[PD-dev] [pure-data:bugs] #1315 fexpr~ crash due to uninitialized variable
mrshpot
mrshpot at users.sourceforge.net
Thu Aug 16 14:11:51 CEST 2018
---
**[bugs:#1315] fexpr~ crash due to uninitialized variable**
**Status:** open
**Group:** v0.48
**Created:** Thu Aug 16, 2018 12:11 PM UTC by mrshpot
**Last Updated:** Thu Aug 16, 2018 12:11 PM UTC
**Owner:** nobody
**Attachments:**
- [pd-fexpr-crash-fix.patch](https://sourceforge.net/p/pure-data/bugs/1315/attachment/pd-fexpr-crash-fix.patch) (424 Bytes; text/x-patch)
pd: commit 511f4cfd2a0332bbf3a7654102a1518f3eb95bf6 (tag: 0.48-2)
distro: Arch Linux amd64, gcc-8.2.0
Steps to reproduce:
- Run: `pd doc/5.reference/expr-help.pd`
- Open the fexpr~ example subpatch
- Enable DSP
- Click any 'start' message
or:
- Run: `pd doc/5.reference/expr-help.pd`
- Open the expr~ example subpatch
- Enable DSP
- Tweak the limiter/clip example slider
Pd dies with abort() in ex_eval:
~~~
(gdb) bt
0 0x00007ffff7087b5f in raise () from /usr/lib/libc.so.6
1 0x00007ffff7072452 in abort () from /usr/lib/libc.so.6
2 0x0000555555652d5e in ex_eval () at x_vexp.c:1139
3 0x00005555556541e4 in eval_store () at x_vexp.c:1335
4 0x0000555555648d6b in ex_eval () at x_vexp.c:1174
5 0x000055555566a2b0 in expr_perform () at x_vexp_if.c:451
6 0x000055555559787d in dsp_tick () at d_ugen.c:369
7 0x0000555555603847 in sched_tick () at m_sched.c:422
8 0x00005555556040f5 in m_pollingscheduler () at m_sched.c:517
9 m_mainloop () at m_sched.c:596
10 0x00007ffff7074003 in __libc_start_main () from /usr/lib/libc.so.6
11 0x000055555556a21e in _start ()
~~~
Valgrind gives the following warning:
~~~
==15650== Conditional jump or move depends on uninitialised value(s)
==15650== at 0x1FC409: ex_eval (x_vexp.c:1137)
==15650== by 0x2081E3: eval_store (x_vexp.c:1335)
==15650== by 0x1FCD6A: ex_eval (x_vexp.c:1174)
==15650== by 0x21E2AF: expr_perform (x_vexp_if.c:451)
==15650== by 0x14B87C: dsp_tick (d_ugen.c:369)
==15650== by 0x1B7846: sched_tick (m_sched.c:422)
==15650== by 0x1B80F4: m_pollingscheduler (m_sched.c:517)
==15650== by 0x1B80F4: m_mainloop (m_sched.c:596)
==15650== by 0x5622002: (below main) (in /usr/lib/libc-2.28.so)
==15650== Uninitialised value was created by a stack allocation
==15650== at 0x208080: eval_store (x_vexp.c:1323)
~~~
So the story seems to be that:
1) eval_store has an uninitialized `struct ex_ex arg;` local variable which is passed to ex_eval() in `case ET_VAR:`
2) ex_eval trips on the `optr->ex_type==ET_VEC` check in `case ET_XI0:` or `case ET_XI:`
If the `struct ex_ex arg;` variable is initialized, all expr~/fexpr~ examples work.
This fixes the problem for me:
~~~
diff --git a/src/x_vexp.c b/src/x_vexp.c
index 0ce43ae..bff93ac 100644
--- a/src/x_vexp.c
+++ b/src/x_vexp.c
@@ -1329,6 +1329,9 @@ eval_store(struct expr *expr, struct ex_ex *eptr, struct ex_ex *optr, int idx)
int badleft = 0;
int notable = 0;
+ arg.ex_type = ET_INT;
+ arg.ex_int = 0;
+
switch (eptr->ex_type) {
case ET_VAR:
var = (char *) eptr->ex_ptr;
~~~
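Review bot: the two assignments added before the `switch` give `arg` a defined type, but they also silently change what ex_eval() does with it: the report says the abort comes from the `optr->ex_type==ET_VEC` check in the `ET_XI0`/`ET_XI` cases, and with `arg` forced to `ET_INT` that branch is now just skipped, so please confirm in the commit message that an int-typed store target is the intended semantics for the `ET_VAR` path rather than the type ex_eval() was expecting. Consider also initialising at the declaration (`struct ex_ex arg = {0};` at x_vexp.c:1323, where valgrind places the stack allocation) so every member, not only `ex_type` and `ex_int`, has a defined value on all paths through the switch.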
---
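The class of defect described above, as an added illustration that is not part of the bug report or of Pd's own x_vexp.c: a tagged cell is declared on the stack, left unwritten, and handed to an evaluator that branches on its tag. The struct, enum values and function names below are a constructed mirror of the real ones, and the checked evaluator returns an error code where Pd's ex_eval() calls abort().

```c
#include <stddef.h>

/* Constructed stand-in for Pd's struct ex_ex: a type tag plus a union.
 * The real struct in x_vexp.c has more members; names here are assumed. */
enum { ET_INT = 1, ET_FLT, ET_VEC };

struct ex_ex {
    int ex_type;            /* tag saying which union member is live */
    union {
        int    ex_int;
        float  ex_flt;
        float *ex_vec;
    } u;
};

/* Evaluator that rejects a tag it does not recognise (return -1) instead
 * of aborting; a garbage tag from an uninitialised cell lands here. */
int ex_eval_checked(const struct ex_ex *optr, float *out)
{
    switch (optr->ex_type) {
    case ET_INT: *out = (float)optr->u.ex_int;                 return 0;
    case ET_FLT: *out = optr->u.ex_flt;                        return 0;
    case ET_VEC: *out = optr->u.ex_vec ? optr->u.ex_vec[0] : 0; return 0;
    default:     return -1;
    }
}

/* 'Before': arg is read before it is ever written. This is the pattern
 * valgrind flags as "conditional jump depends on uninitialised value".
 * Kept for contrast only; never call it. */
int eval_store_buggy(float *out)
{
    struct ex_ex arg;
    return ex_eval_checked(&arg, out);
}

/* 'After': zero-initialise at the declaration, then set the tag, so every
 * member has a defined value on every path. */
int eval_store_fixed(float *out)
{
    struct ex_ex arg = {0};
    arg.ex_type = ET_INT;
    arg.u.ex_int = 0;
    return ex_eval_checked(&arg, out);
}

/* Small wrappers returning results so they can be checked without printing. */
int   demo_fixed_status(void) { float v = 1.0f; return eval_store_fixed(&v); }
float demo_fixed_value(void)  { float v = 1.0f; eval_store_fixed(&v); return v; }
int   demo_bad_tag(void)      { struct ex_ex e = {0}; float v = 0; e.ex_type = 12345; return ex_eval_checked(&e, &v); }
```

Compiling this with `-fsanitize=memory` (clang) and calling eval_store_buggy() reproduces the uninitialised-read report at the `switch`, the same diagnosis valgrind gave for eval_store() above.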