Re: [ng-spice] Segmentation violation on running scripts


To ng-spice@ieee.ing.uniroma1.it
From "GLAO S. Dezai" <dezai@hotbot.com>
Date Thu, 11 Jan 2001 06:14:20 -0800
Delivered-To mailing list ng-spice@ieee.ing.uniroma1.it
Mailing-List contact ng-spice-help@ieee.ing.uniroma1.it; run by ezmlm
Organization HotBot Mail (http://mail.hotbot.mailcity.lycos.com:80)
Reply-To ng-spice@ieee.ing.uniroma1.it


On Thu, 11 Jan 2001 00:12:00   Bob Carragher wrote:
>Hello,
>
>I too have run into a segmentation fault similar to what Alan
>describes.  Perhaps it is the same one.  In file variable.c,
>function cp_setparse(), at roughly line 359, is a call to
>tfree(),
>
>        tfree(ss);/*DG: cp_unquote Memory leak*/
>
>This will eventually cause variable ss to be passed to free().
>It is at this point that a segmentation violation can occur.
>
>The call is located a few lines after a call to ft_numparse(),
>
>        td = ft_numparse(&ss, FALSE);
>
>If I understand that function correctly, it can update the
>value of variable ss.  Unfortunately, trying to free ss is
>what causes the segmentation violation.  A fix would be to
>keep a copy of the original value of ss before it is passed
>to ft_numparse(), then pass that location to tfree() instead
>of ss.  (That is the fix that I have applied to my local copy.)
>
>Is or will this be fixed in a subsequent rework of NG Spice?


Yes,
I have already pointed out this problem in a previous mail.
This bug should be fixed in the next release; here is the mail I sent:

Cheers
********
 
Hi all,
I think that I know now why variable.c fails to run in some cases.
The reason is to be found in the cp_setparse function.

I previously used to free the pointer ss before the call of the ft_numparse
function:

    ss = cp_unquote(wl->wl_word);
    td = ft_numparse(&ss, FALSE);
    ...
    tfree(ss);        /* ss may no longer be the pointer cp_unquote returned */
Here is the problem. When ss contains a number, ft_numparse
increments ss so that at the end of the parsing ss points to the
end of the allocated area. Freeing ss results in a segfault. If
ss does not contain a number there is no problem.
So to fix the bug something like the following must be done:
                    
    copyval = ss = cp_unquote(wl->wl_word);   /* keep the original pointer */
    td = ft_numparse(&ss, FALSE);
    ...
    tfree(copyval);   /* free the allocation start, not the advanced ss */

Apologies.
glao
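The pointer-advancing behaviour described in the mail, as an added example that is not part of the original message or of ngspice: my_unquote() and my_numparse() are hypothetical stand-ins for cp_unquote() and ft_numparse() (the real signatures are not reproduced), buggy_setparse() and fixed_setparse() are the two patterns quoted above, and the input words are constructed. The buggy path only reports that it would hand free() an interior pointer instead of doing so, so the program runs to completion.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ngspice code. my_unquote()/my_numparse() are
 * hypothetical stand-ins for cp_unquote()/ft_numparse(); they reproduce
 * only the property the mail relies on: the parser takes a char ** and
 * advances *s past the characters it consumed. */

/* malloc'd, NUL-terminated copy of n bytes of p. */
static char *dup_range(const char *p, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL)
        abort();
    memcpy(out, p, n);
    out[n] = '\0';
    return out;
}

/* Stand-in for cp_unquote(): fresh copy of word, one pair of surrounding
 * double quotes stripped if present. */
static char *my_unquote(const char *word)
{
    size_t len = strlen(word);
    if (len >= 2 && word[0] == '"' && word[len - 1] == '"')
        return dup_range(word + 1, len - 2);
    return dup_range(word, len);
}

/* Stand-in for ft_numparse(): on success stores the number in *val,
 * advances *s past it and returns 1; otherwise leaves *s alone, returns 0. */
static int my_numparse(char **s, double *val)
{
    char *end;
    double d = strtod(*s, &end);
    if (end == *s)
        return 0;
    *val = d;
    *s = end;
    return 1;
}

/* The pattern the mail reports as broken: free the pointer the parser may
 * have moved. Returns 1 when ss no longer points at the allocation start,
 * i.e. free(ss) would get an interior pointer (undefined behaviour; modern
 * allocators typically abort). `start` exists only for this check and has
 * no counterpart in the real bug. */
static int buggy_setparse(const char *word)
{
    char *ss = my_unquote(word);
    char *start = ss;
    double td;

    my_numparse(&ss, &td);
    if (ss != start) {
        /* real code would tfree(ss) here and crash */
        free(start);
        return 1;
    }
    free(ss);   /* ss was not moved: still the allocation start */
    return 0;
}

/* The fix from the mail: remember the original pointer in copyval and free
 * that, whatever the parser did to ss. Returns 1 if a number was parsed. */
static int fixed_setparse(const char *word, double *val)
{
    char *copyval, *ss;
    int is_num;

    copyval = ss = my_unquote(word);
    is_num = my_numparse(&ss, val);
    free(copyval);   /* always the pointer my_unquote() returned */
    return is_num;
}

/* Parsed value via the fixed path, or -1.0 (demo sentinel) if no number. */
static double fixed_value(const char *word)
{
    double v;
    return fixed_setparse(word, &v) ? v : -1.0;
}

int main(void)
{
    /* constructed inputs: bare number, quoted number, non-number, exponent */
    const char *words[] = { "42", "\"3.5\"", "abc", "\"1.5e3\"" };
    size_t i;

    for (i = 0; i < sizeof words / sizeof words[0]; i++)
        printf("%-10s buggy path would free interior pointer: %d  fixed value: %g\n",
               words[i], buggy_setparse(words[i]), fixed_value(words[i]));
    return 0;
}
```

Only the words that parse as numbers trip the buggy path, which matches the observation in the mail that non-numeric values never crashed.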
