Bug in edit_push_action()



Hello, Paul!

I've been using Valgrind (http://developer.kde.org/~sewardj/) to scan for
memory problems in Midnight Commander, and I have found a problem that
affects Cooledit as well.  I think I'd rather ask you, because you know
the code better and I don't want to apply a fix that could be different
from the one that you might use in Cooledit.

This is the message generated on cooledit-3.17.5 by Valgrind 1.0.0 (mc
produces a very similar warning, just at different lines):

==17482== Conditional jump or move depends on uninitialised value(s)
==17482==    at 0x80A2997: edit_push_action (edit.c:714)
==17482==    by 0x80A5F20: edit_push_key_press (edit.c:2133)
==17482==    by 0x80A62CE: edit_execute_key_command (edit.c:2237)
==17482==    by 0x80A9FC3: eh_editor (editwidget.c:1113)
==17482== 
==17482== Conditional jump or move depends on uninitialised value(s)
==17482==    at 0x80A2A97: edit_push_action (edit.c:736)
==17482==    by 0x80A5F20: edit_push_key_press (edit.c:2133)
==17482==    by 0x80A62CE: edit_execute_key_command (edit.c:2237)
==17482==    by 0x80A9FC3: eh_editor (editwidget.c:1113)

This happens when I press the first key in the editor.  The debugger shows
the following:

(gdb) p edit->stack_pointer
$1 = 0
(gdb) n
684         if (sp > edit->stack_size - 10) {   /* say */
(gdb) 
698         spm1 = (edit->stack_pointer - 1) & edit->stack_size_mask;
(gdb) 
699         if (push_action_disabled)
(gdb) 
712         if (spm1 != edit->stack_bottom && ((sp - 2) & edit->stack_size_mask) != edit->stack_bottom) {
(gdb) p spm1
$2 = 31
(gdb) p edit->stack_bottom
$3 = 0
(gdb) p sp
$4 = 0
(gdb) p edit->stack_size_mask
$5 = 31
(gdb) n
714             if (edit->undo_stack[spm1] < 0) {
(gdb) p edit->undo_stack[spm1]
$6 = 1970169197
(gdb)

As you see, spm1 "wraps" to the end of the buffer, which is not
initialized and contains a random value.  The point on the stack spm1
refers to is checked to see if the action can be stored as the repetition
of the previous action.

I don't know what is wrong - wrapping to the other side of the stack, not
initializing the stack (with zeroes?), incorrect comparison with
edit->stack_bottom or all of the above.

Valgrind shows many more potential bugs in Cooledit.  I hope you will 
enjoy fixing them :-)

-- 
Regards,
Pavel Roskin
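The mechanism in the gdb session above, as an added example that is not Cooledit's or Midnight Commander's code: a small model of a power-of-two ring buffer used as an undo stack, with the field names taken from the debugger output (undo_stack, stack_pointer, stack_bottom, stack_size_mask). The wrap expression and the guard are copied from the quoted lines; the push logic and the alternative guard (only peek when at least one entry is live) are assumptions about what the code intends, not a fix taken from either project. Instead of reading real uninitialised memory, which would be undefined behaviour, the ring is filled with a marker value and reading the marker stands in for what Valgrind flagged.

```c
#include <stdio.h>

/* Added example (not Cooledit's code): a model of the ring-buffer undo
 * stack described in the report.  Field names follow the gdb session;
 * the push logic and the "guarded" variant are assumptions about intent.
 * stack_size is a power of two, so indices wrap with '& stack_size_mask';
 * stack_pointer is the next free slot, stack_bottom the oldest live entry. */
#define STACK_SIZE      32
#define STACK_SIZE_MASK (STACK_SIZE - 1)

/* Stand-in for an uninitialised heap buffer.  We fill the ring with a
 * marker (the value gdb printed for undo_stack[31]) and treat seeing it
 * as "read a never-written slot". */
#define GARBAGE 1970169197L

struct undo_ring {
    long undo_stack[STACK_SIZE];
    int  stack_pointer;
    int  stack_bottom;
};

void ring_init(struct undo_ring *r)
{
    for (int i = 0; i < STACK_SIZE; i++)
        r->undo_stack[i] = GARBAGE;
    r->stack_pointer = 0;
    r->stack_bottom  = 0;
}

/* Live entries between bottom and pointer, wrap-aware (one slot kept free). */
int ring_count(const struct undo_ring *r)
{
    return (r->stack_pointer - r->stack_bottom) & STACK_SIZE_MASK;
}

void ring_push(struct undo_ring *r, long action)
{
    r->undo_stack[r->stack_pointer] = action;
    r->stack_pointer = (r->stack_pointer + 1) & STACK_SIZE_MASK;
    if (r->stack_pointer == r->stack_bottom)          /* full: drop oldest */
        r->stack_bottom = (r->stack_bottom + 1) & STACK_SIZE_MASK;
}

/* The expression at edit.c:698 in the report: for sp == 0 this is 31. */
int prev_index(int sp)
{
    return (sp - 1) & STACK_SIZE_MASK;
}

/* The guard quoted at edit.c:712.  With sp == stack_bottom == 0 it holds
 * (31 != 0 and 30 != 0), so undo_stack[31] gets examined on the first
 * key press although nothing has been pushed yet. */
int original_guard(int sp, int stack_bottom)
{
    int spm1 = prev_index(sp);
    return spm1 != stack_bottom &&
           ((sp - 2) & STACK_SIZE_MASK) != stack_bottom;
}

/* Assumed alternative: only peek at the previous entry when one exists. */
int guarded(const struct undo_ring *r)
{
    return ring_count(r) >= 1;
}

/* First-key scenario on a fresh ring: 1 if the chosen guard lets the code
 * read a slot that was never written. */
int first_key_reads_garbage(int use_guarded)
{
    struct undo_ring r;
    ring_init(&r);
    int allowed = use_guarded ? guarded(&r)
                              : original_guard(r.stack_pointer, r.stack_bottom);
    if (!allowed)
        return 0;
    return r.undo_stack[prev_index(r.stack_pointer)] == GARBAGE;
}

/* Push the actions 1..n and report how many are live (caps at 31). */
int count_after_pushes(int n)
{
    struct undo_ring r;
    ring_init(&r);
    for (int i = 1; i <= n; i++)
        ring_push(&r, i);
    return ring_count(&r);
}

/* Push 1..n and return the entry the guarded variant would compare against. */
long previous_after_pushes(int n)
{
    struct undo_ring r;
    ring_init(&r);
    for (int i = 1; i <= n; i++)
        ring_push(&r, i);
    return guarded(&r) ? r.undo_stack[prev_index(r.stack_pointer)] : -1;
}

int main(void)
{
    printf("spm1 for sp=0: %d\n", prev_index(0));
    printf("first key, original guard reads garbage: %d\n", first_key_reads_garbage(0));
    printf("first key, guarded variant reads garbage: %d\n", first_key_reads_garbage(1));
    printf("live entries after 40 pushes into 32 slots: %d\n", count_after_pushes(40));
    return 0;
}
```

Note that zero-filling the buffer (the "with zeroes?" option in the mail) would silence Valgrind, since the read becomes initialised, but the first-key path would still be comparing against a slot that was never pushed; a guard that checks the live count addresses the logic rather than the symptom.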
