[Rd] reproducible segmentation fault caused by textConnection()

Bill Dunlap bill at insightful.com
Wed Apr 30 00:30:01 CEST 2008 

If you call gctorture(TRUE) the error happens immediately,
at the same place.
    2064                PROTECT(tmp = lengthgets(this->data, ++this->len));

Is this a case where PROTECT_WITH_INDEX() and REPROTECT()
need to be used (in connections.c)?  Could lengthgets (used
by the SET_LENGTH() macro) be changed to propogate the protection
status?  It looks like it always requires protection tricks
to use.
	Bill

On Tue, 29 Apr 2008, Bill Dunlap wrote:

> On Tue, 29 Apr 2008, Gregoire Pau wrote:
>
> > Dear all,
> >
> > It seems that textConnection() can trigger a segmentation fault. The
> > following script (using two large loops) makes this bug reproducible:
> >
> > for (i in 1:10000) {
> >    z=textConnection(NULL,open='w')
> >    for (j in 1:100) {
> >      write(runif(1)*1e6,file=z)
> >      write('\n',file=z)
> >    }
> >    close(z)
> > }
> >
> > The bug could be reproduced on R-2.6.1, R-2.7.0 and on the latest
> > R-devel 2008-04-29 r45543.
>
> valgrind shows that it uses freed memory after
> a garbage collecting episode (after many iterations),
> because a Routtextconn's 'data' component was freed:
>
>    ==24210== Invalid read of size 1
>    ==24210==    at 0x810B328: Rf_lengthgets (Rinlinedfuns.h:358)
>    ==24210==    by 0x8121C48: text_vfprintf (connections.c:2064)
>    ==24210==    by 0x809D0C1: Rvprintf (printutils.c:770)
>    ==24210==    by 0x809D105: Rprintf (printutils.c:668)
>    ==24210==    by 0x810A984: do_cat (builtin.c:617)
>    ==24210==  Address 0x5823CD8 is 0 bytes inside a block of size 1,176 free'd
>    ==24210==    at 0x40052A3: free (vg_replace_malloc.c:233)
>    ==24210==    by 0x805AC3D: R_gc_internal (memory.c:769)
>    ==24210==    by 0x805B873: Rf_cons (memory.c:1757)
>    ==24210==    by 0x81571F6: Rf_promiseArgs (eval.c:1633)
>
>    (gdb) where 5
>    #0  Rf_lengthgets (x=0x5823cd8, len=289)
>        at ../../src/include/Rinlinedfuns.h:358
>    #1  0x08121c49 in text_vfprintf (con=0x500f280, format=0x81e64d8 "\n",
>     ap=0xbef18b84 "ð\213ñ¾") at connections.c:2064
>    #2  0x0809d0c2 in Rvprintf (format=0x81e64d8 "\n", arg=0xbef18b84 "ð\213ñ¾")
>        at printutils.c:770
>    #3  0x0809d106 in Rprintf (format=0x81e64d8 "\n") at printutils.c:668
>    #4  0x0810a985 in do_cat (call=0x4ae31f0, op=0x4104eec, args=0x55bb2bc,
>        rho=0x55baf20) at builtin.c:617
>    (More stack frames follow...)
>    (gdb) up
>    #1  0x08121c49 in text_vfprintf (con=0x500f280, format=0x81e64d8 "\n",
>        ap=0xbef18b84 "ð\213ñ¾") at connections.c:2064
>    2064                PROTECT(tmp = lengthgets(this->data, ++this->len));
>    (gdb) print this->data
>    $1 = 0x5823cd8
>    (gdb) whatis this
>    type = Routtextconn
>    (gdb) whatis this->data
>    type = SEXP
>    (gdb) print *this->data
>    $2 = {sxpinfo = {type = 16, obj = 0, named = 2, gp = 0, mark = 0, debug = 0,
>      trace = 0, spare = 0, gcgen = 0, gccls = 7}, attrib = 0x40ae088,
>      gengc_next_node = 0x8235270, gengc_prev_node = 0x8235270, u = {primsxp = {
>      offset = 288}, symsxp = {pname = 0x120, value = 0x0,
>      internal = 0x57685c0}, listsxp = {carval = 0x120, cdrval = 0x0,
>      tagval = 0x57685c0}, envsxp = {frame = 0x120, enclos = 0x0,
>      hashtab = 0x57685c0}, closxp = {formals = 0x120, body = 0x0,
>      env = 0x57685c0}, promsxp = {value = 0x120, expr = 0x0,
>      env = 0x57685c0}}}

----------------------------------------------------------------------------
Bill Dunlap
Insightful Corporation
bill at insightful dot com
360-428-8146

 "All statements in this message represent the opinions of the author and do
 not necessarily reflect Insightful Corporation policy or position."

More information about the R-devel mailing list