[ltt-dev] Segfault in state.c

Nigel Hathaway Nigel.Hathaway at ubiquisys.com
Thu Oct 8 10:42:27 EDT 2009


In lttv/lttv/state.c, expand_trap_table() segfaults if the incoming
ts->nb_traps == 0 (with ts->trap_states == NULL, which actually causes
the segfault).

The version I have looks like this:

static void expand_trap_table(LttvTraceState *ts, int id)
{
  guint new_nb = check_expand(ts->nb_traps, id);
  guint i;
  if(likely(new_nb == ts->nb_traps))
    return;
  expand_name_table(ts, &ts->trap_names, ts->nb_traps, new_nb);
  fill_name_table(ts, ts->trap_names, ts->nb_traps, new_nb, "trap");
  /* Update the table size */
  ts->nb_traps = new_nb;

  LttvTrapState *old_table = ts->trap_states;
  ts->trap_states = g_new(LttvTrapState, new_nb);
  memcpy(ts->trap_states, old_table,
    ts->nb_traps * sizeof(LttvTrapState));
  for(i = ts->nb_traps; i < new_nb; i++)
    ts->trap_states[i].running = 0;
}

Also, the 'for' statement has no effect as it currently stands.

It would make more sense if the table size were updated at the end.
Doing this also fixes the segfault problem.

What happens to old_table if it is non-NULL? Isn't this a memory leak?

Here is the patch:

--- lttv-0.12.11-18022009.orig/lttv/lttv/state.c        2009-02-16 01:41:18.000000000 +0000
+++ lttv-0.12.11-18022009/lttv/lttv/state.c     2009-10-08 15:40:32.000000000 +0100
@@ -363,8 +363,6 @@
     return;
   expand_name_table(ts, &ts->trap_names, ts->nb_traps, new_nb);
   fill_name_table(ts, ts->trap_names, ts->nb_traps, new_nb, "trap");
-  /* Update the table size */
-  ts->nb_traps = new_nb;

   LttvTrapState *old_table = ts->trap_states;
   ts->trap_states = g_new(LttvTrapState, new_nb);
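Review bot: the old table saved in `LttvTrapState *old_table = ts->trap_states;` is still never released after the entries are copied out of it, which is the leak the mail asks about; add `g_free(old_table);` once the memcpy has run, or replace the g_new/memcpy pair with `ts->trap_states = g_renew(LttvTrapState, ts->trap_states, new_nb);`, which keeps the first nb_traps entries in place and, because g_realloc of a NULL pointer behaves like g_malloc, also handles the first call on an empty table.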
@@ -372,6 +370,9 @@
     ts->nb_traps * sizeof(LttvTrapState));
   for(i = ts->nb_traps; i < new_nb; i++)
     ts->trap_states[i].running = 0;
+
+  /* Update the table size */
+  ts->nb_traps = new_nb;
 }

 static void expand_irq_table(LttvTraceState *ts, int id)
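Review bot: memcpy is still reached on the first expansion with ts->trap_states == NULL and ts->nb_traps == 0, and a zero-length copy from a NULL source is undefined behaviour in C even though glibc tolerates it, so guard the copy with `if (ts->nb_traps > 0)` or switch to g_renew. Moving `ts->nb_traps = new_nb;` to the end does make the memcpy copy the old count and gives the loop the range it was meant to have, but the loop clears only `.running`; if LttvTrapState carries other fields they remain uninitialised unless the table is allocated with g_new0 instead of g_new.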


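The two orderings discussed in the mail, as an added example that is not part of the original message or of the lttv sources: a self-contained C reconstruction in which libc malloc/free stand in for g_new/g_free, TraceState and TrapState are hypothetical stand-ins for LttvTraceState and LttvTrapState with only the one field the function touches, and check_expand() is an assumed power-of-two growth policy because the real one is not shown. expand_trap_table_broken keeps the original ordering (it is kept for comparison and is never called); expand_trap_table_fixed applies the patch's ordering and additionally guards the NULL/zero-length memcpy on the first call and frees the old table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for lttv's LttvTrapState / LttvTraceState with only the
 * fields this example needs (hypothetical, not the project's layout). */
typedef struct {
    int running;
} TrapState;

typedef struct {
    unsigned int nb_traps;   /* current table size; 0 for a fresh trace */
    TrapState *trap_states;  /* NULL while nb_traps == 0 */
} TraceState;

/* Assumed growth policy standing in for lttv's check_expand(), which is
 * not shown in the mail: smallest power of two that holds index id. */
unsigned int check_expand(unsigned int cur, int id)
{
    if (id < 0)
        return cur;
    unsigned int need = (unsigned int)id + 1;
    if (need <= cur)
        return cur;
    unsigned int new_nb = cur ? cur : 1;
    while (new_nb < need)
        new_nb *= 2;
    return new_nb;
}

/* The ordering from the original expand_trap_table(): nb_traps is bumped
 * before the copy, so memcpy reads new_nb entries from a table that only
 * holds the old count (NULL on the first call), the init loop is empty,
 * and old_table is never freed. Kept for comparison; do not call it. */
void expand_trap_table_broken(TraceState *ts, int id)
{
    unsigned int new_nb = check_expand(ts->nb_traps, id);
    unsigned int i;
    if (new_nb == ts->nb_traps)
        return;
    ts->nb_traps = new_nb;                      /* too early */
    TrapState *old_table = ts->trap_states;
    ts->trap_states = malloc(new_nb * sizeof *ts->trap_states);
    memcpy(ts->trap_states, old_table,          /* over-read or NULL deref */
           ts->nb_traps * sizeof *old_table);
    for (i = ts->nb_traps; i < new_nb; i++)     /* never executes */
        ts->trap_states[i].running = 0;
}

/* Patched ordering: copy the old count, zero the new tail, release the old
 * table, and publish the new size last. Returns 0 on success and -1 if the
 * allocation fails, leaving the table untouched. */
int expand_trap_table_fixed(TraceState *ts, int id)
{
    unsigned int old_nb = ts->nb_traps;
    unsigned int new_nb = check_expand(old_nb, id);
    unsigned int i;
    if (new_nb == old_nb)
        return 0;
    TrapState *new_table = malloc(new_nb * sizeof *new_table);
    if (new_table == NULL)
        return -1;
    /* memcpy(dst, NULL, 0) is undefined behaviour in C, so skip the copy
     * on the very first expansion instead of relying on the libc. */
    if (old_nb > 0)
        memcpy(new_table, ts->trap_states, old_nb * sizeof *new_table);
    for (i = old_nb; i < new_nb; i++)           /* covers the new tail now */
        new_table[i].running = 0;
    free(ts->trap_states);                      /* the leak the mail asks about */
    ts->trap_states = new_table;
    ts->nb_traps = new_nb;                      /* size updated last */
    return 0;
}

/* Grow an empty table twice and check that an entry set after the first
 * growth survives the second and that new entries start out not running.
 * Returns 1 if all checks pass, 0 otherwise. */
int demo_grow_twice(void)
{
    TraceState ts = { 0, NULL };
    int ok = 1;
    if (expand_trap_table_fixed(&ts, 5) != 0 || ts.nb_traps != 8)
        ok = 0;
    if (ok) {
        ts.trap_states[5].running = 1;
        if (expand_trap_table_fixed(&ts, 20) != 0 || ts.nb_traps != 32)
            ok = 0;
    }
    if (ok && (ts.trap_states[5].running != 1 || ts.trap_states[20].running != 0))
        ok = 0;
    free(ts.trap_states);
    return ok;
}

int main(void)
{
    printf("grow twice: %s\n", demo_grow_twice() ? "ok" : "FAILED");
    return 0;
}
```

The first call is the case from the mail: nb_traps == 0 and a NULL table, which the fixed version handles by skipping the copy rather than by depending on glibc's tolerance of a zero-length memcpy from NULL.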