Jason, can you take a look? Thanks. Ian
On Tue, Aug 19, 2014 at 3:46 AM, Gary Benson <gben...@redhat.com> wrote:
> Hi all,
>
> I just retested this patch. The crash it fixes is still there,
> and the patch still fixes it. Is this ok to commit?
>
> Cheers,
> Gary
>
> Andrew Burgess wrote:
>> In two places when a struct demangle_component is of type
>> DEMANGLE_COMPONENT_FIXED_TYPE we fall back to accessing the default
>> s_binary member of the union rather than the s_fixed member. This
>> is incorrect and can cause the demangler to crash.
>>
>> In d_dump I've changed the code to only access the s_fixed member of
>> the union, and also added printing of the remaining parts of the
>> s_fixed struct; this felt like the most useful thing to do.
>>
>> I've added a new test. This causes a SIGSEGV for me before the
>> patch, and is fine afterwards; however, this is undefined, so might not
>> cause a crash on all platforms.
>>
>> If this is approved then please could someone commit it for me; I
>> don't have gcc write access.
>>
>> Thanks,
>> Andrew
>>
>> libiberty/ChangeLog:
>>
>> * cp-demangle.c (d_dump): Only access field from s_fixed part of
>> the union for DEMANGLE_COMPONENT_FIXED_TYPE.
>> (d_count_templates_scopes): Likewise.
>> * testsuite/demangle-expected: New test case.
>> ---
>> libiberty/cp-demangle.c | 10 +++++++++-
>> libiberty/testsuite/demangle-expected | 6 ++++++
>> 2 files changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c >> index 68d8ee1..a31dad4 100644 >> --- a/libiberty/cp-demangle.c >> +++ b/libiberty/cp-demangle.c >> @@ -710,7 +710,9 @@ d_dump (struct demangle_component *dc, int indent) >> printf ("pointer to member type\n"); >> break; >> case DEMANGLE_COMPONENT_FIXED_TYPE: >> - printf ("fixed-point type\n"); >> + printf ("fixed-point type, accum? %d, sat? %d\n", >> + dc->u.s_fixed.accum, dc->u.s_fixed.sat); >> + d_dump (dc->u.s_fixed.length, indent + 2) >> break; >> case DEMANGLE_COMPONENT_ARGLIST: >> printf ("argument list\n");
>> @@ -3869,7 +3871,13 @@ d_count_templates_scopes (int *num_templates, int >> *num_scopes, >> case DEMANGLE_COMPONENT_FUNCTION_TYPE: >> case DEMANGLE_COMPONENT_ARRAY_TYPE: >> case DEMANGLE_COMPONENT_PTRMEM_TYPE: >> + goto recurse_left_right; >> + >> case DEMANGLE_COMPONENT_FIXED_TYPE: >> + d_count_templates_scopes (num_templates, num_scopes, >> + dc->u.s_fixed.length); >> + break; >> + >> case DEMANGLE_COMPONENT_VECTOR_TYPE: >> case DEMANGLE_COMPONENT_ARGLIST: >> case DEMANGLE_COMPONENT_TEMPLATE_ARGLIST: >> diff --git a/libiberty/testsuite/demangle-expected >> b/libiberty/testsuite/demangle-expected >> index 453f9a3..0e2bb12 100644 >> --- a/libiberty/testsuite/demangle-expected >> +++ b/libiberty/testsuite/demangle-expected >> @@ -4343,3 +4343,9 @@ >> cereal::detail::InputBindingMap<cereal::JSONInputArchive>::Serializers >> cereal::p >> --format=gnu-v3 >> _ZNSt9_Any_data9_M_accessIPZ4postISt8functionIFvvEEEvOT_EUlvE_EERS5_v >> void post<std::function<void ()> >(std::function<void >> ()>&&)::{lambda()#1}*& std::_Any_data::_M_access<void >> post<std::function<void ()> >(void post<std::function<void ()> >> >(std::function<void ()>&&)::{lambda()#1}*&&)::{lambda()#1}*>() >> +# The following input symbol was found during random, it caused a fault >> +# within the demangler, it's not a symbol we'd expect in the real world. >> +--format=auto --no-params >> +_Z3xxxDFyuVb >> +xxx(unsigned long long _Fract, bool volatile) >> +xxx >> -- >> 1.8.1.3
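Review bot: in the d_dump hunk (`@@ -710,7 +710,9 @@`) the added line `+ d_dump (dc->u.s_fixed.length, indent + 2)` has no terminating semicolon, so this will not compile as posted; please add it. Separately, the old body of this case was only `printf ("fixed-point type\n"); break;` and touched no union member, so the s_binary access the cover letter describes as the crash site must be in code after the switch that the case reaches via `break`. The new case still ends in `break`, so please confirm that this shared left/right recursion is no longer reached for DEMANGLE_COMPONENT_FIXED_TYPE; if it is, the case should `return` after dumping `dc->u.s_fixed.length` rather than `break`.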
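Review bot: in the d_count_templates_scopes hunk (`@@ -3869,7 +3871,13 @@`) the new `+ goto recurse_left_right;` after `case DEMANGLE_COMPONENT_PTRMEM_TYPE:` redirects the FUNCTION_TYPE, ARRAY_TYPE and PTRMEM_TYPE cases to a label that is not visible in this hunk's context. Please make sure `recurse_left_right:` is the same left/right recursion those cases reached before by falling through with FIXED_TYPE into the group starting at `case DEMANGLE_COMPONENT_VECTOR_TYPE:`; otherwise this change alters control flow for more than the fixed-point case. The new FIXED_TYPE body, `d_count_templates_scopes (num_templates, num_scopes, dc->u.s_fixed.length); break;`, matches the ChangeLog entry.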
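Review bot: in the demangle-expected hunk (`@@ -4343,3 +4343,9 @@`) the new comment `# The following input symbol was found during random, it caused a fault` appears to be missing a word after "random" (presumably the kind of random testing that produced it) and splices two sentences with a comma; please reword along the lines of `# The following input symbol was found during random testing; it caused a fault`. It would also help future readers to note here, as the cover letter does, that the fault is undefined behaviour and so this case may not crash on every platform even when the bug is present.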