[PD-dev] [pure-data:bugs] #1315 fexpr~ crash due to uninitialized variable

mrshpot mrshpot at users.sourceforge.net
Thu Aug 16 14:11:51 CEST 2018
---

** [bugs:#1315] fexpr~ crash due to uninitialized variable**

**Status:** open
**Group:** v0.48
**Created:** Thu Aug 16, 2018 12:11 PM UTC by mrshpot
**Last Updated:** Thu Aug 16, 2018 12:11 PM UTC
**Owner:** nobody
**Attachments:**

- [pd-fexpr-crash-fix.patch](https://sourceforge.net/p/pure-data/bugs/1315/attachment/pd-fexpr-crash-fix.patch) (424 Bytes; text/x-patch)


pd: commit 511f4cfd2a0332bbf3a7654102a1518f3eb95bf6 (tag: 0.48-2)
distro: Arch Linux amd64, gcc-8.2.0

Steps to reproduce:

 - Run: `pd doc/5.reference/expr-help.pd`
 - Open the fexpr~ example subpatch
 - Enable DSP
 - Click any 'start' message

or:

 - Run: `pd doc/5.reference/expr-help.pd`
 - Open the expr~ example subpatch
 - Enable DSP
 - Tweak the limiter/clip example slider

Pd dies with abort() in ex_eval:

~~~
(gdb) bt
0  0x00007ffff7087b5f in raise () from /usr/lib/libc.so.6
1  0x00007ffff7072452 in abort () from /usr/lib/libc.so.6
2  0x0000555555652d5e in ex_eval () at x_vexp.c:1139
3  0x00005555556541e4 in eval_store () at x_vexp.c:1335
4  0x0000555555648d6b in ex_eval () at x_vexp.c:1174
5  0x000055555566a2b0 in expr_perform () at x_vexp_if.c:451
6  0x000055555559787d in dsp_tick () at d_ugen.c:369
7  0x0000555555603847 in sched_tick () at m_sched.c:422
8  0x00005555556040f5 in m_pollingscheduler () at m_sched.c:517
9  m_mainloop () at m_sched.c:596
10 0x00007ffff7074003 in __libc_start_main () from /usr/lib/libc.so.6
11 0x000055555556a21e in _start ()
~~~


Valgrind gives the following warning:

~~~
==15650== Conditional jump or move depends on uninitialised value(s)
==15650==    at 0x1FC409: ex_eval (x_vexp.c:1137)
==15650==    by 0x2081E3: eval_store (x_vexp.c:1335)
==15650==    by 0x1FCD6A: ex_eval (x_vexp.c:1174)
==15650==    by 0x21E2AF: expr_perform (x_vexp_if.c:451)
==15650==    by 0x14B87C: dsp_tick (d_ugen.c:369)
==15650==    by 0x1B7846: sched_tick (m_sched.c:422)
==15650==    by 0x1B80F4: m_pollingscheduler (m_sched.c:517)
==15650==    by 0x1B80F4: m_mainloop (m_sched.c:596)
==15650==    by 0x5622002: (below main) (in /usr/lib/libc-2.28.so)
==15650==  Uninitialised value was created by a stack allocation
==15650==    at 0x208080: eval_store (x_vexp.c:1323)
~~~


So the story seems to be that:

1) eval_store has an uninitialized `struct ex_ex arg;` local variable which is passed to ex_eval() in `case ET_VAR:`
2) ex_eval trips on the `optr->ex_type==ET_VEC` check in `case ET_XI0:` or `case ET_XI:`

If the `struct ex_ex arg;` variable is initialized, all expr~/fexpr~ examples work.

This fixes the problem for me:

~~~
diff --git a/src/x_vexp.c b/src/x_vexp.c
index 0ce43ae..bff93ac 100644
--- a/src/x_vexp.c
+++ b/src/x_vexp.c
@@ -1329,6 +1329,9 @@ eval_store(struct expr *expr, struct ex_ex *eptr, struct ex_ex *optr, int idx)
         int badleft = 0;
         int notable = 0;
 
+        arg.ex_type = ET_INT;
+        arg.ex_int = 0;
+
         switch (eptr->ex_type) {
         case ET_VAR:
                 var = (char *) eptr->ex_ptr;
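Review bot: the added initialisation covers only `ex_type` and `ex_int`, and sits several lines below the declaration it protects; zero-initialising the whole object where `arg` is declared (`struct ex_ex arg = {0};` or `memset(&arg, 0, sizeof arg);`) would also clear any pointer or union payload and would guard every branch of the `switch`, not just the `case ET_VAR:` path named in the report. A short comment stating why the default tag is `ET_INT` (it is what stops the `optr->ex_type==ET_VEC` test in `ex_eval` from reading stale stack data) would spare the next reader a trip through the backtrace.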
~~~
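As an added illustration (not code from the report, the patch or Pd itself), the C sketch below reconstructs the pattern the two points above describe: an operand struct with a type tag, a local of that type handed to the evaluator, and a vector branch that keys off the tag. The `struct ex_ex` layout, the enum values and the function names `ex_ex_init`, `ex_eval_xi`, `eval_store_var`, `demo_vector` and `demo_stale_vec_tag` are all assumptions made for this example. It shows the full-struct initialisation a reviewer would ask for, and an evaluator that rejects an operand whose tag claims a vector it does not carry instead of aborting the audio thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag values; Pd's real enum is not reproduced here. */
enum ex_type { ET_INT = 1, ET_FLT = 2, ET_VEC = 3 };

/* Simplified stand-in for Pd's struct ex_ex: a type tag plus a payload
 * whose meaning depends on that tag (assumed layout, not Pd's). */
struct ex_ex {
    enum ex_type ex_type;
    union {
        long   ex_int;
        float  ex_flt;
        float *ex_vec;      /* only meaningful when ex_type == ET_VEC */
    };
    int ex_vecsize;         /* number of samples behind ex_vec */
};

/* Initialise an operand the way the patch does, but for every field:
 * the whole object is zeroed first, so no union or pointer member can
 * carry stale stack contents, then the tag is set to a scalar type. */
static void ex_ex_init(struct ex_ex *e)
{
    memset(e, 0, sizeof *e);
    e->ex_type = ET_INT;
}

/* Stand-in for the ET_XI case: store one input sample either into a
 * scalar or into every slot of a signal vector, depending on optr's tag.
 * Returns 0 on success, -1 if the operand claims to be a vector but has
 * no buffer, which is what a garbage tag on an uninitialised struct
 * would look like. */
static int ex_eval_xi(float sample, struct ex_ex *optr)
{
    if (optr->ex_type == ET_VEC) {
        if (optr->ex_vec == NULL || optr->ex_vecsize <= 0)
            return -1;      /* refuse rather than abort() inside the DSP tick */
        for (int i = 0; i < optr->ex_vecsize; i++)
            optr->ex_vec[i] = sample;
        return 0;
    }
    optr->ex_type = ET_FLT;
    optr->ex_flt = sample;
    return 0;
}

/* Mirror of eval_store's ET_VAR path: evaluate into a local operand and
 * hand the scalar back. Because of ex_ex_init() the tag can never be
 * whatever the previous stack frame left behind. */
static float eval_store_var(float sample)
{
    struct ex_ex arg;
    ex_ex_init(&arg);       /* the fix: ex_type is defined before ex_eval_xi reads it */
    if (ex_eval_xi(sample, &arg) != 0)
        return 0.0f;
    return arg.ex_flt;
}

/* Fill a small stack vector through the ET_VEC path; returns its last slot. */
static float demo_vector(float sample)
{
    float buf[4] = {0};
    struct ex_ex vec = { .ex_type = ET_VEC, .ex_vec = buf, .ex_vecsize = 4 };
    if (ex_eval_xi(sample, &vec) != 0)
        return -1.0f;
    return buf[3];
}

/* An operand tagged ET_VEC with no buffer behind it: the evaluator must
 * report an error instead of dereferencing NULL. Returns the status code. */
static int demo_stale_vec_tag(void)
{
    struct ex_ex bad = { .ex_type = ET_VEC };   /* ex_vec stays NULL */
    return ex_eval_xi(1.0f, &bad);
}

int main(void)
{
    printf("scalar path:      %g\n", eval_store_var(0.5f));
    printf("vector path:      %g\n", demo_vector(0.25f));
    printf("stale vector tag: %d\n", demo_stale_vec_tag());
    return 0;
}
```

The point of the sketch is the division of labour: the caller guarantees the operand is fully defined before it is passed down, and the evaluator still validates the vector case so that a stale tag degrades to an error code rather than an `abort()` in `dsp_tick`. Valgrind's "uninitialised value was created by a stack allocation" report in the ticket is exactly the signal that the first half of that contract was missing.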


---

Sent from sourceforge.net because pd-dev at lists.iem.at is subscribed to https://sourceforge.net/p/pure-data/bugs/
