[bug-gawk] Variable double free bug.
From: ruyk
Subject: [bug-gawk] Variable double free bug.
Date: Thu, 14 Jan 2016 02:43:06 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
Hello.
I noticed that since this commit 566df675d8a6bb0c632231abe2e7573ce9f9541d
gawk can terminate abnormally on some sorts of scripts.
For example:
---
#!/usr/bin/gawk -f
BEGIN {
for (i = 0; i < 100; i++)
func_exec()
}
function func_exec(opaque)
{
func_a(1, opaque) #set additional argument, not expected by fname
}
function func_a(a, b, loc1, loc2)
{
b = 0 #unref Nnull_string
}
---
When we try to run it, we get:
---
gawk: ./main.awk:10: fatal error: internal error: segfault
Aborted
---
This happens because before the ``b = 0`` line (opcode Op_store_var) *b*
has type Node_array_ref, and inside eval.c:r_get_lhs
we set n->orig_array->var_value to Nnull_string; after *func_a*
execution gawk does a superfluous Nnull_string reference decrement.
This patch fixes the problem (I don't know whether it is good enough):
---
$ git diff --patch eval.c
diff --git a/eval.c b/eval.c
index cf4de1f..948b1e2 100644
--- a/eval.c
+++ b/eval.c
@@ -1155,7 +1155,7 @@ r_get_lhs(NODE *n, bool reference)
if (n->orig_array->type == Node_var_array)
fatal(_("attempt to use array `%s' in a scalar
context"),
array_vname(n));
- if (n->orig_array->type != Node_var) {
+ if (n->orig_array->type != Node_var &&
n->orig_array->type != Node_var_new) {
n->orig_array->type = Node_var;
n->orig_array->var_value = Nnull_string;
}
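Review bot: with the added `&& n->orig_array->type != Node_var_new` condition, an orig_array of type Node_var_new is now left untouched by this block, so it is neither promoted to Node_var nor given Nnull_string as its var_value; the rest of r_get_lhs will then hand back that node's var_value as the assignment target, so it needs to be confirmed that a Node_var_new node (the state of the unexpected extra argument `opaque` here) already carries a valid var_value at this point, otherwise the segfault is only moved rather than fixed. Since the report itself is unsure the change is sufficient, the script from the mail should be added to the test suite as a regression test alongside the patch.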
---
Best regards,
Boris