bug-bash

Re: Comma expression in arithmetic evaluation referring to arrays make b


From: Stephane Chazelas
Subject: Re: Comma expression in arithmetic evaluation referring to arrays make bash crash.
Date: Mon, 15 Feb 2016 16:16:15 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

2016-02-15 09:31:57 -0500, Chet Ramey:
> On 2/15/16 8:57 AM, Pontus Stenström wrote:
> 
> > Bash Version: 4.2
> > Patch Level: 24
> > Release Status: release
> > 
> > Description:
> >     Comma expression in arithmetic evaluation referring to arrays make bash
> > crash.
> > 
> > Repeat-By:
> >     This works fine:
> >     ((c=3, d=4))
> >     This crashes my bash:
> >     a=(2 3 4 5)        # OK
> >     ((c=a[3], d=a[2])) # Crash
> 
> It runs fine on bash-4.3.42 on RHEL 5 and Mac OS X.
[...]

Reproduced with 4.2.53 on Debian:

Starting program: bash4.2.53 -c a=\(1\ 2\ 3\ 4\ 5\ 6\)\;\ \(\(b=a\[3\],\ c=a\[4\]\)\)\;\ typeset\ -p\ b\ c

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000000000043c952 in expr_bind_array_element (tok=tok@entry=0x6f5328 "c", ind=ind@entry=3, rhs=rhs@entry=0x6f5318 "5") at expr.c:331
#2  0x000000000043e2c8 in expassign () at expr.c:531
#3  0x000000000043d532 in expcomma () at expr.c:441
#4  0x000000000043d736 in subexpr (expr=0x6fb7c8 "b=a[3], c=a[4]") at expr.c:419
#5  0x000000000043e5ca in evalexp (expr=0x6fb7c8 "b=a[3], c=a[4]", validp=0x7fffffffda90) at expr.c:384
#6  0x00000000004321d8 in execute_arith_command (arith_command=<optimised out>, arith_command=<optimised out>) at execute_cmd.c:3309
#7  execute_command_internal (command=0x6fb508, asynchronous=0, pipe_in=7320904, pipe_out=0, fds_to_close=0x6fdc88) at execute_cmd.c:901
#8  0x0000000000432859 in execute_connection (fds_to_close=<optimised out>, pipe_out=<optimised out>, pipe_in=<optimised out>, asynchronous=<optimised out>, command=<optimised out>) at execute_cmd.c:2326
#9  execute_command_internal (command=0x6fb5c8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x6fb7a8) at execute_cmd.c:891
#10 0x0000000000433fce in execute_command (command=0x6fb5c8) at execute_cmd.c:382
#11 0x000000000043281e in execute_connection (fds_to_close=<optimised out>, pipe_out=<optimised out>, pipe_in=<optimised out>, asynchronous=<optimised out>, command=<optimised out>) at execute_cmd.c:2324
#12 execute_command_internal (command=0x6fb748, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x6fb788) at execute_cmd.c:891
#13 0x0000000000471024 in parse_and_execute (string=<optimised out>, from_file=from_file@entry=0x4a990d "-c", flags=flags@entry=4) at evalstring.c:340
#14 0x000000000041d9ba in run_one_command (command=<optimised out>) at shell.c:1315
#15 0x000000000041c786 in main (argc=3, argv=0x7fffffffdf78, env=0x7fffffffdf98) at shell.c:688

See how it calls expr_bind_array_element on "c" as if it wanted
to assign something to c[3] instead of c. The 3 looks like it
comes from the previous a[3] expansion.

-- 
Stephane
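
Added example, not part of the original message or of the bash sources: a regression check that runs the reproducer from this thread in a child process and reports whether a given bash binary handles it, crashes on it, or returns something else. The function names, the ok/crashed/unexpected labels and the use of echo instead of typeset -p are assumptions of this example.

```shell
#!/bin/sh
# Added example: regression check for the comma-expression/array crash
# reported in this thread. All names below are this example's own.

# Reproducer taken from the thread; echo replaces "typeset -p" so the
# output is a single line that is easy to compare.
REPRO='a=(1 2 3 4 5 6); ((b=a[3], c=a[4])); echo "$b $c"'
EXPECTED='4 5'   # arrays are zero-indexed: a[3]=4, a[4]=5

# classify_result STATUS OUTPUT -> prints ok | crashed | unexpected
classify_result() {
    cr_status=$1
    cr_output=$2
    if [ "$cr_status" -gt 128 ]; then
        # Shell convention: 128+N means the child was killed by signal N
        # (139 = 128 + 11, SIGSEGV, as in the backtrace above).
        echo crashed
    elif [ "$cr_status" -eq 0 ] && [ "$cr_output" = "$EXPECTED" ]; then
        echo ok
    else
        # Wrong values, a non-zero exit, or a shell that could not be run.
        echo unexpected
    fi
}

# check_bash PATH -> runs the reproducer under PATH in a child process,
# so a crash in the shell under test cannot take down the caller.
check_bash() {
    cb_status=0
    cb_output=$("$1" -c "$REPRO" 2>/dev/null) || cb_status=$?
    classify_result "$cb_status" "$cb_output"
}

# Check the shell named on the command line, or the bash found in PATH.
printf '%s: %s\n' "${1:-bash}" "$(check_bash "${1:-bash}")"
```

Pass the path of a specific binary as the first argument to test builds other than the one in PATH.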


