<div class="markdown_content"><hr/>
<p><strong> <a class="alink" href="https://sourceforge.net/p/pure-data/bugs/1315/">[bugs:#1315]</a> fexpr~ crash due to uninitialized variable</strong></p>
<p><strong>Status:</strong> open<br/>
<strong>Group:</strong> v0.48<br/>
<strong>Created:</strong> Thu Aug 16, 2018 12:11 PM UTC by mrshpot<br/>
<strong>Last Updated:</strong> Thu Aug 16, 2018 12:11 PM UTC<br/>
<strong>Owner:</strong> nobody<br/>
<strong>Attachments:</strong></p>
<ul>
<li><a class="" href="https://sourceforge.net/p/pure-data/bugs/1315/attachment/pd-fexpr-crash-fix.patch">pd-fexpr-crash-fix.patch</a> (424 Bytes; text/x-patch)</li>
</ul>
<p>pd: commit 511f4cfd2a0332bbf3a7654102a1518f3eb95bf6 (tag: 0.48-2)<br/>
distro: Arch Linux amd64, gcc-8.2.0</p>
<p>Steps to reproduce:</p>
<ul>
<li>Run: <code>pd doc/5.reference/expr-help.pd</code></li>
<li>Open the fexpr~ example subpatch</li>
<li>Enable DSP</li>
<li>Click any 'start' message</li>
</ul>
<p>or:</p>
<ul>
<li>Run: <code>pd doc/5.reference/expr-help.pd</code></li>
<li>Open the expr~ example subpatch</li>
<li>Enable DSP</li>
<li>Tweak the limiter/clip example slider</li>
</ul>
<p>Pd dies with abort() in ex_eval:</p>
<div class="codehilite"><pre><span></span>(gdb) bt
0 0x00007ffff7087b5f in raise () from /usr/lib/libc.so.6
1 0x00007ffff7072452 in abort () from /usr/lib/libc.so.6
2 0x0000555555652d5e in ex_eval () at x_vexp.c:1139
3 0x00005555556541e4 in eval_store () at x_vexp.c:1335
4 0x0000555555648d6b in ex_eval () at x_vexp.c:1174
5 0x000055555566a2b0 in expr_perform () at x_vexp_if.c:451
6 0x000055555559787d in dsp_tick () at d_ugen.c:369
7 0x0000555555603847 in sched_tick () at m_sched.c:422
8 0x00005555556040f5 in m_pollingscheduler () at m_sched.c:517
9 m_mainloop () at m_sched.c:596
10 0x00007ffff7074003 in __libc_start_main () from /usr/lib/libc.so.6
11 0x000055555556a21e in _start ()
</pre></div>
<p>Valgrind gives the following warning:</p>
<div class="codehilite"><pre><span></span>==15650== Conditional jump or move depends on uninitialised value(s)
==15650== at 0x1FC409: ex_eval (x_vexp.c:1137)
==15650== by 0x2081E3: eval_store (x_vexp.c:1335)
==15650== by 0x1FCD6A: ex_eval (x_vexp.c:1174)
==15650== by 0x21E2AF: expr_perform (x_vexp_if.c:451)
==15650== by 0x14B87C: dsp_tick (d_ugen.c:369)
==15650== by 0x1B7846: sched_tick (m_sched.c:422)
==15650== by 0x1B80F4: m_pollingscheduler (m_sched.c:517)
==15650== by 0x1B80F4: m_mainloop (m_sched.c:596)
==15650== by 0x5622002: (below main) (in /usr/lib/libc-2.28.so)
==15650== Uninitialised value was created by a stack allocation
==15650== at 0x208080: eval_store (x_vexp.c:1323)
</pre></div>
<p>So the story seems to be that:</p>
<p>1) eval_store has an uninitialized <code>struct ex_ex arg;</code> local variable which is passed to ex_eval() in <code>case ET_VAR:</code><br/>
2) ex_eval trips on the <code>optr->ex_type==ET_VEC</code> check in <code>case ET_XI0:</code> or <code>case ET_XI:</code></p>
<p>If the <code>struct ex_ex arg;</code> variable is initialized, all expr~/fexpr~ examples work.</p>
<p>This fixes the problem for me:</p>
<div class="codehilite"><pre><span></span><span class="gh">diff --git a/src/x_vexp.c b/src/x_vexp.c</span>
<span class="gh">index 0ce43ae..bff93ac 100644</span>
<span class="gd">--- a/src/x_vexp.c</span>
<span class="gi">+++ b/src/x_vexp.c</span>
<span class="gu">@@ -1329,6 +1329,9 @@ eval_store(struct expr *expr, struct ex_ex *eptr, struct ex_ex *optr, int idx)</span>
int badleft = 0;
int notable = 0;
<span class="gi">+ arg.ex_type = ET_INT;</span>
<span class="gi">+ arg.ex_int = 0;</span>
<span class="gi">+</span>
switch (eptr->ex_type) {
case ET_VAR:
var = (char *) eptr->ex_ptr;
</pre></div>
<hr/>
<p>Sent from sourceforge.net because pd-dev@lists.iem.at is subscribed to <a href="https://sourceforge.net/p/pure-data/bugs/">https://sourceforge.net/p/pure-data/bugs/</a></p>
<p>To unsubscribe from further messages, a project admin can change settings at <a href="https://sourceforge.net/p/pure-data/admin/bugs/options.">https://sourceforge.net/p/pure-data/admin/bugs/options.</a> Or, if this is a mailing list, you can unsubscribe from the mailing list.</p></div>