Graphviz Issue Tracker
Mantis Bug Tracker

ID: 0001845
Project: graphviz
Category: Circo
View Status: public
Date Submitted: 2010-03-24 19:53
Last Update: 2011-04-28 04:03
Reporter: user342
Assigned To: erg
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: *-*-Debian Linux
OS:
OS Version:
Summary: 0001845: Segfault when running Circo

Description

Hi,

I've had the following bug reported against the graphviz Debian package
(debian bug #575255) ...

---

The backtrace says it all ... I've tried on two unstable machines with
the same result. It seems to be a recent problem. I've attached the dot file,
but I don't think it is related to a specific file.

pietro
$circo 0.dot
*** glibc detected *** circo: free(): invalid next size (fast): 0x00000000007032c0 ***
======= Backtrace: =========
/lib/libc.so.6[0x2abca21d6d16]
/lib/libc.so.6(cfree+0x6c)[0x2abca21db9bc]
/usr/lib/graphviz/libgvplugin_neato_layout.so.6[0x2abca69951ac]
/usr/lib/graphviz/libgvplugin_neato_layout.so.6[0x2abca69949bd]
/usr/lib/graphviz/libgvplugin_neato_layout.so.6(circularLayout+0x148)[0x2abca6992fb8]
/usr/lib/graphviz/libgvplugin_neato_layout.so.6(circoLayout+0x110)[0x2abca69927b0]
/usr/lib/graphviz/libgvplugin_neato_layout.so.6(circo_layout+0x25)[0x2abca6992935]
/usr/lib/libgvc.so.5(gvLayoutJobs+0x9b)[0x2abca1cfed7b]
circo[0x400eef]
/lib/libc.so.6(__libc_start_main+0xfd)[0x2abca2184abd]
circo[0x400c19]

---

Ordinarily I would have redone that backtrace with debug symbols ...
This time however it looks like I don't need to since Francis
Russell (who submitted the dot -y bug) was kind enough to jump in and
take a look ...

"I did a little investigation into this which may or may not be helpful. The
problem appears to be with the call to position in lib/circogen/circpos.c.
position iterates over a linked list and conditionally saves values into an
array called parents. parents has the size 'childCount'; however, in the single
place position is called the linked list has the size 'length'. If
length>childCount and enough iterations add a value to the parents array,
its bounds may be overrun. Changing the line 'posinfo_t* parents =
N_NEW(childCount, posinfo_t);' to 'posinfo_t* parents = N_NEW(length,
posinfo_t);' fixes the segfault, though it's not clear if this method's being
called with an incorrect assumption about the values of childCount and length
anyway."

---

I've confirmed his suggested fix does appear to fix the problem (reproduced
below as a patch for convenience). However, as Francis says, there may be
more to this if the linked list is not expected to ever contain more
than 'childCount' nodes.

Please can you take a look and see what you think?

Cheers,

  David.

[erg]
The problem actually occurred up-stream, which was breaking the pre-conditions for the
position() function. In general, each child only has one parent, so there should never be
more parents than children.
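
The overrun Francis describes, and the precondition erg states, as an added example in C. This is not Graphviz's circpos.c; node_t, posinfo_t, make_path and walk_path are names assumed here to mirror the report. The list is constructed inline. count_parent_writes gives the number of writes the walk makes into parents[], would_overrun compares that with the childCount-sized allocation (the condition that produces glibc's "free(): invalid next size" abort, since the extra writes trample the next heap chunk's header and are only noticed at free time), and walk_path keeps the childCount sizing but refuses, before the first out-of-bounds write, to record more parents than children, instead of enlarging the array to `length` and hiding the upstream bug.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not Graphviz's code. node_t, posinfo_t, make_path and
 * walk_path are assumed names modelled on the report's description. */

typedef struct node {
    int id;
    int is_parent;          /* nodes flagged here get recorded in parents[] */
    struct node *next;
} node_t;

typedef struct {
    int id;
} posinfo_t;

/* Number of writes the walk makes into parents[]. The original allocation
 * held childCount slots, but the loop runs over a list of `length` nodes
 * and may write once per flagged node, so this must not exceed childCount. */
int count_parent_writes(const node_t *path)
{
    int n = 0;
    for (const node_t *p = path; p; p = p->next)
        if (p->is_parent)
            n++;
    return n;
}

/* 1 if an array of childCount entries would be overrun by the walk. */
int would_overrun(const node_t *path, int childCount)
{
    return count_parent_writes(path) > childCount;
}

/* Hardened walk: enforce the precondition (no more parents than children)
 * and return -1 before any out-of-bounds write. Writes never go past
 * parents[childCount - 1]. On success returns the number recorded. */
int walk_path(const node_t *path, int childCount, posinfo_t *parents)
{
    int nparents = 0;
    for (const node_t *p = path; p; p = p->next) {
        if (!p->is_parent)
            continue;
        if (nparents >= childCount)
            return -1;      /* precondition violated: stop, do not overrun */
        parents[nparents].id = p->id;
        nparents++;
    }
    return nparents;
}

void free_path(node_t *path)
{
    while (path) {
        node_t *next = path->next;
        free(path);
        path = next;
    }
}

/* Constructed input: a list of `length` nodes in which every node whose
 * index is a multiple of `stride` is flagged as a parent. */
node_t *make_path(int length, int stride)
{
    node_t *head = NULL, **tail = &head;
    if (stride <= 0)
        stride = 1;
    for (int i = 0; i < length; i++) {
        node_t *n = calloc(1, sizeof *n);
        if (!n) {
            free_path(head);
            return NULL;
        }
        n->id = i;
        n->is_parent = (i % stride == 0);
        *tail = n;
        tail = &n->next;
    }
    return head;
}

int main(void)
{
    node_t *path = make_path(6, 2);     /* parents at ids 0, 2, 4 */
    posinfo_t parents[3];
    if (!path)
        return 1;

    /* childCount smaller than the number of flagged nodes: the original
     * sizing would overrun; the hardened walk refuses instead. */
    printf("childCount=2 writes=%d overrun=%d walk_path=%d\n",
           count_parent_writes(path), would_overrun(path, 2),
           walk_path(path, 2, parents));

    /* precondition holds: all three parents fit. */
    printf("childCount=3 writes=%d overrun=%d walk_path=%d\n",
           count_parent_writes(path), would_overrun(path, 3),
           walk_path(path, 3, parents));

    free_path(path);
    return 0;
}
```

The point of returning -1 rather than allocating `length` entries is the one erg makes: the invariant is that a path never carries more parents than children, so a walk that would need more slots is a bug in the caller and should fail loudly there, not be absorbed by a larger buffer.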
Tags: No tags attached.
AUXILLARY-FILES:
DATE-FIXED:
FIX-COMMENT:
diff --git a/lib/circogen/circpos.c b/lib/circogen/circpos.c
index 7b66602..e5da26d 100644
--- a/lib/circogen/circpos.c
+++ b/lib/circogen/circpos.c
@@ -366,7 +366,7 @@ position(Agraph_t * g, int childCount, int length, nodelist_t * path,
     doub
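
Review bot: the hunk body is cut off after the context fragment `doub`, so the replaced line at circpos.c:366 cannot be reviewed from this page; going by the description above, changing `N_NEW(childCount, posinfo_t)` to `N_NEW(length, posinfo_t)` only sizes the array for the worst case and leaves the defect erg identifies (an upstream caller that breaks the precondition that there are never more parents than children). Suggest keeping the `childCount` sizing, adding an explicit check in `position()` that the number of saved parents stays below `childCount` so a violating caller fails visibly instead of corrupting the heap, and fixing that caller; a comment at the allocation should also state why `length` and `childCount` are allowed to differ, since the hunk header `position(Agraph_t * g, int childCount, int length, nodelist_t * path,` shows both are passed in without that relationship being documented.
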
FORMER-ID: 1911
INPUT-FILE: http://www.graphviz.org/bugs/b1911.dot
OUTPUT-FILE:
STATUS-COMMENT: Fixed (30 Mar 2010)
VERSION: 2.26.3
Attached Files

Relationships

Notes
There are no notes attached to this issue.

Issue History
Date Modified      Username   Field          Change
2011-04-28 04:03   user1      New Issue
2011-04-28 04:03   user1      Assigned To    => erg


MantisBT 1.2.5
Copyright © 2000 - 2011 MantisBT Group