GNOME Bugzilla – Bug 662044
doxygen segfaults if msg() is passed a null second arg.
Last modified: 2011-12-03 18:22:55 UTC
Created attachment 199282
make certain fileVersion is valid before calling msg with fileVersion.data()

I built doxygen 1.7.5.1 on x86_64-sun-solaris2.10, because an earlier version (1.4.6) was segfaulting when trying to build the documentation that's part of ruby. 1.7.5.1 also segfaults, and it looks like the issue is the same.

It's possible for message.cpp:msg() to be passed NULL for the varargs bit, and when it is, it just passes it on to vfprintf, which causes a segfault.

Here's an example from the ruby doc build:

gmake[1]: Leaving directory `/local/src/RPM/BUILD/ruby-1.9.2-p290'
Generating RDoc documentation
./miniruby -I./lib -I.ext/common -I./- -r./ext/purelib.rb ./tool/runruby.rb --extout=.ext -- "./bin/rdoc" --no-force-update --all --ri --op ".ext/rdoc" "."
No newer files.
Searching for include files...
Searching for example files...
Searching for images...
Searching for files in directory /local/src/RPM/BUILD/ruby-1.9.2-p290/doc/images
gmake: *** [doc/capi/.timestamp] Segmentation Fault (core dumped)

$dbx /local/bin/doxygen core
For information about new features see `help changes'
To remove this message, put `dbxenv suppress_startup_message 7.8' in your .dbxrc
Reading doxygen
core file header read successfully
Reading ld.so.1
Reading libpthread.so.1
Reading libCstd.so.1
Reading libCrun.so.1
Reading libm.so.2
Reading libc.so.1
t@1 (l@1) program terminated by signal SEGV (no mapping at the fault address)
0x00007fffffaf4be0: strlen+0x0040:      movq     (%rsi),%rax
Current function is msg
  111           vfprintf(stdout, fmt, args);
(dbx) where
current thread: t@1
  [1] strlen(0x0, 0x0, 0xfffffd7fffdfd8b8, 0x73, 0x0, 0xfffffd7fffdfd990), at 0x7fffffaf4be0
  [2] _ndoprnt(0x0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0x7fffffb506fa
  [3] vfprintf(0x0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0x7fffffb51a61
=>[4] msg(fmt = 0xcb9b84 "%s\n", ...), line 111 in "message.cpp"
  [5] FileDef::acquireFileVersion(this = 0x1737c60), line 1519 in "filedef.cpp"
  [6] FileDef::FileDef(this = 0x1737c60, p = 0x173a220 "/local/src/RPM/BUILD/ruby-1.9.2-p290/doc/images/", nm = 0x1730cf0 "boottime-classes.png", lref = (nil), dn = (nil)), line 100 in "filedef.cpp"
  [7] readDir(fi = 0xfffffd7fffdfe550, fnList = (nil), fnDict = 0x144af70, exclDict = (nil), patList = (nil), exclPatList = (nil), resultList = (nil), resultDict = (nil), errorIfNotExist = true, recursive = true, killDict = (nil)), line 9067 in "doxygen.cpp"
  [8] readFileOrDirectory(s = 0x1483f30 "./doc/images", fnList = (nil), fnDict = 0x144af70, exclDict = (nil), patList = (nil), exclPatList = (nil), resultList = (nil), resultDict = (nil), recursive = true, errorIfNotExist = true, killDict = (nil)), line 9186 in "doxygen.cpp"
  [9] searchInputFiles(inputFiles = CLASS), line 10077 in "doxygen.cpp"
  [10] parseInput(), line 10321 in "doxygen.cpp"
  [11] main(argc = 1, argv = 0xfffffd7fffdfedf8), line 37 in "main.cpp"

Fixing msg() so that it handles NULL anywhere in the argument list is tricky, so in this case it might be easier to fix filedef to be more careful to not pass NULL to it. The section of acquireFileVersion in question is:

    if (numRead > 0)
    {
      fileVersion = QCString(buf,numRead).stripWhiteSpace();
      msg("%s\n",fileVersion.data());
    }
    else
    {
      msg("no version available\n");
    }

I've seen other spots in the code check fileVersion.isEmpty(), so as a guess I inserted that check before the call to msg, and it at least allows doxygen to proceed through the ruby documentation without segfaulting. Patch is attached.
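Added illustration, not code from the report or from doxygen: the call-site logic above, run against a constructed stand-in for QCString whose data() is a null pointer when the string is empty (consistent with the strlen(0x0) frame in the backtrace), showing which filter output gets past the numRead > 0 test and how the isEmpty() guard keeps it away from "%s". The stand-in VersionString, the helper names, and routing the empty case to the "no version available" message are assumptions, since the attached patch is not shown on the page.

```cpp
#include <cstdio>
#include <string>

// Constructed stand-in for doxygen's QCString (not the real class): like the
// old Qt string, data() returns a null pointer when the string is empty, which
// is the pointer the backtrace shows reaching strlen() through vfprintf("%s").
struct VersionString {
    std::string s;
    bool isEmpty() const { return s.empty(); }
    const char *data() const { return s.empty() ? nullptr : s.c_str(); }
    VersionString stripWhiteSpace() const {
        size_t b = s.find_first_not_of(" \t\r\n");
        if (b == std::string::npos) return VersionString{""};
        size_t e = s.find_last_not_of(" \t\r\n");
        return VersionString{s.substr(b, e - b + 1)};
    }
};

// Unpatched call-site logic: does it hand msg() a NULL "%s" argument?
// buf/numRead stand for what acquireFileVersion read from the filter command.
bool unpatchedPassesNull(const char *buf, int numRead) {
    if (numRead <= 0) return false;  // takes the "no version available" branch
    VersionString fileVersion = VersionString{std::string(buf, numRead)}.stripWhiteSpace();
    return fileVersion.data() == nullptr;  // whitespace-only output ends up here
}

// Patched logic with the isEmpty() guard; the message is returned rather than
// printed so it can be checked. Falling back to "no version available" for the
// empty case is an assumption, since the attached patch is not on the page.
std::string patchedMessage(const char *buf, int numRead) {
    if (numRead > 0) {
        VersionString fileVersion = VersionString{std::string(buf, numRead)}.stripWhiteSpace();
        if (!fileVersion.isEmpty()) {
            char out[256];
            std::snprintf(out, sizeof out, "%s\n", fileVersion.data());  // non-null here
            return out;
        }
    }
    return "no version available\n";
}

int main() {
    // Constructed filter outputs: a real version, whitespace only, nothing read.
    struct { const char *buf; int n; } cases[] = {{" 1.9.2 \n", 8}, {"  \n", 3}, {"", 0}};
    for (const auto &c : cases)
        std::printf("unpatched passes NULL: %d  patched prints: %s",
                    unpatchedPassesNull(c.buf, c.n), patchedMessage(c.buf, c.n).c_str());
    return 0;
}
```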
Thanks, I'll include the patch in the next subversion update.
*** Bug 663642 has been marked as a duplicate of this bug. ***
This bug was previously marked ASSIGNED, which means it should be fixed in doxygen version 1.7.6. Please verify if this is indeed the case. Reopen the bug if you think it is not fixed and please include any additional information that you think can be relevant.