bug-gawk

Re: [bug-gawk] Variable double free bug.


From: arnold
Subject: Re: [bug-gawk] Variable double free bug.
Date: Thu, 14 Jan 2016 00:07:30 -0700
User-agent: Heirloom mailx 12.4 7/29/08

Hi.  Thanks for the report and patch. I will review, but at first glance
this looks right.

Arnold

ruyk <address@hidden> wrote:

> Hello.
>
> I notice that since this commit 566df675d8a6bb0c632231abe2e7573ce9f9541d
> gawk can terminate abnormally on some sort of scripts.
>
> For example:
>
> ---
> #!/usr/bin/gawk -f
> BEGIN {
>
>      for (i = 0; i < 100; i++)
>          func_exec()
> }
>
> function func_exec(opaque)
> {
>      func_a(1, opaque)    #set additional argument, not expected by fname
> }
>
> function func_a(a,    b, loc1, loc2)
> {
>      b = 0            #unref Nnull_string
> }
> ---
>
> When we try to run it, we get:
> ---
> gawk: ./main.awk:10: fatal error: internal error: segfault
> Aborted
> ---
>
> This happens because before the ``b = 0`` line (opcode Op_store_var) *b*
> has type Node_array_ref, and inside eval.c:r_get_lhs
> we set n->orig_array->var_value to Nnull_string, and after *func_a*
> execution gawk does a superfluous Nnull_string reference decrement.
>
> This patch fixes the problem (don't know if it is good enough)
> ---
> $ git diff --patch eval.c
> diff --git a/eval.c b/eval.c
> index cf4de1f..948b1e2 100644
> --- a/eval.c
> +++ b/eval.c
> @@ -1155,7 +1155,7 @@ r_get_lhs(NODE *n, bool reference)
>                  if (n->orig_array->type == Node_var_array)
>                          fatal(_("attempt to use array `%s' in a scalar 
> context"),
>                                          array_vname(n));
> -               if (n->orig_array->type != Node_var) {
> +               if (n->orig_array->type != Node_var && 
> n->orig_array->type != Node_var_new) {
>                          n->orig_array->type = Node_var;
>                          n->orig_array->var_value = Nnull_string;
>                  }
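Review bot: the new condition in r_get_lhs needs a comment explaining why a Node_var_new orig_array may be left unconverted. With the added `n->orig_array->type != Node_var_new` test, such a node now skips both assignments in the block, so it leaves the block still typed Node_var_new and with var_value not set here. The hunk does not show what follows the closing brace, so please state next to the condition which later code turns that node into Node_var and gives it a value, or confirm that none is needed. Two smaller points: the mail client wrapped the `fatal(...)` context line and the changed `if` line, so the patch will not apply as posted and should be resent as an attachment; and the script from the report is small enough to add to the test suite as a regression test.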
> ---
>
> Best regards,
>
> Boris


