GNOME Bugzilla – Bug 527318
crash in Gnome Calculator: pressed "4"
Last modified: 2008-04-12 02:45:45 UTC
What were you doing when the application crashed?
pressed "4"

Distribution: openSUSE 11.0 (X86-64) Alpha3
Gnome Release: 2.22.0 2008-04-07 (SUSE)
BugBuddy Version: 2.22.0

System: Linux 2.6.25-rc8-12-default #1 SMP 2008-04-02 01:36:51 +0200 x86_64
X Vendor: The X.Org Foundation
X Vendor Release: 10400090
Selinux: No
Accessibility: Disabled
GTK+ Theme: Industrial
Icon Theme: gnome

Memory status: size: 147582976 vsize: 147582976 resident: 6971392 share: 10702848 rss: 17674240 rss_rlim: 893987840
CPU usage: start_time: 59862 rtime: 60 utime: 52 stime: 8 cutime:0 cstime: 0 timeout: 0 it_real_value: 0 frequency: 100

Backtrace was generated from '/usr/bin/gcalctool'

[Thread debugging using libthread_db enabled]
[New Thread 0x7f91a58e56f0 (LWP 19947)]
0x00007f91a1224745 in __libc_waitpid (pid=19958, stat_loc=0x7fffad912a10, options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:32
32        return INLINE_SYSCALL (wait4, 4, pid, stat_loc, options, NULL);
+ Trace 194823
Thread 1 (Thread 0x7f91a58e56f0 (LWP 19947))
----------- .xsession-errors (7 sec old) ---------------------
7f2553252000-7f2553253000 r--p 0001d000 08:03 548010 /lib64/ld-2.7.so
7f2553253000-7f2553254000 rw-p 0001e000 08:03 548010 /lib64/ld-2.7.so
7fff5b186000-7fff5b254000 rw-p 7ffffff31000 00:00 0 [stack]
7fff5b3ff000-7fff5b400000 r-xp 7fff5b3ff000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
(evolution:25732): Gdk-WARNING **: GdkWindow is too large to allow the use of shape masks or shape regions.
(evolution:25732): bf-junk-filter-WARNING **: error occurred while spawning /usr/bin/bogofilter: Failed to execute child process "/usr/bin/bogofilter" (No such file or directory)
Number of items in the folder: 1505
(evolution:25732): Gdk-WARNING **: GdkWindow is too large to allow the use of shape masks or shape regions.
(evolution:25732): bf-junk-filter-WARNING **: error occurred while spawning /usr/bin/bogofilter: Failed to execute child process "/usr/bin/bogofilter" (No such file or directory)
--------------------------------------------------
And this is what appears in console:

*** buffer overflow detected ***: gcalctool terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f91a066f8a7]
/lib64/libc.so.6[0x7f91a066dcb0]
/lib64/libc.so.6[0x7f91a066d24b]
/lib64/libc.so.6(__snprintf_chk+0x7b)[0x7f91a066d11b]
gcalctool[0x41a594]
gcalctool[0x41a8fa]
/usr/lib64/libgobject-2.0.so.0(g_closure_invoke+0x16d)[0x7f91a0dd620d]
/usr/lib64/libgobject-2.0.so.0[0x7f91a0dea1f1]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit_valist+0x7e4)[0x7f91a0deb6d4]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit+0x83)[0x7f91a0debc23]
/usr/lib64/libgtk-x11-2.0.so.0[0x7f91a4f9aafd]
/usr/lib64/libgobject-2.0.so.0(g_closure_invoke+0x16d)[0x7f91a0dd620d]
/usr/lib64/libgobject-2.0.so.0[0x7f91a0de9b06]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit_valist+0x7e4)[0x7f91a0deb6d4]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit+0x83)[0x7f91a0debc23]
/usr/lib64/libgtk-x11-2.0.so.0[0x7f91a4f99c9d]
/usr/lib64/libgtk-x11-2.0.so.0[0x7f91a50698b8]
/usr/lib64/libgobject-2.0.so.0(g_closure_invoke+0x16d)[0x7f91a0dd620d]
/usr/lib64/libgobject-2.0.so.0[0x7f91a0de9ec2]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit_valist+0x664)[0x7f91a0deb554]
/usr/lib64/libgobject-2.0.so.0(g_signal_emit+0x83)[0x7f91a0debc23]
/usr/lib64/libgtk-x11-2.0.so.0[0x7f91a517e9ae]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_propagate_event+0xe3)[0x7f91a5062433]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main_do_event+0x2eb)[0x7f91a506347b]
/usr/lib64/libgdk-x11-2.0.so.0[0x7f91a496827c]
/usr/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x23b)[0x7f91a0b42a3b]
/usr/lib64/libglib-2.0.so.0[0x7f91a0b4621d]
/usr/lib64/libglib-2.0.so.0(g_main_loop_run+0x1cd)[0x7f91a0b4674d]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main+0xa7)[0x7f91a5063897]
gcalctool[0x4061c6]
/lib64/libc.so.6(__libc_start_main+0xfa)[0x7f91a05a619a]
gcalctool[0x4058a9]
======= Memory map: ========
00400000-0042b000 r-xp 00000000 08:03 880309 /usr/bin/gcalctool
0062b000-0062c000 r--p 0002b000 08:03 880309 /usr/bin/gcalctool
0062c000-0062e000 rw-p 0002c000 08:03 880309 /usr/bin/gcalctool
0062e000-00ba8000 rw-p 0062e000 00:00 0 [heap]
7f919d294000-7f919d2f2000 r--p 00000000 08:03 32567 /var/cache/libx11/compose/l4_030_313cb605_00280cc0
7f919d2f2000-7f919d31c000 r--p 00000000 08:03 424157 /usr/share/fonts/truetype/albwb.ttf
7f919d31c000-7f919d37c000 rw-s 00000000 00:09 2228249 /SYSV00000000 (deleted)
7f919d37c000-7f919d38a000 r-xp 00000000 08:03 548200 /lib64/libbz2.so.1.0.5
7f919d38a000-7f919d589000 ---p 0000e000 08:03 548200 /lib64/libbz2.so.1.0.5
7f919d589000-7f919d58a000 r--p 0000d000 08:03 548200 /lib64/libbz2.so.1.0.5
7f919d58a000-7f919d58b000 rw-p 0000e000 08:03 548200 /lib64/libbz2.so.1.0.5
7f919d58b000-7f919d5c4000 r-xp 00000000 08:03 675298 /usr/lib64/libcroco-0.6.so.3.0.1
7f919d5c4000-7f919d7c3000 ---p 00039000 08:03 675298 /usr/lib64/libcroco-0.6.so.3.0.1
7f919d7c3000-7f919d7c4000 r--p 00038000 08:03 675298 /usr/lib64/libcroco-0.6.so.3.0.1
7f919d7c4000-7f919d7c7000 rw-p 00039000 08:03 675298 /usr/lib64/libcroco-0.6.so.3.0.1
7f919d7c7000-7f919d7fd000 r-xp 00000000 08:03 675273 /usr/lib64/libgsf-1.so.114.0.8
7f919d7fd000-7f919d9fd000 ---p 00036000 08:03 675273 /usr/lib64/libgsf-1.so.114.0.8
7f919d9fd000-7f919da00000 r--p 00036000 08:03 675273 /usr/lib64/libgsf-1.so.114.0.8
7f919da00000-7f919da02000 rw-p 00039000 08:03 675273 /usr/lib64/libgsf-1.so.114.0.8
7f919da02000-7f919da03000 rw-p 7f919da02000 00:00 0
7f919da03000-7f919da6f000 r-xp 00000000 08:03 675981 /usr/lib64/libgio-2.0.so.0.0.0
7f919da6f000-7f919dc6f000 ---p 0006c000 08:03 675981 /usr/lib64/libgio-2.0.so.0.0.0
7f919dc6f000-7f919dc71000 r--p 0006
glibtop: cannot find btime in /proc/stat: No such file or directory

And this appears during compilation (especially see "will always overflow" warnings):

calctool.c: In function 'main':
ui.h:27: note: 'ui_init' was declared here
bison -d -p ce -d ./ce_parser.y
./ce_parser.y: conflicts: 106 shift/reduce
bison -d -p lr ./lr_parser.y
./lr_parser.y: conflicts: 12 shift/reduce
ce_parser.tab.c: In function 'ceparse':
ce_parser.tab.c:1535: warning: implicit declaration of function 'celex'
lr_parser.tab.c: In function 'lrparse':
lr_parser.tab.c:1471: warning: implicit declaration of function 'lrlex'
lr_parser.tab.c:1842: warning: call to function 'lrerror' without a real prototype
./lr_parser.h:39: note: 'lrerror' was declared here
lr_parser.tab.c:1988: warning: call to function 'lrerror' without a real prototype
./lr_parser.h:39: note: 'lrerror' was declared here
lex.ce.c: In function 'celex':
./ce_tokeniser.l:144: warning: ignoring return value of 'fwrite', declared with attribute warn_unused_result
./ce_tokeniser.l: At top level:
lex.ce.c:1604: warning: 'yyunput' defined but not used
lex.ce.c:1647: warning: 'input' defined but not used
lex.lr.c: In function 'lrlex':
./lr_tokeniser.l:113: warning: ignoring return value of 'fwrite', declared with attribute warn_unused_result
./lr_tokeniser.l: At top level:
lex.lr.c:1466: warning: 'yyunput' defined but not used
lex.lr.c:1509: warning: 'input' defined but not used
gtk.c: In function 'kframe_key_press_cb':
gtk.c:2018: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2021: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2024: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2027: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2030: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2033: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2036: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2039: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2042: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c:2045: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c: In function 'accuracy_radio_cb':
gtk.c:2379: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
gtk.c: In function 'accuracy_default_cb':
gtk.c:2400: warning: call to function 'do_accuracy' without a real prototype
functions.h:62: note: 'do_accuracy' was declared here
In function 'snprintf', inlined from 'set_bit_panel' at gtk.c:933:
/usr/include/bits/stdio2.h:65: warning: call to __builtin___snprintf_chk will always overflow destination buffer
In function 'snprintf', inlined from 'set_bit_panel' at gtk.c:935:
/usr/include/bits/stdio2.h:65: warning: call to __builtin___snprintf_chk will always overflow destination buffer
functions.c: In function 'exp_backspace':
functions.c:351: warning: field precision should have type 'int', but argument 4 has type 'size_t'
functions.c:351: warning: field precision should have type 'int', but argument 4 has type 'size_t'
functions.c:358: warning: field precision should have type 'int', but argument 4 has type 'size_t'
functions.c:358: warning: field precision should have type 'int', but argument 4 has type 'size_t'
functions.c: In function 'do_expression':
functions.c:501: warning: call to function 'do_function' without a real prototype
functions.h:64: note: 'do_function' was declared here
functions.c:505: warning: call to function 'do_sto' without a real prototype
functions.h:59: note: 'do_sto' was declared here
functions.c:509: warning: call to function 'do_exchange' without a real prototype
functions.h:61: note: 'do_exchange' was declared here
Created attachment 108993: gcalctool-c-style.patch

The attached patch fixes some warnings and also this crash. The important fix for this crash is the place where you use SNPRINTF(label, MAXLINE, ...) in a context where "label" has only 3 bytes.
The SNPRINTF was fixed in bug 526976, though it shouldn't have caused the crash, as the printf formats (" 0" or " %c") should never write more than 3 octets. I will investigate tonight. I will apply the warning fixes tonight.
The crash may be relevant to gcc+glibc compiler settings (most probably -D_FORTIFY_SOURCE=2). The documentation of snprintf() does not guarantee the fate of the rest of the buffer if the buffer has 3 bytes but you are telling snprintf() that it has 512 bytes.
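The two comments above disagree on whether a format that writes at most 3 octets can trip the fortify check. It can, because `__snprintf_chk` compares the size argument against the destination object's real size before it formats anything, so a 3-byte `label` passed with `MAXLINE` (512 on this build) aborts even for `" 0"`. The following C program is an added example, not gcalctool code or part of the patch: `checked_snprintf` re-implements that size comparison portably and returns -1 where glibc would call `__fortify_fail`, so the behaviour can be observed without rebuilding with `-D_FORTIFY_SOURCE=2`; `format_bit_label` shows the shape of the fix, where the size argument is derived from the array via `sizeof` and so cannot disagree with it. `MAXLINE` is defined here as 512 to match the size quoted in the comment, and the 3-byte label follows the report.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Value quoted in the bug comments for gcalctool's MAXLINE (assumed here). */
#define MAXLINE 512

/* Emulation of the check glibc's __snprintf_chk performs under
 * -D_FORTIFY_SOURCE=2. The compiler passes objsize = __builtin_object_size(buf)
 * next to the caller's maxlen; if maxlen > objsize the fortified call aborts
 * before formatting, regardless of how short the output would have been.
 * Here the abort is replaced by a -1 return so the caller can inspect it. */
static int checked_snprintf(char *buf, size_t objsize, size_t maxlen,
                            const char *fmt, ...)
{
    if (maxlen > objsize)
        return -1;              /* glibc would call __fortify_fail() here */

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, maxlen, fmt, ap);
    va_end(ap);
    return n;                   /* >= maxlen means the output was truncated */
}

/* Fixed pattern: take the size from the array itself so the two can never
 * disagree. Only use this on a real array; a pointer argument would make
 * sizeof() return the pointer size instead of the buffer size. */
#define SNPRINTF_ARRAY(arr, ...) snprintf((arr), sizeof(arr), __VA_ARGS__)

/* Formats a one-bit label (" 0" / " 1") into a 3-byte local buffer the way
 * the fixed set_bit_panel code is described, then copies it to dst.
 * Returns 1 when the label fit without truncation, 0 otherwise. */
static int format_bit_label(char *dst, size_t dstsz, int bit)
{
    char label[3];
    int n = SNPRINTF_ARRAY(label, " %c", bit ? '1' : '0');
    snprintf(dst, dstsz, "%s", label);
    return n >= 0 && (size_t)n < sizeof label;
}

int main(void)
{
    char label[3];

    /* Buggy shape: 3-byte object, 512-byte size argument, harmless format. */
    int bad = checked_snprintf(label, sizeof label, MAXLINE, " 0");
    printf("size %d claimed as %d -> %s\n", (int)sizeof label, MAXLINE,
           bad < 0 ? "fortify abort" : "ok");

    /* Fixed shape: size argument equals the object size. */
    int good = checked_snprintf(label, sizeof label, sizeof label, " %c", '4');
    printf("correct size -> wrote \"%s\" (%d chars)\n", label, good);

    /* Output that genuinely does not fit is truncated and reported. */
    int big = checked_snprintf(label, sizeof label, sizeof label, " %d", 42);
    printf("\" 42\" into 3 bytes -> \"%s\", snprintf returned %d\n", label, big);

    char out[8];
    format_bit_label(out, sizeof out, 1);
    printf("format_bit_label(1) -> \"%s\"\n", out);
    return 0;
}
```

The first call fails even though `" 0"` plus its terminator is exactly 3 bytes, which is the situation described in the comments: the fortify failure is about the size the call claims, not about the bytes actually written. The third call shows the other thing a correct size buys you: real overflow becomes truncation, and the return value tells you it happened.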
Fixed in 2.22.2: http://svn.gnome.org/viewvc/gcalctool?view=revision&revision=2071