Re: fixtype: Assertion `n->type == Node_val' failed
From: Daniel Pouzzner
Subject: Re: fixtype: Assertion `n->type == Node_val' failed
Date: Fri, 24 Feb 2023 02:02:39 -0600
User-agent: Evolution 3.46.4
The patch is progress:
$ /tmp/portage/sys-apps/gawk-5.2.1/image/usr/bin/gawk -f /tmp/arraybug.awk
a[b] is false
a[b] is false
free(): double free detected in tcache 2
Aborted
On Thu, 2023-02-23 at 10:59 -0700, arnold@skeeve.com wrote:
> Hi.
>
> Thanks for the report. Please see the patch below.
>
> Arnold
>
> "Andrew J. Schorr" <aschorr@telemetry-investments.com> wrote:
>
> > Hi,
> >
> > Please see the attached bug reproducer discovered by
> > Daniel Pouzzner. Thanks to Daniel for finding this.
> > When run against the master branch, I see this:
> >
> > bash-4.2$ ./gawk -f /tmp/bug.awk
> > a[b] is false
> > gawk: awk.h:2016: fixtype: Assertion `n->type == Node_val' failed.
> > Aborted (core dumped)
> >
> > Regards,
> > Andy
> >
> > ----- Forwarded message from Daniel Pouzzner via Gawkextlib-users
> > <gawkextlib-users@lists.sourceforge.net> -----
> >
> > Date: Mon, 20 Feb 2023 15:37:56 -0600
> > From: Daniel Pouzzner via Gawkextlib-users
> > <gawkextlib-users@lists.sourceforge.net>
> > To: "Andrew J. Schorr" <aschorr@telemetry-investments.com>, gawkextlib-users
> > <gawkextlib-users@lists.sourceforge.net>
> > Cc: Daniel Pouzzner <douzzer@mega.nu>
> > Subject: Re: [Gawkextlib-users] gawkextlib xml on gawk-5.2.1
> >
> > I was able to whittle away the xml parts of the logic until none was left.
> > This turns out to be a gawk core bug. Reproducer:
> >
> > #!/usr/bin/gawk -f
> >
> > function f(x) {
> >     return x;
> > }
> >
> > BEGIN {
> >     print "a[b] is " (a["b"] ? "true" : "false");
> >
> >     f(a["b"]);
> >
> >     print "a[b] is " (a["b"] ? "true" : "false");
> >
> >     print a["b"];
> > }
> >
> > Result on 5.1.1:
> >
> > $ /tmp/arraybug.awk
> > a[b] is false
> > a[b] is false
> >
> > On 5.2.1:
> >
> > $ /tmp/portage/sys-apps/gawk-5.2.1/image/usr/bin/gawk -f /tmp/arraybug.awk
> > a[b] is false
> > a[b] is true
> > free(): double free detected in tcache 2
> > Aborted
> >
> >
> > The syndrome in a nutshell: if a nonexistent array element is passed as an
> > argument to a function, the element is sortof-created, such that testing it
> > somehow evaluates to true, but its state/internal pointers are invalid. I've
> > actually gotten scripts to outright SEGV and exhibit various other obviously
> > undefined behavior, like printing characters from the name of the redirect
> > target ("/dev/stde" etc), by just changing the length of words in a printf
> > format (constant string).
> >
> >
> > Do I need to refile a bug on gawk core, or have I "done enough", as it were?
> >
> >
> > Oh and thanks for the quick turnaround!
> ---------------------------------
> diff --git a/awk.h b/awk.h
> index 79cdd85..f6d0f99 100644
> --- a/awk.h
> +++ b/awk.h
> @@ -2031,6 +2031,9 @@ fixtype(NODE *n)
> static inline bool
> boolval(NODE *t)
> {
> + if (t->type == Node_var) // could have come from converted
> Node_elem_new
> + t = t->var_value;
> +
> (void) fixtype(t);
> if ((t->flags & NUMBER) != 0)
> return ! is_zero(t);
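
Review bot: the Node_var unwrap at the top of boolval() covers only the truth-test path, so any other caller that passes fixtype() a node converted from Node_elem_new can still reach the `n->type == Node_val` assertion. The run quoted at the top of this message is consistent with that: both tests now print "false", but the final print a["b"] still ends in "free(): double free detected in tcache 2". Consider normalizing the node at the point where the Node_elem_new conversion happens, or auditing the other fixtype() callers, rather than handling it in boolval() alone. The new comment should also name the code path that performs the conversion, and the reproducer from this thread is worth adding to the test suite so the print case is covered as well as the truth test.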