[R] Segmentation fault/buffer overflow with fix() in Fedora Core 5 from Extras repository

Prof Brian Ripley ripley at stats.ox.ac.uk
Thu Oct 19 09:08:49 CEST 2006


Is this in a UTF-8 locale?  If so, this is covered by Ei-ji Nakama's 
posting to both R-help and R-devel yesterday: see

https://stat.ethz.ch/pipermail/r-devel/2006-October/039792.html

You have three choices:

1) Use a single-byte locale.
2) Compile with the standard CFLAGS and not the extra flags used by FC.
3) Use R-patched, which has this fixed.

As my dept still sets Linux boxes up in en_GB and not en_GB.utf8, I am 
using workaround 1 and so took a while to work out what the problem might 
be.

What is happening is that FC sets CFLAGS to something other than the R 
default.  This enables extra checks on buffer overflow and stack-smashing, 
but unfortunately removes the flag -std=gnu99 that is needed to allow C99 
features to be used.  Those extra checks are triggered by a few places in 
the MBCS code that Mr Nakama contributed, and some of those were patched 
prior to the release of 2.4.0.  AFAIK the problems are not new but the 
detection has got more efficient.

It is very helpful to include a concise description of your environment. 
You only mentioned the OS in the subject line, never the architecture, 
exact version of R (let alone the exact RPM) nor the locale. 
sessionInfo() provides such information in a compact form.


On Thu, 19 Oct 2006, Paul Johnson wrote:

> The Fedora Extras update of R found its way onto my systems today and
> I noted that fix() and edit() no longer work. There is a program crash
> that closes up R, but it does not leave a core file.   I've tested by
> turning off SELinux, it had no effect.
>
> Do you see it too?  What do you think?  It happens on both systems
> I've tested. As far as I know, both of these systems are up-to-date.
>
> I restarted with "R -d gdb" to try to get a backtrace, but gdb says
> the debugging symbols have been removed and I don't see the
> "debuginfo" package on the Extras archive.  I'm attaching the gdb info
> later, but I don't think it helps much without line numbers.
>
> I think my next step will be to re-build R on these systems and see if
> the problem disappears. Right? If it still crashes, I'll make sure I
> have debugging symbols and give you a full backtrace.  If it does not
> crash, I'll let you know as well.
>
>
> Here's the session that crashes
>
>
>> library(car)
>> data(Chile)
>> edit(Chile)
> *** buffer overflow detected ***: /usr/lib/R/bin/exec/R terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__chk_fail+0x29)[0xa8079d]
> /lib/libc.so.6[0xa8195d]
> /usr/lib/R/modules//R_X11.so[0x7c094a]
> /usr/lib/R/modules//R_X11.so[0x7c20dd]
> /usr/lib/R/modules//R_X11.so[0x7c3428]
> /usr/lib/R/modules//R_X11.so(RX11_dataentry+0xa25)[0x7c4b15]
> /usr/lib/R/lib/libR.so[0x2bf4c5]
> /usr/lib/R/lib/libR.so[0x1dfd26]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so[0x1b4d28]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so[0x1b1887]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so(Rf_applyClosure+0x2a7)[0x1b2f67]
> /usr/lib/R/lib/libR.so[0x1e146f]
> /usr/lib/R/lib/libR.so(Rf_usemethod+0x609)[0x1e28d9]
> /usr/lib/R/lib/libR.so[0x1e30ae]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so(Rf_applyClosure+0x2a7)[0x1b2f67]
> /usr/lib/R/lib/libR.so(Rf_eval+0x2f4)[0x1b07e4]
> /usr/lib/R/lib/libR.so(Rf_ReplIteration+0x311)[0x1d01b1]
> /usr/lib/R/lib/libR.so[0x1d03c1]
> /usr/lib/R/lib/libR.so(run_Rmainloop+0x60)[0x1d0710]
> /usr/lib/R/lib/libR.so(Rf_mainloop+0x1c)[0x1d073c]
> /usr/lib/R/bin/exec/R(main+0x46)[0x8048696]
> /lib/libc.so.6(__libc_start_main+0xc6)[0x9c41fe]
> /usr/lib/R/bin/exec/R[0x8048591]
> Aborted
> [pauljohn at pols125 tmp]$
>
>
> Here is the gdb
>
> (no debugging symbols found)
> *** buffer overflow detected ***: /usr/lib/R/bin/exec/R terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__chk_fail+0x29)[0x4a279d]
> /lib/libc.so.6[0x4a395d]
> /usr/lib/R/modules//R_X11.so[0xd5d94a]
> /usr/lib/R/modules//R_X11.so[0xd5f0dd]
> /usr/lib/R/modules//R_X11.so[0xd60428]
> /usr/lib/R/modules//R_X11.so(RX11_dataentry+0xa25)[0xd61b15]
> /usr/lib/R/lib/libR.so[0x2bf4c5]
> /usr/lib/R/lib/libR.so[0x1dfd26]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so[0x1b4d28]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so[0x1b1887]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so(Rf_applyClosure+0x2a7)[0x1b2f67]
> /usr/lib/R/lib/libR.so[0x1e146f]
> /usr/lib/R/lib/libR.so(Rf_usemethod+0x609)[0x1e28d9]
> /usr/lib/R/lib/libR.so[0x1e30ae]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so(Rf_applyClosure+0x2a7)[0x1b2f67]
> /usr/lib/R/lib/libR.so(Rf_eval+0x2f4)[0x1b07e4]
> /usr/lib/R/lib/libR.so[0x1b4d28]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so[0x1b4372]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so[0x1b1887]
> /usr/lib/R/lib/libR.so(Rf_eval+0x483)[0x1b0973]
> /usr/lib/R/lib/libR.so(Rf_applyClosure+0x2a7)[0x1b2f67]
> /usr/lib/R/lib/libR.so(Rf_eval+0x2f4)[0x1b07e4]
> /usr/lib/R/lib/libR.so(Rf_ReplIteration+0x311)[0x1d01b1]
> /usr/lib/R/lib/libR.so[0x1d03c1]
> /usr/lib/R/lib/libR.so(run_Rmainloop+0x60)[0x1d0710]
> /usr/lib/R/lib/libR.so(Rf_mainloop+0x1c)[0x1d073c]
> /usr/lib/R/bin/exec/R(main+0x46)[0x8048696]
> /lib/libc.so.6(__libc_start_main+0xc6)[0x3e61fe]
> /usr/lib/R/bin/exec/R[0x8048591]
> Program received signal SIGABRT, Aborted.
> 0x003f7cd0 in raise () from /lib/libc.so.6
> (gdb) bt
> #0  0x003f7cd0 in raise () from /lib/libc.so.6
> #1  0x003f9127 in abort () from /lib/libc.so.6
> #2  0x004296f0 in __libc_message () from /lib/libc.so.6
> #3  0x004a279d in __chk_fail () from /lib/libc.so.6
> #4  0x004a395d in __wcsrtombs_chk () from /lib/libc.so.6
> #5  0x00d5d94a in ?? () from /usr/lib/R/modules//R_X11.so
> #6  0x00d5f0dd in ?? () from /usr/lib/R/modules//R_X11.so
> #7  0x00d60428 in ?? () from /usr/lib/R/modules//R_X11.so
> #8  0x00d61b15 in RX11_dataentry () from /usr/lib/R/modules//R_X11.so
> #9  0x002bf4c5 in R_GetX11Image () from /usr/lib/R/lib/libR.so
> #10 0x001dfd26 in R_RunExitFinalizers () from /usr/lib/R/lib/libR.so
> #11 0x001b0973 in Rf_eval () from /usr/lib/R/lib/libR.so
> #12 0x001b4d28 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
> #13 0x001b0973 in Rf_eval () from /usr/lib/R/lib/libR.so
> #14 0x001b1887 in Rf_eval () from /usr/lib/R/lib/libR.so
> #15 0x001b0973 in Rf_eval () from /usr/lib/R/lib/libR.so
> #16 0x001b2f67 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
> #17 0x001e146f in R_do_MAKE_CLASS () from /usr/lib/R/lib/libR.so
> #18 0x001e28d9 in Rf_usemethod () from /usr/lib/R/lib/libR.so
> #19 0x001e30ae in Rf_usemethod () from /usr/lib/R/lib/libR.so
> #20 0x001b0973 in Rf_eval () from /usr/lib/R/lib/libR.so
> #21 0x001b2f67 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
> #22 0x001b07e4 in Rf_eval () from /usr/lib/R/lib/libR.so
> #23 0x001b4d28 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
> #24 0x001b0973 in Rf_eval () from /usr/lib/R/lib/libR.so
> #25 0x001b4372 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
> #26 0x001b0973 in Rf_eval () from /usr/lib/R/lib/libR.so
> #27 0x001b1887 in Rf_eval () from /usr/lib/R/lib/libR.so
> #28 0x001b0973 in Rf_eval () from /usr/lib/R/lib/libR.so
> #29 0x001b2f67 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
> #30 0x001b07e4 in Rf_eval () from /usr/lib/R/lib/libR.so
> #31 0x001d01b1 in Rf_ReplIteration () from /usr/lib/R/lib/libR.so
> #32 0x001d03c1 in Rf_ReplIteration () from /usr/lib/R/lib/libR.so
> #33 0x001d0710 in run_Rmainloop () from /usr/lib/R/lib/libR.so
> #34 0x001d073c in Rf_mainloop () from /usr/lib/R/lib/libR.so
> #35 0x08048696 in main ()
>
>
>

-- 
Brian D. Ripley,                  ripley at stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595
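
The kind of length mismatch that the check in `__wcsrtombs_chk` (frame #4 of the gdb backtrace quoted above) catches, next to a bounded form, as an added example that is not R's source and not code posted in this thread. The function names, the 8-byte buffer and the use of `-D_FORTIFY_SOURCE=2` as the hardening flag are assumptions made for illustration.

```c
/* Added example, not R source. Build twice to compare:
 *   gcc -std=gnu99 -O2 demo.c
 *   gcc -std=gnu99 -O2 -D_FORTIFY_SOURCE=2 demo.c   (assumed hardening flag)
 */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define CELL 8  /* constructed destination size, in bytes */

/* Mismatched call: `len` is not tied to sizeof buf. With a short string the
 * write stays in bounds, but a fortified build aborts whenever len > CELL. */
size_t convert_mismatched(const wchar_t *src, size_t len)
{
    char buf[CELL];
    mbstate_t st;
    memset(&st, 0, sizeof st);
    return wcsrtombs(buf, &src, len, &st);
}

/* Corrected call: measure first, then bound the write by the real buffer. */
size_t convert_checked(const wchar_t *src)
{
    char buf[CELL];
    mbstate_t st;
    const wchar_t *p = src;
    size_t need;

    memset(&st, 0, sizeof st);
    need = wcsrtombs(NULL, &p, 0, &st);   /* NULL dst: count bytes only */
    if (need == (size_t)-1 || need >= sizeof buf)
        return (size_t)-1;                /* unconvertible, or no room for NUL */
    memset(&st, 0, sizeof st);
    p = src;
    return wcsrtombs(buf, &p, sizeof buf, &st);
}

int main(int argc, char **argv)
{
    setlocale(LC_ALL, "");                /* use the session locale, e.g. UTF-8 */
    printf("checked:    %zu\n", convert_checked(L"ab"));
    if (argc > 1)                         /* e.g. ./a.out 64 */
        printf("mismatched: %zu\n",
               convert_mismatched(L"ab", strtoul(argv[1], NULL, 10)));
    return 0;
}
```

Built with the hardening flag, `./a.out 64` stops with `*** buffer overflow detected ***` although only three bytes would be written, because the check compares the length argument with the known size of the destination; without the flag the same run prints 2.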


