From: Pascal Cuoq
Subject: Re: [Tinycc-devel] Use of uninitalized automatic variable in TCC when parsing “int f ( int ( )”
Date: Sun, 10 Mar 2019 00:42:17 +0000
Finally, adding one more bit of instrumentation shows that TCC can crash because of the uninitialized variable being discussed in this thread.
To understand the crash, add the following patch to the instrumentation that was already discussed:
diff --git a/tccgen.c b/tccgen.c
index 87ec798..ee5a838 100644
--- a/tccgen.c
+++ b/tccgen.c
@@ -588,6 +588,10 @@ ST_FUNC Sym *sym_push(int v, CType *type, int r, int c)
/* XXX: simplify */
if (!(v & SYM_FIELD) && (v & ~SYM_STRUCT) < SYM_FIRST_ANOM) {
/* record symbol in token array */
+ if (v == 0xd00f0011) {
+ printf("v < 0, this will not go well\n");
+ fflush(stdout);
+ }
ts = table_ident[(v & ~SYM_STRUCT) - TOK_IDENT];
if (v & SYM_STRUCT)
ps = &ts->sym_struct;
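Review bot: the guard `if (v == 0xd00f0011)` only fires for that one poison value, and the constant does not match the 0xf00f0011 named in the accompanying text, so one of the two is a typo; a check that would catch any corrupted `v`, not just this one, is a range test on the index actually used on the next line, `(v & ~SYM_STRUCT) - TOK_IDENT`, against the size of `table_ident` (negative or past the end), which would turn the segfault into a diagnostic. Minor: the message says "v < 0" but the condition never tests the sign, and diagnostics belong on stderr rather than `printf` plus `fflush(stdout)`.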
This patch shows that the value 0xf00f0011, that was chosen as the value of the uninitialized variable n in the function type_decl, can for some inputs be propagated until it is used to compute an address.
$ cat c.i
int f(int ()) {
return 0;
}
$ ./tcc -c c.i
*v left uninitialized
using n uninitialized
v < 0, this will not go well
Segmentation fault
Pascal
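The following is an added, stand-alone model of the index computation in sym_push, not code from the thread or from TCC. It shows why a poisoned symbol id reaches the table_ident lookup (the guard on the branch does not exclude it, and the resulting index is negative) and what a bounds check at that point would reject. The macro values for TOK_IDENT, SYM_STRUCT, SYM_FIELD and SYM_FIRST_ANOM, the table size N_IDENTS, and the function names are assumptions made for the example.

```c
#include <stdio.h>

/* Assumed values, chosen for this example; not quoted from the thread. */
#define TOK_IDENT      256
#define SYM_STRUCT     0x40000000
#define SYM_FIELD      0x20000000
#define SYM_FIRST_ANOM 0x10000000

/* Hypothetical number of identifiers currently stored in the token array. */
#define N_IDENTS 1000

/* The unchecked index expression that sym_push uses for table_ident[]. */
long ident_index(int v)
{
    return (long)(v & ~SYM_STRUCT) - TOK_IDENT;
}

/* The condition under which sym_push records the symbol in the token array.
   Note that it bounds v from above only, so a negative v passes. */
int takes_token_branch(int v)
{
    return !(v & SYM_FIELD) && (v & ~SYM_STRUCT) < SYM_FIRST_ANOM;
}

/* Defensive variant: the index the caller may use, or -1 if v cannot be a
   valid identifier token (below TOK_IDENT, negative, or past the table end). */
long checked_ident_index(int v, int n_idents)
{
    long idx;
    if (v < TOK_IDENT)
        return -1;
    idx = ident_index(v);
    if (idx < 0 || idx >= n_idents)
        return -1;
    return idx;
}

int main(void)
{
    /* The constant matched by the instrumentation in the thread. */
    int poison = (int)0xd00f0011u;
    int sane = TOK_IDENT + 3;

    printf("poison %#x as int: %d (negative: %s)\n", (unsigned)poison, poison,
           poison < 0 ? "yes" : "no");
    printf("branch taken: %d, raw index: %ld, checked: %ld\n",
           takes_token_branch(poison), ident_index(poison),
           checked_ident_index(poison, N_IDENTS));
    printf("sane %d: branch taken: %d, raw index: %ld, checked: %ld\n",
           sane, takes_token_branch(sane), ident_index(sane),
           checked_ident_index(sane, N_IDENTS));
    return 0;
}
```

The raw index for the poison value is far below zero, which is the out-of-bounds read behind the segmentation fault shown above; the checked variant returns -1 for it and 3 for an ordinary identifier token.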