Thread: Segmentation Fault Address Out Of Bounds appearing randomly

Hi,

I have been tracking down a segmentation fault for two weeks now and managed to "control" it today. Though I have no answer about why. Here is what I am working on :

I am building a shared library under Ubuntu. In order to build this library, I use several modules obviously dispatched in several .c and .h files.

The main part of the library is a web server implemented using libmicrohttpd that has a callback function used to answer the incoming connection. In this callback, the idea is to send back a value in the form of an XML. To do so, it calls a function that builds the xml based on a char* in the xml module, thus in the xml.c file.

Namely :

Code:

void answer_to_connection()
{
if (received a get)
{
get_xml_value()
     send_xml_value()
}
}

By doing this, I experienced weird behavior from the program, namely everything goes fine until randomly a Segmentation Fault appear, it can appear after the 5th request or the 100th !
I investigated to see Where exactly this segfault appeared and could see that a bad pointer address was returned by get_xml_value() (Address Out Of Bounds). I thought that it was a problem of memory corruption but after performing tests with valgrind and malloc_debug nothing seemed problematic. I then decided to migrate the function inside the file containing answer_to_connection() using the EXACT same tools and functions. The weird thing is that in that configuration the Segmentation Fault doesn't appear anymore. The XML library is miniXML (nothing appeared to be wrong on that)

Do any of you have any idea why and how this could happen ? And why moving the function to another file resolved the problem ? If you need any more information Ill be more than happy to give it !

Thanks in advance

This will be very difficult without much or all of the code. At the very least, we would need to see get_xml_value, and preferably all the functions that are called directly or indirectly by get_xml_value. Until then, these are just guesses:

A common cause of such issues is some sort of array overrun. If get_xml_value calls some other function of yours with a buffer overrun, you would write right up the stack and into the local vars of get_xml_value, and could trash a local var that stores the pointer to be returned. It's experimental, but valgrind has an option to check for array overruns. I've never used it, but it can't hurt to try.

Another possibility is that you store the pointer to return in a local variable that is not initialized, and get_xml_value may find it's way to a return statement in the function that returns that variable without ever setting it. Check all possible execution paths and make sure that you always set any variable before using or returning it.

Also, see if you can identify something about the conditions that cause it to seg fault. Is it one particular type of request? Is it only requests of certain length? If you can isolate the conditions that cause a seg fault, then you can force it to happen and easily track down the . Otherwise, you may just have to hang around for 5 or 100 requests and step through get_xml_value by hand for each one.

A last option is to put copious amounts of fprintf statements everywhere for debugging. Print out every variable and every function return value at every critical step. Make sure you print to stderr since it's unbuffered, otherwise a seg fault may crash the program before stdout is flushed and thus you think your problem is in one place when actually it's elsewhere.

Oh, and make sure you're compiling with warnings turned all the way up and you've resolved all of them. Many of them catch questionable behavior or undefined behavior that can result in problems like yours.