bug-gawk

Re: fixtype: Assertion `n->type == Node_val' failed


From: arnold
Subject: Re: fixtype: Assertion `n->type == Node_val' failed
Date: Thu, 23 Feb 2023 10:59:28 -0700
User-agent: Heirloom mailx 12.5 7/5/10

Hi.

Thanks for the report. Please see the patch below.

Arnold

"Andrew J. Schorr" <aschorr@telemetry-investments.com> wrote:

> Hi,
>
> Please see the attached bug reproducer discovered by
> Daniel Pouzzner. Thanks to Daniel for finding this.
> When run against the master branch, I see this:
>
> bash-4.2$ ./gawk -f /tmp/bug.awk
> a[b] is false
> gawk: awk.h:2016: fixtype: Assertion `n->type == Node_val' failed.
> Aborted (core dumped)
>
> Regards,
> Andy
>
> ----- Forwarded message from Daniel Pouzzner via Gawkextlib-users <gawkextlib-users@lists.sourceforge.net> -----
>
> Date: Mon, 20 Feb 2023 15:37:56 -0600
> From: Daniel Pouzzner via Gawkextlib-users <gawkextlib-users@lists.sourceforge.net>
> To: "Andrew J. Schorr" <aschorr@telemetry-investments.com>, gawkextlib-users
>       <gawkextlib-users@lists.sourceforge.net>
> Cc: Daniel Pouzzner <douzzer@mega.nu>
> Subject: Re: [Gawkextlib-users] gawkextlib xml on gawk-5.2.1
>
> I was able to whittle away the xml parts of the logic until none was left.  This
> turns out to be a gawk core bug.  Reproducer:
>
>    #!/usr/bin/gawk -f
>    
>    function f(x) {
>        return x;
>    }
>    
>    BEGIN {
>        print "a[b] is " (a["b"] ? "true" : "false");
>
>        f(a["b"]);
>
>        print "a[b] is " (a["b"] ? "true" : "false");
>    
>        print a["b"];
>    }
>    
> Result on 5.1.1:
>
>    $ /tmp/arraybug.awk
>    a[b] is false
>    a[b] is false
>    
> On 5.2.1:
>
>    $ /tmp/portage/sys-apps/gawk-5.2.1/image/usr/bin/gawk -f /tmp/arraybug.awk
>    a[b] is false
>    a[b] is true
>    free(): double free detected in tcache 2
>    Aborted
>    
>
> The syndrome in a nutshell: if a nonexistent array element is passed as an
> argument to a function, the element is sort-of created, such that testing it
> somehow evaluates to true, but its state/internal pointers are invalid.  I've
> actually gotten scripts to outright SEGV and exhibit various other obviously
> undefined behavior, like printing characters from the name of the redirect
> target ("/dev/stde" etc), by just changing the length of words in a printf
> format (constant string).
>
>
> Do I need to refile a bug on gawk core, or have I "done enough", as it were?
>
>
> Oh and thanks for the quick turnaround!
---------------------------------
diff --git a/awk.h b/awk.h
index 79cdd85..f6d0f99 100644
--- a/awk.h
+++ b/awk.h
@@ -2031,6 +2031,9 @@ fixtype(NODE *n)
 static inline bool
 boolval(NODE *t)
 {
+       if (t->type == Node_var)        // could have come from converted 
Node_elem_new
+               t = t->var_value;
+
        (void) fixtype(t);
        if ((t->flags & NUMBER) != 0)
                return ! is_zero(t);
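
Review bot: The Node_var unwrap at the top of boolval() covers only the boolean-test path, while the reported assertion fires inside fixtype() itself and the 5.2.1 run in the report goes on to a double free after the second test has printed. Any other caller that hands fixtype() a Node_var converted from Node_elem_new would still trip `n->type == Node_val`, so consider doing the unwrap in fixtype(), or at the point where the element is converted when it is passed to the function, instead of in this one caller. The hunk also dereferences t->var_value without checking it; a short comment stating why it is always set here would help. The reporter's script would make a good regression test, since it exercises the test before the call, the test after it, and the final print.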


