All crashes are due to a nil dereference in line 137 of execute.c.

Shortest test case to date:

$ printf '1L1\n+1||||1\n' | bc
(standard_in) 1: illegal character: L
(standard_in) 1: syntax error
Segmentation fault (core dumped)
$ gdb ./bc ./core
[...]
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000404c7a in execute () at execute.c:137
137               pc.pc_addr = gp->l_adrs[l_off];
(gdb) bt
#0  0x0000000000404c7a in execute () at execute.c:137
#1  0x0000000000407f15 in run_code () at util.c:309
#2  0x0000000000401cf6 in yyparse () at bc.y:135
#3  0x0000000000401203 in main (argc=1, argv=0x7fff0e5cc9d8) at main.c:259
(gdb) list
132                 || (inst == 'Z' && !c_code)) {
133               gp = functions[pc.pc_func].f_label;
134               l_gp  = label_num >> BC_LABEL_LOG;
135               l_off = label_num % BC_LABEL_GROUP;
136               while (l_gp-- > 0) gp = gp->l_next;
137               pc.pc_addr = gp->l_adrs[l_off];
138             }
139             break;
140     
141           case 'C' : /* Call a function. */
(gdb) print pc.pc_func
$1 = 0
(gdb) print functions[pc.pc_func]
$2 = {f_defined = 0 '\000', f_void = 0 '\000', f_body = 0xfca730 "1B\001", 
f_body_size = 1024, f_code_size = 11, f_label = 0x0, f_params = 0x0, f_autos = 
0x0}
(gdb) print gp
$1 = (bc_label_group *) 0x0
(gdb) 

So... it seems like the lexer/parser is leaving junk on the state
machine input after the syntax error/illegal character error, which then
tries to branch to somewhere that cannot exist.

Tempting to say "fail hard on the first error" but this wouldn't be
appropriate in the interactive usage scenario and the crash also occurs
there.

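To make the failure mode concrete, here is an added, self-contained C model of the label lookup shown in the gdb listing (execute.c lines 133-137), written for this page and not taken from bc or from any Debian patch. The structures, the constants BC_LABEL_GROUP = 64 and BC_LABEL_LOG = 6, and the `unsigned int` address type are assumed reconstructions. It places the unchecked walk beside a checked variant that reports a missing label table (the `f_label = 0x0` state seen in the dump) as an error code instead of dereferencing NULL, which is the kind of recovery that suits interactive use where "fail hard on the first error" is not an option.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed values matching bc's label grouping: 64 labels per group. */
#define BC_LABEL_GROUP 64
#define BC_LABEL_LOG 6

/* Hypothetical reconstruction of the structures visible in the gdb output. */
typedef struct bc_label_group {
    unsigned int l_adrs[BC_LABEL_GROUP];   /* code offsets of the labels in this group */
    struct bc_label_group *l_next;         /* next group of BC_LABEL_GROUP labels */
} bc_label_group;

typedef struct {
    char f_defined;
    bc_label_group *f_label;   /* NULL until the parser has emitted a label table */
} bc_function;

/* Unchecked walk, mirroring execute.c:133-137. With f_label == NULL (as in the
 * crash dump) the final line dereferences a null pointer. Kept only to show the
 * defect; do not call it on a function whose label table may be missing. */
static unsigned int label_addr_unchecked(const bc_function *f, unsigned int label_num)
{
    bc_label_group *gp = f->f_label;
    unsigned int l_gp = label_num >> BC_LABEL_LOG;
    unsigned int l_off = label_num % BC_LABEL_GROUP;
    while (l_gp-- > 0) gp = gp->l_next;
    return gp->l_adrs[l_off];
}

/* Checked walk: returns 0 and stores the address on success, or -1 when the
 * label table is absent or shorter than label_num requires. The caller can
 * then report an internal error and reset the interpreter state. */
static int label_addr_checked(const bc_function *f, unsigned int label_num, unsigned int *out)
{
    const bc_label_group *gp = f->f_label;
    unsigned int l_gp = label_num >> BC_LABEL_LOG;
    unsigned int l_off = label_num % BC_LABEL_GROUP;
    while (gp != NULL && l_gp-- > 0) gp = gp->l_next;
    if (gp == NULL) return -1;
    *out = gp->l_adrs[l_off];
    return 0;
}

/* Constructed fixture: a function with ngroups zeroed label groups chained together. */
static bc_function *make_function(int ngroups)
{
    bc_function *f = calloc(1, sizeof *f);
    bc_label_group **tail = &f->f_label;
    for (int i = 0; i < ngroups; i++) {
        *tail = calloc(1, sizeof **tail);
        tail = &(*tail)->l_next;
    }
    return f;
}

static void free_function(bc_function *f)
{
    bc_label_group *gp = f->f_label;
    while (gp != NULL) {
        bc_label_group *next = gp->l_next;
        free(gp);
        gp = next;
    }
    free(f);
}

int main(void)
{
    unsigned int addr;

    /* State from the crash dump: function 0 with no label table at all. */
    bc_function broken = { 0, NULL };
    if (label_addr_checked(&broken, 0, &addr) < 0)
        printf("label 0: no label table, refusing to branch\n");

    /* Two groups: label 70 lives in group 1 at offset 6; label 130 needs group 2. */
    bc_function *f = make_function(2);
    f->f_label->l_next->l_adrs[6] = 4242;
    if (label_addr_checked(f, 70, &addr) == 0)
        printf("label 70 -> code offset %u\n", addr);
    if (label_addr_checked(f, 130, &addr) < 0)
        printf("label 130: label table too short\n");
    (void)label_addr_unchecked;   /* present for comparison only */
    free_function(f);
    return 0;
}
```

The only behavioural difference between the two walks is the `gp != NULL` guard in the loop condition and the test after it; the cost is one pointer comparison per hop, and the interpreter gets a return value it can turn into an error message rather than a SIGSEGV.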