[Rd] incorrect output and segfaults from sprintf with %*d (PR#13667)

waku at idi.ntnu.no
Tue Apr 21 13:05:11 CEST 2009


Full_Name: Wacek Kusnierczyk
Version: 2.10.0 r48365
OS: Ubuntu 8.04 Linux 32bit
Submission from: (NULL) (129.241.110.141)


sprintf has a documented limit on strings included in the output using the
format '%s'.  It appears that there is a limit on the length of strings included
with, e.g., the format '%d' beyond which surprising things happen (output
modified for conciseness):

   gregexpr('1', sprintf('%9000d', 1))
   # [1] 9000 9801

   gregexpr('1', sprintf('%9000d', 1))
   # [1]  9000  9801 10602

   gregexpr('1', sprintf('%9000d', 1))
   # [1]  9000  9801 10602 11403

   gregexpr('1', sprintf('%9000d', 1))
   # [1]  9000  9801 10602 11403 12204

   ...

Note that not only more than one '1' is included in the output, but also that
the same functional expression (no side effects used beyond the interface) gives
different results on each execution.  Analogous behaviour can be observed with
'%nd' where n > 8200.

The actual output above is consistent across separate sessions.

With sufficiently large field width values, R segfaults:

   sprintf('%*d', 10^5, 1)
   # *** caught segfault ***
   # address 0xbfcfc000, cause 'memory not mapped'
   # Segmentation fault


   sessionInfo()
   # R version 2.10.0 Under development (unstable) (2009-04-20 r48365) 
   # i686-pc-linux-gnu
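
An added example, not part of the original report and not R's source code: the report does not show the C code behind sprintf, so this sketch assumes a fixed 8192-byte output buffer (FIXED_BUF and all function names are hypothetical). It shows two defensive patterns for '%*d' with a caller-controlled field width: rejecting output that does not fit, and sizing the buffer from snprintf's own length report.

```c
/* Added example; FIXED_BUF and all function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_BUF 8192  /* assumed size, near the ~8200 threshold in the report */

/* Format value right-aligned in `width` columns into a caller-supplied buffer.
 * Returns the string length, or -1 if the result would not fit (out then
 * holds a truncated, NUL-terminated prefix and must not be used as the result). */
int format_fixed(char *out, size_t outsz, int width, int value)
{
    int need = snprintf(out, outsz, "%*d", width, value);
    if (need < 0 || (size_t)need >= outsz)
        return -1;
    return need;
}

/* Size the buffer from snprintf's own length report, so the field width
 * never has to fit a compile-time limit. Caller frees. NULL on failure. */
char *format_dynamic(int width, int value)
{
    int need = snprintf(NULL, 0, "%*d", width, value);
    if (need < 0)
        return NULL;
    char *buf = malloc((size_t)need + 1);
    if (buf == NULL)
        return NULL;
    snprintf(buf, (size_t)need + 1, "%*d", width, value);
    return buf;
}

/* Count occurrences of c in s (the report's gregexpr('1', ...) check). */
size_t count_char(const char *s, char c)
{
    size_t n = 0;
    for (; *s; s++)
        n += (*s == c);
    return n;
}

int main(void)
{
    char fixed[FIXED_BUF];
    printf("width 9000 into %d bytes: %d\n", FIXED_BUF, format_fixed(fixed, sizeof fixed, 9000, 1));
    char *s = format_dynamic(100000, 1);   /* the width from the segfault case */
    if (s == NULL) return 1;
    printf("len=%zu ones=%zu\n", strlen(s), count_char(s, '1'));
    free(s);
    return 0;
}
```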


