[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Critical gawk -M bug still in Debian 11
|
From: |
alexandre . ferrieux |
|
Subject: |
Re: Critical gawk -M bug still in Debian 11 |
|
Date: |
Wed, 14 Feb 2024 10:28:36 +0100 |
|
User-agent: |
Betterbird (Linux) |
Hi Arnold,
2. On my system, with gawk 5.1.0, I see:
$ ( echo 1 2 ; echo 3 4 ; echo 3 5) |
gawk-5.1.0 -M '{x=$1+0;t[$1]+=$2}END{for(a in t)print "t["a"]="t[a]}'
t[1]=2
t[3]=9
You might try downloading and compiling the gawk-5.1.0 tar ball and
see what you get; perhaps Debian has changed the code in some way
that causes breakage.
Yes, that's what I thought (and to be frank, hoped for) at first ... but
unfortunately, I do get the bug also from compiling the git version in the whole
range from tag 'gawk-5.1.0' (=40a6d096) to the commit hash just before the fix
c31e4636, which is 4f06f706. So, the Debian folks did not add noise this time :}
About your test: sorry to ask the obvious, but I'd check:
- the proper activation of -M, since configure autodetects the presence or not
of GMP/MPFR, and silently proceeds in either case (I'd suggest changing this:
enable them by default, complaining if the dependencies are missing).
- the activation or not of some debug-malloc or similar, which might interact
with the uninitialized fields causing the bug.
- the -g/-O3 flags as they might also fiddle with them.
- the installed versions of GMP/MPFR
$ ldd ./gawk
linux-vdso.so.1 (0x00007ffe7e90a000)
libmpfr.so.6 => /lib/x86_64-linux-gnu/libmpfr.so.6 (0x00007f3490c8a000)
libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f3490c09000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3490c03000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f3490abf000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f34908eb000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3490ffc000)
$ dpkg -S /usr/lib/x86_64-linux-gnu/libmpfr.so.6
libmpfr6:amd64: /usr/lib/x86_64-linux-gnu/libmpfr.so.6
$ dpkg -S /usr/lib/x86_64-linux-gnu/libgmp.so.10
libgmp10:amd64: /usr/lib/x86_64-linux-gnu/libgmp.so.10
3. With respect to nuclear power plants and so on, I feel obligated
to point out the "Disclaimer of Warranty" clause in the GPL. The idea of
someone using gawk for such a thing makes me shudder in horror.
Yes, of course :)
However, just about any open-source tool today ends up with similar disclaimer,
through the GPL or explicitly. And more fundamentally, for a really critical
application, I believe it is better to rely on a tried-and-trusted substrate
with simple semantics at each level(the interpreter/compiler/OS/processor) along
with easily reviewable domain-specific code, rather than (what is the opposite
trend today) a completely obscure chain you need to paint with sheer faith (like
some metal oxide) needing a very brain-intensive domain-specific code which can
be (knowledgeably) maintained by 1% of the workforce.
The tried-and-trusted substrate with simple semantics, even today, does not
wander very far from sh+awk+sed (yes, the Gnu versions).
So, I feel it is extremely important not to falter on a legal pretext, and
recognize the pillars of the industry for what they are, regardless of fashion.
Gawk is one of them, and there's no serious replacement in sight.
It *may* still hide a few critical bugs like this one, but aiming for them is
IMHO a better bet than trying to build confidence is the shiny modern behemoths.
I know you've been doing exactly that for more than three decades. Just don't
lose sight of the importance of your work.
4. I understand your concerns and symnpathize with them. However, this
simply isn't the right forum. I have no control or influence over any
of the GNU/Linux distributions. (Indeed, CentOS 7 is even further behind
on it's version of gawk than 5.1.0.)
It is possible to track down the Debian maintainers of the gawk package.
I suggest that you open a dialog directly with them.
Sure, you're right of course. Simply , for future discoveries of similar vein
(hope there aren't any...), I'd like to know the proper wording to use in (1)
commit comments and (2) release notes to trigger backporting. While it is
obviously their call, maybe you have past experience with older nasty bugs that
did make it into emergency backports, like the Linux kernel often does ? How did
you word the release notes ?
-Alex
____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce
message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou
falsifie. Merci.
This message and its attachments may contain confidential or privileged
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been
modified, changed or falsified.
Thank you.