Duplicate free()'ed memory
From: Enrico Scholz
Subject: Duplicate free()'ed memory
Date: 26 Nov 2001 21:17:16 +0100
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Civil Service)
[This is a cc: of
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56607
(I had no time to figure out the upstream bugreport address before so I
posted it there first. To make reports easier for other people, please
add the bug address and the bison-URL to the man-page/info-file.)
I have tested it with bison-1.30e and it happens there also; but locations
in the bugreport are referring to 1.30]
Enrico
---------
Description of Problem:
When trying to build lclint beta-release I get a bison coredump while
compiling its cgrammar.y file. Using ElectricFence shows a duplicate
free() in src/symtab.c:145:
| XFREE(bp->tag)
src/reduce.c:362 seems to be responsible:
| free(tags[i]);
because tags[i] is assigned as 'tags[bp->value] = bp->tag;' in reader.c.
Therefore, multiple free() can happen on the same bp->tag.
Removing the line in reduce.c removes the coredump also, but I don't
know if it opens memory leaks (I have not found a place where tags[i]
got a newly allocated value assigned, so this should not happen).
BTW: Please add a URL tag to the rpm-package; it would make it easier
to determine an address for upstream bugreports.
Version-Release number of selected component (if applicable):
bison-1.30-2
ElectricFence-2.2.2-8
How Reproducible:
every time
Steps to Reproduce:
1. wget http://lclint.cs.virginia.edu/downloads/lclint-3.0.0.17.src.tgz
2. tar -xzf lclint-3.0.0.17.src.tgz
3. cd lclint-3.0.0.17/src/
4. export EF_PROTECT_FREE=1
5. ef bison -d cgrammar.y
Actual Results:
$ ef bison -d cgrammar.y
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <address@hidden>
cgrammar.y contains 1 useless nonterminal and 1 useless rule
ElectricFence Aborting: free(404d4fe8): address not from malloc().
/usr/bin/ef: line 20: 8535 Illegal instruction (core dumped) ( export
LD_PRELOAD=libefence.so.0.0; exec $* )
Expected Results:
no coredump
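
The aliasing described in the report, as an added example that is not part of the original message and is not bison's code: `struct bucket`, the pool allocator and the three sample tags are constructed for illustration. The pool stands in for malloc()/free() so that a second release of the same block is counted, in the spirit of the Electric Fence check, instead of corrupting a real heap.

```c
#include <stdio.h>
#define NSYMS 3
#define TAGLEN 16

/* Hypothetical stand-in for a symbol bucket that owns its tag string. */
struct bucket { int value; char *tag; };

/* Tracking pool used in place of malloc()/free(): a second release of the
   same block is counted instead of corrupting a real heap. */
static char pool[NSYMS][TAGLEN];
static int in_use[NSYMS];
static int duplicate_frees;

static char *pool_strdup(const char *s) {
    for (int i = 0; i < NSYMS; i++)
        if (!in_use[i]) {
            in_use[i] = 1;
            snprintf(pool[i], TAGLEN, "%s", s);
            return pool[i];
        }
    return NULL;
}

static void pool_free(char *p) {
    if (!p) return;
    int i = (int)((char (*)[TAGLEN])p - pool);   /* block index in the pool */
    if (in_use[i]) in_use[i] = 0; else duplicate_frees++;
}

/* Returns the number of duplicate frees seen during cleanup. */
int cleanup_duplicate_frees(int free_through_alias) {
    static const char *names[NSYMS] = { "expr", "stmt", "useless_nt" };
    struct bucket syms[NSYMS];
    char *tags[NSYMS];
    duplicate_frees = 0;
    for (int i = 0; i < NSYMS; i++) in_use[i] = 0;
    for (int i = 0; i < NSYMS; i++) {
        syms[i].value = i;
        syms[i].tag = pool_strdup(names[i]);
        tags[syms[i].value] = syms[i].tag;      /* alias, not a copy */
    }
    if (free_through_alias) pool_free(tags[2]); /* alias table frees too */
    else tags[2] = NULL;                        /* only forget the alias */
    for (int i = 0; i < NSYMS; i++)             /* owner's cleanup pass */
        pool_free(syms[i].tag);
    return duplicate_frees;
}

int main(void) {
    printf("alias table frees: %d, owner only: %d\n",
           cleanup_duplicate_frees(1), cleanup_duplicate_frees(0));
    return 0;
}
```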