 1000) id 5F8312DC87; Tue, 20 Aug 2013 16:51:48 -0600 (MDT) Date: Tue, 20 Aug 2013 16:51:48 -0600 From: Bob Proulx To: 15147-done@debbugs.gnu.org, 720352@bugs.debian.org, 720352-submitter@bugs.debian.org Subject: Re: bug#15147: tr: crash upon failed write(2) Message-ID: <20130820225148.GA32503@hysteria.proulx.com> References: <20130820212340.GA20676@hysteria.proulx.com> <5213ED2C.5000502@cs.ucla.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5213ED2C.5000502@cs.ucla.edu> User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Score: -2.8 (--) X-Debbugs-Envelope-To: 15147-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.8 (--) Paul Eggert wrote: > I can reproduce the problem without coreutils > on Ubuntu 13.04 x86-64. Compile the following > program with plain "gcc foo.c" and then run > "./a.out >/dev/full"; it'll dump core the same way. > > So it appears that this is a bug in the C library, > not in coreutils. Ouch. Yes. Okay. I will close the GNU coreutils bug. I will reassign this in Debian from coreutils to libc6. Will use a different mail to reduce the email address confusion of two BTS systems. :-) > It's a fairly serious bug, I'd say. Agreed! Thanks, Bob From unknown Sun Aug 17 22:13:08 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Wed, 18 Sep 2013 11:24:06 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator