[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

svn_uri_canonicalize heap corruption and regression test failures

From: Philip Martin <philip_at_codematters.co.uk>
Date: Tue, 11 Nov 2008 19:39:19 +0000

I'm seeing lots of regression test failures, typically:

dirent_uri-test [8/69]...*** glibc detected *** free(): invalid next size (fast): 0x0000000001e8fb20 ***

valgrind indicates:

==8303== Invalid read of size 1
==8303== at 0x4C403CD: canonicalize (dirent_uri.c:274)
==8303== by 0x4C417A4: svn_uri_canonicalize (dirent_uri.c:947)
==8303== by 0x402B2C: test_uri_canonicalize (dirent_uri-test.c:673)
==8303== by 0x4B2489A: do_test_num (svn_test_main.c:189)
==8303== by 0x4B24F7A: main (svn_test_main.c:376)
==8303== Address 0x77B3377 is 1 bytes before a block of size 2 alloc'd
==8303== at 0x4A1B858: malloc (vg_replace_malloc.c:149)
==8303== by 0x4EB1F95: pool_alloc (apr_pools.c:1287)
==8303== by 0x4EB2065: apr_pcalloc_debug (apr_pools.c:1343)
==8303== by 0x4C40125: canonicalize (dirent_uri.c:161)
==8303== by 0x4C417A4: svn_uri_canonicalize (dirent_uri.c:947)
==8303== by 0x402B2C: test_uri_canonicalize (dirent_uri-test.c:673)
==8303== by 0x4B2489A: do_test_num (svn_test_main.c:189)
==8303== by 0x4B24F7A: main (svn_test_main.c:376)
==8303==
==8303== Invalid write of size 1
==8303== at 0x4C40392: canonicalize (dirent_uri.c:262)
==8303== by 0x4C417A4: svn_uri_canonicalize (dirent_uri.c:947)
==8303== by 0x402B2C: test_uri_canonicalize (dirent_uri-test.c:673)
==8303== by 0x4B2489A: do_test_num (svn_test_main.c:189)
==8303== by 0x4B24F7A: main (svn_test_main.c:376)
==8303== Address 0x77B3F5B is 0 bytes after a block of size 11 alloc'd
==8303== at 0x4A1B858: malloc (vg_replace_malloc.c:149)
==8303== by 0x4EB1F95: pool_alloc (apr_pools.c:1287)
==8303== by 0x4EB2065: apr_pcalloc_debug (apr_pools.c:1343)
==8303== by 0x4C40125: canonicalize (dirent_uri.c:161)
==8303== by 0x4C417A4: svn_uri_canonicalize (dirent_uri.c:947)
==8303== by 0x402B2C: test_uri_canonicalize (dirent_uri-test.c:673)
==8303== by 0x4B2489A: do_test_num (svn_test_main.c:189)
==8303== by 0x4B24F7A: main (svn_test_main.c:376)
==8303==
==8303== Invalid write of size 1
==8303== at 0x4C403E3: canonicalize (dirent_uri.c:279)
==8303== by 0x4C417A4: svn_uri_canonicalize (dirent_uri.c:947)
==8303== by 0x402B2C: test_uri_canonicalize (dirent_uri-test.c:673)
==8303== by 0x4B2489A: do_test_num (svn_test_main.c:189)
==8303== by 0x4B24F7A: main (svn_test_main.c:376)
==8303== Address 0x77B3F6F is not stack'd, malloc'd or (recently) free'd
PASS: lt-dirent_uri-test 9: test svn_uri_canonicalize

I can get rid of the line 274 failure by reordering the checks:

Index: ../src/subversion/libsvn_subr/dirent_uri.c
===================================================================
--- ../src/subversion/libsvn_subr/dirent_uri.c (revision 34142)
+++ ../src/subversion/libsvn_subr/dirent_uri.c (working copy)
@@ -271,7 +271,7 @@
     }
 
   /* Remove the trailing slash if necessary. */
- if (*(dst - 1) == '/' && canon_segments > 0)
+ if (canon_segments > 0 && *(dst - 1) == '/')
     {
       dst --;
     }

I don't know if it's right and it doesn't fix the other failures.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-11-11 20:39:38 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.