bug-gawk

Re: fixtype: Assertion `n->type == Node_val' failed


From: arnold
Subject: Re: fixtype: Assertion `n->type == Node_val' failed
Date: Fri, 24 Feb 2023 05:39:22 -0700
User-agent: Heirloom mailx 12.5 7/5/10

Please try building from git, gawk-5.2-stable branch.

I never saw a double-free error; what system is this happening on?
Can you run valgrind --leak-check=full on it as well?

Thanks,

Arnold

Daniel Pouzzner <douzzer@mega.nu> wrote:

> The patch is progress:
>
>    $ /tmp/portage/sys-apps/gawk-5.2.1/image/usr/bin/gawk -f /tmp/arraybug.awk 
>    a[b] is false
>    a[b] is false
>    free(): double free detected in tcache 2
>    Aborted
>    
>
> On Thu, 2023-02-23 at 10:59 -0700, arnold@skeeve.com wrote:
> > Hi.
> > 
> > Thanks for the report. Please see the patch below.
> > 
> > Arnold
> > 
> > "Andrew J. Schorr" <aschorr@telemetry-investments.com> wrote:
> > 
> > > Hi,
> > > 
> > > Please see the attached bug reproducer discovered by
> > > Daniel Pouzzner. Thanks to Daniel for finding this.
> > > When run against the master branch, I see this:
> > > 
> > > bash-4.2$ ./gawk -f /tmp/bug.awk
> > > a[b] is false
> > > gawk: awk.h:2016: fixtype: Assertion `n->type == Node_val' failed.
> > > Aborted (core dumped)
> > > 
> > > Regards,
> > > Andy
> > > 
> > > ----- Forwarded message from Daniel Pouzzner via Gawkextlib-users <gawkextlib-users@lists.sourceforge.net> -----
> > > 
> > > Date: Mon, 20 Feb 2023 15:37:56 -0600
> > > From: Daniel Pouzzner via Gawkextlib-users <gawkextlib-users@lists.sourceforge.net>
> > > To: "Andrew J. Schorr" <aschorr@telemetry-investments.com>, gawkextlib-users <gawkextlib-users@lists.sourceforge.net>
> > > Cc: Daniel Pouzzner <douzzer@mega.nu>
> > > Subject: Re: [Gawkextlib-users] gawkextlib xml on gawk-5.2.1
> > > 
> > > I was able to whittle away the xml parts of the logic until none was left.
> > > This turns out to be a gawk core bug.  Reproducer:
> > > 
> > >    #!/usr/bin/gawk -f
> > >    
> > >    function f(x) {
> > >        return x;
> > >    }
> > >    
> > >    BEGIN {
> > >        print "a[b] is " (a["b"] ? "true" : "false");
> > > 
> > >        f(a["b"]);
> > > 
> > >        print "a[b] is " (a["b"] ? "true" : "false");
> > >    
> > >        print a["b"];
> > >    }
> > >    
> > > Result on 5.1.1:
> > > 
> > >    $ /tmp/arraybug.awk
> > >    a[b] is false
> > >    a[b] is false
> > >    
> > > On 5.2.1:
> > > 
> > >    $ /tmp/portage/sys-apps/gawk-5.2.1/image/usr/bin/gawk -f /tmp/arraybug.awk
> > >    a[b] is false
> > >    a[b] is true
> > >    free(): double free detected in tcache 2
> > >    Aborted
> > >    
> > > 
> > > The syndrome in a nutshell: if a nonexistent array element is passed as an
> > > argument to a function, the element is sort-of-created, such that testing it
> > > somehow evaluates to true, but its state/internal pointers are invalid.  I've
> > > actually gotten scripts to outright SEGV and exhibit various other obviously
> > > undefined behavior, like printing characters from the name of the redirect
> > > target ("/dev/stde" etc), by just changing the length of words in a printf
> > > format (constant string).
> > > 
> > > 
> > > Do I need to refile a bug on gawk core, or have I "done enough", as it were?
> > > 
> > > 
> > > Oh and thanks for the quick turnaround!
> > ---------------------------------
> > diff --git a/awk.h b/awk.h
> > index 79cdd85..f6d0f99 100644
> > --- a/awk.h
> > +++ b/awk.h
> > @@ -2031,6 +2031,9 @@ fixtype(NODE *n)
> >  static inline bool
> >  boolval(NODE *t)
> >  {
> > +   if (t->type == Node_var)        // could have come from converted 
> > Node_elem_new
> > +           t = t->var_value;
> > +
> >     (void) fixtype(t);
> >     if ((t->flags & NUMBER) != 0)
> >             return ! is_zero(t);
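Review bot: the new guard at the top of boolval() patches only this one consumer, while its own comment names the real origin (a Node_elem_new converted to Node_var); the later reply in this thread shows the same reproducer still ending in `free(): double free detected in tcache 2` with this patch applied, so the conversion site, or every path that reaches fixtype() from an element reference (the reproducer's final `print a["b"]` is another such path), needs the same treatment. Also, as quoted here the `+` line carrying `// could have come from converted` has wrapped onto an unprefixed `Node_elem_new` line, so the patch will not apply until that comment is re-joined onto one `+` line.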
>
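Added regression check, not from this thread or the gawk test suite: a POSIX shell script that runs the reproducer quoted above and fails if the interpreter aborts or the element tests true after the function call. It assumes AWK names the gawk binary under test and falls back to whatever awk is on PATH.

```shell
#!/bin/sh
# Regression check for the "nonexistent array element passed to a function"
# bug from this thread. AWK is assumed to be the gawk under test; it falls
# back to the first awk found on PATH.
AWK="${AWK:-$(command -v gawk || command -v awk)}"

# Writes the thread's reproducer (constructed inline) to the given path.
write_reproducer() {
    cat > "$1" <<'EOF'
function f(x) { return x }
BEGIN {
    print "a[b] is " (a["b"] ? "true" : "false")
    f(a["b"])
    print "a[b] is " (a["b"] ? "true" : "false")
    print a["b"]
}
EOF
}

# Runs the reproducer. Returns 0 only when the interpreter exits cleanly and
# prints the gawk 5.1.1 output: the element is still false after f(a["b"])
# and the final print yields an empty line (stripped by $(...) below).
# A buggy build either prints "true" on the second line or aborts with
# "free(): double free detected", giving a non-zero exit status.
check_arraybug() {
    tmp=$(mktemp) || return 2
    write_reproducer "$tmp"
    out=$("$AWK" -f "$tmp" 2>&1)
    status=$?
    rm -f "$tmp"
    expected=$(printf 'a[b] is false\na[b] is false\n')
    [ "$status" -eq 0 ] && [ "$out" = "$expected" ]
}
```

Run it as `AWK=/path/to/gawk sh arraybug.sh && echo ok`; a non-zero exit means the build still shows the bug.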