Re: [Tinycc-devel] Crash report for [mob:3054a76]

[Steffen Nurpmeso]

Hi.

Michael Matz <address@hidden> wrote:
 |On Thu, 10 Nov 2016, Steffen Nurpmeso wrote:
 |
 |> Hallo.
 |> 
 |>|The attached diff fixes the issue for me.
 |> 
 |> One more.
 |
 |diff --git a/tccgen.c b/tccgen.c
 |index fdd8654..00a26c5 100644
 |--- a/tccgen.c
 |+++ b/tccgen.c
 |@@ -6523,11 +6523,13 @@ static void gen_inline_functions(TCCState *s)
 |                 sym->r = VT_SYM | VT_CONST;
 |                 sym->type.t &= ~VT_INLINE;
 | 
 |+                s->inline_fns[i] = NULL;
 |                 begin_macro(&fn->func_str, 0);
 |                 next();
 |                 cur_text_section = text_section;
 |                 gen_function(sym);
 |                 end_macro();
 |+                s->inline_fns[i] = fn;
 | 
 |                 inline_generated = 1;
 |}
 |@@ -6544,7 +6546,7 @@ ST_FUNC void free_inline_functions(TCCState *s)
 |     /* free tokens of unused inline functions */
 |     for (i = 0; i < s->nb_inline_fns; ++i) {
 |         struct InlineFunc *fn = s->inline_fns[i];
 |-        if (fn->sym)
 |+        if (fn != NULL && fn->sym != NULL)
 |             tok_str_free(fn->func_str.str);
 |}
 |
 |What is this supposed to achieve?  It can only make a difference if 
 |free_inline_function could be called from the code inside the 
 |NULLing/reset sequence, which is not the case.

Yes it is, there is a double free in conjunction with the
preprocessor end_macro() (imagine a smile here).  end_macro()
frees the macro and then that free_inline_functions or so tries to
frees it again, which causes a crash.  It could be the code jumps
in the meanwhile?  Wait, i could reproduce those easily...
Luckily this is fast, and with cherry-picking the -rpath stuff..
I'll attach the valgrind logs.
Ciao!

--steffen

valgrind-1.log
Description: Text document

valgrind-2.log
Description: Text document