[Bug ld/31009] regression: assertion fail ../../bfd/merge.c:243

[matz at suse dot de]

https://sourceware.org/bugzilla/show_bug.cgi?id=31009

--- Comment #6 from Michael Matz <matz at suse dot de> ---
(In reply to Jonny Weir from comment #5)
> Ignore that last message, it is misleading, this is a more accurate
> representation of what is happening with the values:

Ah, yes.  I was suspecting already that you were printing the value*2/3.
Anyway:

> bfdtab->count + 1 = 1598 | table->nbuckets = 524288 | table->nbuckets * 2 /
> 3 = 349525
> bfdtab->count + 1 = 1599 | table->nbuckets = 2147483648 | table->nbuckets *
> 2 / 3 = 0

Yeez!  One of the input sections is projected to possibly add 2 billion
strings.
Can you perhaps add some printfs to sec_merge_maybe_resize (the only place
that does increase nbuckets)?  Similar to below, maybe also add printf's for
each early-out (all the 'return false' in there).

And then we need to trace why the overflow isn't detected earlier (I tried to
make it so that it does, obviously I failed, that's what the 'return false' are
for, after all) and isn't gracefully handled.

diff --git a/bfd/merge.c b/bfd/merge.c
index 722e6659486..b36cee49b3a 100644
--- a/bfd/merge.c
+++ b/bfd/merge.c
@@ -175,12 +175,14 @@ sec_merge_maybe_resize (struct sec_merge_hash *table,
unsigned added)
       uint64_t *newl;
       unsigned long alloc;

+      printf ("XXX resize 1: count=%u added=%u newnb=%lu\n", bfdtab->count,
added, newnb);
       while (bfdtab->count + added > newnb * 2 / 3)
        {
          newnb *= 2;
          if (!newnb)
            return false;
        }
+      printf ("XXX resize 2: newnb=%lu\n", newnb);

       alloc = newnb * sizeof (newl[0]);
       if (alloc / sizeof (newl[0]) != newnb)

-- 
You are receiving this mail because:
You are on the CC list for the bug.