Hi all, I just retested this patch. The crash it fixes is still there, and the patch still fixes it. Is this ok to commit?
Cheers,
Gary

Andrew Burgess wrote:
> In two places when a struct demangle_component is of type
> DEMANGLE_COMPONENT_FIXED_TYPE we fall back to accessing the default
> s_binary member of the union rather than the s_fixed member. This
> is incorrect and can cause the demangler to crash.
>
> In d_dump I've changed the code to only access the s_fixed member of
> the union, and also added printing of the remaining parts of the
> s_fixed struct, this felt like the most useful thing to do.
>
> I've added a new test, this causes a SIGSEGV for me before the
> patch, and is fine afterwards, however, this is undefined, so might not
> cause a crash on all platforms.
>
> If this is approved then please could someone commit it for me, I
> don't have gcc write access.
>
> Thanks,
> Andrew
>
> libiberty/ChangeLog:
>
> * cp-demangle.c (d_dump): Only access field from s_fixed part of
> the union for DEMANGLE_COMPONENT_FIXED_TYPE.
> (d_count_templates_scopes): Likewise.
> * testsuite/demangle-expected: New test case.
> ---
> libiberty/cp-demangle.c | 10 +++++++++-
> libiberty/testsuite/demangle-expected | 6 ++++++
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c > index 68d8ee1..a31dad4 100644 > --- a/libiberty/cp-demangle.c > +++ b/libiberty/cp-demangle.c > @@ -710,7 +710,9 @@ d_dump (struct demangle_component *dc, int indent) > printf ("pointer to member type\n"); > break; > case DEMANGLE_COMPONENT_FIXED_TYPE: > - printf ("fixed-point type\n"); > + printf ("fixed-point type, accum? %d, sat? %d\n", > + dc->u.s_fixed.accum, dc->u.s_fixed.sat); > + d_dump (dc->u.s_fixed.length, indent + 2) > break; > case DEMANGLE_COMPONENT_ARGLIST: > printf ("argument list\n");
> @@ -3869,7 +3871,13 @@ d_count_templates_scopes (int *num_templates, int > *num_scopes, > case DEMANGLE_COMPONENT_FUNCTION_TYPE: > case DEMANGLE_COMPONENT_ARRAY_TYPE: > case DEMANGLE_COMPONENT_PTRMEM_TYPE: > + goto recurse_left_right; > + > case DEMANGLE_COMPONENT_FIXED_TYPE: > + d_count_templates_scopes (num_templates, num_scopes, > + dc->u.s_fixed.length); > + break; > + > case DEMANGLE_COMPONENT_VECTOR_TYPE: > case DEMANGLE_COMPONENT_ARGLIST: > case DEMANGLE_COMPONENT_TEMPLATE_ARGLIST: > diff --git a/libiberty/testsuite/demangle-expected > b/libiberty/testsuite/demangle-expected > index 453f9a3..0e2bb12 100644 > --- a/libiberty/testsuite/demangle-expected > +++ b/libiberty/testsuite/demangle-expected > @@ -4343,3 +4343,9 @@ > cereal::detail::InputBindingMap<cereal::JSONInputArchive>::Serializers > cereal::p > --format=gnu-v3 > _ZNSt9_Any_data9_M_accessIPZ4postISt8functionIFvvEEEvOT_EUlvE_EERS5_v > void post<std::function<void ()> >(std::function<void ()>&&)::{lambda()#1}*& > std::_Any_data::_M_access<void post<std::function<void ()> >(void > post<std::function<void ()> >(std::function<void > ()>&&)::{lambda()#1}*&&)::{lambda()#1}*>() > +# The following input symbol was found during random, it caused a fault > +# within the demangler, it's not a symbol we'd expect in the real world. > +--format=auto --no-params > +_Z3xxxDFyuVb > +xxx(unsigned long long _Fract, bool volatile) > +xxx > -- > 1.8.1.3
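Review bot: the added line `d_dump (dc->u.s_fixed.length, indent + 2)` in the d_dump hunk has no trailing semicolon, so cp-demangle.c will not compile in any build that actually compiles d_dump; it needs `d_dump (dc->u.s_fixed.length, indent + 2);` before the `break;`. Given that the patch was retested and still builds and fixes the crash, d_dump is presumably not compiled in the tested configuration, which is worth confirming rather than relying on before this is committed.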
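Review bot: in the d_count_templates_scopes hunk, the new `goto recurse_left_right;` before the FIXED_TYPE case is what keeps FUNCTION_TYPE, ARRAY_TYPE and PTRMEM_TYPE on their previous path now that the next arm ends in `break;` instead of falling through; a short comment on that line would make the intent clear to the next reader, and the ChangeLog's "Likewise" for this function does not mention that the switch's fall-through structure changed. Also, the hunk passes `dc->u.s_fixed.length` to the recursive call without a NULL check, so confirm that d_count_templates_scopes tolerates a NULL argument (the d_dump hunk recurses the same way).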
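Review bot: the testsuite comment `# The following input symbol was found during random, it caused a fault` is missing a word after "random" (presumably "testing" or "fuzzing"); suggest `# The following input symbol was found during random testing; it caused a fault`. The expected output itself looks consistent with `--no-params`: the full demangling `xxx(unsigned long long _Fract, bool volatile)` followed by the bare name `xxx`.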
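Added illustration (mine, not code from the patch or from libiberty) of the rule the fix applies: a tagged union is only read through the arm its tag selects. It uses a constructed, simplified stand-in for demangle_component with the s_binary/s_fixed arms named in the patch, walks a tree shaped like the new test symbol, and shows, without dereferencing anything, that on a fixed-point node the bytes where s_binary.right would live are just the accum/sat integers.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for demangle_component: a tag plus a union whose live
   arm the tag selects (arm names follow the patch, layout is simplified). */
enum comp_type { COMP_BUILTIN, COMP_FUNCTION_TYPE, COMP_ARGLIST, COMP_VOLATILE, COMP_FIXED_TYPE };
struct comp {
  enum comp_type type;
  union {
    struct { struct comp *left, *right; } s_binary;          /* most node kinds */
    struct { struct comp *length; int accum, sat; } s_fixed; /* COMP_FIXED_TYPE only */
  } u;
};
/* Count nodes of one kind, reading only the union arm the node type makes
   live, the same rule the patch applies in d_count_templates_scopes. */
static int count_kind (const struct comp *dc, enum comp_type kind)
{
  if (dc == NULL) return 0;
  int n = (dc->type == kind);
  switch (dc->type) {
  case COMP_BUILTIN:            /* leaf: no child pointer is live */
    return n;
  case COMP_FIXED_TYPE:         /* s_fixed is live; s_binary.right is not a pointer here */
    return n + count_kind (dc->u.s_fixed.length, kind);
  default:                      /* binary kinds: both children may be set */
    return n + count_kind (dc->u.s_binary.left, kind)
             + count_kind (dc->u.s_binary.right, kind);
  }
}
/* Constructed tree shaped like the patch's test symbol _Z3xxxDFyuVb,
   xxx(unsigned long long _Fract, bool volatile): 7 nodes, one fixed-point. */
static struct comp tree[7] = {
  { COMP_FUNCTION_TYPE, { .s_binary = { NULL, &tree[1] } } },
  { COMP_ARGLIST,       { .s_binary = { &tree[2], &tree[4] } } },
  { COMP_FIXED_TYPE,    { .s_fixed  = { &tree[3], 0, 0 } } },  /* DF..: _Fract, unsaturated */
  { COMP_BUILTIN,       { .s_binary = { NULL, NULL } } },      /* y: unsigned long long */
  { COMP_ARGLIST,       { .s_binary = { &tree[5], NULL } } },
  { COMP_VOLATILE,      { .s_binary = { &tree[6], NULL } } },  /* V */
  { COMP_BUILTIN,       { .s_binary = { NULL, NULL } } },      /* b: bool */
};
/* What the old fall-through read as s_binary.right on a fixed-point node: the
   accum/sat integers, not a pointer. Returned as raw bits, never dereferenced. */
static uintptr_t stale_right_bits (int accum, int sat)
{
  struct comp fx = { COMP_FIXED_TYPE, { .s_fixed = { NULL, accum, sat } } };
  uintptr_t bits = 0;
  memcpy (&bits, &fx.u.s_binary.right, sizeof fx.u.s_binary.right);
  return bits;
}
```

With accum and sat both zero, as in the test symbol, the stale bytes happen to read as a null pointer; any non-zero flag, or whatever the allocator left in those bytes, turns the generic path's recursion into a dereference of garbage.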