code that should segfault? #362
Comments
I believe you are referring to this statement: Lines 505 to 507 in 6b6c0fe But, Lines 227 to 230 in 6b6c0fe We can try to produce a possible issue with a test. |
|
I tried adding the following test to TEST_F(CLASSNAME(TestArgumentsFixture, RMW_IMPLEMENTATION), test_copy_no_args) {
rcl_arguments_t parsed_args = rcl_get_zero_initialized_arguments();
rcl_ret_t ret = rcl_parse_arguments(0, NULL, rcl_get_default_allocator(), &parsed_args);
EXPECT_EQ(RCL_RET_OK, ret) << rcl_get_error_string().str;
EXPECT_EQ(0, rcl_arguments_get_count_unparsed(&parsed_args));
rcl_arguments_t copied_args = rcl_get_zero_initialized_arguments();
ret = rcl_arguments_copy(&parsed_args, &copied_args);
EXPECT_EQ(RCL_RET_OK, ret) << rcl_get_error_string().str;
EXPECT_EQ(0, rcl_arguments_get_count_unparsed(&copied_args));
EXPECT_EQ(RCL_RET_OK, rcl_arguments_fini(&parsed_args));
EXPECT_EQ(RCL_RET_OK, rcl_arguments_fini(&copied_args));
} |
|
I'm still not convinced there's not an issue here though. The behavior of
It's probably not a bad idea to commit the test and add a guard against allocating/deallocating |
|
Based on this SO post and some empirical testing, it seems we don't have to worry about free'ing the pointer returned by @vingtfranc In summary, to try and answer your original concern, in the event we have 0 unparsed arguments, the resulting
If I've misunderstood something and there is still a problem, we can reopen this issue. |
Yes, but in the case I'm describing, it is not the malloc(0) which is freed: Lines 505 to 513 in 6b6c0fe Here if malloc(0) returns NULL (it does on my system), then args_out->impl->unparsed_args is NULL but args_out->impl->remap_rules can be anything since there is just a malloc on args_out->implLine 493 in 6b6c0fe Thus, when rcl_arguments_fini(args_out) is called, args_out->impl->remap_rules contains a random value, which is misinterpreted as a pointer, and freed:Lines 568 to 584 in 6b6c0fe Besides, even if there was no segfault here, |
|
@vingtfranc Ah, I see the issue now. So are you saying this doesn't segfault for you? Perhaps it was just "luck" that in this case Looks like a bug to me. |
|
Actually, I have compiled the demo node listener.cpp on my experimental system, and the program has the behavior I described (checked step-by-step in gdb). Note that I'm not building ROS 2 the standard way (as my machine has its own building system). So it's possible the case I'm describing may only occur because of my building configuration. On my side, I fixed my code modifying allocator.c: into What does happen on your machine if you add a |
The test I suggested in #362 (comment) fails due to bad allocation and It would appear a few places in our code do not anticipate the possibility that |
|
@vingtfranc Please take a look at #367. I believe it addresses this particular issue. |
jacobperron
added
in review
Hi
I am looking at
node.candarguments.ccode, and there is part that, in my understanding, should cause a segfault (but I guess it doesn't?)If you look from line 286 (
node.cin master branch):node->impl->optionsis filled with 0, and then it is copied tooptionswith the following function (from line 562):and the arguments are copied by
rcl_arguments_copyas defined inarguments.cfrom line 479:So
args_out->implis allocated. Since the allocation here is just a malloc,args_out->implmay contain any kind of value.
Since at this point
args->impl->num_unparsed_argsis 0, this line:is just a
malloc(0), which returnsNULL. So theifstatement is triggered and we callrcl_arguments_fini(args_out)(from line 567). At this pointargs->impl->remap_rulesmay contain anything (it has not been initialized yet), so the code may then enter theifstatement at line 574:and then call
freeon the uninitialized pointer, resulting in a SegFaultIs my understanding correct?
The text was updated successfully, but these errors were encountered: