poke-devel

[Bug default/25379] New: double freeing of AST variable nodes when there


From: jose.marchesi at oracle dot com
Subject: [Bug default/25379] New: double freeing of AST variable nodes when there is a syntax error in recursive function
Date: Mon, 13 Jan 2020 16:57:45 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=25379

            Bug ID: 25379
           Summary: double freeing of AST variable nodes when there is a
                    syntax error in recursive function
           Product: poke
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: default
          Assignee: unassigned at sourceware dot org
          Reporter: jose.marchesi at oracle dot com
                CC: poke-devel at nongnu dot org
  Target Milestone: ---

The following program (syntactically incorrect: note the missing
closing curly brace) makes poke fail with a double-free error:

    { defun foo = void: { foo (); }

What is happening is that the AST node for the variable reference in
the inner call to `foo' is being freed twice:

- First, when the bison parser destructor frees the node of the
  variable AST node itself.

- Second, when the bison parser destructor frees the node of the
  function `foo'.

The variable reference to `foo' is weak, since it is a recursive
function.  pkl_ast_node_free knows it, and tests for it to avoid these
problems:

    case PKL_AST_VAR:

      pkl_ast_node_free (PKL_AST_VAR_NAME (ast));
      if (!PKL_AST_VAR_IS_RECURSIVE (ast))
        pkl_ast_node_free (PKL_AST_VAR_DECL (ast));
      break;

However, the annotation of variables as recursive references is
performed in pkl_trans1_ps_var, and therefore at bison parser error
destruction time this information is not available.  Hence the
double-free error.

The obvious solution is to move the marking of variable AST nodes as
recursive or non-recursive from trans1 to the bison parser, as ugly
as that may seem.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
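
The failure mode described in the report, as an added example that is not part of the original message and is not poke's code: a simplified reference-counted AST in which the variable node holds a weak (uncounted) reference back to its function. The node layout, `node_release`, `teardown_after_syntax_error` and the choice of which values sit on the parser stack are assumptions made for illustration; releases are counted instead of calling `free`, so the extra release can be observed safely.

```c
#include <stdio.h>

/* Simplified model; names and layout are assumptions, not poke's pkl-ast. */
enum kind { NODE_FUNC, NODE_VAR };
struct node {
  enum kind kind;
  int refcount;
  int is_recursive;   /* VAR only: link is a weak, uncounted back-reference */
  struct node *link;  /* FUNC: owned body.  VAR: referenced declaration */
};

static int over_releases;  /* releases of a node whose count is already 0 */

static void node_release (struct node *n)
{
  if (n == NULL)
    return;
  if (n->refcount == 0)
    {
      over_releases++;  /* with heap-allocated nodes: a double free */
      return;
    }
  if (--n->refcount > 0)
    return;
  if (n->kind == NODE_FUNC)
    node_release (n->link);
  else if (!n->is_recursive)  /* same guard as the PKL_AST_VAR case above */
    node_release (n->link);
}

/* Build `foo' calling itself, then release the two values assumed to be
   left on the parser stack, as an error destructor would.  Returns the
   number of over-releases seen.  */
int teardown_after_syntax_error (int marked_by_parser)
{
  struct node func = { NODE_FUNC, 1, 0, NULL };  /* held by the stack */
  struct node var = { NODE_VAR, 2, 0, &func };   /* held by stack and body */
  func.link = &var;
  var.is_recursive = marked_by_parser;  /* 0: a later pass would set it */
  over_releases = 0;
  node_release (&var);
  node_release (&func);
  return over_releases;
}

int main (void)
{
  printf ("marked in later pass: %d\n", teardown_after_syntax_error (0));
  printf ("marked in parser:     %d\n", teardown_after_syntax_error (1));
  return 0;
}
```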