[Xapian-tickets] [Xapian] #803: Snippet generator crashes on empty query
Xapian
nobody at xapian.org
Thu Apr 2 11:27:47 BST 2020
#803: Snippet generator crashes on empty query
------------------------------------+------------------------
Reporter: Robert Stepanek | Owner: Olly Betts
Type: defect | Status: new
Priority: normal | Milestone:
Component: Other | Version:
Severity: normal | Keywords:
Blocked By: | Blocking:
Operating System: All |
------------------------------------+------------------------
Latest master crashes on my machine for the following test case:
{{{
DEFINE_TESTCASE(snippet_crasher, backend) {
    Xapian::Enquire enquire(get_database("apitest_simpledata"));
    enquire.set_query(Xapian::Query());
    Xapian::MSet mset = enquire.get_mset(0, 0);
    TEST_STRINGS_EQUAL(mset.snippet("foo", 3), "foo");
}
}}}
I tried to debug this but did not come to a conclusion about what triggers
this crash. The gdb trace of the crasher is
{{{
(gdb) run -b inmemory -v snippet_crasher
Starting program: /home/rost/work/cyruslibs/xapian/xapian-
core/tests/apitest -b inmemory -v snippet_crasher
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Running tests with backend "inmemory"...
Running test: snippet_crasher...
Program received signal SIGSEGV, Segmentation fault.
Xapian::Query::get_num_subqueries (this=this at entry=0x18) at
api/query.cc:285
285 return internal.get() ? internal->get_num_subqueries() : 0;
(gdb) bt
#0 Xapian::Query::get_num_subqueries (this=this at entry=0x18) at
api/query.cc:285
#1 0x00007ffff7f364ca in Xapian::check_query (query=...,
exact_phrases=empty std::__cxx11::list, loose_terms=std::unordered_map
with 0 elements, wildcards=empty std::__cxx11::list, fuzzies=empty
std::__cxx11::list,
longest_phrase=@0x7fffffffb6c0: 0) at
queryparser/termgenerator_internal.cc:723
#2 0x00007ffff7f377ec in Xapian::MSet::Internal::snippet
(this=0x5555558bf630, text="foo", length=<optimized out>, length at entry=3,
stemmer=..., flags=<optimized out>, flags at entry=3, hi_start="<b>",
hi_end="</b>", omit="...")
at queryparser/termgenerator_internal.cc:837
#3 0x00007ffff7de1b8c in Xapian::MSet::snippet
(this=this at entry=0x7fffffffbc68, text="foo", length=length at entry=3,
stemmer=..., flags=flags at entry=3, hi_start="<b>", hi_end="</b>",
omit="...") at api/mset.cc:193
#4 0x0000555555756167 in test_snippet_crasher () at
/usr/include/c++/8/bits/basic_string.h:252
#5 0x00005555557e4007 in test_driver::runtest (this=0x7fffffffd230,
test=0x55555589f4f0 <ApiTestRunner::run() const::tests+2896>) at
harness/testsuite.cc:344
#6 0x00005555557e5cc5 in test_driver::do_run_tests (this=0x7fffffffd230,
b=..., e=...) at harness/testsuite.cc:699
#7 0x00005555557e6347 in test_driver::run_tests (e=..., b=...,
this=0x7fffffffd230) at harness/testsuite.cc:661
#8 test_driver::run (tests=tests at entry=0x55555589e9a0
<ApiTestRunner::run() const::tests>) at harness/testsuite.cc:927
#9 0x00005555555e4ea3 in ApiTestRunner::run (this=0x7fffffffd6c0) at
api_collated.h:372
#10 0x00005555557e221c in TestRunner::do_tests_for_backend_
(this=0x7fffffffd6c0, manager=0x7fffffffd5f0) at harness/testrunner.cc:123
#11 0x00005555557e25dd in TestRunner::do_tests_for_backend (manager=...,
this=0x7fffffffd6c0) at harness/testrunner.h:64
#12 TestRunner::run_tests (this=this at entry=0x7fffffffd6c0, argc=<optimized
out>, argv=<optimized out>) at harness/testrunner.cc:152
#13 0x00005555555e2ef1 in main (argc=<optimized out>, argv=<optimized
out>) at apitest.cc:172
}}}
More specifically, when `Query::get_num_subqueries` is run, the
`Query::internal` member points to the bogus address `0x18`. Most likely
that address will differ in other builds or environments. Valgrind also
reports an invalid read of size 8 at this 0x18 address.
I could not determine where this data corruption occurs. The `internal`
member is initialized to `0` in the constructor.
--
Ticket URL: <https://trac.xapian.org/ticket/803>
Xapian <https://xapian.org/>
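A note on reading the trace above: the check at `api/query.cc:285` guards `internal`, but frame #0 shows `this` itself equal to `0x18`, which is the address a member function sees when it is invoked on a member that sits at offset 0x18 inside an object whose own pointer is null. The following added example (not Xapian's code; the `Owner` layout and the `safe_num_subqueries` / `counted_subqueries` helpers are hypothetical stand-ins) reproduces that arithmetic and shows that the guard has to live in the caller, not inside the accessor.

```cpp
#include <cstddef>
#include <cstdint>

// Stand-in for Query::Internal (hypothetical, not xapian-core's layout).
struct QueryInternal { int num_subqueries; };

// Stand-in for Xapian::Query: `internal` is null for Xapian::Query().
struct Query {
    QueryInternal* internal = nullptr;
    // Mirrors api/query.cc:285: this guards `internal`, not `this`.
    // If `this` is bogus, reading `internal` is already an invalid read.
    int get_num_subqueries() const {
        return internal ? internal->num_subqueries : 0;
    }
};

// Hypothetical owner that stores a Query after 24 bytes of other members,
// so the Query lands at offset 0x18, matching the `this=0x18` in frame #0.
struct Owner {
    std::int64_t a = 0, b = 0, c = 0;
    Query query;
};

// Address a Query member function would see as `this` when the Owner
// pointer it is reached through is null (the "small address" signature).
std::uintptr_t this_seen_from_null_owner() {
    return static_cast<std::uintptr_t>(offsetof(Owner, query));
}

// The caller-side check: validate the enclosing object before descending.
int safe_num_subqueries(const Owner* owner) {
    if (owner == nullptr) return -1;          // refuse instead of faulting
    return owner->query.get_num_subqueries(); // accessor's own guard is fine here
}

// Builds a valid Owner whose Query has `n` subqueries and counts them.
int counted_subqueries(int n) {
    QueryInternal qi{n};
    Owner o;
    o.query.internal = &qi;
    return safe_num_subqueries(&o);
}
```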