[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: memchr bug? Request for enlightenment (lowercase 'e')

From: "Chris Eleveld (Sector 7 Group)" <Chris_Eleveld sector7 com>
To: axp-list redhat com
Subject: Re: memchr bug? Request for enlightenment (lowercase 'e')
Date: Mon, 26 Mar 2001 14:37:37 -0600

	Actually this may not be.  You allocate 9 bytes.  Memchr is probably
implemented using full word or longword fetches.  As such it can be optimized
to 3 32bit fetches and bit shifts.  Or even 2 64 bit on an alpha.  Since you
lied and siad your buffer was 79 bytes long.  If on the other hand you used
9 instead of 79 you could call this a bug.

On Mon, Mar 26, 2001 at 03:13:26PM -0500, michael.donahue@nist.gov wrote:
> While doing some code testing with Electric Fence, I came across the
> following curiosity, on a stock RedHat 6.2/AXP system.
> 
> Consider the short test program:
> 
>    #include <string.h>
>    #include <stdlib.h>
> 
>    #define TESTSTRING "12345678"
> 
>    int main()
>    {
>      char *p = (char *)malloc(strlen(TESTSTRING)+1);
>      strcpy(p,TESTSTRING);
>      memchr(p,'\0',79);
>      free(p);
>      return 0;
>    }
> 
> When I compile and run I get
> 
>    $ gcc memchr-test.c -lefence
>    $ ./a.out
> 
>      Electric Fence 2.0.5 Copyright (C) 1987-1998 Bruce Perens.
>    Segmentation fault
> 
> It appears that memchr is reading memory past the end of the malloc'ed
> region.  I don't know if this is actually a problem or not, but I don't
> see this behavior on Linux/x86 or Solaris.  Incidentally, I can replace
> '\0' above with '5', '6', '7' or '8' with the same results.  OTOH, '4'
> is okay, and I see no segfault with strlen().
> 
> So, is this a bug?  Has it been fixed in newer libc?
> 
> BTW, the *printf family uses memchr in its %.ns conversions, e.g.,
> the following code exhibits the same behavior:
> 
>    #include <stdio.h>
>    #include <string.h>
>    #include <stdlib.h>
> 
>    #define TESTSTRING "12345678"
> 
>    int main()
>    {
>      char *p = (char *)malloc(strlen(TESTSTRING)+1);
>      strcpy(p,TESTSTRING);
>      printf("%.79s\n",p);
>      free(p);
>      return 0;
>    }
> 
> -m
> 
> -- 
> Michael J. Donahue
> National Institute of Standards and Technology
> Mathematical & Computational Sciences Division
> 100 Bureau Dr Stop 8910
> Gaithersburg, MD 20899-8910
> email: michael.donahue@nist.gov
> voice: (301) 975-5424
>   fax: (301) 990-4127
>   web: http://math.nist.gov/~MDonahue/
> 
> 
> 
> _______________________________________________
> Axp-list mailing list
> Axp-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/axp-list

Follow-Ups:
- Re: memchr bug? Request for enlightenment (lowercase 'e')
  - From: <michael.donahue@nist.gov>

References:
- memchr bug? Request for enlightenment (lowercase 'e')
  - From: <michael.donahue@nist.gov>

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index] []