Re: Comma expression in arithmetic evaluation referring to arrays make b
From: Stephane Chazelas
Subject: Re: Comma expression in arithmetic evaluation referring to arrays make bash crash.
Date: Mon, 15 Feb 2016 16:16:15 +0000
User-agent: Mutt/1.5.21 (2010-09-15)
2016-02-15 09:31:57 -0500, Chet Ramey:
> On 2/15/16 8:57 AM, Pontus Stenström wrote:
>
> > Bash Version: 4.2
> > Patch Level: 24
> > Release Status: release
> >
> > Description:
> > Comma expression in arithmetic evaluation referring to arrays make bash
> > crash.
> >
> > Repeat-By:
> > This works fine:
> > ((c=3, d=4))
> > This crashes my bash:
> > a=(2 3 4 5) # OK
> > ((c=a[3], d=a[2])) # Crash
>
> It runs fine on bash-4.3.42 on RHEL 5 and Mac OS X.
[...]
Reproduced with 4.2.53 on Debian:
Starting program: bash4.2.53 -c a=\(1\ 2\ 3\ 4\ 5\ 6\)\;\ \(\(b=a\[3\],\
c=a\[4\]\)\)\;\ typeset\ -p\ b\ c
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x000000000043c952 in expr_bind_array_element (tok=tok@entry=0x6f5328 "c",
ind=ind@entry=3, rhs=rhs@entry=0x6f5318 "5") at expr.c:331
#2 0x000000000043e2c8 in expassign () at expr.c:531
#3 0x000000000043d532 in expcomma () at expr.c:441
#4 0x000000000043d736 in subexpr (expr=0x6fb7c8 "b=a[3], c=a[4]") at expr.c:419
#5 0x000000000043e5ca in evalexp (expr=0x6fb7c8 "b=a[3], c=a[4]",
validp=0x7fffffffda90) at expr.c:384
#6 0x00000000004321d8 in execute_arith_command (arith_command=<optimised out>,
arith_command=<optimised out>) at execute_cmd.c:3309
#7 execute_command_internal (command=0x6fb508, asynchronous=0,
pipe_in=7320904, pipe_out=0, fds_to_close=0x6fdc88) at execute_cmd.c:901
#8 0x0000000000432859 in execute_connection (fds_to_close=<optimised out>,
pipe_out=<optimised out>, pipe_in=<optimised out>, asynchronous=<optimised out>,
command=<optimised out>) at execute_cmd.c:2326
#9 execute_command_internal (command=0x6fb5c8, asynchronous=0, pipe_in=-1,
pipe_out=-1, fds_to_close=0x6fb7a8) at execute_cmd.c:891
#10 0x0000000000433fce in execute_command (command=0x6fb5c8) at
execute_cmd.c:382
#11 0x000000000043281e in execute_connection (fds_to_close=<optimised out>,
pipe_out=<optimised out>, pipe_in=<optimised out>, asynchronous=<optimised out>,
command=<optimised out>) at execute_cmd.c:2324
#12 execute_command_internal (command=0x6fb748, asynchronous=0, pipe_in=-1,
pipe_out=-1, fds_to_close=0x6fb788) at execute_cmd.c:891
#13 0x0000000000471024 in parse_and_execute (string=<optimised out>,
from_file=from_file@entry=0x4a990d "-c", flags=flags@entry=4) at
evalstring.c:340
#14 0x000000000041d9ba in run_one_command (command=<optimised out>) at
shell.c:1315
#15 0x000000000041c786 in main (argc=3, argv=0x7fffffffdf78,
env=0x7fffffffdf98) at shell.c:688
See how it calls expr_bind_array_element on "c" as if it wanted
to assign something to c[3] instead of c. The 3 looks like it
comes from the previous a[3] expansion.
--
Stephane
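
A regression check built from the reproduction in this thread, as an added example that is not part of the original post: it runs the repro in a child shell, so a crash cannot take down the checker, and classifies the result. The function names, the trailing echo and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: regression check for the comma-expression/array crash
# reported in this thread. The outer script is POSIX sh; only the child
# shell under test has to understand arrays and ((...)).

# Repro from the thread, plus an echo so the assigned values can be compared.
REPRO='a=(1 2 3 4 5 6); ((b=a[3], c=a[4])); echo "$b $c"'
EXPECTED='4 5'   # a[3] and a[4] of the array above

# classify STATUS OUTPUT -> prints a verdict for one run of the repro
classify() {
    if [ "$1" -gt 128 ]; then
        # A child killed by signal N is reported as status 128+N
        # (SIGSEGV is 11, hence 139 for the crash in the backtrace).
        echo "crashed: signal $(( $1 - 128 ))"
    elif [ "$1" -eq 0 ] && [ "$2" = "$EXPECTED" ]; then
        echo "ok"
    else
        echo "unexpected: status=$1 output=$2"
    fi
}

# check_comma_array_bug [SHELL] -> run the repro under SHELL (default: bash)
check_comma_array_bug() {
    shell_bin=${1:-bash}
    # The '&& ... || ...' form keeps the status even if the caller uses 'set -e'.
    out=$("$shell_bin" -c "$REPRO" 2>/dev/null) && status=0 || status=$?
    classify "$status" "$out"
}

# Report for each shell named on the command line, or plain "bash" if none.
if [ $# -eq 0 ]; then set -- bash; fi
for s in "$@"; do
    printf '%s: %s\n' "$s" "$(check_comma_array_bug "$s")"
done
```

Pass the paths of the bash binaries to test as arguments, for example one per installed version.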