Crash in wayland-scanner-0.99.0

Jan Engelhardt jengelh at inai.de
Sat Oct 20 06:00:10 PDT 2012


Seen on wayland-0.99.0 in an openSUSE 12.1 environment, a crash can
happen during building:

$ make
  GEN    wayland-client-protocol.h
/bin/sh: line 1: 20393 Segmentation fault      (core dumped) ../src/wayland-scanner client-header < ../protocol/wayland.xml > wayland-client-protocol.h
make: *** [wayland-client-protocol.h] Error 139

$ valgrind ./wayland-scanner client-header <../protocol/wayland.xml >FOO
==20493== Memcheck, a memory error detector
==20493== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20493== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==20493== Command: ./wayland-scanner client-header
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x4022E4: start_element (scanner.c:442)
==20493==    by 0x4E3AAF5: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E3BBC0: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E38A9B: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E3A42A: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E3D9D1: XML_ParseBuffer (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x404164: main (scanner.c:1155)
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x402303: start_element (scanner.c:444)
==20493==    by 0x4E3AAF5: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E3BBC0: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E38A9B: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E3A42A: ??? (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x4E3D9D1: XML_ParseBuffer (in /lib64/libexpat.so.1.5.2)
==20493==    by 0x404164: main (scanner.c:1155)
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x403497: emit_structs (scanner.c:824)
==20493==    by 0x4038C8: emit_header (scanner.c:924)
==20493==    by 0x4041C7: main (scanner.c:1162)
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x402911: emit_stubs (scanner.c:595)
==20493==    by 0x4038F6: emit_header (scanner.c:926)
==20493==    by 0x4041C7: main (scanner.c:1162)
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x4029B3: emit_stubs (scanner.c:608)
==20493==    by 0x4038F6: emit_header (scanner.c:926)
==20493==    by 0x4041C7: main (scanner.c:1162)
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x402A7D: emit_stubs (scanner.c:626)
==20493==    by 0x4038F6: emit_header (scanner.c:926)
==20493==    by 0x4041C7: main (scanner.c:1162)
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x402B1D: emit_stubs (scanner.c:644)
==20493==    by 0x4038F6: emit_header (scanner.c:926)
==20493==    by 0x4041C7: main (scanner.c:1162)
==20493==
==20493== Conditional jump or move depends on uninitialised value(s)
==20493==    at 0x402BC7: emit_stubs (scanner.c:656)
==20493==    by 0x4038F6: emit_header (scanner.c:926)
==20493==    by 0x4041C7: main (scanner.c:1162)
==20493==
==20493==
==20493== HEAP SUMMARY:
==20493==     in use at exit: 53,176 bytes in 1,207 blocks
==20493==   total heap usage: 1,242 allocs, 35 frees, 70,880 bytes allocated
==20493==
==20493== LEAK SUMMARY:
==20493==    definitely lost: 1,379 bytes in 4 blocks
==20493==    indirectly lost: 51,797 bytes in 1,203 blocks
==20493==      possibly lost: 0 bytes in 0 blocks
==20493==    still reachable: 0 bytes in 0 blocks
==20493==         suppressed: 0 bytes in 0 blocks
==20493== Rerun with --leak-check=full to see details of leaked memory
==20493==
==20493== For counts of detected and suppressed errors, rerun with: -v
==20493== Use --track-origins=yes to see where uninitialised values come from
==20493== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 6 from 6)

$ gdb wayland-scanner
[...]
(gdb) b emit_type
[...]
(gdb) r client-header <../protocol.xml
Starting program: /home/abuild/rpmbuild/BUILD/wayland-0.99.0/src/wayland-scanner client-header <../protocol/wayland.xml
Breakpoint 1, emit_type (a=0x60b880) at scanner.c:511
511             switch (a->type) {
(gdb) p *a
$1 = {name = 0x60b8c0 "object_id", type = OBJECT, nullable = 0,
  interface_name = 0xbabababababababa <Address 0xbabababababababa out of bounds>, link = {prev = 0x60b740, next = 0x60b8f8}, summary = 0x0}
(gdb) up
#1  0x00000000004034e9 in emit_structs (message_list=0x60af98,
    interface=0x60af70) at scanner.c:830
830                                     emit_type(a);


(So as an added bonus, it's the first element in the list.)
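
An added example, not part of the original message and not wayland-scanner's code: it reproduces the state in the gdb dump, where `interface_name` holds a 0xba fill pattern, and shows why a NULL check cannot guard a field that was never assigned. The struct fields follow the dump; the helper names and the explicit `memset` standing in for the heap fill are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field names follow the gdb dump of *a; everything else is constructed. */
enum arg_type { INT, OBJECT };
struct arg {
    const char *name;
    enum arg_type type;
    int nullable;
    const char *interface_name;
    const char *summary;
};

/* zeroed == 0 imitates a heap that hands out 0xba-filled blocks, so the
 * uninitialised case is reproducible; zeroed == 1 behaves like calloc(). */
static struct arg *arg_alloc(int zeroed)
{
    struct arg *a = malloc(sizeof *a);
    if (a != NULL)
        memset(a, zeroed ? 0 : 0xba, sizeof *a);
    return a;
}

/* Hypothetical parser step: only attributes present in the XML are stored. */
static void arg_set(struct arg *a, const char *name, enum arg_type type,
                    const char *iface)
{
    a->name = name;
    a->type = type;
    if (iface != NULL)
        a->interface_name = iface;
}

/* Consumer in the role of emit_type(): 1 if it would use interface_name. */
static int would_deref_interface(const struct arg *a)
{
    return a->type == OBJECT && a->interface_name != NULL;
}

/* Build "object_id" with no interface attribute and ask the consumer. */
static int deref_without_attr(int zeroed)
{
    struct arg *a = arg_alloc(zeroed);
    int r = -1;
    if (a != NULL) {
        arg_set(a, "object_id", OBJECT, NULL);
        r = would_deref_interface(a);
        free(a);
    }
    return r;
}

int main(void)
{
    printf("0xba-filled: %d, zeroed: %d\n",
           deref_without_attr(0), deref_without_attr(1));
    return 0;
}
```

With the filled block the guard passes and the consumer would follow the garbage pointer; with the zeroed block the same guard stops it.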

