Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Segmentation Fault using Ag #8258

Closed
Stormys opened this issue Aug 21, 2017 · 4 comments
Closed

Segmentation Fault using Ag #8258

Stormys opened this issue Aug 21, 2017 · 4 comments

Comments

@Stormys
Copy link

Stormys commented Aug 21, 2017

Some of the functions that I use Ag to obtain their dot formated graph will output a segmentation fault.

I believe it may have to do with me using

e anal.jmptbl=true
e anal.jmpref=true
e anal.jmpabove=true

and only the graphs that contain jump tables seem to fail.

Below is the backtrace that occurs in gdb:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff397acc0 in _IO_vfprintf_internal (s=s@entry=0x7fffffffc760, format=<optimized out>, 
    format@entry=0x7ffff7ba9f48 "\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n", 
    ap=ap@entry=0x7fffffffc900) at vfprintf.c:1632
1632    vfprintf.c: No such file or directory.
(gdb) backtrace
#0  0x00007ffff397acc0 in _IO_vfprintf_internal (s=s@entry=0x7fffffffc760, format=<optimized out>, 
    format@entry=0x7ffff7ba9f48 "\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n", 
    ap=ap@entry=0x7fffffffc900) at vfprintf.c:1632
#1  0x00007ffff39a2a49 in _IO_vsnprintf (
    string=0x5555557e385c "\t\"0x5555562b9940\" -> \"0x00401c89\" [color=\"f/5f\033\\\033]4;60;rgb:5f/5f/87\033\\\033]4;61;rgb:5f/5f/af\033\\\033]4;62;rgb:5f/5f/d7\033\\\033]4;63;rgb:5f/5f/ff\033\\\033]4;64;rgb:5f/87/00\033\\\033]4;65;rgb:5f/87/5f\033\\\033]4;66;rgb:5f/87/87\033\\\033]4;6"..., 
    maxlen=<optimized out>, 
    format=0x7ffff7ba9f48 "\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n", args=0x7fffffffc900)
    at vsnprintf.c:114
#2  0x00007ffff73a905d in r_cons_printf_list (
    format=0x7ffff7ba9f48 "\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n", ap=0x7fffffffc940)
    at cons.c:815
#3  0x00007ffff73a91b1 in r_cons_printf (
    format=0x7ffff7ba9f48 "\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n") at cons.c:837
#4  0x00007ffff7b38a3e in core_anal_graph_nodes (core=0x55555575d520 <r>, fcn=0x555555b6b5d0, 
    opts=2) at canal.c:1112
#5  0x00007ffff7b3d3af in r_core_anal_graph (core=0x55555575d520 <r>, addr=4204256, opts=2)
    at canal.c:2430
#6  0x00007ffff7ab5b2c in cmd_anal_graph (core=0x55555575d520 <r>, 
    input=0x5555559443e2 " 0x004026e0") at cmd_anal.c:5160
#7  0x00007ffff7ab7df5 in cmd_anal (data=0x55555575d520 <r>, input=0x5555559443e1 "g 0x004026e0")
    at cmd_anal.c:5803
#8  0x00007ffff7b330a7 in r_cmd_call (cmd=0x555555850730, input=0x5555559443e0 "ag 0x004026e0")
    at cmd_api.c:226
#9  0x00007ffff7af134b in r_core_cmd_subst_i (core=0x55555575d520 <r>, 
    cmd=0x5555559443e0 "ag 0x004026e0", colon=0x0) at cmd.c:2296
#10 0x00007ffff7aee82c in r_core_cmd_subst (core=0x55555575d520 <r>, 
    cmd=0x5555559443e0 "ag 0x004026e0") at cmd.c:1494
#11 0x00007ffff7aefb24 in r_core_cmd_subst_i (core=0x55555575d520 <r>, 
    cmd=0x5555562b9880 "ag 0x004026e0 ", colon=0x0) at cmd.c:1908
#12 0x00007ffff7aee82c in r_core_cmd_subst (core=0x55555575d520 <r>, 
    cmd=0x5555562b9880 "ag 0x004026e0 ") at cmd.c:1494
#13 0x00007ffff7af35b6 in r_core_cmd (core=0x55555575d520 <r>, 
    cstr=0x5555562bc060 "ag 0x004026e0 > test.dot", log=1) at cmd.c:2904
#14 0x00007ffff7a7324c in r_core_prompt_exec (r=0x55555575d520 <r>) at core.c:2013
#15 0x000055555555a7df in main (argc=2, argv=0x7fffffffdc78, envp=0x7fffffffdc90) at radare2.c:1224
@lowlyw
Copy link
Contributor

lowlyw commented Aug 21, 2017

i can repro

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfffffffffffffff0)
  * frame #0: 0x00007fffda0beb52 libsystem_c.dylib`strlen + 18
    frame #1: 0x00007fffda1049fc libsystem_c.dylib`__vfprintf + 5701
    frame #2: 0x00007fffda12d423 libsystem_c.dylib`__v2printf + 699
    frame #3: 0x00007fffda11192a libsystem_c.dylib`_vsnprintf + 586
    frame #4: 0x00007fffda1119d3 libsystem_c.dylib`vsnprintf + 80
    frame #5: 0x000000010032726d libr_cons.dylib`r_cons_printf_list(format="\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n", ap=0x00007fff5fbfd960) at cons.c:815
    frame #6: 0x0000000100324d45 libr_cons.dylib`r_cons_printf(format="\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n") at cons.c:837
    frame #7: 0x00000001001dc5c0 libr_core.dylib`core_anal_graph_nodes(core=0x00000001000074b0, fcn=0x0000000101c16560, opts=2) at canal.c:1112
    frame #8: 0x00000001001db8ee libr_core.dylib`r_core_anal_graph(core=0x00000001000074b0, addr=4294971872, opts=2) at canal.c:2430
    frame #9: 0x000000010015b844 libr_core.dylib`cmd_anal_graph(core=0x00000001000074b0, input=" entry0") at cmd_anal.c:5269
    frame #10: 0x000000010011e446 libr_core.dylib`cmd_anal(data=0x00000001000074b0, input="g entry0") at cmd_anal.c:5911
    frame #11: 0x00000001001d4852 libr_core.dylib`r_cmd_call(cmd=0x000000010207f400, input="ag entry0") at cmd_api.c:226
    frame #12: 0x0000000100147db2 libr_core.dylib`r_core_cmd_subst_i(core=0x00000001000074b0, cmd="ag entry0", colon=0x0000000000000000) at cmd.c:2340
    frame #13: 0x0000000100115a15 libr_core.dylib`r_core_cmd_subst(core=0x00000001000074b0, cmd="ag entry0") at cmd.c:1538
    frame #14: 0x000000010011310c libr_core.dylib`r_core_cmd(core=0x00000001000074b0, cstr="ag entry0", log=1) at cmd.c:2948
    frame #15: 0x00000001001036d5 libr_core.dylib`r_core_prompt_exec(r=0x00000001000074b0) at core.c:2012
    frame #16: 0x0000000100003fbc r2`main(argc=2, argv=0x00007fff5fbff3b8, envp=0x00007fff5fbff3d0) at radare2.c:1235
    frame #17: 0x00007fffda088235 libdyld.dylib`start + 1
    frame #18: 0x00007fffda088235 libdyld.dylib`start + 1
(lldb) f 5
frame #5: 0x000000010032726d libr_cons.dylib`r_cons_printf_list(format="\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n", ap=0x00007fff5fbfd960) at cons.c:815
   812 			palloc (MOAR + strlen (format) * 20);
   813 	club:
   814 			size = I.buffer_sz - I.buffer_len - 1; /* remaining space in I.buffer */
-> 815 			written = vsnprintf (I.buffer + I.buffer_len, size, format, ap3);
   816 			if (written >= size) { /* not all bytes were written */
   817 				palloc (written);

(lldb) p size
(size_t) $0 = 60252
(lldb) p ap3
(va_list) $1 = {
  [0] = (gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x00007fff5fbfd990, reg_save_area = 0x00007fff5fbfd8a0)
}
(lldb) p format
(const char *) $2 = 0x000000010024f454 "\t\"0x%08llx\" -> \"0x%08llx\" [color=\"%s\"];\n"

@radare
Copy link
Collaborator

radare commented Aug 22, 2017 via email

@radare
Copy link
Collaborator

radare commented Aug 22, 2017 via email

@Stormys
Copy link
Author

Stormys commented Aug 22, 2017

Mine was on Linux.

@Stormys Stormys mentioned this issue Aug 22, 2017
Closed
@radare radare closed this as completed in ec5aefe Aug 22, 2017
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@radare @Stormys @lowlyw