juho.vuori at fimr.fi
2008-Jun-11 05:40 UTC
[Rd] read.table() causes segfault with incorrect data (PR#11627)
Full_Name: Juho Vuori
Version: 2.7.0 (2008-04-22)
OS: Linux poseidon.fimr.fi 2.6.23.17-88.fc7PAE #1 SMP Thu May 15 00:22:53 EDT 2008 i686 i686 i386 GNU/Linux
Submission from: (NULL) (193.166.188.194)

Calling read.table() twice the following way causes a segmentation fault in R.
Run R and type the following commands:

> read.table(stdin())
0: 1 2 3
1: 3
2:
Error in scan(file, what, nmax, sep, dec, quote, skip, nlines, na.strings, :
  line 2 did not have 3 elements
> read.table(stdin())

 *** caught segfault ***
address 0x64616572, cause 'memory not mapped'

Traceback:
 1: read.table(stdin())

Segmentation fault only occurs if the first call failed due to incorrect data.
Bill Dunlap
2008-Jun-11 16:37 UTC
[Rd] read.table() causes segfault with incorrect data (PR#11627)
On Wed, 11 Jun 2008 juho.vuori at fimr.fi wrote:

> Full_Name: Juho Vuori
> Version: 2.7.0 (2008-04-22)
> OS: Linux poseidon.fimr.fi 2.6.23.17-88.fc7PAE #1 SMP Thu May 15 00:22:53 EDT 2008 i686 i686 i386 GNU/Linux
> Submission from: (NULL) (193.166.188.194)
>
>
> Calling read.table() twice the following way causes a segmentation fault in R.
> Run R and type the following commands:
>
> > read.table(stdin())
> 0: 1 2 3
> 1: 3
> 2:
> Error in scan(file, what, nmax, sep, dec, quote, skip, nlines, na.strings, :
>   line 2 did not have 3 elements
> > read.table(stdin())
>
>  *** caught segfault ***
> address 0x64616572, cause 'memory not mapped'
>

valgrind shows that con->nPushBack>0 but con->PushBack has already
been freed by do_clearpushback:

> read.table(stdin())
0: 1 2 3
1: 3
2:
Error in scan(file, what, nmax, sep, dec, quote, skip, nlines, na.strings, :
  line 2 did not have 3 elements
> read.table(stdin())
==11631== Invalid read of size 4
==11631==    at 0x80B3281: ConsoleGetcharWithPushBack (scan.c:130)
==11631==    by 0x80B348E: scanchar (scan.c:214)
==11631==    by 0x80B7E24: do_readtablehead (scan.c:1568)
==11631==    by 0x80653E0: do_internal (names.c:1129)
...
==11631==  Address 0x443E638 is 0 bytes inside a block of size 20 free'd
==11631==    at 0x40052A3: free (vg_replace_malloc.c:233)
==11631==    by 0x8128A41: do_clearpushback (connections.c:3671)
==11631==    by 0x80653E0: do_internal (names.c:1129)
==11631==    by 0x815EA27: Rf_eval (eval.c:461)
==11631==    by 0x812B133: R_run_onexits (context.c:147)

0x080b3281 in ConsoleGetcharWithPushBack (con=0x4067c50) at scan.c:130
130         curLine = con->PushBack[con->nPushBack-1];
(gdb) print con
$1 = 0x4067c50
(gdb) print con->PushBack
$2 = (char **) 0x443e638

The following change to connections.c:do_clearpushback() seems to fix it.

Index: connections.c ==================================================================--- connections.c (revision 45893) +++ connections.c (working copy) 
@@ -3669,6 +3669,7 @@ if(con->nPushBack > 0) { for(j = 0; j < con->nPushBack; j++) free(con->PushBack[j]); free(con->PushBack); + con->nPushBack = 0 ; } return R_NilValue; } ---------------------------------------------------------------------------- Bill Dunlap Insightful Corporation bill at insightful dot com "All statements in this message represent the opinions of the author and do not necessarily reflect Insightful Corporation policy or position."
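Review bot: after free(con->PushBack) the hunk resets con->nPushBack but leaves con->PushBack holding the freed address (the gdb session in this message shows it still at 0x443e638), so the pointer stays dangling even though the count is now correct. Consider adding con->PushBack = NULL; next to the reset so that the count and the pointer are cleared together. The added line also has a stray space before the semicolon (0 ;), which does not match the surrounding lines.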
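The stale-count condition that valgrind reports in this thread, shown beside a clear routine that resets the state, as an added example that is not part of the original messages and is not R's source code. Only the field names PushBack and nPushBack come from the thread; struct conn, push_back, clear_stale, clear_reset and peek_pushback are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in holding only the two fields named in the thread. */
struct conn {
    char **PushBack;   /* array of pushed-back lines */
    int    nPushBack;  /* number of valid entries in PushBack */
};

/* Push a copy of line; returns 0 on success, -1 on allocation failure. */
int push_back(struct conn *con, const char *line)
{
    char **tmp = realloc(con->PushBack, (size_t)(con->nPushBack + 1) * sizeof(char *));
    if (tmp == NULL) return -1;
    con->PushBack = tmp;
    tmp[con->nPushBack] = malloc(strlen(line) + 1);
    if (tmp[con->nPushBack] == NULL) return -1;
    strcpy(tmp[con->nPushBack], line);
    con->nPushBack++;
    return 0;
}

/* Clear as it behaved before the patch: storage freed, count left stale. */
void clear_stale(struct conn *con)
{
    if (con->nPushBack > 0) {
        for (int j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
        free(con->PushBack);
    }
}

/* Clear that resets both fields, so a later reader sees "no pushback". */
void clear_reset(struct conn *con)
{
    for (int j = 0; j < con->nPushBack; j++) free(con->PushBack[j]);
    free(con->PushBack);          /* free(NULL) is a no-op on repeat calls */
    con->PushBack = NULL;
    con->nPushBack = 0;
}

/* Reader-side guard: first byte of the newest pushed-back line, or -1. */
int peek_pushback(const struct conn *con)
{
    if (con->nPushBack <= 0 || con->PushBack == NULL) return -1;
    return (unsigned char)con->PushBack[con->nPushBack - 1][0];
}
```

After clear_stale the count still says one line is available, which is the state a reader indexing PushBack[nPushBack-1] walks into; after clear_reset the same reader gets -1.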