gawk: other double free(_wstr)

[Karel Zak]

 Hi,

 there is other double free() call in gawk. Try:

 echo -e "AAA BBX\nAAA BBY" | ./gawk ' /^AAA BB/ { x = substr($2, 1); $1 = 
"FOO"; print $0 }'

 *** glibc detected *** gawk: double free or corruption (fasttop):
 0x000000000065b8b0 ***
 ======= Backtrace: =========
 /lib64/libc.so.6[0x3d2c06ea60]
 /lib64/libc.so.6(cfree+0x8c)[0x3d2c07217c]
 gawk(free_wstr+0x18)[0x428578]
 gawk(unref+0x4c)[0x4285fc]
 gawk(reset_record+0x69)[0x41f699]
 gawk(set_record+0x11)[0x41f7b1]
 gawk[0x423115]
 gawk(do_input+0x28)[0x4260d8]
 gawk(main+0xe9c)[0x427d8c]


 It's gawk-stable and Dmitry's patches doesn't help too much.

 The problem is probably somewhere around rebuild_record(), because it
 calls unref() (which correctly deallocates wstptr), but then the 
 rebuild_record() reassigns deallocated wstptr back to fields_arr[i]:

     n->stptr = cops;
     unref(fields_arr[i]);   <--- free( fields_arr[i]->wstptr )
     fields_arr[i] = n;      <--- deallocated wstptr is back 
 
 I'm not sure how correctly fix the problem, maybe the "n"
 should be without WSTRCUR flag before reassigning to fields_arr[i]. 

     n->flags &= ~(MALLOC|TEMP|PERM|STRING|CURSTR|WCURSTR);
                                          ^^^^^^^^^^^^^^^
                                         

 The problem comes up, because gawk newly deallocates wstptr in
 unref(). See node.c unref() diff between gawk-3.1.5 and gawk-stable
 CVS:

         if ((tmp->flags & FIELD) != 0) {
 +               free_wstr(tmp);
                 freenode(tmp);
                 return;
        }


    Karel

-- 
 Karel Zak  <address@hidden>