Bug 14195

Summary: strncasecmp causes segmentation fault when comparing empty strings
Product: glibc
Reporter: Kari Jyrkinen <kari.jyrkinen>
Component: libc
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: aj, drepper.fsp, hjl.tools, liubov.dmitrieva, ppluzhnikov
Priority: P2
Version: 2.15
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description Kari Jyrkinen 2012-06-04 09:49:49 UTC
Minimal example:

#include <strings.h>   /* POSIX declares strncasecmp() here */

int main(int argc, const char *argv[]) {
  (void)argc;
  (void)argv;
  const char *p = "";
  /* Compare two empty strings with n = 1; the result should simply be 0. */
  return strncasecmp(p, "", 1);
}

It seems the return value is corrupted, as the compiled program crashes only when it is referenced. It crashes only on 32-bit and certain processors, which might be when SSE3 and SSE4 are in use, as this problem appeared in the newest glibc and there seem to be changes for it done:

* Optimized strcasecmp and strncasecmp for SSSE3 and SSE4.2 on x86-32.
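The report boils down to a vectorised strncasecmp implementation misbehaving on a degenerate input (both strings empty, n > 0). A defender's regression check for this class of bug is to sweep the edge cases (empty strings, n = 0, n larger than either string, differing lengths, mixed case) and buffer alignments that SIMD code paths are sensitive to, and compare the sign of the libc result against a plain byte-wise reference. The following is an added example written for this page; it is not code from the bug report or from glibc's own test suite, and the function names (ref_strncasecmp, strncasecmp_edge_case_mismatches, empty_string_alignment_sweep) are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Portable reference implementation of the POSIX strncasecmp contract:
   compare at most n bytes case-insensitively, stop at the first NUL,
   and return <0, 0 or >0. Only the sign is compared against libc. */
static int ref_strncasecmp(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = (unsigned char)tolower((unsigned char)a[i]);
        unsigned char cb = (unsigned char)tolower((unsigned char)b[i]);
        if (ca != cb)
            return ca < cb ? -1 : 1;
        if (ca == '\0')
            return 0;       /* both strings ended together */
    }
    return 0;
}

static int sign(int v) { return (v > 0) - (v < 0); }

struct tc { const char *a; const char *b; size_t n; };

/* Constructed edge cases, including the reporter's (empty, empty, 1).
   Returns the number of cases where libc and the reference disagree. */
int strncasecmp_edge_case_mismatches(void)
{
    static const struct tc cases[] = {
        { "",    "",    0 },  { "",    "",    1 },  { "", "", 16 },
        { "",    "",    1024 },
        { "",    "a",   1 },  { "a",   "",    1 },  { "", "a", 0 },
        { "abc", "ABC", 3 },  { "abc", "ABD", 2 },  { "abc", "ABD", 3 },
        { "abc", "ab",  5 },  { "AbC", "aBc", 100 },
    };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int got  = sign(strncasecmp(cases[i].a, cases[i].b, cases[i].n));
        int want = sign(ref_strncasecmp(cases[i].a, cases[i].b, cases[i].n));
        if (got != want)
            mismatches++;
    }
    return mismatches;
}

/* Vectorised implementations often branch on pointer alignment, so place
   empty strings at every offset within a zeroed buffer and compare each
   pair with n > 0. Every result must be 0; returns how many were not. */
int empty_string_alignment_sweep(void)
{
    static char buf[64];            /* zero-initialised: every byte is a NUL */
    int nonzero = 0;
    for (size_t off = 0; off < 48; off++) {
        const char *a = buf + off;
        const char *b = buf + (47 - off);
        if (strncasecmp(a, b, 16) != 0)
            nonzero++;
    }
    return nonzero;
}

int main(void)
{
    printf("edge-case mismatches: %d\n", strncasecmp_edge_case_mismatches());
    printf("alignment-sweep failures: %d\n", empty_string_alignment_sweep());
    return 0;
}
```

On a fixed glibc both counters are 0. Building the same file as a 32-bit binary (-m32) and running it on an SSSE3-only machine is how the original report's configuration would be exercised; a crash or a nonzero counter would indicate the affected code path.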
Comment 1 Paul Pluzhnikov 2012-06-05 15:18:50 UTC
> Crashes only on 32 bit and certain processors

Please tell *which* processor(s) it crashes on.

A crash stack trace from GDB and "info registers" would be nice as well.
Comment 2 Kari Jyrkinen 2012-06-07 11:07:53 UTC
$ cat /proc/cpuinfo 
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           W3530  @ 2.80GHz
stepping	: 5
cpu MHz		: 2792.974
cache size	: 6144 KB
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 5
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 constant_tsc up pni monitor ssse3
bogomips	: 5585.94
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

$ cat /proc/cpuinfo 
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 26
model name	: Intel(R) Xeon(R) CPU           W3530  @ 2.80GHz
stepping	: 5
cpu MHz		: 2800.294
cache size	: 8192 KB
physical id	: 0
siblings	: 4
core id		: 0
cpu cores	: 4
apicid		: 0
initial apicid	: 0
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 popcnt lahf_lm ida dts tpr_shadow vnmi flexpriority ept vpid
bogomips	: 5600.58
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

# cat /proc/cpuinfo 
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 23
model name      : Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz
stepping        : 10
microcode       : 0xa07
cpu MHz         : 2000.000
cache size      : 6144 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm dts tpr_shadow vnmi flexpriority
bogomips        : 5984.88
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:

With dynamic debug libraries I seem to get every program to crash for now, so here's a static stack trace:

Program received signal SIGSEGV, Segmentation fault.
0x08055d98 in __strncasecmp_l_ssse3 ()
(gdb) bt
#0  0x08055d98 in __strncasecmp_l_ssse3 ()
#1  0xbffff1d8 in ?? ()
(gdb) info registers
eax            0x0	0
ecx            0x0	0
edx            0x80c3c28	135019560
ebx            0x0	0
esp            0xbffff1a8	0xbffff1a8
ebp            0x0	0x0
esi            0x0	0
edi            0x8049650	134518352
eip            0x8055d98	0x8055d98 <__strncasecmp_l_ssse3+10312>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
Comment 3 Liubov Dmitrieva 2012-08-09 15:19:59 UTC
This issue is reproduced for core2 or atom machine (with SSSE3 support and without SSE42).

Some bug exists in __strncasecmp_l_ssse3 but not in __strncasecmp_l_sse42.
I will try to fix.
Comment 4 Liubov Dmitrieva 2012-08-09 15:21:09 UTC
This issue is reproduced for core2 or atom machine (and any with SSSE3 support and without SSE42).

Some bug exists in __strncasecmp_l_ssse3 but not in __strncasecmp_l_sse42.
I will try to fix.
Comment 5 Andreas Jaeger 2012-08-15 19:10:39 UTC
Thanks, fixed for glibc now.