Open Radar

 
Summary: backtrace_symbols_fd() writes a NUL byte "\0" at the end of each line

Steps to Reproduce: See attached reproduction case.

The core issue is that _backtrace_snprintf() from the Libc project incorrectly adds 1 to its return value. This includes the trailing NUL byte "\0", which backtrace_symbols_fd() writes to the file. (backtrace_symbols() is unaffected, since it returns NUL-terminated strings).

See source: http://www.opensource.apple.com/source/Libc/Libc-763.12/gen/backtrace.c

Expected Results: backtrace_symbols_fd() does not write a "\0" at the end of each line

Actual Results:backtrace_symbols_fd() writes a "\0" at the end of each line

Regression: 100% reproducible on iOS 5.1 and Mac OS X 10.7

% cat ./backtrace_repro.c 
#include <execinfo.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

int main(int argc, char** argv) {
  void* frames[32];
  int num_frames = backtrace(frames, sizeof frames);

  int fd = open("/tmp/backtrace", O_RDWR | O_CREAT | O_TRUNC, 0644);
  if (fd == -1) {
    perror("Couldn't open /tmp/backtrace");
    return 1;
  }

  backtrace_symbols_fd(frames, num_frames, fd);

  char buf[4096];
  ssize_t offset = 0;
  ssize_t num_bytes = pread(fd, buf, sizeof buf, offset);
  while (num_bytes > 0) {
    char* nul_location = (char*)memchr(buf, '\0', num_bytes);
    if (nul_location) {
      printf("*** FOUND NUL BYTE (offset %zd) ***\n", offset + (nul_location - buf));
    }
    offset += num_bytes;
    num_bytes = pread(fd, buf, sizeof buf, offset);
  }

  close(fd);
}

% gcc -o backtrace_repro backtrace_repro.c 

% ./backtrace_repro
*** FOUND NUL BYTE (offset 68) ***