Very Computer

        #include <stdio.h>
        #include <string.h>
        #define MYSIZE  38912
        char buf[MYSIZE + 1];
        int main() {
                memset(buf, 'a', MYSIZE);
                printf("%s\n", buf);
                return 0;
        }

The amusing thing about this bug is that my Sun engineer says he can't
reproduce it.  I've reproduced it on a half-dozen Suns of various types
in various stages of OS patching, using either GCC or Sunpro cc, with
an empty environment and with a full one, under xterm, `script', Emacs,
you name it.

Any clues as to why Sun can't reproduce it?

Hmmmmm

Quote:Eggert) writes:

>    #include <stdio.h>
>    #include <string.h>
>    #define MYSIZE  38912
>    char buf[MYSIZE + 1];
>    int main() {
>            memset(buf, 'a', MYSIZE);
>            printf("%s\n", buf);
>            return 0;
>    }

Stdio dumps core in memchr which is called with the arguments:

        char * <invalid>, '\n', 38913)

this is the second call to memchr, the first is to:

        char * <valid> , '\n', 0

Where <valid> = <invalid> + 38912.

Both pointers point in the data segment of libc.so.

The bug is in doprnt.  If a file is line buffered, count bytes before the
buffer end are investigated for a '\n'.  Instead, the number of bytes
that needs to be investigated is the min(count,bufptr-iop->_ptr).

(Line 331 of libc/port/print/doprnt.c)

This way he can certainly reproduce it:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fcntl.h>
#include <sys/mman.h>

int main()
{
    int fd = open("/dev/zero", O_RDWR);
    int size = sysconf(_SC_PAGESIZE);
    char *buf = mmap(0, 2 * size, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);

   /* read-protect page before buffer */
    mprotect(buf, size, PROT_NONE);

    setvbuf(stdout, buf+size, _IOLBF, 10);

    printf("%s\n", "aaaaaaaaaaaaaaaaa");

Quote:}

I just wanted to report that a kindly engineer at SunSoft,
who wishes to remain anonymous, saw the Usenet article,
found the bug in stdio, sent me a patch, and said the
bug will be fixed in 2.5.  Thanks!

Quote:>    #include <stdio.h>
>    #include <string.h>
>    #define MYSIZE  38912
>    char buf[MYSIZE + 1];
>    int main() {
>            memset(buf, 'a', MYSIZE);
>            printf("%s\n", buf);
>            return 0;
>    }

Something here (2.3 in a SS10), but I noted that if I redirect
stdout to a file it works ok, I did a truss and it looks that it's
write() who's failing
--
regards,

<<< Gun control is being able to hit your target! >>>