bug-dico

[Bug-dico] idxgcide segfaults


Hello,

On a glibc 2.23 system, the ‘idxgcide’ program of Dico 2.2 segfaults:

--8<---------------cut here---------------start------------->8---
ludo@pluto /tmp/guix-build-dico-2.2.drv-0/dico-2.2/modules/gcide/tests$ export MALLOC_PERTURB_="$(printf "%i" 0x77)"
ludo@pluto /tmp/guix-build-dico-2.2.drv-0/dico-2.2/modules/gcide/tests$ ../idxgcide dict . 
Adres-eraro(nekropsio elŝutita)
ludo@pluto /tmp/guix-build-dico-2.2.drv-0/dico-2.2/modules/gcide/tests$ gdb ../.libs/idxgcide core 
GNU gdb (GDB) 7.11.1

[...]

Core was generated by `/tmp/guix-build-dico-2.2.drv-0/dico-2.2/modules/gcide/.libs/idxgcide dict .'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000401aae in store_ref (ref=0x1888020) at idxgcide.l:102
102	    memcpy(idx_page->ipg_ref + idx_page->ipg_header.hdr.phdr_numentries++,
(gdb) bt full
#0  0x0000000000401aae in store_ref (ref=0x1888020) at idxgcide.l:102
        textarea = <optimized out>
#1  flush_refs () at idxgcide.l:129
        i = 0
        ref = 0x1888020
#2  main (argc=<optimized out>, argv=<optimized out>) at idxgcide.l:349
        index = 1
(gdb) frame 0
#0  0x0000000000401aae in store_ref (ref=0x1888020) at idxgcide.l:102
102	    memcpy(idx_page->ipg_ref + idx_page->ipg_header.hdr.phdr_numentries++,
(gdb) p *ref
$1 = {ref_hwoff = 5120, ref_hwlen = 8, ref_hwbytelen = 9, ref_letter = 65, ref_offset = 849, ref_size = 198, 
  ref_headword = 0x1887050 "aardvark"}
(gdb) p *idx_page
$2 = {ipg_header = {hdr = {phdr_numentries = 9838263505978427529, phdr_text_offset = 5129}, align = {
      ref_hwoff = 9838263505978427529, ref_hwlen = 5129, ref_hwbytelen = 9838263505978427528, 
      ref_letter = -2004318072, ref_offset = 9838263505978427528, ref_size = 9838263505978427528, 
      ref_headword = 0x8888888888888888 <error: Cannot access memory at address 0x8888888888888888>}}, ipg_ref = {
    {ref_hwoff = 9838263505978427528, ref_hwlen = 9838263505978427528, ref_hwbytelen = 9838263505978427528, 
      ref_letter = -2004318072, ref_offset = 9838263505978427528, ref_size = 9838263505978427528, 
      ref_headword = 0x8888888888888888 <error: Cannot access memory at address 0x8888888888888888>}}}
--8<---------------cut here---------------end--------------->8---

… and here’s what Valgrind reports:

--8<---------------cut here---------------start------------->8---
$ ../../../libtool --mode=execute /gnu/store/3z1lqx5ljm5j5r4rb4np2vjr9cp0iv6g-valgrind-3.11.0/bin/valgrind ../idxgcide dict . 
==21445== Memcheck, a memory error detector
==21445== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21445== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21445== Command: /tmp/guix-build-dico-2.2.drv-0/dico-2.2/modules/gcide/.libs/idxgcide dict .
==21445== 
==21445== Conditional jump or move depends on uninitialised value(s)
==21445==    at 0x401A3C: store_ref (idxgcide.l:93)
==21445==    by 0x401A3C: flush_refs (idxgcide.l:129)
==21445==    by 0x401A3C: main (idxgcide.l:349)
==21445== 
==21445== Use of uninitialised value of size 8
==21445==    at 0x401AAE: store_ref (idxgcide.l:102)
==21445==    by 0x401AAE: flush_refs (idxgcide.l:129)
==21445==    by 0x401AAE: main (idxgcide.l:349)
==21445== 
==21445== Use of uninitialised value of size 8
==21445==    at 0x401ABA: store_ref (idxgcide.l:102)
==21445==    by 0x401ABA: flush_refs (idxgcide.l:129)
==21445==    by 0x401ABA: main (idxgcide.l:349)
==21445== 
==21445== Conditional jump or move depends on uninitialised value(s)
==21445==    at 0x4019DC: flush_refs (idxgcide.l:130)
==21445==    by 0x4019DC: main (idxgcide.l:349)
==21445== 
==21445== Conditional jump or move depends on uninitialised value(s)
==21445==    at 0x40233F: flush_page (idxgcide.l:77)
==21445==    by 0x401B0E: flush_refs (idxgcide.l:131)
==21445==    by 0x401B0E: main (idxgcide.l:349)
==21445== 
==21445== Syscall param write(buf) points to uninitialised byte(s)
==21445==    at 0x6040CD0: __write_nocancel (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD63BE: _IO_file_write@@GLIBC_2.2.5 (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD59F2: new_do_write (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD69D5: _IO_file_xsputn@@GLIBC_2.2.5 (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FCC5F8: fwrite (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x4022F1: full_write (idxgcide.l:68)
==21445==    by 0x402353: flush_page (idxgcide.l:82)
==21445==    by 0x401B0E: flush_refs (idxgcide.l:131)
==21445==    by 0x401B0E: main (idxgcide.l:349)
==21445==  Address 0x6366be0 is 0 bytes inside a block of size 10,240 alloc'd
==21445==    at 0x4C29B5F: malloc (in /gnu/store/3z1lqx5ljm5j5r4rb4np2vjr9cp0iv6g-valgrind-3.11.0/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21445==    by 0x4017B6: main (idxgcide.l:293)
==21445== 
==21445== Syscall param write(buf) points to uninitialised byte(s)
==21445==    at 0x6040CD0: __write_nocancel (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD63BE: _IO_file_write@@GLIBC_2.2.5 (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD59F2: new_do_write (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD7268: _IO_do_write@@GLIBC_2.2.5 (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD7FBE: _IO_switch_to_get_mode (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD5AF9: _IO_file_seekoff@@GLIBC_2.2.5 (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD3424: fseek (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x4019F1: main (idxgcide.l:351)
==21445==  Address 0x6369730 is 0 bytes inside a block of size 4,096 alloc'd
==21445==    at 0x4C29B5F: malloc (in /gnu/store/3z1lqx5ljm5j5r4rb4np2vjr9cp0iv6g-valgrind-3.11.0/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21445==    by 0x5FCB144: _IO_file_doallocate (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD826F: _IO_doallocbuf (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD5BF2: _IO_file_seekoff@@GLIBC_2.2.5 (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x5FD3424: fseek (in /gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libc-2.23.so)
==21445==    by 0x4018DA: main (idxgcide.l:339)
==21445== 
==21445== 
==21445== HEAP SUMMARY:
==21445==     in use at exit: 35,404 bytes in 9 blocks
==21445==   total heap usage: 2,815 allocs, 2,806 frees, 357,431 bytes allocated
==21445== 
==21445== LEAK SUMMARY:
==21445==    definitely lost: 0 bytes in 0 blocks
==21445==    indirectly lost: 0 bytes in 0 blocks
==21445==      possibly lost: 0 bytes in 0 blocks
==21445==    still reachable: 35,404 bytes in 9 blocks
==21445==         suppressed: 0 bytes in 0 blocks
==21445== Rerun with --leak-check=full to see details of leaked memory
==21445== 
==21445== For counts of detected and suppressed errors, rerun with: -v
==21445== Use --track-origins=yes to see where uninitialised values come from
==21445== ERROR SUMMARY: 196 errors from 7 contexts (suppressed: 1 from 1)
--8<---------------cut here---------------end--------------->8---

Seems like the structure pointed to by ‘idx_page’ is partly
uninitialized.  Ideas?

Thanks,
Ludo’.
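A constructed C reconstruction of the bug class the report points at, added here and not dico's own code: an index page whose header counter is never zeroed after malloc(), beside a zero-initialised allocation and a bounds-checked store_ref(). The struct and field names follow the gdb output; the layout, PAGE_ENTRIES and reproduce() are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PAGE_ENTRIES 64                 /* assumed page capacity */

struct ref {                            /* subset of the fields shown by gdb */
    uint64_t ref_hwoff, ref_hwlen, ref_offset, ref_size;
    int32_t  ref_letter;
};
struct index_page {
    struct { uint64_t phdr_numentries, phdr_text_offset; } ipg_header;
    struct ref ipg_ref[PAGE_ENTRIES];
};

/* Buggy allocation: malloc() leaves the header undefined.  To reproduce the
 * report's symptom without MALLOC_PERTURB_, fill the block with 0x88, which is
 * what glibc writes into fresh allocations when MALLOC_PERTURB_=0x77 (it uses
 * the complement of the byte); that is where gdb's 0x8888... values come from. */
struct index_page *page_new_buggy(void)
{
    struct index_page *p = malloc(sizeof *p);
    if (p) memset(p, 0x88, sizeof *p);  /* stands in for MALLOC_PERTURB_ */
    return p;
}

/* Fixed allocation: calloc() guarantees phdr_numentries starts at zero. */
struct index_page *page_new_fixed(void) { return calloc(1, sizeof(struct index_page)); }

/* Bounds-checked store: return -1 instead of memcpy()ing past ipg_ref[], so a
 * garbage counter is reported rather than turned into a SIGSEGV. */
int store_ref(struct index_page *page, const struct ref *r)
{
    if (page->ipg_header.phdr_numentries >= PAGE_ENTRIES)
        return -1;
    memcpy(page->ipg_ref + page->ipg_header.phdr_numentries++, r, sizeof *r);
    return 0;
}

/* Allocate a page either way, store the "aardvark" ref from the report and
 * return store_ref()'s result; *count receives the counter before the store. */
int reproduce(int fixed, uint64_t *count)
{
    struct ref r = { .ref_hwoff = 5120, .ref_hwlen = 8, .ref_offset = 849,
                     .ref_size = 198, .ref_letter = 'A' };
    struct index_page *p = fixed ? page_new_fixed() : page_new_buggy();
    if (!p) return -2;
    *count = p->ipg_header.phdr_numentries;
    int rc = store_ref(p, &r);
    free(p);
    return rc;
}
```

Running the real binary under `valgrind --track-origins=yes`, as its last line suggests, would point at the malloc() in main (idxgcide.l:293) as the origin of the same uninitialised counter.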