segfault rendering man7/man.html

[stroucki]

Diagnosing this was made more difficult by libthread/daemonize.c declaring a null signal handler for SIGSEGV, the only indication was from Linux kernel messages at the end of compilation.

Analysis from core of troff2html:

#0  0x000055f15de7583b in iputs (b=0x55f15de853c0 <bout>,
    s=0x31 <error: Cannot access memory at address 0x31>) at troff2html.c:341
341             if(s[0]=='<' && s[1]=='+'){
(gdb) up
#1  0x000055f15de75aaf in setattr (a=94495150899200) at troff2html.c:391
391                             iputs(&bout, onattr[j]);
(gdb) print j
$1 = 26
(gdb) l
386             for(i=0; i<nelem(attrorder); i++){
387                     j = attrorder[i];
388                     if(on&(1<<j)){
389                             if(j == Anchor)
390                                     onattr[j] = anchors[nanchors++];
391                             iputs(&bout, onattr[j]);
392                             nest[nnest++] = j;
393                     }
394             }
395             attr = a;
(gdb) print Anchor+0
$2 = 26
(gdb) print nanchors
$3 = 4
(gdb) print anchors[3]
$4 = 0x31 <error: Cannot access memory at address 0x31>

I couldn't figure out what a correction would be; the values of the nonexistent anchors never made it into the final html file. But as nanchors is a global, and the anchors array is filled elsewhere, increasing nanchors here looks suspicious.

[lufia]

Can you give me commands or steps reproduce above?

[stroucki]

It is not happening every time, but about 50% of the time (and on different machines, with different libraries):
root@wopr:/usr/local/plan9/man# ../bin/troff -manhtml man7/man.7|../bin/troff2html -t 'Plan 9 from User Space' >/tmp/manweb.html
This is a command executed from dist/manweb.

The output of troff is not different in the working vs failing case.

[stroucki]

This is an address sanitizer output of the run of troff2html:

==6271==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000178 at pc 0x561c05973b56 bp 0x7ffcbd003e70 sp 0x7ffcbd003e68
READ of size 8 at 0x603000000178 thread T0
    #0 0x561c05973b55 in setattr /usr/local/plan9/src/cmd/troff2html/troff2html.c:390
    #1 0x561c05973dff in flush /usr/local/plan9/src/cmd/troff2html/troff2html.c:422
    #2 0x561c05972fbc in p9main /usr/local/plan9/src/cmd/troff2html/troff2html.c:245
    #3 0x561c05978f0f in main /usr/local/plan9/src/lib9/main.c:10
    #4 0x7ff3de045249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x7ff3de045304 in __libc_start_main_impl ../csu/libc-start.c:360
    #6 0x561c059724c0 in _start (/usr/local/plan9/bin/troff2html+0xf4c0)

0x603000000178 is located 0 bytes to the right of 24-byte region [0x603000000160,0x603000000178)
allocated by thread T0 here:
    #0 0x7ff3de2b78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
    #1 0x561c0597900a in p9realloc /usr/local/plan9/src/lib9/malloc.c:36
    #2 0x561c059725e8 in erealloc /usr/local/plan9/src/cmd/troff2html/troff2html.c:171
    #3 0x561c05974f81 in xcmd /usr/local/plan9/src/cmd/troff2html/troff2html.c:631
    #4 0x561c05975c90 in process /usr/local/plan9/src/cmd/troff2html/troff2html.c:807
    #5 0x561c05972e6e in p9main /usr/local/plan9/src/cmd/troff2html/troff2html.c:234
    #6 0x561c05978f0f in main /usr/local/plan9/src/lib9/main.c:10
    #7 0x7ff3de045249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/plan9/src/cmd/troff2html/troff2html.c:390 in setattr
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8010: fd fa fa fa 00 00 01 fa fa fa 00 00 05 fa fa fa
=>0x0c067fff8020: 00 00 00 04 fa fa 00 00 00 04 fa fa 00 00 00[fa]
  0x0c067fff8030: fa fa 00 00 00 04 fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6271==ABORTING

[stroucki]

I spend too much time tracing the execution and I've found that there is no distinction between Estring | Italic and Epp; pull request 741 addresses this.