Open PangPangpeng opened 4 years ago
Sorry, I have no such crash on my system (ARM 32 bits). Could you reduce the source file to the smallest sequence that raises the bug?
I removed some lines from the poc, and I reproduced the crash on my system (x86 64bit). I also tried to run it in qemu-arm-static, as you said, and I didn't get the crash either. Maybe it is related to the system bitness.
```
root@ubuntu:# uname -a
Linux ubuntu 4.15.0-106-generic #107-16.04.1-Ubuntu SMP Thu Jun 4 15:40:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:/abc2music/origin# ./abcm2ps poc_small
abcm2ps-8.14.9 (2020-06-21)
File poc_small
poc_small:6:2: error: Cannot identify meter top
6 M:Cÿÿ/4
^
poc_small:10:4: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:5: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:10: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:16: error: Not a note
10 [KgC# alto]rigin
^
poc_small:10:1: error: Chord not closed
10 [KgC# alto]rigin
^
poc_small:10:0: error: Bad character 'n'
poc_small:10:0: error: Bad character 'i'
poc_small:10:0: error: Bad character 'i'
poc_small:10:0: error: Bad character 'r'
poc_small:10:0: error: Bad character 'o'
poc_small:10:0: error: Bad character 't'
poc_small:10:0: error: Bad character 'l'
poc_small:10:0: error: Bad character 'K'
poc_small:13:0: error: Voice '2' of %%staves has no symbol
poc_small:13:0: error: Misplaced ']' in %%staves
poc_small:13:0: error: Bad voice ID in %%staves
poc_small:13:0: error: Voice 'CEGc' of %%staves has no symbol
poc_small:27:23: error: Bad character
27 !fine!C!invertedfermataD !longphrase!E !mediumphrase!F !mf!G!open!A !p!B...
^
poc_small:25:31: error: Decoration !cresc(! not defined
poc_small:25:58: error: Too many words in lyric line
poc_small:27:11: error: Bad character 'n'
poc_small:27:11: error: Bad character 'i'
poc_small:27:14: error: Bad character 't'
poc_small:27:14: error: Bad character 'r'
poc_small:27:20: error: Bad character 'm'
poc_small:27:20: error: Bad character 'r'
poc_small:27:22: error: Bad character 't'
poc_small:27:24: warning: Not enough words for lyric line
Segment Fault
```
There are still a lot of tunes, a lot of lines and a lot of notes. Can you reduce your file down to one tune, two or three lines in the header and one line of music with the smallest number of notes? Also, is the crash exactly the same as with the full file?
Oh, you're right... pocx produces another crash. I tried my best to reduce the poc; unfortunately, I can only reproduce it with the full file. And while doing that, I found the other crash could be triggered by this short poc. poc_2.zip
I found an X64 computer and I built abcm2ps, but then I had no crash with any of your files (including the one from issue #73). For more information, the computer is a MinisForum with an Intel Atom N3350 running VoidLinux; abcm2ps was compiled with 'clang' and dynamically linked with the glibc.
I re-compiled abcm2ps with 'clang' and dynamically linked with the glibc, and I didn't get the crash either. But when I compile abcm2ps with 'gcc-5.4', the crash returns. I debugged the code with GDB, and I found the global variable `curvoice` was modified and points to the address `&dfmt + 384`. This is very strange, and it causes `cfmt` and `dfmt` to be destroyed. When we try to run `get_font_encoding`, and `cfmt.font_tb[ft].fnum` was modified coincidentally, we get a segmentation fault, because `font_enc[cfmt.font_tb[ft].fnum]` tries to read an inaccessible address.

I spent a lot of time finding the buggy code. I think I found which line modifies the address of `curvoice`. In function `process_pscomment`, it calls `get_staves`; after running this function, it executes this line: `curvoice = &voice_tb[parsys->top_voice]`, and `parsys->top_voice == 0xffff`, so it makes `curvoice` point to `(&voice_tb - 0x200)`. Using IDA I got the .bss segment, and `(&voice_tb - 0x200) == (&dfmt + 384)`. Here is the stack.
```
s=0x693962 "\nX:4\nT:Guitar chords - annotations\nM:none\nL:1/4\nK:C\n\"^no time\"\"^signature\"CD\"gchord\"\"^on bar\"|EF\\\n\"^appogiattura\"{B}c \"^acRiaccatura\"{/B}c \\\n\"^three;annot;lines\"G \"^and\"\"^four\"\"^annot\"\"^lines!\"c| \\\n\"^"...,
s@entry=0x6937a0 "U: N = !tenuto!\n\nX:2\nT:Key signature change\nT:and multi-measure rest\nM:2\nL:1/4\nK:C\nZ4|\"C\"CEGc|[K:A]\"A\"Acea|[K:B]\"B\"Bdfb|[K:A]\"A\"Acea|\n[K:Eb]\"Eb\"EGBe|[K:Cb]\"Cb\"CEGc|[K:C]\"C\"CEGc|\n\nX:3\nT:All clefs with "..., ftype=ftype@entry=0x0, fname=fname@entry=0x692560 "pocx", linenum=<optimized out>, linenum@entry=0x0) at front.c:891
at ../csu/libc-start.c:291
```
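As an added illustration of the pointer arithmetic described in the comment above (not abcm2ps's own code; the table sizes, the `voice_s` layout and the assumption that `top_voice` is a signed 16-bit field are stand-ins chosen so that index 0xffff lands 0x200 bytes before the table, as reported), next to bounds-checked lookups for both the voice table and the font-encoding table:

```c
#include <stddef.h>
#include <stdio.h>

#define MAXVOICE 32          /* assumed table size, not abcm2ps's constant */
#define NFONTENC 8           /* assumed size of the font encoding table   */

/* 512-byte entries so that index -1 is 0x200 bytes before the table,
 * matching the (&voice_tb - 0x200) offset reported in the issue. */
struct voice_s { unsigned char body[0x200]; };
static struct voice_s voice_tb[MAXVOICE];
static const char *font_enc[NFONTENC] = { "latin1", "utf-8" }; /* constructed */

/* Byte offset that an unchecked &voice_tb[top_voice] adds to &voice_tb
 * when top_voice is a 16-bit field: 0xffff reads back as -1, so the
 * result is -0x200, i.e. a pointer into whatever global the linker put
 * just before voice_tb (dfmt+384 in the reporter's gcc build). */
ptrdiff_t unchecked_voice_offset(short top_voice)
{
    return (ptrdiff_t)top_voice * (ptrdiff_t)sizeof(struct voice_s);
}

/* Hardened lookup: refuse to form a pointer for any index outside the
 * table, so a sentinel such as 0xffff cannot alias a neighbouring global. */
struct voice_s *checked_voice(int top_voice)
{
    if (top_voice < 0 || top_voice >= MAXVOICE)
        return NULL;
    return &voice_tb[top_voice];
}

/* Same idea for the second-stage read font_enc[cfmt.font_tb[ft].fnum]:
 * validate fnum before indexing instead of trusting a value that may
 * already have been overwritten through the bad curvoice pointer. */
const char *checked_font_enc(int fnum)
{
    if (fnum < 0 || fnum >= NFONTENC)
        return NULL;
    return font_enc[fnum];
}

int main(void)
{
    short top = (short)0xffff;            /* the value seen in the debugger */
    printf("unchecked offset: %td\n", unchecked_voice_offset(top)); /* -512 */
    printf("checked lookup:   %p\n", (void *)checked_voice(top));   /* NULL */
    return 0;
}
```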
That was a big bug, and well hidden! It should be fixed by commit 74fc325. Many thanks.
```
gdb-peda$ set args ./pocs/poc4
gdb-peda$ run
Starting program: /root/Intriguer/intriguer/opensoft/abc2music/origin/abcm2ps ./pocs/poc4
abcm2ps-8.14.9 (2020-06-21)
File ./pocs/poc4
./pocs/poc4:26:2: error: Cannot identify meter top
26 M:Cÿÿ/4
^
./pocs/poc4:30:4: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:5: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:10: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:16: error: Not a note
30 [KgC# alto]rigin
^
./pocs/poc4:30:1: error: Chord not closed
30 [KgC# alto]rigin
^
./pocs/poc4:30:0: error: Bad character 'n'
./pocs/poc4:30:0: error: Bad character 'i'
./pocs/poc4:30:0: error: Bad character 'i'
./pocs/poc4:30:0: error: Bad character 'r'
./pocs/poc4:30:0: error: Bad character 'o'
./pocs/poc4:30:0: error: Bad character 't'
./pocs/poc4:30:0: error: Bad character 'l'
./pocs/poc4:30:0: error: Bad character 'K'
./pocs/poc4:33:0: error: Voice '2' of %%staves has no symbol
./pocs/poc4:33:0: error: Misplaced ']' in %%staves
./pocs/poc4:33:0: error: Bad voice ID in %%staves
./pocs/poc4:33:0: error: Voice 'CEGc' of %%staves has no symbol
./pocs/poc4:67:23: error: Bad character
67 !fine!C!invertedfermataD !longphrase!E !mediumphrase!F !mf!G!open!A !p!B...
^
./pocs/poc4:65:31: error: Decoration !cresc(! not defined
./pocs/poc4:65:58: error: Too many words in lyric line
./pocs/poc4:67:11: error: Bad character 'n'
./pocs/poc4:67:11: error: Bad character 'i'
./pocs/poc4:67:14: error: Bad character 't'
./pocs/poc4:67:14: error: Bad character 'r'
./pocs/poc4:67:20: error: Bad character 'm'
./pocs/poc4:67:20: error: Bad character 'r'
./pocs/poc4:67:22: error: Bad character 't'
./pocs/poc4:67:24: warning: Not enough words for lyric line

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xa0000 ('')
RBX: 0xb ('\x0b')
RCX: 0x0
RDX: 0x1
RSI: 0x44c627 --> 0x20656c7469540020 (' ')
RDI: 0xb ('\x0b')
RBP: 0xa0000 ('')
RSP: 0x7fffffffdd20 --> 0xffffffffffffffff
RIP: 0x41f771 (<set_font+193>: mov rcx,QWORD PTR [rax*8+0x668c60])
R8 : 0x0
R9 : 0x1
R10: 0xf
R11: 0x7ffff788bf60 --> 0xfff1ee20fff1ee10
R12: 0x1
R13: 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x41f763 <set_font+179>: mov edx,DWORD PTR [rip+0x247277]        # 0x6669e0
   0x41f769 <set_font+185>: test edx,edx
   0x41f76b <set_font+187>: jle 0x41f818 <set_font+360>
=> 0x41f771 <set_font+193>: mov rcx,QWORD PTR [rax*8+0x668c60]
   0x41f779 <set_font+201>: mov edx,0x449890
   0x41f77e <set_font+206>: xor esi,esi
   0x41f780 <set_font+208>: mov edi,0x1
   0x41f785 <set_font+213>: xor eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdd20 --> 0xffffffffffffffff
0008| 0x7fffffffdd28 --> 0x9 ('\t')
0016| 0x7fffffffdd30 --> 0x675640 ("Composer (Origin)")
0024| 0x7fffffffdd38 --> 0x4364ea (<str_ft_out1+58>: test BYTE PTR [rip+0x22cdd7],0x1        # 0x6632c8 )
0032| 0x7fffffffdd40 --> 0xffffffff
0040| 0x7fffffffdd48 --> 0x675649 ("(Origin)")
0048| 0x7fffffffdd50 --> 0x675640 ("Composer (Origin)")
0056| 0x7fffffffdd58 --> 0x4366fe (<str_ft_out+478>: jmp 0x4366b5 <str_ft_out+405>)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
set_font (ft=0xb) at format.c:1412
1412            error(1, NULL,
gdb-peda$ bt
#0  set_font (ft=0xb) at format.c:1412
#1  0x00000000004364ea in str_ft_out1 (p=p@entry=0x675640 "Composer (Origin)", l=l@entry=0x9) at subs.c:822
#2  0x00000000004366fe in str_ft_out (p=0x675649 <tex_buf+9> "(Origin)", end=0x1) at subs.c:896
#3  0x00000000004371ec in str_out (p=, action=) at subs.c:942
#4  0x0000000000437214 in put_str (str=str@entry=0x7fffffffdda0 "Composer (Origin)", action=action@entry=0x2) at subs.c:980
#5  0x00000000004381f0 in put_inf2r (s1=, s1@entry=0x6e4960, s2=, s2@entry=0x6e4bc0, action=action@entry=0x2) at subs.c:1026
#6  0x000000000043928d in write_heading () at subs.c:1783
#7  0x0000000000433036 in get_info (s=s@entry=0x6e5530) at parse.c:2913
#8  0x0000000000435068 in do_tune () at parse.c:3501
#9  0x00000000004088e2 in abc_parse (p=0x694370 "", fname=fname@entry=0x692560 "./pocs/poc4", ln=ln@entry=0x54) at abcparse.c:179
#10 0x000000000041fa17 in txt_add_eos (fname=fname@entry=0x692560 "./pocs/poc4", linenum=linenum@entry=0x54) at front.c:379
#11 0x0000000000420478 in frontend (s=0x693f76 "\nX:8\nT:Decorations on two voices\nT:(also in 'd:' lines)\n%%infoline 1\nC:Composer\nO:Or@",
#12 0x0000000000403fdd in treat_file (fn=0x7fffffffe78c "./pocs/poc4", ext=) at abcm2ps.c:240
#13 0x0000000000403118 in main (argc=0x0, argc@entry=0x2, argv=, argv@entry=0x7fffffffe508) at abcm2ps.c:1041
#14 0x00007ffff7724840 in __libc_start_main (main=0x4029e0, argc=0x2, argv=0x7fffffffe508, init=, fini=, rtld_fini=, stack_end=0x7fffffffe4f8)
#15 0x0000000000403689 in _start ()
```
poc4.zip